--- - name: install and configure pihole and dns over tls hosts: pihole vars: become: false pre_tasks: - name: Load variables ansible.builtin.include_vars: '{{ item }}' with_first_found: - "vars/default.yml" tasks: - name: install required dependencies ansible.builtin.apt: pkg: - python3 - python3-pip - libaugeas0 - nginx - libnginx-mod-stream state: present - name: install dependencies Debian 12 ansible.builtin.apt: pkg: - php-fpm - php-cgi - php-xml - php-sqlite3 - php-intl - python3-virtualenv state: present when: ansible_distribution_major_version == "12" - name: Install dependencies Debian 11 and below ansible.builtin.apt: pkg: - php7.4-fpm - php7.4-cgi - php7.4-xml - php7.4-sqlite3 - php7.4-intl state: present when: ansible_distribution_major_version < "12" - name: install virtualenv via pip3 ansible.builtin.pip: name: virtualenv state: present when: ansible_distribution_major_version < "12" - name: install certbot via pip3 ansible.builtin.pip: name: certbot virtualenv: /opt/certbot/ state: present - name: install certbot via pip3 ansible.builtin.pip: name: certbot-nginx virtualenv: /opt/certbot/ state: present - name: stop lighttpd, so that certbot can run ansible.builtin.systemd_service: name: lighttpd state: stopped - name: stop nginx, so that certbot can run ansible.builtin.systemd_service: name: nginx state: stopped - name: link certbot to /usr/bin ansible.builtin.shell: cmd: | ln -s /opt/certbot/bin/certbot /usr/bin/certbot creates: /usr/bin/certbot - name: run certbot cert grab ansible.builtin.shell: cmd: | sudo certbot certonly --standalone -m "{{ DNSEMAIL }}" -d "{{ DNSDOMAIN }}" -n --agree-tos --no-eff-email --preferred-chain="ISRG Root X1" - name: configure nginx for streams ansible.builtin.blockinfile: content: | stream { include /etc/nginx/streams/*; } path: /etc/nginx/nginx.conf - name: remove default site nginx ansible.builtin.file: state: absent path: /etc/nginx/sites-enabled/default - name: create new config for pihol configuration ansible.builtin.blockinfile: content: | server { listen 80; listen 443 ssl; listen [::]:80; listen [::]:443 ssl; ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot root /var/www/html; server_name {{ DNSDOMAIN }}; autoindex off; index pihole/index.php index.php index.html index.htm; location / { expires max; } location ~ \.php$ { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; fastcgi_pass unix:/run/php/php7.4-fpm.sock; fastcgi_param FQDN true; } location /*.js { index pihole/index.js; } location /admin { root /var/www/html; index index.php index.html index.htm; } location ~ /\.ht { deny all; } } path: /etc/nginx/sites-enabled/dnsovertls.conf create: true - name: create new config for pihol configuration debian 12 ansible.builtin.blockinfile: content: | server { listen 80; listen 443 ssl; listen [::]:80; listen [::]:443 ssl; ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot root /var/www/html; server_name {{ DNSDOMAIN }}; autoindex off; index pihole/index.php index.php index.html index.htm; location / { expires max; } location ~ \.php$ { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; fastcgi_pass unix:/run/php/php7.4-fpm.sock; fastcgi_param FQDN true; } location /*.js { index pihole/index.js; } location /admin { root /var/www/html; index index.php index.html index.htm; } location ~ /\.ht { deny all; } } path: /etc/nginx/sites-enabled/dnsovertls.conf create: true when: ansible_distribution_major_version == "12" - name: configure nginx stream for android privatedns ansible.builtin.blockinfile: content: | upstream dns-servers { server 127.0.0.1:53; server [::1]:53; } server { listen [::]:853 ssl; listen 853 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_handshake_timeout 10s; ssl_session_cache shared:SSL:20m; ssl_session_timeout 4h; proxy_pass dns-servers; } path: /etc/nginx/streams/dnsovertls.conf create: true - name: Start nginx ansible.builtin.systemd_service: name: php7.4-fpm state: restarted enabled: true when: ansible_distribution_major_version < "12" - name: Start nginx ansible.builtin.systemd_service: name: php8.2-fpm state: restarted enabled: true when: ansible_distribution_major_version == "12" - name: Start nginx ansible.builtin.systemd_service: name: nginx state: restarted enabled: true