expand/pihole-dnsovertls
1
0
Fork 0
mirror of https://github.com/Expand-sys/pihole-dnsovertls synced 2025-12-15 15:02:13 +11:00
Code Issues Projects Releases Packages Wiki Activity Actions
pihole-dnsovertls/main.ansible.yml
Expand-sys 256f652a3f
Update main.ansible.yml
2024-07-17 19:16:46 +10:00

246 lines
7.1 KiB
YAML
Raw Permalink Blame History

---
- name: install and configure pihole and dns over tls
hosts: pihole
vars:
become: false
pre_tasks:
- name: Load variables
ansible.builtin.include_vars: '{{ item }}'
with_first_found:
- "vars/default.yml"
tasks:
- name: install required dependencies
ansible.builtin.apt:
pkg:
- python3
- python3-pip
- libaugeas0
- nginx
- libnginx-mod-stream
state: present
- name: install dependencies Debian 12
ansible.builtin.apt:
pkg:
- php-fpm
- php-cgi
- php-xml
- php-sqlite3
- php-intl
- python3-virtualenv
state: present
when: ansible_distribution_major_version == "12"
- name: Install dependencies Debian 11 and below
ansible.builtin.apt:
pkg:
- php7.4-fpm
- php7.4-cgi
- php7.4-xml
- php7.4-sqlite3
- php7.4-intl
state: present
when: ansible_distribution_major_version < "12"
- name: install virtualenv via pip3
ansible.builtin.pip:
name: virtualenv
state: present
when: ansible_distribution_major_version < "12"
- name: install certbot via pip3
ansible.builtin.pip:
name: certbot
virtualenv: /opt/certbot/
state: present
- name: install certbot via pip3
ansible.builtin.pip:
name: certbot-nginx
virtualenv: /opt/certbot/
state: present
- name: Check if lighttpd is installed
ansible.builtin.stat:
path: /usr/sbin/lighttpd
register: lightinstalled
- name: stop lighttpd, so that certbot can run
ansible.builtin.systemd_service:
name: lighttpd
state: stopped
when: lightinstalled.stat.exists is true
- name: stop nginx, so that certbot can run
ansible.builtin.systemd_service:
name: nginx
state: stopped
- name: link certbot to /usr/bin
ansible.builtin.shell:
cmd: |
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
creates: /usr/bin/certbot
- name: run certbot cert grab
ansible.builtin.shell:
cmd: |
sudo systemctl stop nginx && sudo certbot certonly --standalone -m "{{ DNSEMAIL }}" -d "{{ DNSDOMAIN }}" -n --agree-tos --no-eff-email --preferred-chain="ISRG Root X1"
- name: configure nginx for streams
ansible.builtin.blockinfile:
content: |
stream {
include /etc/nginx/streams/*;
}
path: /etc/nginx/nginx.conf
- name: remove default site nginx
ansible.builtin.file:
state: absent
path: /etc/nginx/sites-enabled/default
- name: create new config for pihol configuration
ansible.builtin.blockinfile:
content: |
server {
listen 80;
listen 443 ssl;
listen [::]:80;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot
root /var/www/html;
server_name {{ DNSDOMAIN }};
autoindex off;
index pihole/index.php index.php index.html index.htm;
location / {
expires max;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param FQDN true;
}
location /*.js {
index pihole/index.js;
}
location /admin {
root /var/www/html;
index index.php index.html index.htm;
}
location ~ /\.ht {
deny all;
}
}
path: /etc/nginx/sites-enabled/dnsovertls.conf
create: true
- name: create new config for pihol configuration debian 12
ansible.builtin.blockinfile:
content: |
server {
listen 80;
listen 443 ssl;
listen [::]:80;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot
root /var/www/html;
server_name {{ DNSDOMAIN }};
autoindex off;
index pihole/index.php index.php index.html index.htm;
location / {
expires max;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param FQDN true;
}
location /*.js {
index pihole/index.js;
}
location /admin {
root /var/www/html;
index index.php index.html index.htm;
}
location ~ /\.ht {
deny all;
}
}
path: /etc/nginx/sites-enabled/dnsovertls.conf
create: true
when: ansible_distribution_major_version == "12"
- name: configure nginx stream for android privatedns
ansible.builtin.blockinfile:
content: |
upstream dns-servers {
server 127.0.0.1:53;
server [::1]:53;
}
server {
listen [::]:853 ssl;
listen 853 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{ DNSDOMAIN }}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{ DNSDOMAIN }}/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns-servers;
}
path: /etc/nginx/streams/dnsovertls.conf
create: true
- name: Start nginx
ansible.builtin.systemd_service:
name: php7.4-fpm
state: restarted
enabled: true
when: ansible_distribution_major_version < "12"
- name: Start nginx
ansible.builtin.systemd_service:
name: php8.2-fpm
state: restarted
enabled: true
when: ansible_distribution_major_version == "12"
- name: Start nginx
ansible.builtin.systemd_service:
name: nginx
state: restarted
enabled: true
- name: Add a cron job to run a script once a month
cron:
name: "Certbot Renew"
job: "sudo certbot certonly --standalone -m '{{ DNSEMAIL }}' -d '{{ DNSDOMAIN }}' -n --agree-tos --no-eff-email --preferred-chain='ISRG Root X1' && systemctl restart nginx"
user: "root"
minute: "0"
hour: "12"
day: "1"
Reference in a new issue View git blame Copy permalink