Ansible Playbook to set up PiHole with DNS-Over-HTTPS via cloudflared
pihole-setupVars.conf (the file the playbook's "copy pihole conf" task installs; the warning lines are written as `#` comments so the file still sources cleanly when the installer reads it):

```ini
# !!!!!!!!!!!!!!!
# NOTE: THIS IS A BASIC EXAMPLE OF A CONFIGURATION.
# YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf
# THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG
# !!!!!!!!!!!!!!!
PIHOLE_INTERFACE=ens192
IPV4_ADDRESS=10.1.1.250/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB=true
LIGHTTPD_ENABLED=1
```
The playbook (indentation restored; the referenced `pihole-dnsmasq-cloudflared.conf` is not shown in the gist):

```yaml
- hosts: pihole
  become: yes
  tasks:
    - include_role:
        name: bendews.cloudflared
      vars:
        cloudflared_port: 5053
    - name: create pihole directory
      file:
        path: /etc/pihole
        state: directory
    - name: copy pihole conf
      copy:
        src: pihole-setupVars.conf
        dest: /etc/pihole/setupVars.conf
      register: pihole_config
    - stat:
        path: /usr/local/bin/pihole
      register: pihole_binary
    - set_fact:
        pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}"
    - name: download install script
      get_url:
        url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
        dest: ~/pihole-install.sh
        mode: u+rwx
      when: not pihole_installed
    - name: run install script
      shell: ~/pihole-install.sh --unattended
      when: not pihole_installed
    - name: copy dnsmasq conf
      copy:
        src: pihole-dnsmasq-cloudflared.conf
        dest: /etc/dnsmasq.d/50-cloudflared.conf
      register: dnsmasq_config
    - name: this should be done via a handler but is simplified for this gist
      set_fact:
        restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}"
    - name: restart dnsmasq service (this should be done via a handler but is simplified for this gist)
      service:
        name: dnsmasq
        enabled: true
        state: restarted
      when: restart_dnsmasq
```
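The playbook above fetches whatever `basic-install.sh` happens to be on `master` at run time and executes it as root for the whole play, which is the risk the comment thread below turns on. The following is an added example written for this page, not the gist author's playbook or anything from the Pi-hole project: the same flow, but the installer is fetched from a pinned tag and refused unless its SHA-256 matches a hash you computed yourself, root is requested only on the tasks that need it, and the resolver restart is a handler instead of the `set_fact` workaround. The tag, hash and `/usr/local/src` path are placeholders you must replace; the `server=127.0.0.1#5053` line is my assumed content for the dnsmasq drop-in the gist references but does not show; the `pihole_resolver_service` default keeps the gist's `dnsmasq`, but on Pi-hole v4 and later the resolver runs inside the `pihole-FTL` service, so adjust it for such hosts.

```yaml
# Added example: a hardened rewrite of the gist playbook (not the gist itself).
# (1) pinned tag + checksum for the installer, (2) per-task become,
# (3) handler-driven restart that only fires when a managed file changed.
- hosts: pihole
  become: false                      # no play-wide root
  vars:
    cloudflared_port: 5053
    # PLACEHOLDERS (assumptions): pin a release tag you reviewed and paste the
    # hash you computed from that exact file, e.g. with `sha256sum basic-install.sh`.
    pihole_tag: "vX.Y.Z"
    pihole_installer_url: "https://raw.githubusercontent.com/pi-hole/pi-hole/{{ pihole_tag }}/automated%20install/basic-install.sh"
    pihole_installer_sha256: "sha256:REPLACE_WITH_THE_HASH_YOU_VERIFIED"
    pihole_installer_path: /usr/local/src/pihole-basic-install.sh
    # Service owning the resolver. The gist restarts dnsmasq; on Pi-hole v4+
    # dnsmasq is embedded in pihole-FTL, so set this to pihole-FTL there.
    pihole_resolver_service: dnsmasq

  tasks:
    - name: install cloudflared as the local DoH proxy (same role the gist uses)
      import_role:
        name: bendews.cloudflared
      become: true                   # keywords on import_role apply to its tasks

    - name: create pihole directory
      file:
        path: /etc/pihole
        state: directory
        mode: "0755"
      become: true

    - name: copy pihole setupVars.conf (the file shown above)
      copy:
        src: pihole-setupVars.conf
        dest: /etc/pihole/setupVars.conf
        mode: "0644"
      become: true
      notify: restart resolver

    - name: download the installer from the pinned tag and verify its hash
      get_url:
        url: "{{ pihole_installer_url }}"
        dest: "{{ pihole_installer_path }}"
        checksum: "{{ pihole_installer_sha256 }}"   # the task fails on a mismatch
        mode: "0700"
      become: true

    - name: run the installer once (creates: replaces the stat/set_fact pair)
      command:
        cmd: "{{ pihole_installer_path }} --unattended"
        creates: /usr/local/bin/pihole
      become: true

    - name: point the resolver at the local cloudflared listener
      copy:
        # Assumed content of the gist's pihole-dnsmasq-cloudflared.conf:
        # forward all upstream queries to cloudflared on 127.0.0.1:5053.
        content: "server=127.0.0.1#{{ cloudflared_port }}\n"
        dest: /etc/dnsmasq.d/50-cloudflared.conf
        mode: "0644"
      become: true
      notify: restart resolver

  handlers:
    - name: restart resolver
      service:
        name: "{{ pihole_resolver_service }}"
        enabled: true
        state: restarted
      become: true
```

Because `become` is now scoped to individual tasks, the sudo password is supplied the normal Ansible way rather than by the script: run the play with `ansible-playbook -K` (`--ask-become-pass`), or set `ansible_become_password` for the host from an Ansible Vault-encrypted variable file. The `checksum` check is what turns "pipe a URL to bash" into "run the specific file I reviewed": if the upstream file changes, the download task fails before anything is executed.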
@TimeTravelersHackedMe TimeTravelersHackedMe commented Jul 28, 2020

Is there any security lost from running the pihole script as root?

@bendews bendews commented Jul 28, 2020

@TimeTravelersHackedMe yes, there always will be. PiHole talks about this on their page here

If you are looking for something similar to PiHole but with built-in support for DNS-Over-HTTPS, look into AdGuard Home. Alternatively, if you just want a DNS server that will do DNS-Over-HTTPS, I recommend CoreDNS.

@jlagermann jlagermann commented Jul 28, 2020

@bendews, can you be more specific about where PiHole talks about security issues when running as root? I don't see anything related on the page you referenced.

@bendews bendews commented Jul 28, 2020

Hi @jlagermann, I think we are discussing two different concepts.
Security concerns when running the PiHole installation script are discussed on that page via the links on piping to bash. They cover general risks and security practice of running software from public sources; running these as root elevates the risks highly, but at the cost of convenience.
Running PiHole as root is not something I'm familiar with doing, but I would definitely discourage it regardless.

@TimeTravelersHackedMe TimeTravelersHackedMe commented Jul 28, 2020

@bendews A follow-up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. how can we run the PiHole script without `become: yes` but still enter the password when PiHole runs a command with sudo?

@jlagermann jlagermann commented Jul 28, 2020
