Support to install pihole on the server and use it as a dns server for

the clients

Readme.md

@@ -36,3 +36,7 @@ defaults by pressing return
 1. Install wireguard client for your operating system (e.g. via package manager or Appstore)
 2. Import the client profile that was created during the server installation. It is located in `wireguard_profiles` subfolder
 as config file and as a qrcode png file to be scanned by mobile clients
+
+(!) under ubuntu, you have to enable tcp_mtu_probing e.g. by issuing 'echo 2 >
+/proc/sys/net/ipv4/tcp_mtu_probing' or by setting 'net.ipv4.tcp_mtu_probing = 2'
+/in /etc/sysctl.conf

create_aws_wireguard_server.yml

@@ -29,6 +29,9 @@
   roles:
     - aws_graviton_nano_spot
 
+- name: include playbook for pihole
+  import_playbook: pihole.yml
+
 - name: Include playbook to install wireguard
   import_playbook: wireguard.yml
 

pihole.yml

@@ -0,0 +1,15 @@
+---
+# INstall pihole
+- name: Install pihole
+  hosts: launched 
+  remote_user: admin
+  become: true
+  vars_prompt:
+  - name: install_pihole
+    prompt: Shall the wireguard server also act as pihole dns server (Defaults to false)?
+    default: false
+    private: no
+  roles:
+    - role: pihole
+      when: install_pihole
+ 

roles/pihole/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Update APT package cache
+  apt:
+    update_cache: true
+    upgrade: dist
+    
+- name: Install git package
+  apt:
+    name: "git"
+    state: present
+
+- name: '[main] Make sure /etc/pihole directory exists'
+  file:
+    state: directory
+    path: /etc/pihole
+    owner: root
+    group: root
+    mode: 0755
+  become: yes
+  
+- name: '[install] Clone pihole repo'
+  git:
+    repo: https://github.com/pi-hole/pi-hole.git
+    depth: 1
+    dest: /tmp/pi-hole
+    version: master
+
+- name: '[install] Generate /etc/pihole/setupVars.conf for unattended install if it does not exist or if upgrading'
+  template:
+    src: setupVars.conf
+    dest: /etc/pihole/setupVars.conf
+    owner: root
+    group: root
+    mode: 0644
+  become: yes
+
+- name: '[install] Install pihole'
+  command: 'bash /tmp/pi-hole/automated\ install/basic-install.sh --unattended'
+  become: yes
+
+- name: '[install] Generate /etc/dnsmasq.d/01-pihole.conf'
+  template:
+    src: 01-pihole.conf
+    dest: /etc/dnsmasq.d/01-pihole.conf
+  become: yes
+
+- name: '[install] Set cron job for daily pihole updates'
+  cron:
+    name: "daily pihole updater"
+    user: "{{ ansible_user_id }}"
+    minute: "0"
+    hour: "4"
+    job: "/usr/local/bin/pihole -up"
+  become: yes
+  tags: pihole
+
+

roles/pihole/templates/01-pihole.conf

@@ -0,0 +1,43 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+#                                                                             #
+#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
+#                      /etc/pihole/setupVars.conf                             #
+#                                                                             #
+#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
+#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
+###############################################################################
+
+addn-hosts=/etc/pihole/local.list
+addn-hosts=/etc/pihole/custom.list
+
+
+localise-queries
+
+
+no-resolv
+
+
+
+cache-size=10000
+
+#log-queries
+log-facility=/var/log/pihole.log
+
+local-ttl=2
+
+log-async
+server=9.9.9.9
+server=149.112.112.112
+interface=wg0
+server=/use-application-dns.net/

roles/pihole/templates/setupVars.conf

@@ -0,0 +1,12 @@
+PIHOLE_INTERFACE=wg0
+IPV4_ADDRESS=10.100.100.1
+IPV6_ADDRESS=
+PIHOLE_DNS_1=9.9.9.9
+PIHOLE_DNS_2=149.112.112.112
+QUERY_LOGGING=false
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+WEBPASSWORD=7f1e9d01ec046e7e51e17bdad56720fdfea4b4dcc96169f67b0a114ce8a5f954
+BLOCKING_ENABLED=true

roles/wireguard_server/tasks/main.yml

@@ -20,9 +20,6 @@
     name: "qrencode"
     state: present
 
-- name: Reboot to use new kernel
-  reboot:
-
 - name: ensure wireguard services are stopped
   command: "systemctl stop wg-quick@wg0"
 

roles/wireguard_server/templates/wg0-client.conf

@@ -1,6 +1,6 @@
 [Interface]
-Address = {{ vpn_network }}.{{item|int + 1}}/32
+Address = {{ vpn_network }}.{{item|int + 2}}/32
-DNS = 9.9.9.9
+DNS = {{ dns_for_clients }}
 PrivateKey = {{ item.stdout }}
 
 [Peer]

roles/wireguard_server/templates/wg0.conf

@@ -6,9 +6,10 @@ PrivateKey = {{ vpn_server_private_key.stdout }}
 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
 PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
 
-{% for i in range(vpn_client_public_keys.results|int) %}
+{% for i in vpn_client_public_keys.results %}
+# {{ i.item }}
 [Peer]
-PublicKey = {{ vpn_client_public_keys.results[i].stdout }}
+PublicKey = {{ i.stdout }}
-AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32
+AllowedIPs = {{ vpn_network }}.{{ loop.index0 + 2 }}/32
 
 {% endfor %}

wireguard.yml

@@ -8,6 +8,10 @@
     prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop"
     default: ""
     private: no
+  - name: dns_for_clients
+    prompt: Please provide the dns that is announced to clients (e.g. 10.100.100.1 if pihole is used on server). Defaults to 9.9.9.9
+    default: "9.9.9.9"
+    private: no
   vars:
     vpn_client_names: "{{ vpn_clients_text.split(' ') }}"
     vpn_clients: []