Add PiHole and Unbound, RPi configuration, etc.

.gitignore

@@ -4,5 +4,7 @@
 .DS_Store
 secret.yml
 /group_vars/
+/host_vars/
+!/host_vars/.gitkeep
 !/group_vars/all/vars.yml
-mountsraspi
+mountsraspi

group_vars/all/vars.yml

@@ -11,6 +11,8 @@ timezone: Europe/Amsterdam
 
 dns_nameservers: [9.9.9.9, 149.112.112.112]
 
+dot_nameservers: [185.95.218.42@853#dns.digitale-gesellschaft.ch, 94.140.15.140@853#dns-unfiltered.adguard.com]
+
 host: "{{ duckdns_domain }}.duckdns.org"
 
 ntp_timezone: "{{ timezone }}"
@@ -147,6 +149,8 @@ enable_timemachine: true
 #
 ikev2_ondemand: true
 
+
+
 #
 # Samba
 #

roles/containers/deluge/tasks/main.yml

@@ -30,7 +30,7 @@
       "PGID": "{{ guid }}"
       "TZ": "{{ timezone }}"
     ports:
-      - "0.0.0.0:8112:8112"
+      - "8112:8112"
       - "58846:58846"
     volumes:
       - "{{ docker_dir }}/{{ container_name }}/data:/data"

roles/containers/ikev2/tasks/main.yml

@@ -1,8 +1,18 @@
 ---
+- name: Set the architecture variable
+  set_fact:
+    arch: "armhf"
+  when: '"armv" in ansible_architecture'
+
+- name: Set the architecture variable
+  set_fact:
+    arch: "amd64"
+  when: '"x86_64" in ansible_architecture'
+
 - name: Make sure the {{ container_name }} container is created and running
   docker_container:
     name: 'ikev2'
-    image: "notthebee/ikev2"
+    image: "notthebee/ikev2:{{ arch }}"
     privileged: yes
     pull: yes
     state: 'started'

roles/containers/pihole/tasks/main.yml

@@ -1,4 +1,16 @@
 ---
+- name: Create the configuration directory
+  file:
+    path: "{{ docker_dir }}/{{ container_name }}/unbound.conf.d/"
+    state: directory
+    recurse: yes
+
+- name: Copy the unbound configuration file
+  template:
+    src: unbound.j2
+    dest: "{{ docker_dir }}/{{ container_name }}/unbound.conf.d/pi-hole.conf"
+
+
 - name: Make sure the {{ container_name }} container is created and running
   docker_container:
     name: 'pihole'
@@ -13,19 +25,19 @@
       "TZ": "{{ timezone }}"
       "WEBPASSWORD": "{{ pihole_password }}"
       "REV_SERVER": "true"
-      "REV_SERVER_DOMAIN": "local"
+      "REV_SERVER_DOMAIN": "box"
       "REV_SERVER_TARGET": "{{ ansible_default_ipv4.gateway }}"
       "REV_SERVER_CIDR": "{{ '.'.join(ansible_default_ipv4.address.split('.')[0:3]) }}.0/24"
       "DNS1": "127.0.0.1#5335" # Hardcoded to our Unbound server
       "DNS2": "127.0.0.1#5335" # Hardcoded to our Unbound server
       "DNSSEC": "true" # Enable DNSSEC
-      "DOMAIN_NAME": "pihole.local"
+      "DOMAIN_NAME": "pihole.box"
     volumes:
       - "{{ docker_dir }}/{{ container_name }}/pihole:/etc/pihole"
       - "{{ docker_dir }}/{{ container_name }}/dnmasq-unbound:/etc/dnsmasq.d"
+      - "{{ docker_dir }}/{{ container_name }}/unbound.conf.d/pi-hole.conf:/etc/unbound/unbound.conf.d/pi-hole.conf"
     ports:
-      - 443:443/tcp
-      - 81:80/tcp
-      - 53:53/tcp
-      - 53:53/udp
+      - "81:80/tcp"
+      - "53:53/tcp"
+      - "53:53/udp"
     restart_policy: unless-stopped

roles/containers/pihole/templates/unbound.j2

@@ -0,0 +1,70 @@
+# Config pulled from https://docs.pi-hole.net/guides/unbound/
+
+server:
+    # If no logfile is specified, syslog is used
+    # logfile: "/var/log/unbound/unbound.log"
+
+
+    logfile: "/var/log/unbound.log"
+    verbosity: 3
+
+    hide-identity: yes
+    hide-version: yes
+    qname-minimisation: yes
+    rrset-roundrobin: yes
+    ssl-upstream: yes
+    ssl-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+    interface: 127.0.0.1
+    port: 5335
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # May be set to yes if you have IPv6 connectivity
+    do-ip6: no
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this only when you downloaded the list of primary root servers!
+    # If you use the default dns-root-data package, unbound will find it automatically
+    #root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+    edns-buffer-size: 1472
+
+    msg-cache-size: 50m
+    rrset-cache-size: 100m
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    so-reuseport: yes
+
+    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    so-rcvbuf: 1m
+
+    # Ensure privacy of local IP ranges
+    private-address: {{ '.'.join(ansible_default_ipv4.address.split('.')[0:3]) }}.0/24
+
+forward-zone:
+    # forward all queries to these DNS servers:
+    name: "."
+  {% for item in dot_nameservers %}
+    forward-addr: {{ item }}
+  {% endfor %}

