From 1915c5da5e021e65627950db415def5df40fc8ab Mon Sep 17 00:00:00 2001 
From: Ryan Date: Tue, 14 Jun 2022 21:42:58 -0400 Subject: [PATCH] remove pihole role; update template; move docker tasks to own folder --- applications/hosts | 11 +- applications/roles/authsec.pihole/LICENSE | 21 -- applications/roles/authsec.pihole/README.md | 241 ------------------ .../roles/authsec.pihole/defaults/main.yml | 65 ----- .../roles/authsec.pihole/files/mappings.csv | 11 - .../authsec.pihole/meta/.galaxy_install_info | 2 - .../roles/authsec.pihole/meta/main.yml | 26 -- .../tasks/checkssh-photonos.yml | 5 - .../roles/authsec.pihole/tasks/checkssh.yml | 5 - .../tasks/firewall-iptables.yml | 41 --- .../authsec.pihole/tasks/install-apt.yml | 6 - .../authsec.pihole/tasks/install-photonos.yml | 5 - .../roles/authsec.pihole/tasks/main.yml | 159 ------------ .../templates/02-pihole-dhcp.conf.j2 | 11 - .../templates/10-pihole-custom-static.conf.j2 | 18 -- .../templates/ansible-managed.hosts.j2 | 9 - .../templates/setupVars.conf.j2 | 33 --- applications/roles/base/tasks/containers.yml | 2 +- applications/roles/base/tasks/docker.yml | 50 ++++ applications/roles/base/tasks/main.yml | 52 +--- applications/site.yml | 6 + templates/hosts.tmpl | 5 + 22 files changed, 71 insertions(+), 713 deletions(-) delete mode 100644 applications/roles/authsec.pihole/LICENSE delete mode 100644 applications/roles/authsec.pihole/README.md delete mode 100644 applications/roles/authsec.pihole/defaults/main.yml delete mode 100755 applications/roles/authsec.pihole/files/mappings.csv delete mode 100644 applications/roles/authsec.pihole/meta/.galaxy_install_info delete mode 100644 applications/roles/authsec.pihole/meta/main.yml delete mode 100644 applications/roles/authsec.pihole/tasks/checkssh-photonos.yml delete mode 100644 applications/roles/authsec.pihole/tasks/checkssh.yml delete mode 100644 applications/roles/authsec.pihole/tasks/firewall-iptables.yml delete mode 100644 applications/roles/authsec.pihole/tasks/install-apt.yml delete mode 100644 
applications/roles/authsec.pihole/tasks/install-photonos.yml delete mode 100644 applications/roles/authsec.pihole/tasks/main.yml delete mode 100644 applications/roles/authsec.pihole/templates/02-pihole-dhcp.conf.j2 delete mode 100644 applications/roles/authsec.pihole/templates/10-pihole-custom-static.conf.j2 delete mode 100644 applications/roles/authsec.pihole/templates/ansible-managed.hosts.j2 delete mode 100644 applications/roles/authsec.pihole/templates/setupVars.conf.j2 create mode 100644 applications/roles/base/tasks/docker.yml diff --git a/applications/hosts b/applications/hosts index b382024..1433247 100644 --- a/applications/hosts +++ b/applications/hosts @@ -2,8 +2,11 @@ [media-servers] -[docker-servers:children] -main-docker -media-managers +[home-servers] -[main-docker] \ No newline at end of file +[docker-servers:children] +media_managers +media_servers +home-servers + +[pi-hole] diff --git a/applications/roles/authsec.pihole/LICENSE b/applications/roles/authsec.pihole/LICENSE deleted file mode 100644 index f30cbee..0000000 --- a/applications/roles/authsec.pihole/LICENSE +++ /dev/null 
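Review bot: The new `[docker-servers:children]` block lists `media_servers` and `media_managers` with underscores, while the only group visible in this hunk is `[media-servers]` with a hyphen (the context line at the top) and the removed child was spelled `media-managers`; unless the groups themselves were renamed outside the hunk, these children most likely resolve to empty, implicitly created groups and the media hosts never match `'docker-servers' in group_names`. Either spell the children as the groups are declared (`media-servers`, `media-managers`) or rename the group headers to the underscore form consistently — Ansible does warn about hyphens in group names, so the underscore form may be the intended direction. The inventory file continues before and after this hunk.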
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2020 Jens Frey - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/applications/roles/authsec.pihole/README.md b/applications/roles/authsec.pihole/README.md deleted file mode 100644 index 3fe19ea..0000000 --- a/applications/roles/authsec.pihole/README.md +++ /dev/null 
@@ -1,241 +0,0 @@ -# Pihole - - -Pi-hole role. This will install [Pi-hole®: A black hole for Internet -advertisements – A black hole for Internet -advertisements](https://pi-hole.net/) for you. - -It also helps you administering Pi-Hole using a simple CSV file that you can -edit with your favourite editor. - -## Requirements - -A host running Ubuntu/Debian/Photon OS or e.g. a raspberry pi running Raspberry -Pi OS (Lite). - -If you run into problems, a look into the [Pi-hole -documentation](https://docs.pi-hole.net/docker/dhcp/) may help. - -### Host CSV File - -Pi-hole configuration is done via a csv file. This gives you a nice overview -and makes it easy to manage your environment. - -The role includes a full example CSV file in the `files` folder for you to -review. - -The following lines do show `dhcp-option` settings that will be written into -the dnsmasq configuration file. The lines tag one IP address as the vm based -DNS server and the raspberry pi based DNS server running on an actual raspberry -pi. - -#### Set DHCP Options - -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -,,,,,"tag:vm-dns,option:dns-server,192.168.30.253","<>","Sets value of dhcp-option configuration option, here which DNS server to use" -,,,,,"tag:pi-dns,option:dns-server,192.168.30.254","<>","Sets value of dhcp-option configuration option, here which DNS server to use" -``` - -**Note:** If you are setting up multiple DNS servers here, you probably do want -to set the `riv_pihole_dns_default_tag` option when configuring your setup to set a default DNS server -for clients without a specific configuration. - -#### Setup IP/Host mapping - -The configuration below configures the host with the name `slash` to receive an -IP address of `192.168.128.2` if that address is still available. If a DHCP -lease was already handed out to another machine, a new IP address will be -assigned. It also identifies the machine as a physical host. 
- -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -slash,example.net,192.168.128.2,true,,,"<>","ESXi Host"" -``` - -#### Setup static IP address - -If you want to make sure that the IP address is assigned to a specific hostname -only, you can set the `static` field to `true` to achieve that. Setting this -option will instruct dnsmasq to ignore DHCP requests from any host named -`vmhole` as shown in the example below. The type is also identified as a virtual machine. - -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -vmhole,example.net,192.168.128.253,true,,,"<>","Pi-hole Virtual machine DNS server" -``` - -#### Setup Mac address/IP address mapping - -To assign a specific IP address and hostname to a special device using the mac -address of the device, use the following entry in the csv configuration -database. - -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -blib,example.net,192.168.128.18,,00:0c:29:43:37:dc,,"<>","Pi-hole Virtual machine DNS server" -``` - -#### Set different DNS server - -Setting up a special DNS server for some devices can be achieved by supplying -the appropriate DHCP option when defining the mapping. The below example shows -how to set the `vm-dns` DNS server for the photon host. 
- -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -photon,example.net,192.168.128.19,,00:0c:29:51:80:1f,"vm-dns","<>","Proxy server VM based on a docker image, using vm-dns server" -``` - -## Role Variables - -The role uses the following variables: - -| Variable | Default | Description | -| ------------------------------------ | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| riv_pihole_admin_password_generated | {{ lookup('password', '/dev/null length=15 chars=ascii_letters') }} | This variable sets the password for the web user interface. If no password is set, it will be auto-generated. The password value is shown in plain text in the last step if the variable `riv_pihole_show_summary` is set to `true`. | -| riv_pihole_dns_default_tag | | This variable sets a DHCP tag that lets you specify a default DNS server for hosts not listed in the configuration csv file. | -| riv_pihole_show_summary | false | If set `true` the last step will show the (generated) password in plain text along with some useful information like the IP address and name of the host pihole was installed on. | -| riv_pihole_docker_network | host | The network to which docker connects. If you want to use DHCP, you need to connect to the host network. | -| riv_pihole_docker_purge_networks | yes | Remove the created network when the docker container is shut down. | -| riv_pihole_dhcp_active | false | Enable or disable the built-in DHCP server. If you want to use Pi-hole as DHCP server, you need to turn this on. 
| -| riv_pihole_dhcp_leasetime | 24h | The default lease time to set when handing out a client IP address | -| riv_pihole_dhcp_start | 192.168.1.2 | The starting range of the built-in DHCP server. | -| riv_pihole_dhcp_end | 192.168.1.253 | The last address of the built-in DHCP server. | -| riv_pihole_dhcp_router | 192.168.1.1 | The router which should be advertised to clients getting an IP address. | -| riv_pihole_domain | example.net | The domain of your local network. | -| riv_pihole_interface | eth0 | The interface processes inside Pi-hole will bind to | -| riv_pihole_dhcp_ipv6 | false | Enable IPv6 support on DHCP. | -| riv_pihole_dhcp_rapid_commit | false | Control switch for the rapid commit option. | -| riv_pihole_dnsmasq_listening | all | The interface dnsmasq should listen on. | -| riv_pihole_query_logging | true | Log DNS queries. | -| riv_pihole_install_web_server | true | Install the built in Web-Server | -| riv_pihole_install_web_interface | true | Install the Web-Interface. | -| riv_pihole_lighttpd_enabled | | Enable lighttpd | -| riv_pihole_ipv4_address | {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] \| default(ansible_host) }} | The IPv4 address you want Pi-Hole to listen on. | -| riv_pihole_ipv6_address | | The IPv6 address you want Pi-Hole to listen on. | -| riv_pihole_dns_bogus_priv | | Control bogus private reverse lookups | -| riv_pihole_dns_fqdn_required | | Controls if the unqualified name is put into DNS as well | -| riv_pihole_dnssec | | Control DNSSEC | -| riv_pihole_rev_server_enabled | | Enable DNS conditional forwarding for device name resolution. | -| riv_pihole_rev_server_cidr | | If conditional forwarding is enabled, set the reverse DNS zone (e.g. 192.168.0.0/24) | -| riv_pihole_rev_server_domain | | If conditional forwarding is enabled, set the domain of the local network router (e.g example.net). | -| riv_pihole_rev_server_target | | If conditional forwarding is enabled, set the IP of the local network router. 
| -| riv_pihole_docker_image | pihole/pihole:latest | Which docker image to pull. You can e.g. specify a version. | -| riv_pihole_configuration_base_folder | /opt/pihole | Where do you want your configuration to live on the target host. | -| riv_pihole_etc_pihole_folder | {{ riv_pihole_configuration_base_folder }}/pihole | Control position of pihole folder. | -| riv_pihole_etc_dnsmasq_folder | {{ riv_pihole_configuration_base_folder }}/dnsmasq.d | Control position of dnsmasq.d folder. | -| riv_pihole_sys_dns_server1 | 127.0.0.1 | System DNS servers for Pi-hole. The first one HAS TO BE 127.0.0.1 | -| riv_pihole_sys_dns_server2 | 8.8.8.8 | System DNS server for Pi-hole | -| riv_pihole_dns_server1 | 1.1.1.1 | DNS Server used inside the docker container | -| riv_pihole_dns_server2 | 8.8.8.8 | DNS Server used inside the docker container | -| riv_pihole_serverip | {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] \| default(ansible_host) }} | The IP address of the Pi-hole host | -| riv_pihole_timezone | Europe/Berlin | Your timezone | -| riv_pihole_open_firewall_ports | true | Set to false if you don't want the role to open required firewall ports. | -| riv_pihole_dns_db_configuration_file | {{ role_path }}/files/mappings.csv | The location of the DNS configuration file. The default file pointed to should be copied and adopted appropriately. | - -## Example Playbook - -The example below shows a playbook you can use to configure pi-hole on a Photon -OS based virtual machine which is reflected in the inventory file. 
- -### Folder structure - -The folder structure is as follows (the roles folder will be created automatically later): - -``` -|-- dns-db.csv -|-- inventory -|-- pihole-vm.yml -`-- roles - `-- authsec.pihole - |-- defaults - | `-- main.yml - |-- files - | `-- mappings.csv - |-- LICENSE - |-- meta - | `-- main.yml - |-- README.md - |-- tasks - | |-- checkssh-photonos.yml - | |-- checkssh.yml - | |-- firewall-iptables.yml - | |-- install-apt.yml - | |-- install-photonos.yml - | `-- main.yml - `-- templates - |-- 02-pihole-dhcp.conf.j2 - |-- 10-pihole-custom-static.conf.j2 - `-- setupVars.conf.j2 -``` - -### Import Role - -You can import the role into your project using: - -``` bash -#> ansible-galaxy install -p roles authsec.pihole -``` - -### Create database - -This is a copy of the example database in `roles/authsec.pihole/files`. - -**dns-db.csv:** - -``` csv -hostname,domainname,ip_address,static,mac_address,dhcp_option,comment -,,,,,"tag:vm-dns,option:dns-server,192.168.128.253","Sets value of dhcp-option configuration option" -,,,,,"tag:pi-dns,option:dns-server,192.168.128.254","Sets value of dhcp-option configuration option" -slash,example.net,192.168.128.2,,,,"ESXi Host" -mohh,example.net,192.168.128.5,,,,"The Brain (vCenter Server)" -blib,example.net,192.168.128.18,,00:0c:29:43:37:dc,"pi-dns","VM using Raspberry Pi based DNS (and DHCP) server" -photon,example.net,192.168.128.19,,00:0c:29:51:80:1f,"vm-dns","VM using VM based DNS server" -vmhole,example.net,192.168.128.253,true,,,"Pi-hole Virtual machine DNS server" -pihole,example.net,192.168.128.254,,,,"Raspberry Pi backed Pi-Hole DNS and DHCP server for this network, docker based and ansible managed" -``` - -**inventory:** - -``` -[dns_vms] -vmhole.example.net ansible_host=192.168.128.253 ansible_user=pihole ansible_become_method='su' ansible_become_password='kevin.is.dead' ansible_python_interpreter=/usr/bin/python3 -``` - -**pihole-vm.yml:** - -``` yaml ---- -# Configure a machine to run pi-hole inside a 
docker container -- hosts: dns_vms - gather_facts: yes - become: yes - tasks: - - include_role: - name: authsec.pihole - vars: - # true|false - riv_pihole_admin_password: "secure.me" - riv_pihole_dhcp_active: "false" - riv_pihole_dhcp_start: "192.168.128.8" - riv_pihole_dhcp_end: "192.168.128.252" - riv_pihole_dhcp_router: "192.168.128.1" - riv_pihole_domain: "example.net" - riv_pihole_show_summary: true - riv_pihole_dns_db_configuration_file: "dns-db.csv" -``` - -### Run ansible - -Once everything is configured, you can run `ansible` to setup pi-hole on the -system configured in the `inventory`. - -``` bash -#> ansible-playbook -i inventory pihole-vm.yml -``` - -License -------- - -MIT diff --git a/applications/roles/authsec.pihole/defaults/main.yml b/applications/roles/authsec.pihole/defaults/main.yml deleted file mode 100644 index 3240dab..0000000 --- a/applications/roles/authsec.pihole/defaults/main.yml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -# tasks file for pihole - -# Generate a secure default password -riv_pihole_admin_password_generated: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}" -riv_pihole_docker_network: "host" -riv_pihole_docker_purge_networks: "yes" - -# If you are using tags to assign multiple DNS servers to an IP address, -# you can use this option to set a default, where you do not want to define -# a specific IP address to name mapping. -riv_pihole_dns_default_tag: "" - -riv_pihole_show_summary: false - -riv_pihole_dhcp_active: "false" -# 1 day lease -riv_pihole_dhcp_leasetime: "24h" -riv_pihole_dhcp_start: "192.168.1.2" -riv_pihole_dhcp_end: "192.168.1.253" -riv_pihole_dhcp_router: "192.168.1.1" -riv_pihole_domain: "example.net" -riv_pihole_interface: "eth0" - -riv_pihole_dhcp_ipv6: "false" -riv_pihole_dhcp_rapid_commit: "false" -riv_pihole_dnsmasq_listening: "all" -riv_pihole_query_logging: "true" -riv_pihole_install_web_server: "true" -riv_pihole_install_web_interface: "true" -riv_pihole_lighttpd_enabled: "" -riv_pihole_ipv4_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] | default(ansible_host) }}" -riv_pihole_ipv6_address: "" -riv_pihole_dns_bogus_priv: "false" -riv_pihole_dns_fqdn_required: "false" -riv_pihole_dnssec: "false" -riv_pihole_rev_server_enabled: "false" # previously conditional forwarding (riv_pihole_conditional_forwarding) -riv_pihole_rev_server_cidr: "" # previously conditional forwarding IP (riv_pihole_conditional_forwarding_ip) -riv_pihole_rev_server_domain: "" # previously conditional forwarding domain (riv_pihole_conditional_forwarding_domain) -riv_pihole_rev_server_target: "" # previously conditional forwarding host (riv_pihole_conditional_forwarding_reverse) - -riv_pihole_docker_image: "pihole/pihole:latest" - -riv_pihole_configuration_base_folder: "/opt/pihole" -riv_pihole_etc_pihole_folder: "{{ riv_pihole_configuration_base_folder }}/pihole" -riv_pihole_etc_dnsmasq_folder: "{{ 
riv_pihole_configuration_base_folder }}/dnsmasq.d" - -# These are the DNS servers for the docker system -# The first one MUST be 127.0.0.1 -riv_pihole_sys_dns_server1: "127.0.0.1" -riv_pihole_sys_dns_server2: "8.8.8.8" - -# These are the DNS servers that Pi-hole uses to resolve -riv_pihole_dns_server1: "1.1.1.1" -riv_pihole_dns_server2: "8.8.8.8" - -riv_pihole_serverip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] | default(ansible_host) }}" - -riv_pihole_timezone: "Europe/Berlin" - -# Photon OS e.g. has the firewall locked by default, if this is enabled -# the necessary ports will be opened -riv_pihole_open_firewall_ports: true - -riv_pihole_dns_db_configuration_file: "{{ role_path }}/files/mappings.csv" \ No newline at end of file diff --git a/applications/roles/authsec.pihole/files/mappings.csv b/applications/roles/authsec.pihole/files/mappings.csv deleted file mode 100755 index 2b13024..0000000 --- a/applications/roles/authsec.pihole/files/mappings.csv +++ /dev/null 
@@ -1,11 +0,0 @@ -hostname,domainname,ip_address,static,mac_address,dhcp_option,type,comment -,,,,,"tag:vm-dns,option:dns-server,192.168.128.253","<>","Sets value of dhcp-option configuration option, here which DNS server to use" -,,,,,"tag:pi-dns,option:dns-server,192.168.128.254","<>","Sets value of dhcp-option configuration option, here which DNS server to use" -slash,example.net,192.168.128.2,true,f4:02:70:b6:17:d2,,"<>","ESXi Host" -dudu,example.net,192.168.128.3,true,,,"<>","dudu node" -mohh,example.net,192.168.128.5,true,,,"<>","vCenter installation" -ku,example.net,192.168.128.250,true,,"pi-dns","<>","Control node" -proxy,example.net,192.168.128.252,true,,"vm-dns","<>","Proxy server VM based on a docker image" -wpad,example.net,192.168.128.252,,,,"<>","Proxy autodiscovery alias" -vmhole,example.net,192.168.128.253,true,,,"<>","Pi-hole based VM DNS server with statically assigned IP (static prevents DHCP from handing out that IP/DNS name combination)" -opihi,example.net,192.168.128.254,,b8:27:eb:24:32:1b,,"<>","Raspberry Pi backed Pi-Hole DNS and DHCP server for this network, docker based and ansible managed" diff --git a/applications/roles/authsec.pihole/meta/.galaxy_install_info b/applications/roles/authsec.pihole/meta/.galaxy_install_info deleted file mode 100644 index 26b130d..0000000 --- a/applications/roles/authsec.pihole/meta/.galaxy_install_info +++ /dev/null @@ -1,2 +0,0 @@ -install_date: Mon Jun 13 19:57:14 2022 -version: master diff --git a/applications/roles/authsec.pihole/meta/main.yml b/applications/roles/authsec.pihole/meta/main.yml deleted file mode 100644 index c3c71bd..0000000 --- a/applications/roles/authsec.pihole/meta/main.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -galaxy_info: - role_name: pihole - author: Jens Frey - description: Install, run and configure Pi-Hole using docker and a CSV file where you can map your hosts to IP addresses. - license: MIT - - min_ansible_version: 2.9 - - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - platforms: - - name: Debian - versions: - - buster - - name: Ubuntu - versions: - - focal - - galaxy_tags: - - pihole - - raspberry - - raspberrypi - - rpi - - photonos - -dependencies: [] \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/checkssh-photonos.yml b/applications/roles/authsec.pihole/tasks/checkssh-photonos.yml deleted file mode 100644 index 8ea881d..0000000 --- a/applications/roles/authsec.pihole/tasks/checkssh-photonos.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Make sure ssh is enabled, not just started - systemd: - name: sshd.service - enabled: true - state: started \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/checkssh.yml b/applications/roles/authsec.pihole/tasks/checkssh.yml deleted file mode 100644 index 9b20139..0000000 --- a/applications/roles/authsec.pihole/tasks/checkssh.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Make sure ssh is enabled, not just started - systemd: - name: ssh.service - enabled: true - state: started \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/firewall-iptables.yml b/applications/roles/authsec.pihole/tasks/firewall-iptables.yml deleted file mode 100644 index e83b155..0000000 --- a/applications/roles/authsec.pihole/tasks/firewall-iptables.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -- name: Allow ping - iptables: - chain: INPUT - jump: ACCEPT - protocol: icmp - -- name: Allow DHCP - iptables: - chain: INPUT - protocol: udp - destination_port: "67" - jump: ACCEPT - when: riv_pihole_dhcp_active|bool - -- name: Allow HTTP - iptables: - chain: INPUT - protocol: tcp - destination_port: "80" - jump: ACCEPT - -- name: Allow HTTPS - iptables: - chain: INPUT - protocol: tcp - destination_port: "443" - jump: ACCEPT - -- name: Allow UDP DNS queries - iptables: - chain: INPUT - protocol: udp - destination_port: "53" - jump: ACCEPT - -- name: Allow TCP DNS queries - iptables: - chain: INPUT - protocol: tcp - destination_port: "53" - jump: ACCEPT \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/install-apt.yml b/applications/roles/authsec.pihole/tasks/install-apt.yml deleted file mode 100644 index 618a14a..0000000 --- a/applications/roles/authsec.pihole/tasks/install-apt.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: Install docker and pip3 - apt: - pkg: - - docker.io - - python3-pip - state: present \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/install-photonos.yml b/applications/roles/authsec.pihole/tasks/install-photonos.yml deleted file mode 100644 index 5317862..0000000 --- a/applications/roles/authsec.pihole/tasks/install-photonos.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Install docker and pip3 - command: tdnf -y install docker python3-pip - register: result - changed_when: - - '"Complete!" in result.stdout' \ No newline at end of file diff --git a/applications/roles/authsec.pihole/tasks/main.yml b/applications/roles/authsec.pihole/tasks/main.yml deleted file mode 100644 index ccc8d52..0000000 --- a/applications/roles/authsec.pihole/tasks/main.yml +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -- name: Setting or generating password for web interface - set_fact: - riv_pihole_admin_password: "{{ riv_pihole_admin_password_generated }}" - when: riv_pihole_admin_password is undefined -- name: Ensure resolv.conf absent - file: - path: /etc/resolv.conf - state: absent -- name: Ensure we do have DNS available for the installation. - lineinfile: - path: /etc/resolv.conf - insertbefore: '^{{ item.property | regex_escape() }} ' - line: '{{ item.property }} {{ item.value }}' - create: true - with_items: - - { property: 'nameserver', value: '127.0.0.1'} - - { property: 'nameserver', value: '9.9.9.9'} - - { property: 'search', value: "{{ riv_pihole_domain }}" } -- name: Running apt install environment - include_tasks: - file: install-apt.yml - when: - - (ansible_facts['distribution'] == 'Debian') or (ansible_facts['distribution'] == 'Ubuntu') -- name: Running photon os install environment - include_tasks: - file: install-photonos.yml - when: - - ansible_facts['distribution'] == 'VMware Photon OS' -- name: Install python docker support - pip: - name: docker - state: present -- name: Ensure docker is up - systemd: - name: docker - enabled: true - state: started -- name: Pull Pi-hole image before resolved is shut down - docker_image: - name: "{{ riv_pihole_docker_image }}" - force_source: yes - source: pull -- name: Running general SSH check - include_tasks: - file: checkssh.yml - when: - - ansible_facts['distribution'] != 'VMware Photon OS' -- name: Running Photon OS SSH check - include_tasks: - file: checkssh-photonos.yml - when: - - ansible_facts['distribution'] == 'VMware Photon OS' -- name: Make sure default resolved service is stopped - systemd: - name: systemd-resolved.service - enabled: false - state: stopped -- name: Read configuration data - read_csv: - path: "{{ riv_pihole_dns_db_configuration_file }}" - delimiter: ',' - register: mappings - delegate_to: localhost - become: no -- name: Ensure pihole folder is present - file: - path: "{{ 
riv_pihole_etc_pihole_folder }}" - state: directory - mode: '0775' -- name: Ensure dnsmasq.d folder is present - file: - path: "{{ riv_pihole_etc_dnsmasq_folder }}" - state: directory - mode: '0755' -- name: Generate encoded Pi-hole WEBPASSWORD - shell: set -o pipefail && echo -n $(echo -n "{{ riv_pihole_admin_password }}" | sha256sum | sed 's/\s.*$//') | sha256sum | sed 's/\s.*$//' - args: - executable: /bin/bash - register: riv_pihole_admin_password_encoded - changed_when: false -- name: Provision Pihole config - template: - src: setupVars.conf.j2 - dest: "{{ riv_pihole_etc_pihole_folder }}/setupVars.conf" - mode: '0644' - register: riv_pihole_config -- name: Provision DNS configuration - template: - src: 10-pihole-custom-static.conf.j2 - dest: "{{ riv_pihole_etc_dnsmasq_folder }}/10-pihole-custom-static.conf" - owner: root - group: root - mode: '0644' - register: riv_pihole_dns_config - vars: - mappings: mappings -- name: Provision DHCP configuration - template: - src: 02-pihole-dhcp.conf.j2 - dest: "{{ riv_pihole_etc_dnsmasq_folder }}/02-pihole-dhcp.conf" - owner: root - group: root - mode: '0644' - register: riv_pihole_dhcp_config -- name: Provisioning host aliases - template: - src: ansible-managed.hosts.j2 - dest: "{{ riv_pihole_etc_pihole_folder }}/ansible-managed.hosts" - owner: root - group: root - mode: '0644' - register: riv_pihole_dns_alias_config - vars: - mappings: mappings -- name: Setting up firewall - include_tasks: - file: firewall-iptables.yml - when: riv_pihole_open_firewall_ports -- name: Ensure pihole docker container is running - docker_container: - name: pihole - image: "{{ riv_pihole_docker_image }}" - state: started - restart: "{{ riv_pihole_config.changed or riv_pihole_dns_config.changed or riv_pihole_dhcp_config.changed }}" - restart_policy: unless-stopped - networks_cli_compatible: yes - network_mode: host - networks: - - name: "{{ riv_pihole_docker_network }}" - capabilities: - - NET_ADMIN - dns_servers: - - "{{ 
riv_pihole_sys_dns_server1 }}" - - "{{ riv_pihole_sys_dns_server2 }}" - volumes: - - "{{ riv_pihole_etc_pihole_folder }}:/etc/pihole/" - - "{{ riv_pihole_etc_dnsmasq_folder }}:/etc/dnsmasq.d/" - env: - TZ: '{{ riv_pihole_timezone }}' - DNS1: '{{ riv_pihole_dns_server1 }}' - DNS2: '{{ riv_pihole_dns_server2 }}' - WEBPASSWORD: "{{ riv_pihole_admin_password }}" - ServerIP: "{{ riv_pihole_serverip }}" - REV_SERVER: "{{ riv_pihole_rev_server_enabled }}" - REV_SERVER_CIDR: "{{ riv_pihole_rev_server_cidr }}" - REV_SERVER_DOMAIN: "{{ riv_pihole_rev_server_domain }}" - REV_SERVER_TARGET: "{{ riv_pihole_rev_server_target }}" -- name: DNS/DHCP server summary - pause: - seconds: 1 - prompt: | - Pi-Hole web PASSWORD: "{{ riv_pihole_admin_password }}" - Pi-Hole Server IP: "{{ riv_pihole_serverip }}" - Pi-Hole Server Name: "{{ inventory_hostname }}" - Pi-Hole DHCP server active: "{{ riv_pihole_dhcp_active }}" - changed_when: false - when: riv_pihole_show_summary - delegate_to: localhost diff --git a/applications/roles/authsec.pihole/templates/02-pihole-dhcp.conf.j2 b/applications/roles/authsec.pihole/templates/02-pihole-dhcp.conf.j2 deleted file mode 100644 index df91fd0..0000000 --- a/applications/roles/authsec.pihole/templates/02-pihole-dhcp.conf.j2 +++ /dev/null 
@@ -1,11 +0,0 @@ -############################################################################### -# DHCP SERVER CONFIG FILE AUTOMATICALLY POPULATED BY PI-HOLE WEB INTERFACE. # -# ANY CHANGES MADE TO THIS FILE WILL BE LOST ON CHANGE # -############################################################################### -dhcp-authoritative -dhcp-range={% if riv_pihole_dns_default_tag is defined and riv_pihole_dns_default_tag|length >0%}set:{{ riv_pihole_dns_default_tag }},{% endif %}{{ riv_pihole_dhcp_start }},{{ riv_pihole_dhcp_end }},{{ riv_pihole_dhcp_leasetime }} -dhcp-option=option:router,{{ riv_pihole_dhcp_router }} -dhcp-leasefile=/etc/pihole/dhcp.leases -#quiet-dhcp - -domain={{ riv_pihole_domain }} \ No newline at end of file diff --git a/applications/roles/authsec.pihole/templates/10-pihole-custom-static.conf.j2 b/applications/roles/authsec.pihole/templates/10-pihole-custom-static.conf.j2 deleted file mode 100644 index 56676aa..0000000 --- a/applications/roles/authsec.pihole/templates/10-pihole-custom-static.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -# {{ ansible_managed }} - -# Change dhcp-option to dhcp-option-force if you need PXELinux support -{% for item in mappings.list %} -{% if item.type=="<>" %} -dhcp-option={{ item.dhcp_option }} -{% elif item.type=="<>" or item.type=="<>" %} - -# {{ item.comment }} -address=/{{ item.hostname }}.{{ item.domainname }}/{{ item.ip_address }} -ptr-record={{ (item.ip_address.split('.'))[::-1]|join('.') }}.in-addr.arpa,{{ item.hostname }}.{{ item.domainname }} -dhcp-host={% if item.mac_address is defined and item.mac_address|length %}{{ item.mac_address }},{% endif %}{% if item.dhcp_option is defined and item.dhcp_option|length >0%}set:{{ item.dhcp_option }},{% endif %}{{ item.ip_address }},{{ item.hostname }}{% if item.static is defined and item.static|length%},ignore{% endif %} - -{% endif %} -{% endfor %} - -# Include ansible managed static hosts -addn-hosts=/etc/pihole/ansible-managed.hosts 
diff --git a/applications/roles/authsec.pihole/templates/ansible-managed.hosts.j2 b/applications/roles/authsec.pihole/templates/ansible-managed.hosts.j2 deleted file mode 100644 index d22ee66..0000000 --- a/applications/roles/authsec.pihole/templates/ansible-managed.hosts.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# {{ ansible_managed }} - -{% for item in mappings.list %} -{% if item.type=="<>" %} -# {{ item.comment }} -{{ item.ip_address }} {{ item.hostname }} {{ item.hostname }}.{{ item.domainname }} - -{% endif %} -{% endfor %} \ No newline at end of file diff --git a/applications/roles/authsec.pihole/templates/setupVars.conf.j2 b/applications/roles/authsec.pihole/templates/setupVars.conf.j2 deleted file mode 100644 index cc6b41e..0000000 --- a/applications/roles/authsec.pihole/templates/setupVars.conf.j2 +++ /dev/null 
@@ -1,33 +0,0 @@
-# {{ ansible_managed }}
-
-BLOCKING_ENABLED=true
-DHCP_ACTIVE={{ riv_pihole_dhcp_active }}
-DHCP_START={{ riv_pihole_dhcp_start }}
-DHCP_END={{ riv_pihole_dhcp_end }}
-DHCP_ROUTER={{ riv_pihole_dhcp_router }}
-DHCP_LEASETIME={{ riv_pihole_dhcp_leasetime }}
-PIHOLE_DOMAIN={{ riv_pihole_domain }}
-DHCP_IPv6={{ riv_pihole_dhcp_ipv6 }}
-DHCP_rapid_commit={{ riv_pihole_dhcp_rapid_commit }}
-DNSMASQ_LISTENING={{ riv_pihole_dnsmasq_listening }}
-PIHOLE_DNS_1={{ riv_pihole_dns_server1 }}
-PIHOLE_DNS_2={{ riv_pihole_dns_server2 }}
-WEBPASSWORD={{ riv_pihole_admin_password_encoded.stdout }}
-QUERY_LOGGING={{ riv_pihole_query_logging }}
-INSTALL_WEB_SERVER={{ riv_pihole_install_web_server }}
-INSTALL_WEB_INTERFACE={{ riv_pihole_install_web_interface }}
-LIGHTTPD_ENABLED={{ riv_pihole_lighttpd_enabled }}
-IPV4_ADDRESS={{ riv_pihole_ipv4_address }}
-IPV6_ADDRESS={{ riv_pihole_ipv6_address }}
-DNS_BOGUS_PRIV={{ riv_pihole_dns_bogus_priv }}
-DNS_FQDN_REQUIRED={{ riv_pihole_dns_fqdn_required }}
-DNSSEC={{ riv_pihole_dnssec }}
-REV_SERVER={{ riv_pihole_rev_server_enabled }}
-REV_SERVER_CIDR={{ riv_pihole_rev_server_cidr }}
-REV_SERVER_DOMAIN={{ riv_pihole_rev_server_domain }}
-REV_SERVER_TARGET={{ riv_pihole_rev_server_target }}
-CONDITIONAL_FORWARDING=
-CONDITIONAL_FORWARDING_IP=
-CONDITIONAL_FORWARDING_DOMAIN=
-CONDITIONAL_FORWARDING_REVERSE=
-PIHOLE_INTERFACE={{ riv_pihole_interface }}
diff --git a/applications/roles/base/tasks/containers.yml b/applications/roles/base/tasks/containers.yml
index 833d18b..d8b54ab 100644
--- a/applications/roles/base/tasks/containers.yml
+++ b/applications/roles/base/tasks/containers.yml
@@ -11,7 +11,7 @@
 ports:
 - 9000:9000
 - 8000:8000
- when: "'docker-main' in group_names"
+ when: "'home-apps' in group_names"
 - name: Deploy Portainer Agent
 community.docker.docker_container:
diff --git a/applications/roles/base/tasks/docker.yml b/applications/roles/base/tasks/docker.yml
new file mode 100644
index 0000000..6d292e2
--- /dev/null
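Review bot: The Portainer server task is now gated on `'home-apps' in group_names`, but no `home-apps` group appears in the inventory template this commit edits (it defines `home-servers` and `[docker-servers:children]`), so unless the group is declared elsewhere this container will never be deployed. Confirm the group exists or change the line to `when: "'home-servers' in group_names"`. Note that containers.yml is only included when the host is also in `docker-servers`, so both conditions have to hold. The enclosing task starts before the hunk.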
+++ b/applications/roles/base/tasks/docker.yml
@@ -0,0 +1,50 @@
+# Docker
+- name: Install prerequisites
+ apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - gnupg-agent
+ - software-properties-common
+ state: present
+ update_cache: yes
+
+- name: Add docker apt-key
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+
+- name: Add docker repo
+ apt_repository:
+ repo: deb https://download.docker.com/linux/ubuntu focal stable
+
+- name: Install Docker
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ state: present
+ update_cache: yes
+
+- name: Add user permissions
+ shell: "usermod -aG docker {{ lookup ('env', 'USER') }}"
+
+# Python Docker SDK
+- name: Install Python package manager
+ apt:
+ name: python3-pip
+ state: present
+
+- name: Install Python SDK
+ become_user: "{{ lookup('env', 'USER') }}"
+ pip:
+ name:
+ - docker
+ - docker-compose
+ state: present
+
+# Containers
+- include_tasks: containers.yml
+ become_user: "{{ lookup('env', 'USER') }}"
+ when: "'docker-servers' in group_names"
\ No newline at end of file
diff --git a/applications/roles/base/tasks/main.yml b/applications/roles/base/tasks/main.yml
index 5a08837..a71358c 100644
--- a/applications/roles/base/tasks/main.yml
+++ b/applications/roles/base/tasks/main.yml
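Review bot: `Add user permissions` runs `usermod` through `shell` with `lookup('env', 'USER')`, which is evaluated on the control node, so the task adds whichever user runs ansible-playbook (who may not exist on the target) to the docker group and reports `changed` on every run; the same controller-side lookup feeds `become_user` on `Install Python SDK` and on the `include_tasks`. The `ansible.builtin.user` module with `append: true` and the target-side `ansible_user_id` fact is idempotent and resolves on the host, as in the fence below. The `apt_key` task accepts whatever key the URL serves; pinning `id:` to the published fingerprint makes a substituted key fail the task instead of trusting the repo. `repo:` also hardcodes `focal`, where `{{ ansible_distribution_release }}` would track the host, and `update_cache: yes` should be `true`. Membership in the docker group is equivalent to root on the host, which is worth a comment on the task so the grant reads as deliberate.
```yaml
- name: Add docker apt-key
  ansible.builtin.apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    id: <DOCKER_GPG_KEY_FINGERPRINT>  # placeholder: the published Docker signing-key fingerprint
# … unchanged: Add docker repo, Install Docker …
- name: Add user permissions
  ansible.builtin.user:
    name: "{{ ansible_user_id }}"
    groups: docker  # docker group == root-equivalent on this host
    append: true
# … unchanged: Python Docker SDK tasks, containers include …
```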
@@ -7,53 +7,5 @@
 update_cache: yes
 state: present
-# Docker
-- name: Install prerequisites
- apt:
- name:
- - apt-transport-https
- - ca-certificates
- - curl
- - gnupg-agent
- - software-properties-common
- state: present
- update_cache: yes
-
-- name: Add docker apt-key
- apt_key:
- url: https://download.docker.com/linux/ubuntu/gpg
-
-- name: Add docker repo
- apt_repository:
- repo: deb https://download.docker.com/linux/ubuntu focal stable
-
-- name: Install Docker
- apt:
- name:
- - docker-ce
- - docker-ce-cli
- - containerd.io
- state: present
- update_cache: yes
-
-- name: Ddd user permissions
- shell: "usermod -aG docker {{ lookup ('env', 'USER') }}"
-
-# Python Docker SDK
-- name: Install Python package manager
- apt:
- name: python3-pip
- state: present
-
-- name: Install Python SDK
- become_user: "{{ lookup('env', 'USER') }}"
- pip:
- name:
- - docker
- - docker-compose
- state: present
-
-# Containers
-- include_tasks: containers.yml
- become_user: "{{ lookup('env', 'USER') }}"
- when: "'docker-servers' in group_names"
+- include_tasks: docker.yml
+ when: "'docker_servers' in group_names"
diff --git a/applications/site.yml b/applications/site.yml
index e69de29..813f56c 100644
--- a/applications/site.yml
+++ b/applications/site.yml
@@ -0,0 +1,6 @@
+---
+ - hosts: all
+ tasks:
+ - include_roles:
+ name: base
+
diff --git a/templates/hosts.tmpl b/templates/hosts.tmpl
index 3e24434..fc1554a 100644
--- a/templates/hosts.tmpl
+++ b/templates/hosts.tmpl
@@ -13,6 +13,11 @@ ${ ip }
 ${ ip }
 %{ end for }
+[docker-servers:children]
+media_managers
+media_servers
+home-servers
+
 [pi-hole]
 %{ for ip in piholes }
 ${ ip }
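Review bot: The new `when: "'docker_servers' in group_names"` uses an underscore, while the group this commit adds in templates/hosts.tmpl is `[docker-servers:children]` and the nested include inside docker.yml checks `'docker-servers'`, so unless `TRANSFORM_INVALID_GROUP_CHARS` rewrites the hyphen on your Ansible version the docker.yml include never runs on those hosts. Either change this line to `when: "'docker-servers' in group_names"` or rename the group to `docker_servers` in hosts.tmpl and docker.yml, which also avoids Ansible's warning about hyphens in group names. The enclosing task list starts before the hunk.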
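Review bot: `include_roles` is not an Ansible action name; the module is `ansible.builtin.include_role` (singular), so this play errors with an unresolved action before any task runs. Change the line to `- include_role:`, or drop the task and declare `roles: [base]` on the play. The play list is also indented one space under `---`; writing `- hosts: all` at column 0 is the conventional layout and avoids the odd nesting.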