From 0ba0c1ae164f4ea3643d08cc81058a181c556733 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20M=C3=A4rkle?= Date: Mon, 28 Dec 2020 18:04:08 +0100 Subject: [PATCH] Support to install pihole on the server and use it as a dns server for the clients --- create_aws_wireguard_server.yml | 3 ++ pihole.yml | 15 ++++++ roles/pihole/tasks/main.yml | 57 +++++++++++++++++++++++ roles/pihole/templates/01-pihole.conf | 43 +++++++++++++++++ roles/pihole/templates/setupVars.conf | 12 +++++ roles/wireguard_server/tasks/main.yml | 3 -- roles/wireguard_server/templates/wg0.conf | 7 +-- wireguard.yml | 4 ++ 8 files changed, 138 insertions(+), 6 deletions(-) create mode 100644 pihole.yml create mode 100644 roles/pihole/tasks/main.yml create mode 100644 roles/pihole/templates/01-pihole.conf create mode 100644 roles/pihole/templates/setupVars.conf diff --git a/create_aws_wireguard_server.yml b/create_aws_wireguard_server.yml index c611e97..e55c264 100644 --- a/create_aws_wireguard_server.yml +++ b/create_aws_wireguard_server.yml @@ -29,6 +29,9 @@ roles: - aws_graviton_nano_spot +- name: include playbook for pihole + import_playbook: pihole.yml + - name: Include playbook to install wireguard import_playbook: wireguard.yml diff --git a/pihole.yml b/pihole.yml new file mode 100644 index 0000000..9f1953b --- /dev/null +++ b/pihole.yml @@ -0,0 +1,15 @@ +--- +# INstall pihole +- name: Install pihole + hosts: launched + remote_user: admin + become: true + vars_prompt: + - name: install_pihole + prompt: Shall the wireguard server also act as pihole dns server (Defaults to false)? + default: false + private: no + roles: + - role: pihole + when: install_pihole + diff --git a/roles/pihole/tasks/main.yml b/roles/pihole/tasks/main.yml new file mode 100644 index 0000000..4afedd0 --- /dev/null +++ b/roles/pihole/tasks/main.yml 
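Review bot: The new `import_playbook: pihole.yml` runs before `wireguard.yml`, yet the pihole role's setupVars.conf template binds Pi-hole to `wg0` and `10.100.100.1`; on a fresh server that interface does not exist until the wireguard play has run, so if the unattended installer or FTL validates the interface at install time (not visible here, worth checking) the install fails or falls back to another interface. Moving the pihole import after the wireguard import, or adding a comment stating why the current order is safe, would remove the doubt. The task name `include playbook for pihole` is also the only lowercase one among the imports; `Include playbook to install pihole` would match its neighbour.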
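Review bot: `when: install_pihole` is applied to a vars_prompt answer, which Ansible delivers as a string, so a typed `yes`/`no` is not reliably read as a boolean by a bare conditional; `when: install_pihole | bool` handles the boolean default and the usual typed answers alike. `private: no` should be written `private: false` (`no` is a YAML 1.1 boolean and reads ambiguously; yamllint `truthy`), and the header comment has a typo: `# Install pihole`. The prompt text could also name the second prompt it pairs with (`dns_for_clients` in wireguard.yml), since answering yes here without pointing clients at the server's VPN address leaves Pi-hole installed but unused.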
@@ -0,0 +1,57 @@
+---
+- name: Update APT package cache
+ apt:
+ update_cache: true
+ upgrade: dist
+
+- name: Install git package
+ apt:
+ name: "git"
+ state: present
+
+- name: '[main] Make sure /etc/pihole directory exists'
+ file:
+ state: directory
+ path: /etc/pihole
+ owner: root
+ group: root
+ mode: 0755
+ become: yes
+
+- name: '[install] Clone pihole repo'
+ git:
+ repo: https://github.com/pi-hole/pi-hole.git
+ depth: 1
+ dest: /tmp/pi-hole
+ version: master
+
+- name: '[install] Generate /etc/pihole/setupVars.conf for unattended install if it does not exist or if upgrading'
+ template:
+ src: setupVars.conf
+ dest: /etc/pihole/setupVars.conf
+ owner: root
+ group: root
+ mode: 0644
+ become: yes
+
+- name: '[install] Install pihole'
+ command: 'bash /tmp/pi-hole/automated\ install/basic-install.sh --unattended'
+ become: yes
+
+- name: '[install] Generate /etc/dnsmasq.d/01-pihole.conf'
+ template:
+ src: 01-pihole.conf
+ dest: /etc/dnsmasq.d/01-pihole.conf
+ become: yes
+
+- name: '[install] Set cron job for daily pihole updates'
+ cron:
+ name: "daily pihole updater"
+ user: "{{ ansible_user_id }}"
+ minute: "0"
+ hour: "4"
+ job: "/usr/local/bin/pihole -up"
+ become: yes
+ tags: pihole
+
+
diff --git a/roles/pihole/templates/01-pihole.conf b/roles/pihole/templates/01-pihole.conf
new file mode 100644
index 0000000..941c14c
--- /dev/null
+++ b/roles/pihole/templates/01-pihole.conf
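Review bot: The `[install] Clone pihole repo` task fetches `version: master` of a third-party repository, the next task executes its `basic-install.sh` as root, and the cron task then re-runs `pihole -up` nightly, so whatever upstream publishes at that moment runs with root privileges with nothing pinned or verified; pin `version:` to a release tag (`version: "<PIHOLE_RELEASE_TAG>"`, placeholder) and decide deliberately whether the unattended nightly self-update is wanted on this host. The role is also not idempotent: the `command:` task has no `creates:`, so every playbook run re-executes the installer, and the setupVars.conf `template` task overwrites the file on each run although its name says "if it does not exist" — `creates: /usr/local/bin/pihole` on the command and `force: false` on the template would match the stated intent (and keep a password later changed with `pihole -a -p` from being reverted). `mode: 0755` and `mode: 0644` are unquoted numeric literals whose value depends on the YAML parser (octal under 1.1, decimal under 1.2); write `mode: "0755"` / `mode: "0644"`. `become: yes` should be `become: true`, and since pihole.yml already runs the play with `become: true` the per-task lines are redundant.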
@@ -0,0 +1,43 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+# #
+# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
+# /etc/pihole/setupVars.conf #
+# #
+# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
+# WITHIN /etc/dnsmasq.d/yourname.conf #
+###############################################################################
+
+addn-hosts=/etc/pihole/local.list
+addn-hosts=/etc/pihole/custom.list
+
+
+localise-queries
+
+
+no-resolv
+
+
+
+cache-size=10000
+
+#log-queries
+log-facility=/var/log/pihole.log
+
+local-ttl=2
+
+log-async
+server=9.9.9.9
+server=149.112.112.112
+interface=wg0
+server=/use-application-dns.net/
diff --git a/roles/pihole/templates/setupVars.conf b/roles/pihole/templates/setupVars.conf
new file mode 100644
index 0000000..89426e8
--- /dev/null
+++ b/roles/pihole/templates/setupVars.conf
@@ -0,0 +1,12 @@
+PIHOLE_INTERFACE=wg0
+IPV4_ADDRESS=10.100.100.1
+IPV6_ADDRESS=
+PIHOLE_DNS_1=9.9.9.9
+PIHOLE_DNS_2=149.112.112.112
+QUERY_LOGGING=false
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+WEBPASSWORD=7f1e9d01ec046e7e51e17bdad56720fdfea4b4dcc96169f67b0a114ce8a5f954
+BLOCKING_ENABLED=true
diff --git a/roles/wireguard_server/tasks/main.yml b/roles/wireguard_server/tasks/main.yml
index 92a0c69..fd49134 100644
--- a/roles/wireguard_server/tasks/main.yml
+++ b/roles/wireguard_server/tasks/main.yml
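Review bot: This file is deployed as a `template` but contains no Jinja, and it duplicates values Pi-hole derives from setupVars.conf (`server=9.9.9.9`, `server=149.112.112.112`, `interface=wg0`); its own banner says it is regenerated by the install/update procedure, so the nightly `pihole -up` cron added in roles/pihole/tasks/main.yml will overwrite whatever is customised here and the two copies will drift. If only `interface=wg0` and the `use-application-dns.net` canary are the intent, put them in a separate drop-in such as `/etc/dnsmasq.d/02-wireguard.conf` as the banner advises, and let Pi-hole own 01-pihole.conf. The listening restriction is the security-relevant line on an internet-facing instance: if it is lost after an update, dnsmasq may answer on the public interface and the host becomes an open resolver, so verify the rendered config after `pihole -up` rather than assuming `PIHOLE_INTERFACE=wg0` is re-applied.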
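Review bot: `WEBPASSWORD=7f1e9d01…` commits a fixed admin-password hash to the repository, so every deployment shares an admin credential known to anyone with read access to the repo, and it stays in history even after the line is changed. Generate it per host instead: prompt for or vault a password and render the hash in the template (Pi-hole stores a double SHA-256 of the password, so `WEBPASSWORD={{ pihole_admin_password | hash('sha256') | hash('sha256') }}` — confirm the scheme against the Pi-hole version being installed), or leave it empty and set it with `pihole -a -p` after the install. `IPV4_ADDRESS=10.100.100.1` is hard-coded while wg0.conf builds peer addresses from `{{ vpn_network }}`; `IPV4_ADDRESS={{ vpn_network }}.1` keeps the two in step (presumably `vpn_network` is the three-octet prefix, as its use in wg0.conf suggests). With `INSTALL_WEB_SERVER=true` and `LIGHTTPD_ENABLED=true` the admin UI listens wherever lighttpd binds, which this file does not restrict to wg0, so the instance's security group or a host firewall rule must keep it off the public interface.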
@@ -20,9 +20,6 @@ name: "qrencode" state: present -- name: Reboot to use new kernel - reboot: - - name: ensure wireguard services are stopped command: "systemctl stop wg-quick@wg0" diff --git a/roles/wireguard_server/templates/wg0.conf b/roles/wireguard_server/templates/wg0.conf index 78b54c3..87d6413 100644 --- a/roles/wireguard_server/templates/wg0.conf +++ b/roles/wireguard_server/templates/wg0.conf @@ -6,9 +6,10 @@ PrivateKey = {{ vpn_server_private_key.stdout }} PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE -{% for i in range(vpn_client_public_keys.results|int) %} +{% for i in vpn_client_public_keys.results %} +# {{ i.item }} [Peer] -PublicKey = {{ vpn_client_public_keys.results[i].stdout }} -AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32 +PublicKey = {{ i.stdout }} +AllowedIPs = {{ vpn_network }}.{{ loop.index0 + 2 }}/32 {% endfor %} \ No newline at end of file diff --git a/wireguard.yml b/wireguard.yml index 271cd81..e77d167 100644 --- a/wireguard.yml +++ b/wireguard.yml @@ -8,6 +8,10 @@ prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop" default: "" private: no + - name: dns_for_clients + prompt: Please provide the dns that is announced to clients (e.g. 10.100.100.1 if pihole is used on server). Defaults to 9.9.9.9 + default: "9.9.9.9" + private: no vars: vpn_client_names: "{{ vpn_clients_text.split(' ') }}" vpn_clients: []
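Review bot: `i` now names a result dictionary rather than an index, so `{% for client in vpn_client_public_keys.results %}` with `client.item` / `client.stdout` reads better than keeping the old index name. Peer addresses remain positional (`loop.index0 + 2`), so a client's address depends on where its name sits in the prompted list; that is unchanged by this commit but deserves a comment above the loop, e.g. `# peer N gets {{ vpn_network }}.(N+2); keep the client list order stable or existing client configs break`. The client-side configs that must agree on these addresses are presumably generated elsewhere and are outside the hunk.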
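Review bot: `dns_for_clients` is accepted verbatim from the prompt with no validation before it presumably lands in the generated client configs (that rendering is outside the hunk), so a typo or stray space silently produces a broken or unintended DNS setting on every client; add an `assert` after the prompts, e.g. `that: dns_for_clients is match('^(\d{1,3}\.){3}\d{1,3}$')`, or pass it through the `ipaddr` filter if that collection is in use. `private: no` should be `private: false`, as for the existing prompts. The prompt text could state explicitly that `10.100.100.1` is the value hard-coded in roles/pihole/templates/setupVars.conf, so the two playbooks stay consistent when someone changes one of them.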