Replace pihole with adguardhome

AGH is much simpler to install and manage, and does DoH natively.

ansible/dev-requirements.txt

@@ -1,3 +1,4 @@
 ansible-lint==6.22.1
 yamllint==1.33.0
 ansible
+passlib

ansible/main.yml

@@ -129,7 +129,7 @@
 
 - hosts: tang
   roles:
-    - pihole
+    - adguardhome
     - role: prometheus.prometheus.node_exporter
       become: true
 

ansible/roles/adguardhome/files/adguardhome.yml

@@ -0,0 +1,176 @@
+http:
+  pprof:
+    port: 6060
+    enabled: false
+  address: 0.0.0.0:80
+  session_ttl: 720h
+users:
+  - name: jake
+    password: "{{ vault_adguardhome_password | password_hash('bcrypt', 'A' * 22) }}"
+auth_attempts: 5
+block_auth_min: 15
+http_proxy: ""
+language: en
+theme: auto
+dns:
+  bind_hosts:
+    - 0.0.0.0
+  port: 53
+  anonymize_client_ip: false
+  ratelimit: 20
+  ratelimit_subnet_len_ipv4: 24
+  ratelimit_subnet_len_ipv6: 56
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+    - tls://dns10.quad9.net
+  upstream_dns_file: ""
+  bootstrap_dns:
+    - 9.9.9.10
+    - 149.112.112.10
+    - 2620:fe::10
+    - 2620:fe::fe:10
+  fallback_dns: []
+  all_servers: false
+  fastest_addr: false
+  fastest_timeout: 1s
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts:
+    - version.bind
+    - id.server
+    - hostname.bind
+  trusted_proxies:
+    - 127.0.0.0/8
+    - ::1/128
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  cache_optimistic: false
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet:
+    custom_ip: ""
+    enabled: false
+    use_custom: false
+  max_goroutines: 300
+  handle_ddr: true
+  ipset: []
+  ipset_file: ""
+  bootstrap_prefer_ipv6: false
+  upstream_timeout: 10s
+  private_networks: []
+  use_private_ptr_resolvers: true
+  local_ptr_upstreams: []
+  use_dns64: false
+  dns64_prefixes: []
+  serve_http3: false
+  use_http3_upstreams: false
+  serve_plain_dns: true
+tls:
+  enabled: false
+  server_name: ""
+  force_https: false
+  port_https: 443
+  port_dns_over_tls: 853
+  port_dns_over_quic: 853
+  port_dnscrypt: 0
+  dnscrypt_config_file: ""
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: ""
+  private_key_path: ""
+  strict_sni_check: false
+querylog:
+  ignored: []
+  interval: 720h
+  size_memory: 1000
+  enabled: true
+  file_enabled: true
+statistics:
+  ignored: []
+  interval: 168h
+  enabled: true
+filters:
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+    name: AdGuard DNS filter
+    id: 1
+  - enabled: true
+    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+    name: AdAway Default Blocklist
+    id: 2
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: true
+  interface_name: enp2s0
+  local_domain_name: lan
+  dhcpv4:
+    gateway_ip: 192.168.1.1
+    subnet_mask: 255.255.252.0
+    range_start: 192.168.1.10
+    range_end: 192.168.1.199
+    lease_duration: 86400
+    icmp_timeout_msec: 1000
+    options: []
+  dhcpv6:
+    range_start: ""
+    lease_duration: 86400
+    ra_slaac_only: false
+    ra_allow_slaac: false
+filtering:
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_services:
+    schedule:
+      time_zone: Local
+    ids: []
+  protection_disabled_until: null
+  safe_search:
+    enabled: false
+    bing: true
+    duckduckgo: true
+    google: true
+    pixabay: true
+    yandex: true
+    youtube: true
+  blocking_mode: default
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  rewrites:
+    - domain: pve.sys.theorangeone.net
+      answer: "{{ pve_hosts.ingress.external_ip }}"
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  filters_update_interval: 24
+  blocked_response_ttl: 10
+  filtering_enabled: true
+  parental_enabled: false
+  safebrowsing_enabled: false
+  protection_enabled: true
+clients:
+  runtime_sources:
+    whois: true
+    arp: true
+    rdns: true
+    dhcp: true
+    hosts: true
+  persistent: []
+log:
+  file: ""
+  max_backups: 0
+  max_size: 100
+  max_age: 3
+  compress: false
+  local_time: false
+  verbose: false
+os:
+  group: ""
+  user: ""
+  rlimit_nofile: 0
+schema_version: 27

ansible/roles/adguardhome/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart adguardhome
+  service:
+    name: adguardhome
+    state: restarted
+  become: true