roles/docker/tasks/main.yml

@@ -1,13 +1,13 @@
 ---
 - name: Include OS-specific variables
-  include_vars: "{{ ansible_facts['distribution'] }}.yml"
+  include_vars: "{{ ansible_facts['os_family'] }}.yml"
 
 - name: Install required system packages
   package: 
     state: latest
     name: "{{ docker_packages }}"
 
-- name: Install Docker packages
+- name: Install Docker (Ubuntu)
   when: ansible_facts['distribution'] == 'Ubuntu'
   block:
   - name: Add Docker GPG apt Key
@@ -20,12 +20,68 @@
       repo: deb https://download.docker.com/linux/ubuntu bionic stable
       state: present
 
-  - name: Update apt and install docker-ce
+- name: Install Docker (Raspbian)
+  when: ansible_facts['distribution'] == 'Debian'
+  block:
+  - name: Add Docker GPG apt Key
+    apt_key:
+      url: https://download.docker.com/linux/raspbian/gpg
+      state: present
+
+  - name: Add Docker Repository
+    apt_repository:
+      repo: deb https://download.docker.com/linux/raspbian buster stable
+      state: present
+
+  - name: Add buster-backports GPG key (for libseccomp2)
+    apt_key:
+      keyserver: keyserver.ubuntu.com
+      id: "{{ item }}"
+    loop:
+      - 04EE7237B7D453EC
+      - 648ACFD622F3D138
+
+  - name: Add buster-backports repository
+    apt_repository:
+      repo: deb http://deb.debian.org/debian buster-backports main contrib non-free
+
+  - name: Update to the latest version of libseccomp2
     apt: 
       update_cache: yes 
-      name: docker-ce 
+      name: libseccomp2
+      default_release: buster-backports
       state: latest
 
+  - name: Switch to iptables-legacy
+    alternatives:
+      name: iptables
+      path: /usr/sbin/iptables-legacy
+
+  - name: Switch to ip6tables-legacy
+    alternatives:
+      name: ip6tables
+      path: /usr/sbin/ip6tables-legacy
+
+  - name: Switch to pip3
+    alternatives:
+      name: pip
+      link: /usr/bin/pip
+      path: /usr/bin/pip3
+
+  - name: Switch to python3
+    alternatives:
+      name: python
+      link: /usr/bin/python
+      path: /usr/bin/python3
+
+
+- name: Update apt and install docker-ce
+  when: ansible_facts['os_family'] == 'Debian'
+  apt: 
+    update_cache: yes 
+    name: docker-ce 
+    state: latest
+
 - name: Ensure group docker exists
   group:
     name: docker

roles/docker/vars/Ubuntu.yml → roles/docker/vars/Debian.yml

@@ -6,4 +6,5 @@ docker_packages:
   - 'software-properties-common'
   - 'python3-pip'
   - 'virtualenv'
-  - 'python3-setuptools'
+  - 'python3-setuptools'
+  - 'python3-pip'

roles/essential/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Include OS-specific variables
-  include_vars: "{{ ansible_facts['distribution'] }}.yml"
+  include_vars: "{{ ansible_facts['os_family'] }}.yml"
 
 - name: Ubuntu specific tasks
   become: yes
@@ -11,11 +11,6 @@
       name: cloud-config
       state: absent
 
-  - name: Generate the locale
-    locale_gen:
-      name: "{{ locale }}"
-      state: present
-
   - name: Make sure iSCSId and Open-iSCSId services are disabled
     service: 
       name: "{{ item }}"
@@ -34,12 +29,19 @@
       group: root
       mode: 0644
     tags: mirrors
-
-  - name: Update and upgrade apt packages
-    apt:
-      upgrade: "yes"
-      update_cache: yes
-      cache_valid_time: 86400 
+
+- name: Generate the locale (Debian and Ubuntu)
+  when: ansible_os_family == 'Debian'
+  locale_gen:
+    name: "{{ locale }}"
+    state: present
+
+- name: Update and upgrade apt packages (Debian and Ubuntu)
+  when: ansible_os_family == 'Debian'
+  apt:
+    upgrade: "yes"
+    update_cache: yes
+    cache_valid_time: 86400 
 
 - name: Alpine specific tasks
   become: yes