authorElizabeth Hunt <me@liz.coffee>2025-03-21 22:58:42 -0700
committerElizabeth Hunt <me@liz.coffee>2025-03-21 22:58:42 -0700
commitdde6850257c1181802b1e8cd46b8aadfe1551b1f (patch)
treefae84615adb82a5f4af8a1095add6f330c4e7d83
parent053abdc560ad31e482fd631b2b7f8ccd4bd3b3f1 (diff)
downloadinfra-dde6850257c1181802b1e8cd46b8aadfe1551b1f.tar.gz
infra-dde6850257c1181802b1e8cd46b8aadfe1551b1f.zip
fix dns
-rw-r--r--deploy.yml3
-rw-r--r--group_vars/pihole.yml6
-rw-r--r--inventory3
-rw-r--r--playbooks/deploy-pihole.yml7
-rw-r--r--playbooks/roles/pihole/tasks/main.yml19
-rw-r--r--playbooks/roles/pihole/templates/stacks/docker-compose.yml38
-rw-r--r--playbooks/roles/pihole/templates/volumes/dnsmasq/.gitkeep0
-rw-r--r--playbooks/roles/pihole/templates/volumes/pihole/.gitkeep0
-rw-r--r--playbooks/roles/traefik/templates/stacks/docker-compose.yml2
-rw-r--r--playbooks/roles/traefik/templates/stacks/traefik.yml4
-rw-r--r--secrets.txt1
11 files changed, 82 insertions, 1 deletions
diff --git a/deploy.yml b/deploy.yml
index 5b245a3..f15c152 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -26,3 +26,6 @@
- name: Keepalived
ansible.builtin.import_playbook: playbooks/deploy-portainer.yml
+
+- name: Pihole
+ ansible.builtin.import_playbook: playbooks/deploy-pihole.yml
diff --git a/group_vars/pihole.yml b/group_vars/pihole.yml
new file mode 100644
index 0000000..e98d56d
--- /dev/null
+++ b/group_vars/pihole.yml
@@ -0,0 +1,6 @@
+---
+
+pihole_base: "{{ swarm_base }}/pihole"
+upstream_dns_servers:
+ - 1.1.1.1
+ - 1.0.0.1
diff --git a/inventory b/inventory
index 9e07919..d1abb62 100644
--- a/inventory
+++ b/inventory
@@ -34,3 +34,6 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh a
[traefik]
swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
+[pihole]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
diff --git a/playbooks/deploy-pihole.yml b/playbooks/deploy-pihole.yml
new file mode 100644
index 0000000..6a8b523
--- /dev/null
+++ b/playbooks/deploy-pihole.yml
@@ -0,0 +1,7 @@
+---
+
+- name: pihole setup
+ hosts: pihole
+ become: true
+ roles:
+ - pihole
diff --git a/playbooks/roles/pihole/tasks/main.yml b/playbooks/roles/pihole/tasks/main.yml
new file mode 100644
index 0000000..6990623
--- /dev/null
+++ b/playbooks/roles/pihole/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Build pihole compose dirs
+ ansible.builtin.file:
+ state: directory
+ dest: '{{ pihole_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'directory'
+
+- name: Build pihole compose files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ pihole_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'file'
+
+- name: Deploy Pihole stack
+ ansible.builtin.command:
+ cmd: "docker stack deploy -c {{ pihole_base }}/stacks/docker-compose.yml pihole"
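Review bot: The `Build pihole compose files` task renders `{{ pihole_webpwd }}` into `{{ pihole_base }}/stacks/docker-compose.yml` (the pihole compose template added in this commit) but sets no `mode`, so the rendered file's permissions depend on the remote umask and may end up group- or world-readable; add `mode: "0600"` to the `ansible.builtin.template` arguments, and consider `mode: "0700"` on the directory task if the whole tree is meant to stay private. `Deploy Pihole stack` goes through `ansible.builtin.command` with no `changed_when` or `creates`, so the play reports changed on every run even when the stack is unchanged; `changed_when: false` keeps the output honest, or `community.docker.docker_stack` gives an idempotent deploy if that collection is available. Presumably the sibling traefik role follows the same pattern, but it is outside this commit.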
diff --git a/playbooks/roles/pihole/templates/stacks/docker-compose.yml b/playbooks/roles/pihole/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..be3150e
--- /dev/null
+++ b/playbooks/roles/pihole/templates/stacks/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '3.2'
+
+services:
+ pihole:
+ image: pihole/pihole:latest
+ volumes:
+ - {{ pihole_base }}/volumes/pihole:/etc/pihole
+ - {{ pihole_base }}/volumes/dnsmasq:/etc/dnsmasq.d
+ environment:
+ - TZ={{ timezone }}
+ - FTLCONF_webserver_api_password={{ pihole_webpwd }}
+ - FTLCONF_dns_upstreams={{ upstream_dns_servers | join(';') }}
+ networks:
+ - proxy
+ deploy:
+ mode: replicated
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.piholeweb.tls=true
+ - traefik.http.routers.piholeweb.tls.certResolver=letsencrypt
+ - traefik.http.routers.piholeweb.rule=Host(`pihole.{{ traefik_domain }}`)
+ - traefik.http.routers.piholeweb.entrypoints=websecure
+ - traefik.http.services.piholeweb.loadbalancer.server.port=80
+ # 53/udp
+ - traefik.udp.routers.pihole-dns-udp.entrypoints=dns_udp
+ - traefik.udp.routers.pihole-dns-udp.service=pihole-dns-udp
+ - traefik.udp.services.pihole-dns-udp.loadbalancer.server.port=53
+ # 53/tcp
+ - traefik.tcp.routers.pihole-dns-tcp.rule=HostSNI(`*`)
+ - traefik.tcp.routers.pihole-dns-tcp.entrypoints=dns_tcp
+ - traefik.tcp.routers.pihole-dns-tcp.service=pihole-dns-tcp
+ - traefik.tcp.services.pihole-dns-tcp.loadbalancer.server.port=53
+
+networks:
+ proxy:
+ external: true
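Review bot: `image: pihole/pihole:latest` is unpinned, so each `docker stack deploy` may pull a different build and silently change what the stack runs; pin a tag or digest, e.g. `image: pihole/pihole:<pinned-version>` (placeholder). `FTLCONF_webserver_api_password={{ pihole_webpwd }}` places the admin password in the rendered compose file and in `docker service inspect` output for anyone with access to the swarm manager; a Docker secret mounted into the container would keep it out of the service spec if the image supports a file-based variant of this setting, which should be confirmed against the Pi-hole documentation before switching. The TCP router's wildcard HostSNI rule and the rule-less UDP router forward every query that reaches Traefik's 53 entrypoints to Pi-hole, so whether this is an open resolver depends on which interfaces those ports are reachable from and on Pi-hole's listening-mode setting — worth restricting at the host binding or firewall if the node is internet-facing.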
diff --git a/playbooks/roles/pihole/templates/volumes/dnsmasq/.gitkeep b/playbooks/roles/pihole/templates/volumes/dnsmasq/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/pihole/templates/volumes/dnsmasq/.gitkeep
diff --git a/playbooks/roles/pihole/templates/volumes/pihole/.gitkeep b/playbooks/roles/pihole/templates/volumes/pihole/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/pihole/templates/volumes/pihole/.gitkeep
diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
index 4504af9..9f999e3 100644
--- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
@@ -5,6 +5,8 @@ services:
ports:
- 80:80
- 443:443
+ - 53:53
+ - 53:53/udp
environment:
- TZ={{ timezone }}
- CF_API_EMAIL={{ cloudflare_email }}
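Review bot: `- 53:53` is an unquoted `xx:yy` scalar with both parts below 60, which YAML 1.1 parsers read as a base-60 integer (3233) instead of the string `53:53`; Docker's compose documentation recommends quoting port mappings for exactly this reason, so write `- "53:53"` (and `- "53:53/udp"` for consistency, although the `/udp` suffix already keeps that one a string). The existing `80:80` and `443:443` lines are unaffected because 80 and 443 are not valid base-60 digits. Publishing 53 in the default ingress mode also typically means Pi-hole logs the swarm ingress address rather than the real client IP; the long port syntax with `mode: host` preserves the source address if the query log matters, at the cost of tying the port to the node running Traefik.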
diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml
index feac37f..5dcb19e 100644
--- a/playbooks/roles/traefik/templates/stacks/traefik.yml
+++ b/playbooks/roles/traefik/templates/stacks/traefik.yml
@@ -16,8 +16,10 @@ entryPoints:
scheme: https
websecure:
address: ":443"
- dns:
+ dns_udp:
address: ":53/udp"
+ dns_tcp:
+ address: ":53/tcp"
serversTransport:
insecureSkipVerify: true
providers:
diff --git a/secrets.txt b/secrets.txt
index 1b142e1..f75cc8d 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -4,3 +4,4 @@ cloudflare_token
cloudflare_dns_api_token
cloudflare_email
ceph_secret
+pihole_webpwd