pihole

playbooks/roles/containers/subroles/pihole/defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# Pi-Hole container configuration
+pi_hole_container_name: "pihole"
+pi_hole_image: "pihole/pihole:latest"
+pi_hole_host_port: "314"
+pi_hole_dns_port: "53"
+pi_hole_timezone: "Europe/Berlin"
+pi_hole_volume_dir: "/opt/pi-hole"  # Directory to store Pi-Hole data
+pi_hole_web_password: "risICE3!risICE3!"  # Change this to a secure password
+blocklists:
+  - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt
+  - https://raw.githubusercontent.com/daylamtayari/Pi-Hole-Blocklist/master/Pi-Hole-Blocklist.txt
+  - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt
+
+# Docker network configuration
+docker_network_name: "pi-hole-net"

playbooks/roles/containers/subroles/pihole/files/stack.yml

@@ -0,0 +1,15 @@
+services:
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      - '53:53/tcp'
+      - '53:53/udp'
+      - '67:67/udp'
+      - '80:80/tcp'
+    environment:
+      - TZ=Europe/Berlin
+      - WEBPASSWORD=risICE3!risICE3!
+    volumes:
+      - './etc-pihole:/etc/pihole'
+      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+    restart: unless-stopped

playbooks/roles/containers/subroles/pihole/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: portainer

playbooks/roles/containers/subroles/pihole/tasks/main.yml

@@ -0,0 +1,114 @@
+---
+- name: Ensure Pi-Hole data directory exists
+  file:
+    path: "{{ pi_hole_volume_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Generate Docker Compose file for Pi-Hole
+  template:
+    src: pi-hole-compose.j2
+    dest: /opt/pi-hole/docker-compose.yml
+    owner: root
+    group: root
+    mode: '0644'
+  become: true
+
+- name: Ensure Docker network exists
+  community.docker.docker_network:
+    name: "{{ docker_network_name }}"
+    driver: bridge
+    state: present
+
+- name: Ensure systemd-resolved is installed
+  ansible.builtin.apt:
+    name: systemd-resolved
+    state: present
+  become: true
+
+- name: Disable DNSStubListener in resolved.conf
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regexp: '^#?DNSStubListener='
+    line: 'DNSStubListener=no'
+    create: true
+    mode: '0644'  # Secure file permissions
+  become: true
+
+- name: Restart systemd-resolved service
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted
+  become: true
+  changed_when: false
+
+- name: Verify port 53 is no longer in use by systemd-resolved
+  ansible.builtin.command: ss -tuln | grep ':53'
+  register: port_check
+  failed_when: port_check.rc == 0 and '127.0.0.53:53' in port_check.stdout
+  changed_when: false
+  become: true
+
+- name: Ensure Docker service directory exists
+  file:
+    path: /etc/systemd/system/docker.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Add custom DNS settings to Docker service
+  lineinfile:
+    path: /etc/systemd/system/docker.service.d/docker.conf
+    create: true
+    line: |
+      [Service]
+      ExecStart=
+      ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --dns 8.8.8.8 --dns 8.8.4.4
+    regexp: '^ExecStart='
+    insertafter: '^\[Service\]'
+    state: present
+    mode: '0644'
+  become: true
+
+- name: Reload systemd daemon
+  systemd:
+    daemon_reload: true
+  become: true
+
+- name: Restart Docker service
+  service:
+    name: docker
+    state: restarted
+  become: true
+
+- name: Deploy Pi-Hole container using Docker Compose V2
+  community.docker.docker_compose_v2:
+    project_src: /opt/pi-hole
+    state: present
+  become: true
+
+- name: Ensure Pi-Hole container is running
+  community.docker.docker_container_info:
+    name: "{{ pi_hole_container_name }}"
+  register: container_info
+
+- name: Restart Pi-Hole container if not running
+  community.docker.docker_container:
+    name: "{{ pi_hole_container_name }}"
+    state: started
+    restart: true
+  when: not container_info.container.State.Running
+
+- name: Wait for the container to be fully operational
+  command: docker exec {{ pi_hole_container_name }} pihole status
+  register: pihole_status
+  until: "'Pi-hole blocking is enabled' in pihole_status.stdout"
+  retries: 30
+  delay: 5
+  ignore_errors: true
+  changed_when: false

playbooks/roles/containers/subroles/pihole/templates/pi-hole-compose.j2

@@ -0,0 +1,21 @@
+services:
+  pihole:
+    container_name: {{ pi_hole_container_name }}
+    image: {{ pi_hole_image }}
+    ports:
+      - "{{ pi_hole_host_port }}:80/tcp"
+      - "{{ pi_hole_dns_port }}:53/tcp"
+      - "{{ pi_hole_dns_port }}:53/udp"
+    environment:
+      TZ: {{ pi_hole_timezone }}
+      WEBPASSWORD: {{ pi_hole_web_password }}
+    volumes:
+      - "{{ pi_hole_volume_dir }}/etc-pihole:/etc/pihole"
+      - "{{ pi_hole_volume_dir }}/etc-dnsmasq.d:/etc/dnsmasq.d"
+    networks:
+      - {{ docker_network_name }}
+    restart: unless-stopped
+
+networks:
+  {{ docker_network_name }}:
+    driver: bridge