ansible/roles/adguardhome/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install adguardhome
+  kewlfft.aur.aur:
+    name: adguardhome-bin
+  become: true
+
+- name: Install config file
+  template:
+    src: files/adguardhome.yml
+    dest: /var/lib/adguardhome/AdGuardHome.yaml
+    validate: /var/lib/adguardhome/AdGuardHome --check-config --config %s
+    owner: root
+    mode: "0600"
+  notify: restart adguardhome
+  become: true

ansible/roles/adguardhome/vars/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623662646661366339613865663836343531336662626131323033666535636165333961646439
+3764313866316331343539663336346263633236663135340a383262396663356635656439346563
+63376662386539373639656237353964626534376536363832303764643565396635663536663938
+3935363734393839610a353862623739396336323030373539363963616232663130336262316365
+34653237383665343063666437653633363134336638346338326366363934613334666663383762
+32633964376464613163376363326465353939623838333033363038323235623035396661323963
+39646161623333386237393433376438363962643064363730336530313462323638646332353535
+37623132616563373737633066303664376361613032366230353662393161356463316234363366
+6433

ansible/roles/forrest/files/prometheus/prometheus.yml

@@ -141,7 +141,7 @@ scrape_configs:
     static_configs:
       - targets:
           - "{{ pve_hosts.pve.ip }}:9100"
-          - pi.hole:9100
+          - 192.168.1.53:9100  # adguardhome
     metric_relabel_configs:
       - source_labels: [__name__]
         regex: go_.+

ansible/roles/pihole/files/internal-alias.conf

@@ -1 +0,0 @@
-alias={{ vps_hosts.casey_ip }},{{ pve_hosts.ingress.external_ip }}

ansible/roles/pihole/files/setup-vars.conf

@@ -1,34 +0,0 @@
-PIHOLE_INTERFACE=eth0
-QUERY_LOGGING=false
-INSTALL_WEB_SERVER=true
-INSTALL_WEB_INTERFACE=true
-LIGHTTPD_ENABLED=true
-CACHE_SIZE=10000
-DNS_FQDN_REQUIRED=true
-DNS_BOGUS_PRIV=true
-DNSMASQ_LISTENING=bind
-WEBPASSWORD={{ vault_pihole_web_password | hash("sha256") | hash("sha256") }}
-BLOCKING_ENABLED=true
-DNSSEC=false
-REV_SERVER=false
-DHCP_ACTIVE=true
-DHCP_START=192.168.1.10
-DHCP_END=192.168.1.199
-DHCP_ROUTER=192.168.1.1
-DHCP_LEASETIME=24
-PIHOLE_DOMAIN=lan
-DHCP_IPv6=true
-DHCP_rapid_commit=false
-PIHOLE_DNS_1=9.9.9.9
-PIHOLE_DNS_2=149.112.112.112
-PIHOLE_DNS_3=2620:fe::fe
-PIHOLE_DNS_4=2620:fe::9
-PIHOLE_DNS_5=9.9.9.10
-PIHOLE_DNS_6=149.112.112.10
-PIHOLE_DNS_7=2620:fe::10
-PIHOLE_DNS_8=2620:fe::fe:10
-PIHOLE_DNS_9=9.9.9.11
-PIHOLE_DNS_10=149.112.112.11
-PIHOLE_DNS_11=2620:fe::11
-PIHOLE_DNS_12=2620:fe::fe:11
-TEMPERATUREUNIT=C

ansible/roles/pihole/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart pihole FTL
-  service:
-    name: pihole-FTL
-    state: restarted
-  become: true

ansible/roles/pihole/tasks/main.yml

@@ -1,18 +0,0 @@
-- name: Include vault
-  include_vars: vault.yml
-
-- name: Install internal alias config
-  template:
-    src: files/internal-alias.conf
-    dest: /etc/dnsmasq.d/internal-alias.conf
-    mode: "644"
-  notify: restart pihole FTL
-  become: true
-
-- name: Install pihole config
-  template:
-    src: files/setup-vars.conf
-    dest: /etc/pihole/setupVars.conf
-    mode: "644"
-  notify: restart pihole FTL
-  become: true

ansible/roles/pihole/vars/vault.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66636263396334636539636365646537653432613831363035306465623566623636623464326562
-3335626466373839346639653537363162623664333432340a383061366238386564346265353835
-35373961616632643831363864643436383031383231346338353735633134383539613533663935
-3766666364623362630a633564343038316131306561363730663930393234303839613565373336
-61366230326239336635316366363238633061313138303132663563613131383033366661313165
-66353961343234643536336531313734336331643938666631616665316133386233303633663032
-62633733646131396634343932636561306636323635323536353562626334653866343337613336
-61633136303336633966