Support to install pihole on the server and use it as a dns server for

the clients

create_aws_wireguard_server.yml

@@ -29,6 +29,9 @@
   roles:
     - aws_graviton_nano_spot
 
+- name: include playbook for pihole
+  import_playbook: pihole.yml
+
 - name: Include playbook to install wireguard
   import_playbook: wireguard.yml
 

pihole.yml

@@ -0,0 +1,15 @@
+---
+# INstall pihole
+- name: Install pihole
+  hosts: launched 
+  remote_user: admin
+  become: true
+  vars_prompt:
+  - name: install_pihole
+    prompt: Shall the wireguard server also act as pihole dns server (Defaults to false)?
+    default: false
+    private: no
+  roles:
+    - role: pihole
+      when: install_pihole
+ 

roles/pihole/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Update APT package cache
+  apt:
+    update_cache: true
+    upgrade: dist
+    
+- name: Install git package
+  apt:
+    name: "git"
+    state: present
+
+- name: '[main] Make sure /etc/pihole directory exists'
+  file:
+    state: directory
+    path: /etc/pihole
+    owner: root
+    group: root
+    mode: 0755
+  become: yes
+  
+- name: '[install] Clone pihole repo'
+  git:
+    repo: https://github.com/pi-hole/pi-hole.git
+    depth: 1
+    dest: /tmp/pi-hole
+    version: master
+
+- name: '[install] Generate /etc/pihole/setupVars.conf for unattended install if it does not exist or if upgrading'
+  template:
+    src: setupVars.conf
+    dest: /etc/pihole/setupVars.conf
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: '[install] Install pihole'
+  command: 'bash /tmp/pi-hole/automated\ install/basic-install.sh --unattended'
+  become: yes
+
+- name: '[install] Generate /etc/dnsmasq.d/01-pihole.conf'
+  template:
+    src: 01-pihole.conf
+    dest: /etc/dnsmasq.d/01-pihole.conf
+  become: yes
+
+- name: '[install] Set cron job for daily pihole updates'
+  cron:
+    name: "daily pihole updater"
+    user: "{{ ansible_user_id }}"
+    minute: "0"
+    hour: "4"
+    job: "/usr/local/bin/pihole -up"
+  become: yes
+  tags: pihole
+
+

roles/pihole/templates/01-pihole.conf

@@ -0,0 +1,43 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+#                                                                             #
+#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
+#                      /etc/pihole/setupVars.conf                             #
+#                                                                             #
+#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
+#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
+###############################################################################
+
+addn-hosts=/etc/pihole/local.list
+addn-hosts=/etc/pihole/custom.list
+
+
+localise-queries
+
+
+no-resolv
+
+
+
+cache-size=10000
+
+#log-queries
+log-facility=/var/log/pihole.log
+
+local-ttl=2
+
+log-async
+server=9.9.9.9
+server=149.112.112.112
+interface=wg0
+server=/use-application-dns.net/

roles/pihole/templates/setupVars.conf

@@ -0,0 +1,12 @@
+PIHOLE_INTERFACE=wg0
+IPV4_ADDRESS=10.100.100.1
+IPV6_ADDRESS=
+PIHOLE_DNS_1=9.9.9.9
+PIHOLE_DNS_2=149.112.112.112
+QUERY_LOGGING=false
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+WEBPASSWORD=7f1e9d01ec046e7e51e17bdad56720fdfea4b4dcc96169f67b0a114ce8a5f954
+BLOCKING_ENABLED=true

roles/wireguard_server/tasks/main.yml

@@ -20,9 +20,6 @@
     name: "qrencode"
     state: present
 
-- name: Reboot to use new kernel
-  reboot:
-
 - name: ensure wireguard services are stopped
   command: "systemctl stop wg-quick@wg0"
 

roles/wireguard_server/templates/wg0.conf

@@ -6,9 +6,10 @@ PrivateKey = {{ vpn_server_private_key.stdout }}
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
 
-{% for i in range(vpn_client_public_keys.results|int) %}
+{% for i in vpn_client_public_keys.results %}
+# {{ i.item }}
 [Peer]
-PublicKey = {{ vpn_client_public_keys.results[i].stdout }}
+PublicKey = {{ i.stdout }}
-AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32
+AllowedIPs = {{ vpn_network }}.{{ loop.index0 + 2 }}/32
 
 {% endfor %}

wireguard.yml

@@ -8,6 +8,10 @@
     prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop"
     default: ""
     private: no
+  - name: dns_for_clients
+    prompt: Please provide the dns that is announced to clients (e.g. 10.100.100.1 if pihole is used on server). Defaults to 9.9.9.9
+    default: "9.9.9.9"
+    private: no
   vars:
     vpn_client_names: "{{ vpn_clients_text.split(' ') }}"
     vpn_clients: []