---
# authelia: https://github.com/linuxserver/reverse-proxy-confs/blob/master/pihole.subfolder.conf.sample
# that sample also has a generally better reverse-proxy config
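# Copy the Let's Encrypt directory for the Pi-hole vhost into the local cert
# store that the nginx vhost refers to, then reload nginx.
# NOTE(review): a letsencrypt "live" directory normally also holds the private
# key, and on a directory copy `mode` is applied to the copied files, so "0755"
# leaves them world-readable on the host. Confirm that is intended, or tighten
# the mode (nginx reads its key as root).
- name: install certs
  copy:
    src: "/usr/local/etc/letsencrypt/live/{{ item }}"
    dest: "/usr/local/etc/certs/"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not the int 493
    mode: "0755"
  # NOTE(review): nothing visible in this file consumes prediff_cmd — confirm it
  # is still needed
  vars:
    prediff_cmd: echo
  with_items:
    - "{{ pihole_url }}"
  notify: reload nginx
  tags:
    - letsencrypt-certs
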
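# Render the nginx vhost that fronts the Pi-hole web UI.
- name: template nginx vhost
  template:
    src: 01-pihole.conf.j2
    dest: /etc/nginx/sites-enabled/01-pihole-vhost
    # pinned explicitly, like every other template task in this file, instead
    # of inheriting whatever umask the control process has
    owner: root
    group: root
    mode: "0644"
    # left disabled as before: `validate` needs a `%s` placeholder, and
    # `nginx -t` checks the whole config tree rather than one rendered file
    #validate: /usr/sbin/nginx -t
  notify: reload nginx
  tags:
    - nginx-config
    - nginx-vhosts
    - pihole-nginx
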
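# Host log directories that are bind-mounted into the containers further down.
# They are owned by pihole_uid — presumably the uid the container processes run
# as, so they can write there (confirm against the container images).
- name: create log dirs
  file:
    path: "/var/log/{{ item.name }}"
    state: directory
    mode: "0755"
    owner: "{{ item.owner }}"
    # group deliberately mirrors owner: each item carries a single uid
    group: "{{ item.owner }}"
  with_items:
    - name: pihole
      owner: "{{ pihole_uid }}"
    - name: unbound0
      owner: "{{ pihole_uid }}"
    - name: unbound1
      owner: "{{ pihole_uid }}"
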
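# Host-side directory tree under pihole_root that is bind-mounted into the
# pihole and unbound containers.
- name: create dir structure
  file:
    path: "{{ pihole_root }}/{{ item['dir'] }}"
    state: directory
    mode: "0775"
    # 999 is the uid/gid used for the in-container pihole user elsewhere in
    # this file; an item may override owner/group individually
    owner: "{{ item['owner'] | default('999') }}"
    group: "{{ item['group'] | default('999') }}"
  with_items:
    - dir: "etc/pihole"
    - dir: "etc/dnsmasq.d"
    - dir: "etc/unbound"
  tags: docker
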
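# Static DNS overrides (custom.list). Only rendered when pihole_custom_list is
# set; an undefined variable counts as "no overrides" through default(false).
- name: template dns overrides if pihole_custom_list
  template:
    src: custom.list.j2
    dest: "{{ pihole_root }}/etc/pihole/custom.list"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not an int
    mode: "0644"
  when: pihole_custom_list|default(false)
  notify: pihole restartdns
  tags:
    - pihole-config
    - pihole-overrides
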
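# Host cron entries for pihole. 0600 root:root: cron.d files must be owned by
# root and must not be writable by anyone else, or cron ignores them.
- name: cron file
  template:
    src: pihole-cron.j2
    dest: /etc/cron.d/pihole
    owner: root
    group: root
    mode: "0600"
  tags:
    - cron
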
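# FTL configuration. Unlike the other rendered config files this one is owned
# by uid/gid 999 (the in-container pihole user) — presumably because FTL needs
# to write to it; confirm before changing.
- name: template pihole-FTL.conf
  template:
    src: pihole-FTL.conf.j2
    dest: "{{ pihole_root }}/etc/pihole/pihole-FTL.conf"
    # quoted: a bare 999 is an int to the YAML loader, the module wants a string
    owner: "999"
    group: "999"
    mode: "0644"
  notify: restart pihole
  tags:
    - pihole-config
    - pihole-overrides
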
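# DHCP options for dnsmasq; only rendered when the Pi-hole DHCP server is on.
- name: template dhcp options if dhcp server
  template:
    src: 07-dhcp-options.conf.j2
    # NOTE(review): the destination name is misspelled ("otions"). dnsmasq
    # loads every file in dnsmasq.d regardless of name, so it should still be
    # picked up; renaming it here would leave the old file behind on already
    # provisioned hosts, so the name is kept as-is.
    dest: "{{ pihole_root }}/etc/dnsmasq.d/07-dhcp-otions.conf"
    owner: root
    group: root
    mode: "0644"
  # default(false), like the custom.list task above, so hosts that never
  # define pihole_dhcp skip the task instead of failing on an undefined var
  when: pihole_dhcp | default(false)
  notify: restart pihole
  tags:
    - pihole-config
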
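# Remaining dnsmasq.d snippets, one template per file name in the item list.
- name: template other dnsmasq.d files
  template:
    src: "{{ item }}.j2"
    dest: "{{ pihole_root }}/etc/dnsmasq.d/{{ item }}"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not an int
    mode: "0644"
  with_items:
    - "99-edns.conf"
  notify: restart pihole
  tags:
    - pihole-config
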
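# unbound resolver config and local A records; both are bind-mounted into the
# unbound containers below and a change restarts them.
- name: template unbound config
  template:
    src: "{{ item }}.j2"
    dest: "{{ pihole_root }}/etc/unbound/{{ item }}"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not an int
    mode: "0644"
  with_items:
    - unbound.conf
    - a-records.conf
  notify: restart unbound
  tags:
    - unbound
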
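# Custom container entrypoint (per its name it changes the uid unbound runs
# as). Root-owned and executable on the host; bind-mounted into the unbound
# containers below.
- name: template unbound custom entrypoint with uid change
  template:
    src: unbound-entrypoint.sh.j2
    dest: "{{ pihole_root }}/unbound-entrypoint.sh"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not an int
    mode: "0755"
  tags:
    - unbound
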
# Nothing else may hold :53 on the host before the pihole container publishes
# it on loopback, so stop and disable the usual stub/recursive resolvers.
- name: disable systemd-resolved or named if they are active
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  # on a host where a unit does not exist the module fails; that failure is
  # deliberately swallowed, so a genuine "could not stop" is hidden too
  ignore_errors: true
  loop:
    - systemd-resolved
    - named

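# NOTE: For a DNS server with lots of short-lived connections, you may
# wish to consider adding --net=host to the run command for
# performance reasons.
#
# Two recursive resolvers that the pihole container forwards to. Every config
# file and the entrypoint are bind-mounted read-only; only the log directory
# is writable from inside the container.
- name: start unbound docker containers
  docker_container:
    name: "{{ item }}"
    # NOTE(review): an unpinned `:latest` tag together with pull=true re-pulls
    # whatever the registry currently serves on every run; pin a version tag
    # or digest if reproducible deployments matter.
    image: mvance/unbound:latest
    auto_remove: false
    pull: true
    restart_policy: "always"
    state: started
    mounts:
      # /dev/null over the image's forward-records.conf — presumably to
      # disable upstream forwarding so these resolve recursively; confirm
      - type: bind
        read_only: true
        source: /dev/null
        target: /opt/unbound/etc/unbound/forward-records.conf
      - type: bind
        read_only: true
        source: "{{ pihole_root }}/etc/unbound/unbound.conf"
        target: /opt/unbound/etc/unbound/unbound.conf
      - type: bind
        read_only: true
        source: "{{ pihole_root }}/etc/unbound/a-records.conf"
        target: /opt/unbound/etc/unbound/a-records.conf
      - type: bind
        source: "/var/log/{{ item }}/"
        target: /opt/unbound/etc/unbound/log/
      # the entrypoint only has to be executed, never written, from inside the
      # container, so it is mounted read-only like the config files
      - type: bind
        read_only: true
        source: "{{ pihole_root }}/unbound-entrypoint.sh"
        target: /unbound-entrypoint.sh
    entrypoint: /unbound-entrypoint.sh
    container_default_behavior: compatibility
    networks_cli_compatible: false
    networks:
      - name: bridgewithdns
        ipv4_address: "{{ bridgewithdns[item] }}"
    dns_servers:
      - 127.0.0.1
  with_items:
    - unbound0
    - unbound1
  tags:
    - unbound-container
    - docker-containers
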
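# docker exec pihole pihole -a -p
# docker exec pihole sudo pihole -a -p
#
# The pihole container itself. DNS is published only on loopback and on this
# host's wg_clients address (presumably the WireGuard interface), never on
# 0.0.0.0; the web UI is bound to loopback only and reached through nginx.
- name: start docker container
  docker_container:
    name: "pihole"
    # NOTE(review): unpinned `:latest` with pull=true — same caveat as the
    # unbound task: pin a version tag or digest for reproducible deployments
    image: "pihole/pihole:latest"
    auto_remove: false
    detach: true
    pull: true
    restart_policy: "always"
    state: started
    container_default_behavior: compatibility
    # NET_ADMIN/NET_RAW are what the image asks for when it runs its DHCP
    # server; NET_BIND_SERVICE covers the privileged ports. If pihole_dhcp is
    # false on a host, NET_ADMIN could be dropped there — worth confirming
    # against the image docs before narrowing.
    capabilities:
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
    # every value is kept a string: docker env takes text, and the YAML loader
    # would otherwise turn e.g. false into a boolean
    env:
      WEB_PORT: "{{ pihole_http_port|string }}"
      DNSMASQ_LISTENING: "all"  # the docker nat port forward is a firewall
      VIRTUAL_HOST: "{{ pihole_url }}"
      # optional per-host override; defaults to the zone this task used to hard-code
      TZ: "{{ pihole_tz | default('Europe/Berlin') }}"
      PIHOLE_DNS_: "{{ bridgewithdns.unbound0 }};{{ bridgewithdns.unbound1 }}"
      CONDITIONAL_FORWARDING: "{{ pihole_cond|string }}"
      CONDITIONAL_FORWARDING_IP: "{{ pihole_cond_ip }}"
      CONDITIONAL_FORWARDING_DOMAIN: "{{ pihole_cond_domain }}"
      IPv6: "false"
    dns_servers:
      - "{{ bridgewithdns.unbound0 }}"
      - "{{ bridgewithdns.unbound1 }}"
    # quoted: port mappings are colon-separated and easy to mis-type for YAML
    ports:
      - "127.0.0.1:53:53/udp"
      - "127.0.0.1:53:53/tcp"
      #- "{{ pihole_nginx_interface }}:53:53/udp"
      - "{{ wg_clients[inventory_hostname]['ip'] }}:53:53/udp"
      - "127.0.0.1:{{pihole_http_port}}:{{pihole_http_port}}"
    # setting the hostname to {{pihole_url}} makes pihole mess with resolving that record.
    #hostname: "{{ pihole_url }}"
    network_mode: bridge
    purge_networks: true
    networks_cli_compatible: true
    # /var/log/pihole/pihole-FTL.log
    # add_message(type=7, message=/dev/shm) - SQL error step DELETE: database is locked
    shm_size: '2G'
    networks:
      - name: bridgewithdns
        ipv4_address: "{{ bridgewithdns.pihole }}"
    # config and log trees must stay writable: pihole edits them at runtime
    mounts:
      - type: bind
        source: "{{ pihole_root }}/etc/pihole"
        target: /etc/pihole
      - type: bind
        source: "{{ pihole_root }}/etc/dnsmasq.d"
        target: /etc/dnsmasq.d
      - type: bind
        source: /var/log/pihole
        target: /var/log/pihole
  tags:
    - pihole-container
    - docker-containers
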
# Block until TCP port 53 on localhost is open, i.e. the pihole container has
# come up; polled every 4 seconds.
- name: wait for port 53
  wait_for:
    host: localhost
    port: 53
    sleep: 4
  tags:
    - pihole-container

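# Filebeat input definitions for the container logs. Only the unbound input is
# rendered from the item list even though the tags also name pihole.
- name: template filebeat configs
  template:
    src: "filebeat-{{ item }}.yml.j2"
    dest: "/etc/filebeat/inputs.d/{{ item }}.yml"
    owner: root
    group: root
    # quoted so the YAML loader hands Ansible an octal string, not an int
    mode: "0644"
  with_items:
    - unbound
  notify: restart filebeat
  tags:
    - filebeat
    - filebeat-input
    - filebeat-pihole
    - filebeat-unbound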