diff --git a/ansible/dev-requirements.txt b/ansible/dev-requirements.txt index 6b182f6..66548f2 100644 --- a/ansible/dev-requirements.txt +++ b/ansible/dev-requirements.txt @@ -1,3 +1,4 @@ ansible-lint==6.22.1 yamllint==1.33.0 ansible +passlib diff --git a/ansible/main.yml b/ansible/main.yml index e34444d..c5cd2af 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -129,7 +129,7 @@ - hosts: tang roles: - - pihole + - adguardhome - role: prometheus.prometheus.node_exporter become: true diff --git a/ansible/roles/adguardhome/files/adguardhome.yml b/ansible/roles/adguardhome/files/adguardhome.yml new file mode 100644 index 0000000..2b20673 --- /dev/null +++ b/ansible/roles/adguardhome/files/adguardhome.yml @@ -0,0 +1,176 @@ +http: + pprof: + port: 6060 + enabled: false + address: 0.0.0.0:80 + session_ttl: 720h +users: + - name: jake + password: "{{ vault_adguardhome_password | password_hash('bcrypt', 'A' * 22) }}" +auth_attempts: 5 +block_auth_min: 15 +http_proxy: "" +language: en +theme: auto +dns: + bind_hosts: + - 0.0.0.0 + port: 53 + anonymize_client_ip: false + ratelimit: 20 + ratelimit_subnet_len_ipv4: 24 + ratelimit_subnet_len_ipv6: 56 + ratelimit_whitelist: [] + refuse_any: true + upstream_dns: + - tls://dns10.quad9.net + upstream_dns_file: "" + bootstrap_dns: + - 9.9.9.10 + - 149.112.112.10 + - 2620:fe::10 + - 2620:fe::fe:10 + fallback_dns: [] + all_servers: false + fastest_addr: false + fastest_timeout: 1s + allowed_clients: [] + disallowed_clients: [] + blocked_hosts: + - version.bind + - id.server + - hostname.bind + trusted_proxies: + - 127.0.0.0/8 + - ::1/128 + cache_size: 4194304 + cache_ttl_min: 0 + cache_ttl_max: 0 + cache_optimistic: false + bogus_nxdomain: [] + aaaa_disabled: false + enable_dnssec: false + edns_client_subnet: + custom_ip: "" + enabled: false + use_custom: false + max_goroutines: 300 + handle_ddr: true + ipset: [] + ipset_file: "" + bootstrap_prefer_ipv6: false + upstream_timeout: 10s + private_networks: [] + use_private_ptr_resolvers: true + local_ptr_upstreams: [] + use_dns64: false + dns64_prefixes: [] + serve_http3: false + use_http3_upstreams: false + serve_plain_dns: true +tls: + enabled: false + server_name: "" + force_https: false + port_https: 443 + port_dns_over_tls: 853 + port_dns_over_quic: 853 + port_dnscrypt: 0 + dnscrypt_config_file: "" + allow_unencrypted_doh: false + certificate_chain: "" + private_key: "" + certificate_path: "" + private_key_path: "" + strict_sni_check: false +querylog: + ignored: [] + interval: 720h + size_memory: 1000 + enabled: true + file_enabled: true +statistics: + ignored: [] + interval: 168h + enabled: true +filters: + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt + name: AdGuard DNS filter + id: 1 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt + name: AdAway Default Blocklist + id: 2 +whitelist_filters: [] +user_rules: [] +dhcp: + enabled: true + interface_name: enp2s0 + local_domain_name: lan + dhcpv4: + gateway_ip: 192.168.1.1 + subnet_mask: 255.255.252.0 + range_start: 192.168.1.10 + range_end: 192.168.1.199 + lease_duration: 86400 + icmp_timeout_msec: 1000 + options: [] + dhcpv6: + range_start: "" + lease_duration: 86400 + ra_slaac_only: false + ra_allow_slaac: false +filtering: + blocking_ipv4: "" + blocking_ipv6: "" + blocked_services: + schedule: + time_zone: Local + ids: [] + protection_disabled_until: null + safe_search: + enabled: false + bing: true + duckduckgo: true + google: true + pixabay: true + yandex: true + youtube: true + blocking_mode: default + parental_block_host: family-block.dns.adguard.com + safebrowsing_block_host: standard-block.dns.adguard.com + rewrites: + - domain: pve.sys.theorangeone.net + answer: "{{ pve_hosts.ingress.external_ip }}" + safebrowsing_cache_size: 1048576 + safesearch_cache_size: 1048576 + parental_cache_size: 1048576 + cache_time: 30 + filters_update_interval: 24 + blocked_response_ttl: 10 + filtering_enabled: true + parental_enabled: false + safebrowsing_enabled: false + protection_enabled: true +clients: + runtime_sources: + whois: true + arp: true + rdns: true + dhcp: true + hosts: true + persistent: [] +log: + file: "" + max_backups: 0 + max_size: 100 + max_age: 3 + compress: false + local_time: false + verbose: false +os: + group: "" + user: "" + rlimit_nofile: 0 +schema_version: 27 diff --git a/ansible/roles/adguardhome/handlers/main.yml b/ansible/roles/adguardhome/handlers/main.yml new file mode 100644 index 0000000..2577cfb --- /dev/null +++ b/ansible/roles/adguardhome/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart adguardhome + service: + name: adguardhome + state: restarted + become: true diff --git a/ansible/roles/adguardhome/tasks/main.yml b/ansible/roles/adguardhome/tasks/main.yml new file mode 100644 index 0000000..f3fcb64 --- /dev/null +++ b/ansible/roles/adguardhome/tasks/main.yml @@ -0,0 +1,17 @@ +- name: Include vault + include_vars: