Diffstat (limited to 'roles/pihole')
-rw-r--r-- | roles/pihole/defaults/main.yaml | 8 | ||||
-rw-r--r-- | roles/pihole/files/pihole.service | 14 | ||||
-rw-r--r-- | roles/pihole/files/pihole/.helmignore | 23 | ||||
-rw-r--r-- | roles/pihole/files/pihole/Chart.yaml | 6 | ||||
-rw-r--r-- | roles/pihole/files/pihole/templates/deployment.yaml | 37 | ||||
-rw-r--r-- | roles/pihole/files/pihole/templates/ingress.yaml | 34 | ||||
-rw-r--r-- | roles/pihole/files/pihole/templates/pv.yaml | 16 | ||||
-rw-r--r-- | roles/pihole/files/pihole/templates/pvc.yaml | 14 | ||||
-rw-r--r-- | roles/pihole/files/pihole/templates/service.yaml | 21 | ||||
-rw-r--r-- | roles/pihole/tasks/k8s.yaml | 15 | ||||
-rw-r--r-- | roles/pihole/tasks/main.yaml | 10 | ||||
-rw-r--r-- | roles/pihole/tasks/pihole.yaml | 73 | ||||
-rw-r--r-- | roles/pihole/templates/pihole.yaml.j2 | 20 |
13 files changed, 291 insertions, 0 deletions
diff --git a/roles/pihole/defaults/main.yaml b/roles/pihole/defaults/main.yaml
new file mode 100644
index 0000000..d31e2f0
--- /dev/null
+++ b/roles/pihole/defaults/main.yaml
@@ -0,0 +1,8 @@
+pihole:
+ enabled: false
+ baremetal: false
+ version: 2025.02.6
+ replicas: 1
+ image: pihole/pihole
+nfs:
+ path: "/mnt/nfs/k3s/pihole"
diff --git a/roles/pihole/files/pihole.service b/roles/pihole/files/pihole.service
new file mode 100644
index 0000000..6d992d0
--- /dev/null
+++ b/roles/pihole/files/pihole.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Manage PiHole
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+User=root
+ExecStart=/usr/local/bin/podman-compose -f /opt/containers/pihole.yaml up -d
+ExecStop=/usr/local/bin/podman-compose -f /opt/containers/pihole.yaml down
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pihole/files/pihole/.helmignore b/roles/pihole/files/pihole/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/roles/pihole/files/pihole/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/roles/pihole/files/pihole/Chart.yaml b/roles/pihole/files/pihole/Chart.yaml
new file mode 100644
index 0000000..e472ab4
--- /dev/null
+++ b/roles/pihole/files/pihole/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: pihole
+description: PiHole on K8s
+type: application
+
+version: 0.1.0
diff --git a/roles/pihole/files/pihole/templates/deployment.yaml b/roles/pihole/files/pihole/templates/deployment.yaml
new file mode 100644
index 0000000..4fc7faa
--- /dev/null
+++ b/roles/pihole/files/pihole/templates/deployment.yaml
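Review bot: `nfs.server` is read by the Helm task in tasks/k8s.yaml (`server: "{{ nfs.server }}"`), but this defaults file only declares `nfs.path`, so the cluster path fails with an undefined variable unless inventory or group vars supply it; either add a documented default such as `server: ""  # NFS host, must be set in inventory` or list it as a required variable in the role's README. `version: 2025.02.6` stays a string only because it has two dots; quoting it as `version: "2025.02.6"` keeps a future tag with one dot from being retyped as a float. Note that the default `enabled: false` together with `not pihole.baremetal` in tasks/main.yaml means a plain run of the role uninstalls the Helm release, which deserves a comment next to `enabled`.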
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ .Chart.Name }}-deployment"
+ labels:
+ app: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Chart.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Chart.Name }}
+ spec:
+ containers:
+ - name: pihole
+ image: "{{ .Values.image }}:{{ .Values.version }}"
+ ports:
+ - containerPort: 53
+ protocol: TCP
+ - containerPort: 53
+ protocol: UDP
+ - containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - mountPath: "/etc/pihole"
+ name: "{{ .Chart.Name }}-volume"
+ subPath: "pihole"
+ - mountPath: "/etc/dnsmasq.d"
+ name: "{{ .Chart.Name }}-volume"
+ subPath: "dnsmasq"
+ volumes:
+ - name: "{{ .Chart.Name }}-volume"
+ persistentVolumeClaim:
+ claimName: "{{ .Chart.Name }}-pvc"
diff --git a/roles/pihole/files/pihole/templates/ingress.yaml b/roles/pihole/files/pihole/templates/ingress.yaml
new file mode 100644
index 0000000..8e84845
--- /dev/null
+++ b/roles/pihole/files/pihole/templates/ingress.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: pihole
+ annotations:
+ cert-manager.io/cluster-issuer: "ca-issuer"
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - dns.aadityadhruv.com
+ - dns.home
+ secretName: pihole-tls
+ rules:
+ - host: dns.home
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pihole-service
+ port:
+ number: 80
+ - host: dns.aadityadhruv.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pihole-service
+ port:
+ number: 80
diff --git a/roles/pihole/files/pihole/templates/pv.yaml b/roles/pihole/files/pihole/templates/pv.yaml
new file mode 100644
index 0000000..498fbd5
--- /dev/null
+++ b/roles/pihole/files/pihole/templates/pv.yaml
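Review bot: The label and selector values are rendered unquoted (`app: {{ .Chart.Name }}` in metadata.labels, selector.matchLabels and the pod template) while the `name` and `image` values in the same file are quoted; write them as `app: "{{ .Chart.Name }}"` so a chart name that YAML would retype (all digits, `yes`/`no`, a leading `*`) cannot break the selector. The same unquoted templating appears in pv.yaml (`server:`, `path:`), pvc.yaml (`metadata.name`) and service.yaml (`metadata.name`, `selector.app`). The container also declares no `resources` requests/limits and no readiness or liveness probe, so the Service starts sending DNS traffic to a pod as soon as the container process exists rather than once it answers on 53; a `readinessProbe` with `tcpSocket: {port: 53}` is a cheap first step.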
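Review bot: The backend is hardcoded as `name: pihole-service` in both rules and the Ingress itself as `name: pihole`, whereas service.yaml derives its name from `{{ .Chart.Name }}-service`; the two only agree while the chart happens to be named `pihole`, so render them as `name: "{{ .Chart.Name }}-service"` and `name: "{{ .Chart.Name }}"`. The two hostnames and the `ca-issuer` cluster issuer are likewise baked into the chart instead of read from `.Values`, which leaves a personal domain inside the role's files; exposing them as values would let tasks/k8s.yaml supply them the way it already supplies `nfs`. This Ingress is the only TLS-terminating path to the admin UI, which is worth a comment on the `tls:` block so the plaintext port on the Service is not later assumed to be equivalent.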
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: "{{ .Chart.Name }}-pv"
+ labels:
+ app: "{{ .Chart.Name }}-pv"
+spec:
+ storageClassName: nfs
+ capacity:
+ storage: 2Gi
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: {{ .Values.nfs.server }}
+ path: {{ .Values.nfs.path }}
+ readOnly: false
diff --git a/roles/pihole/files/pihole/templates/pvc.yaml b/roles/pihole/files/pihole/templates/pvc.yaml
new file mode 100644
index 0000000..71b9b85
--- /dev/null
+++ b/roles/pihole/files/pihole/templates/pvc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Chart.Name }}-pvc
+spec:
+ storageClassName: nfs
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 2Gi
+ selector:
+ matchLabels:
+ app: "{{ .Chart.Name }}-pv"
diff --git a/roles/pihole/files/pihole/templates/service.yaml b/roles/pihole/files/pihole/templates/service.yaml
new file mode 100644
index 0000000..72612c0
--- /dev/null
+++ b/roles/pihole/files/pihole/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Chart.Name }}-service
+spec:
+ type: LoadBalancer
+ selector:
+ app: {{ .Chart.Name }}
+ ports:
+ - name: dns-tcp
+ port: 53
+ targetPort: 53
+ protocol: TCP
+ - name: dns-udp
+ port: 53
+ targetPort: 53
+ protocol: UDP
+ - name: web
+ port: 80
+ targetPort: 80
+ protocol: TCP
diff --git a/roles/pihole/tasks/k8s.yaml b/roles/pihole/tasks/k8s.yaml
new file mode 100644
index 0000000..a4fcb81
--- /dev/null
+++ b/roles/pihole/tasks/k8s.yaml
@@ -0,0 +1,15 @@
+- name: Deploy PiHole
+ kubernetes.core.helm:
+ name: pihole
+ chart_ref: "{{ lookup('env', 'PWD') }}/roles/pihole/files/pihole"
+ namespace: default
+ state: "{%- if pihole.enabled -%} present {%- else -%} absent {%- endif -%}"
+ values:
+ replicas: "{{ pihole.replicas }}"
+ image: "{{ pihole.image }}"
+ version: "{{ pihole.version }}"
+ nfs:
+ server: "{{ nfs.server }}"
+ path: "{{ nfs.path }}"
+ delegate_to: localhost
+ run_once: true
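Review bot: `type: LoadBalancer` publishes the `web` port 80 (the admin UI over plain HTTP) on the external address alongside DNS, even though ingress.yaml already fronts the same UI with TLS through `pihole-service`; anyone on the LoadBalancer's network can reach the login page without TLS and the Ingress is simply bypassed. Keep only `dns-tcp` and `dns-udp` on this Service and move `web` to a separate ClusterIP Service that the Ingress targets, or drop the `web` entry if the Ingress is the intended path. Whichever is chosen, a comment on the `ports:` list stating which port is meant to be externally reachable would prevent the entry from being re-added later.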
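Review bot: `chart_ref: "{{ lookup('env', 'PWD') }}/roles/pihole/files/pihole"` ties the task to the directory ansible-playbook was launched from, so a run started from any other cwd (a scheduler, a wrapper script, another checkout layout) points at a chart path that does not exist; `chart_ref: "{{ role_path }}/files/pihole"` resolves correctly regardless of cwd. The `state` expression can be written as the plainer `state: "{{ 'present' if pihole.enabled else 'absent' }}"`, which removes the whitespace-control markers whose only job is trimming the spaces around `present`/`absent`. `namespace: default` is hardcoded while everything else is parameterised; a `pihole.namespace` default would keep this consistent with the rest of the `values:` block.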
diff --git a/roles/pihole/tasks/main.yaml b/roles/pihole/tasks/main.yaml
new file mode 100644
index 0000000..7fa1cef
--- /dev/null
+++ b/roles/pihole/tasks/main.yaml
@@ -0,0 +1,10 @@
+---
+- name: Setup PiHole (cluster)
+ import_tasks: k8s.yaml
+ when: not pihole.baremetal
+
+- name: Setup PiHole (baremetal)
+ import_tasks: pihole.yaml
+ when: pihole.enabled and pihole.baremetal and inventory_hostname in group["pi"]
+
+
diff --git a/roles/pihole/tasks/pihole.yaml b/roles/pihole/tasks/pihole.yaml
new file mode 100644
index 0000000..c4b1959
--- /dev/null
+++ b/roles/pihole/tasks/pihole.yaml
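Review bot: `inventory_hostname in group["pi"]` references `group`, which is not an Ansible magic variable; the inventory groups mapping is `groups`, so as soon as both `pihole.enabled` and `pihole.baremetal` are true the conditional fails with an undefined-variable error and the baremetal task file is never reached. Change it to `when: pihole.enabled and pihole.baremetal and inventory_hostname in groups['pi']`. The cluster branch runs whenever `pihole.baremetal` is false regardless of `pihole.enabled`, which is intentional if the Helm task is meant to uninstall on `enabled: false`; a one-line comment above that task saying so would save the next reader a trip into k8s.yaml.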
@@ -0,0 +1,73 @@
+---
+- name: Ensure podman exists
+ ansible.builtin.dnf:
+ name: podman
+ state: latest
+ become: true
+
+- name: Ensure pip exists
+ ansible.builtin.dnf:
+ name: python3-pip
+ state: latest
+ become: true
+
+- name: Install podman compose via pip
+ pip:
+ name: podman-compose
+ become: true
+
+- name: Create containers directory
+ ansible.builtin.file:
+ path: /opt/containers/
+ state: directory
+ mode: '0755'
+ become: true
+
+- name: Copy compose file to containers directory
+ ansible.builtin.template:
+ src: pihole.yaml.j2
+ dest: /opt/containers/pihole.yaml
+ become: true
+
+- name: Copy pihole service file to systemd directory
+ ansible.builtin.copy:
+ src: pihole.service
+ dest: /etc/systemd/system/
+ become: true
+
+- name: Ensure systemd-resovled is disabled
+ ansible.builtin.systemd_service:
+ enabled: false
+ name: systemd-resolved
+ state: stopped
+ ignore_errors: true
+ become: true
+
+- name: Enable PiHole serivce
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ enabled: true
+ state: restarted
+ name: pihole
+ become: true
+
+- name: Open DNS Port TCP
+ ansible.posix.firewalld:
+ port: 53/tcp
+ permanent: true
+ state: enabled
+ become: true
+
+- name: Open DNS Port UDP
+ ansible.posix.firewalld:
+ port: 53/udp
+ permanent: true
+ state: enabled
+ become: true
+
+- name: Open Webserver port
+ ansible.posix.firewalld:
+ port: 8000/tcp
+ permanent: true
+ state: enabled
+ become: true
diff --git a/roles/pihole/templates/pihole.yaml.j2 b/roles/pihole/templates/pihole.yaml.j2
new file mode 100644
index 0000000..7e744df
--- /dev/null
+++ b/roles/pihole/templates/pihole.yaml.j2
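Review bot: The `Copy compose file to containers directory` task writes `/opt/containers/pihole.yaml`, which carries the admin password rendered from `WEBPASSWORD` in templates/pihole.yaml.j2, without a `mode:`, so the file takes the umask-derived default (usually 0644) and the secret is readable by every local account; add `mode: '0600'` and `owner: root` to that task, matching the explicit mode the directory task already sets. The three `ansible.posix.firewalld` tasks set `permanent: true` but not `immediate: true`, so 53/tcp, 53/udp and 8000/tcp stay closed in the running firewall until the next reload or reboot; add `immediate: true` to each. `state: latest` on the two dnf tasks upgrades podman and pip on every run instead of just ensuring they exist (`state: present` is the idempotent form), and `ignore_errors: true` on the systemd-resolved task hides a genuine failure to free port 53 — `failed_when: false` plus a later check that the port is free, or a `when` guarding on the unit's presence, makes the intent explicit.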
@@ -0,0 +1,20 @@
+version: "3"
+services:
+ pihole:
+ image: docker.io/pihole/pihole:{{ pihole.tag }}
+ container_name: pihole
+ ports:
+ - "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:53:53/tcp"
+ - "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:53:53/udp"
+ - "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:8000:80/tcp"
+ environment:
+ TZ: 'America/Chicago'
+ WEBPASSWORD: {{ pihole.password }}
+ volumes:
+ - 'pihole:/etc/pihole:Z'
+ - 'pihole_dnsmaq:/etc/dnsmasq.d:Z'
+ restart: unless-stopped
+volumes:
+ pihole:
+ pihole_dnsmaq:
+ |
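Review bot: `WEBPASSWORD: {{ pihole.password }}` is rendered unquoted, so a password containing `: ` or ` #` either breaks the compose file or is silently truncated at the comment marker, and one that looks like a number or boolean is retyped; write `WEBPASSWORD: "{{ pihole.password }}"`. Neither `pihole.password` nor `pihole.tag` has a default in roles/pihole/defaults/main.yaml, and the image tag is named `version` there and in the Helm values, so the baremetal path fails on an undefined variable unless inventory defines `tag`; using `{{ pihole.version }}` in `image:` keeps the two deployment paths in step. Since the rendered file persists on disk, it is better to keep the password out of it altogether — an `env_file` with restrictive permissions or a podman secret leaves the compose file itself non-sensitive.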