Ansible Playbook to set up PiHole with DNS-Over-HTTPS via cloudflared

pihole-dnsmasq-cloudflared.conf

server=127.0.0.1#5053

pihole-setupVars.conf

!!!!!!!!!!!!!!!
NOTE THIS IS A BASIC EXAMPLE OF A CONFIGURATION.
YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf 
THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG
!!!!!!!!!!!!!!!
PIHOLE_INTERFACE=ens192
IPV4_ADDRESS=10.1.1.250/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB=true
LIGHTTPD_ENABLED=1

pihole.yml

- hosts: pihole
  become: yes
  tasks:

  - include_role:
      name: bendews.cloudflared
    vars:
      cloudflared_port: 5053

  - name: create pihole directory
    file:
      path: /etc/pihole
      state: directory

  - name: copy pihole conf
    copy:
      src: pihole-setupVars.conf
      dest: /etc/pihole/setupVars.conf
    register: pihole_config

  - stat:
      path: /usr/local/bin/pihole
    register: pihole_binary
  
  - set_fact:
      pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}"

  - name: download install script
    get_url:
      url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
      dest: ~/pihole-install.sh
      mode: u+rwx
    when: not pihole_installed

  - name: run install script
    shell: ~/pihole-install.sh --unattended
    when: not pihole_installed

  - name: copy dnsmasq conf
    copy:
      src:  pihole-dnsmasq-cloudflared.conf
      dest: /etc/dnsmasq.d/50-cloudflared.conf
    register: dnsmasq_config

  - name: this should be done via a handler but is simplified for this gist
    set_fact:
      restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}"

  - name: restart dnsmasq service (this should be done via a handler but is simplified for this gist)
    service: 
      name: dnsmasq 
      enabled: true 
      state: restarted
    when: restart_dnsmasq

Is there any security lost from running the pihole script as root?

@TimeTravelersHackedMe yes, there always will be. PiHole talk about this on their page here

If you are looking for something similar to PiHole but with support built-in for DNS-Over-HTTPS look in to AdGuard Home. Alternatively if you just want a DNS server that will do DNS-Over-HTTPS I recommend CoreDNS.

@bendews, can you be more specific about where PiHole talks about security issues when running as root? I don't see anything related on the page you referenced.

Hi @jlagermann, I think we are discussing two different concepts.
Security concerns when running the PiHole installation script is discussed on that page via the links on piping to bash. They cover general risks and security practice of running software from public sources - running these as root elevates the risks highly but at the cost of convenience.
Running PiHole as root is not something I’m familiar with doing but would definitely discourage regardless.

@bendews A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo

Here's an Ansible task that will modify the sudoers to allow members of the sudo group to sudo without a password. When sudo prompts for a password, you enter your own password anyway. - name: Update sudoers lineinfile: path: /etc/sudoers state: present regexp: '%sudo ALL=\(ALL:ALL\) ALL' line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL' validate: '/usr/sbin/visudo -cf %s' This would allow Pi-hole to run as a non-privileged user and sudo without a password (as long as it is a member of the sudo group). Thank you, *James Lagermann* | Systems Engineer c: 636-575-7249 james.lagermann@corelight.com [image: Corelight] <https://app.salesforceiq.com/r?target=5e7232c4c9e77c0076f38131&t=AFwhZf1GBKQ82RfBl_ysPyfYtIb4-WUzgM9l0iNVWBIqb_rgJA6A_i_PiheVB7MySqXaf4jk7R3BN_1qqCJwESAmpTGqB3USK-m7p13jpRaw7yrTkQE7BefEBLoHXx0GG29WYKwQp0eW&url=https%3A%2F%2Fwww.corelight.com%2F>

…

On Tue, Jul 28, 2020 at 12:19 PM Brian Zalewski ***@***.***> wrote: *@TimeTravelersHackedMe* commented on this gist. ------------------------------ @bendews <https://github.com/bendews> A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/e09edfc60e581ec4c686c4b70297f543#gistcomment-3395212>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEO7LSXUJ727WPV625HNQW3R54CBXANCNFSM4K2MCKLA> .