vault.yml + +- name: Install adguardhome + kewlfft.aur.aur: + name: adguardhome-bin + become: true + +- name: Install config file + template: + src: files/adguardhome.yml + dest: /var/lib/adguardhome/AdGuardHome.yaml + validate: /var/lib/adguardhome/AdGuardHome --check-config --config %s + owner: root + mode: "0600" + notify: restart adguardhome + become: true diff --git a/ansible/roles/adguardhome/vars/vault.yml b/ansible/roles/adguardhome/vars/vault.yml new file mode 100644 index 0000000..2395852 --- /dev/null +++ b/ansible/roles/adguardhome/vars/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +33623662646661366339613865663836343531336662626131323033666535636165333961646439 +3764313866316331343539663336346263633236663135340a383262396663356635656439346563 +63376662386539373639656237353964626534376536363832303764643565396635663536663938 +3935363734393839610a353862623739396336323030373539363963616232663130336262316365 +34653237383665343063666437653633363134336638346338326366363934613334666663383762 +32633964376464613163376363326465353939623838333033363038323235623035396661323963 +39646161623333386237393433376438363962643064363730336530313462323638646332353535 +37623132616563373737633066303664376361613032366230353662393161356463316234363366 +6433 diff --git a/ansible/roles/forrest/files/prometheus/prometheus.yml b/ansible/roles/forrest/files/prometheus/prometheus.yml index d8f606a..6829bf8 100644 --- a/ansible/roles/forrest/files/prometheus/prometheus.yml +++ b/ansible/roles/forrest/files/prometheus/prometheus.yml @@ -141,7 +141,7 @@ scrape_configs: static_configs: - targets: - "{{ pve_hosts.pve.ip }}:9100" - - pi.hole:9100 + - 192.168.1.53:9100 # adguardhome metric_relabel_configs: - source_labels: [__name__] regex: go_.+ diff --git a/ansible/roles/pihole/files/internal-alias.conf b/ansible/roles/pihole/files/internal-alias.conf deleted file mode 100644 index 2cf7993..0000000 --- a/ansible/roles/pihole/files/internal-alias.conf +++ /dev/null @@ -1 +0,0 @@ -alias={{ vps_hosts.casey_ip }},{{ pve_hosts.ingress.external_ip }} diff --git a/ansible/roles/pihole/files/setup-vars.conf b/ansible/roles/pihole/files/setup-vars.conf deleted file mode 100644 index 7ebd0de..0000000 --- a/ansible/roles/pihole/files/setup-vars.conf +++ /dev/null @@ -1,34 +0,0 @@ -PIHOLE_INTERFACE=eth0 -QUERY_LOGGING=false -INSTALL_WEB_SERVER=true -INSTALL_WEB_INTERFACE=true -LIGHTTPD_ENABLED=true -CACHE_SIZE=10000 -DNS_FQDN_REQUIRED=true -DNS_BOGUS_PRIV=true -DNSMASQ_LISTENING=bind -WEBPASSWORD={{ vault_pihole_web_password | hash("sha256") | hash("sha256") }} -BLOCKING_ENABLED=true -DNSSEC=false -REV_SERVER=false -DHCP_ACTIVE=true -DHCP_START=192.168.1.10 -DHCP_END=192.168.1.199 -DHCP_ROUTER=192.168.1.1 -DHCP_LEASETIME=24 -PIHOLE_DOMAIN=lan -DHCP_IPv6=true -DHCP_rapid_commit=false -PIHOLE_DNS_1=9.9.9.9 -PIHOLE_DNS_2=149.112.112.112 -PIHOLE_DNS_3=2620:fe::fe -PIHOLE_DNS_4=2620:fe::9 -PIHOLE_DNS_5=9.9.9.10 -PIHOLE_DNS_6=149.112.112.10 -PIHOLE_DNS_7=2620:fe::10 -PIHOLE_DNS_8=2620:fe::fe:10 -PIHOLE_DNS_9=9.9.9.11 -PIHOLE_DNS_10=149.112.112.11 -PIHOLE_DNS_11=2620:fe::11 -PIHOLE_DNS_12=2620:fe::fe:11 -TEMPERATUREUNIT=C diff --git a/ansible/roles/pihole/handlers/main.yml b/ansible/roles/pihole/handlers/main.yml deleted file mode 100644 index 2e4a1d1..0000000 --- a/ansible/roles/pihole/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: restart pihole FTL - service: - name: pihole-FTL - state: restarted - become: true diff --git a/ansible/roles/pihole/tasks/main.yml b/ansible/roles/pihole/tasks/main.yml deleted file mode 100644 index f2c8e74..0000000 --- a/ansible/roles/pihole/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Include vault - include_vars: vault.yml - -- name: Install internal alias config - template: - src: files/internal-alias.conf - dest: /etc/dnsmasq.d/internal-alias.conf - mode: "644" - notify: restart pihole FTL - become: true - -- name: Install pihole config - template: - src: files/setup-vars.conf - dest: /etc/pihole/setupVars.conf - mode: "644" - notify: restart pihole FTL - become: true diff --git a/ansible/roles/pihole/vars/vault.yml b/ansible/roles/pihole/vars/vault.yml deleted file mode 100644 index 73fe04d..0000000 --- a/ansible/roles/pihole/vars/vault.yml +++ /dev/null @@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -66636263396334636539636365646537653432613831363035306465623566623636623464326562 -3335626466373839346639653537363162623664333432340a383061366238386564346265353835 -35373961616632643831363864643436383031383231346338353735633134383539613533663935 -3766666364623362630a633564343038316131306561363730663930393234303839613565373336 -61366230326239336635316366363238633061313138303132663563613131383033366661313165 -66353961343234643536336531313734336331643938666631616665316133386233303633663032 -62633733646131396634343932636561306636323635323536353562626334653866343337613336 -61633136303336633966