Skip to content

Instantly share code, notes, and snippets.

@bendews
Created April 5, 2018 09:17
Show Gist options
  • Save bendews/e09edfc60e581ec4c686c4b70297f543 to your computer and use it in GitHub Desktop.
Save bendews/e09edfc60e581ec4c686c4b70297f543 to your computer and use it in GitHub Desktop.
Ansible Playbook to set up PiHole with DNS-Over-HTTPS via cloudflared
!!!!!!!!!!!!!!!
NOTE THIS IS A BASIC EXAMPLE OF A CONFIGURATION.
YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf
THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG
!!!!!!!!!!!!!!!
PIHOLE_INTERFACE=ens192
IPV4_ADDRESS=10.1.1.250/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB=true
LIGHTTPD_ENABLED=1
- hosts: pihole
become: yes
tasks:
- include_role:
name: bendews.cloudflared
vars:
cloudflared_port: 5053
- name: create pihole directory
file:
path: /etc/pihole
state: directory
- name: copy pihole conf
copy:
src: pihole-setupVars.conf
dest: /etc/pihole/setupVars.conf
register: pihole_config
- stat:
path: /usr/local/bin/pihole
register: pihole_binary
- set_fact:
pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}"
- name: download install script
get_url:
url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
dest: ~/pihole-install.sh
mode: u+rwx
when: not pihole_installed
- name: run install script
shell: ~/pihole-install.sh --unattended
when: not pihole_installed
- name: copy dnsmasq conf
copy:
src: pihole-dnsmasq-cloudflared.conf
dest: /etc/dnsmasq.d/50-cloudflared.conf
register: dnsmasq_config
- name: this should be done via a handler but is simplified for this gist
set_fact:
restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}"
- name: restart dnsmasq service (this should be done via a handler but is simplified for this gist)
service:
name: dnsmasq
enabled: true
state: restarted
when: restart_dnsmasq
@TimeTravelersHackedMe
Copy link

Is there any security lost from running the pihole script as root?

@bendews
Copy link
Author

bendews commented Jul 28, 2020

@TimeTravelersHackedMe yes, there always will be. PiHole talk about this on their page here

If you are looking for something similar to PiHole but with support built-in for DNS-Over-HTTPS look in to AdGuard Home. Alternatively if you just want a DNS server that will do DNS-Over-HTTPS I recommend CoreDNS.

@jlagermann
Copy link

@bendews, can you be more specific about where PiHole talks about security issues when running as root? I don't see anything related on the page you referenced.

@bendews
Copy link
Author

bendews commented Jul 28, 2020

Hi @jlagermann, I think we are discussing two different concepts.
Security concerns when running the PiHole installation script is discussed on that page via the links on piping to bash. They cover general risks and security practice of running software from public sources - running these as root elevates the risks highly but at the cost of convenience.
Running PiHole as root is not something I’m familiar with doing but would definitely discourage regardless.

@TimeTravelersHackedMe
Copy link

@bendews A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo

@jlagermann
Copy link

jlagermann commented Jul 28, 2020 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment