Working config w/ WG & unbound

inventory/inventory.yaml

@@ -0,0 +1,3 @@
+all:
+  hosts:
+    basementpi.local

playbooks/assets/01-netcfg.yaml.j2

@@ -0,0 +1,12 @@
+network:
+  version: 2
+  ethernets:
+    eth0:
+      addresses:
+      - {{ pi_ip }}/{{ pi_mask }}
+      nameservers:
+        search: [injust.us]
+        addresses: [127.0.0.1, 1.1.1.1]
+      routes:
+        - to: default
+          via: 10.11.1.1

playbooks/assets/docker-compose.yml.j2

@@ -0,0 +1,74 @@
+version: "3"
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+services:
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy
+    ports:
+      - '80:80'
+    environment:
+      DEFAULT_HOST: {{ pihole_hostname }}.{{ pihole_domain }}
+    volumes:
+      - '/var/run/docker.sock:/tmp/docker.sock'
+    restart: always
+
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      - '53:53/tcp'
+      - '53:53/udp'
+      - "67:67/udp"
+      - '8053:80/tcp'
+    volumes:
+      - './etc-pihole:/etc/pihole'
+      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+      # run `touch ./var-log/pihole.log` first unless you like errors
+      # - './var-log/pihole.log:/var/log/pihole/pihole.log'
+    # Recommended but not required (DHCP needs NET_ADMIN)
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    cap_add:
+      - NET_ADMIN
+    expose:
+      - 80
+    environment:
+      ServerIP: 10.11.1.10
+      PIHOLE_DNS_: unbound#53;{{ pihole_additional_upstream_dnsservers }}
+      PROXY_LOCATION: {{ pihole_hostname }}
+      VIRTUAL_HOST: {{ pihole_hostname}}.{{ pihole_domain }}
+      VIRTUAL_PORT: 80
+      WEBPASSWORD: {{ pihole_password }}
+      FTLCONF_LOCAL_IPV4: {{ pi_ip }}
+
+    extra_hosts:
+      # Resolve to nothing domains (terminate connection)
+      - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
+      # LAN hostnames for other docker containers using nginx-proxy
+      - 'yourDomain.lan:192.168.41.55'
+      - '{{ pihole_hostname }} {{ pihole_hostname }}.{{ pihole_domain }}:{{ pi_ip }}'
+    restart: always
+
+  unbound:
+    image: klutchell/unbound
+    volumes:
+      - ./unbound:/etc/unbound/unbound.conf.d
+    ports:
+      - '5335:53/tcp'
+      - '5335:53/udp'
+    restart: always
+
+
+
+#   Another container you might want to have running through the proxy
+#   Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
+#  ghost:
+#    image: fractalf/ghost
+#    ports:
+#      - '2368:2368/tcp'
+#    volumes:
+#      - '/etc/ghost:/ghost-override'
+#    environment:
+#      PROXY_LOCATION: ghost
+#      VIRTUAL_HOST: ghost.yourDomain.lan
+#      VIRTUAL_PORT: 2368
+#    restart: always

playbooks/assets/unbound.conf.j2

@@ -0,0 +1,67 @@
+server:
+    # If no logfile is specified, syslog is used
+    # logfile: "/var/log/unbound/unbound.log"
+    verbosity: 0
+
+    interface: 127.0.0.1
+    port: 53
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # May be set to yes if you have IPv6 connectivity
+    do-ip6: no
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this only when you downloaded the list of primary root servers!
+    # If you use the default dns-root-data package, unbound will find it automatically
+    #root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # IP fragmentation is unreliable on the Internet today, and can cause
+    # transmission failures when large DNS messages are sent via UDP. Even
+    # when fragmentation does work, it may not be secure; it is theoretically
+    # possible to spoof parts of a fragmented DNS message, without easy
+    # detection at the receiving end. Recently, there was an excellent study
+    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+    # in collaboration with NLnet Labs explored DNS using real world data from the
+    # the RIPE Atlas probes and the researchers suggested different values for
+    # IPv4 and IPv6 and in different scenarios. They advise that servers should
+    # be configured to limit DNS messages sent over UDP to a size that will not
+    # trigger fragmentation on typical network links. DNS servers can switch
+    # from UDP to TCP when a DNS response is too big to fit in this limited
+    # buffer size. This value has also been suggested in DNS Flag Day 2020.
+    edns-buffer-size: 1232
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    num-threads: 1
+
+    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    so-rcvbuf: 1m
+
+    # Ensure privacy of local IP ranges
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: 172.16.0.0/12
+    private-address: 10.0.0.0/8
+    private-address: fd00::/8
+    private-address: fe80::/10
+

playbooks/configfiles/01-netcfg.yaml

@@ -0,0 +1,12 @@
+network:
+  version: 2
+  ethernets:
+    eth0:
+      addresses:
+        - 10.11.1.10/24
+      nameservers:
+        search: [injust.us]
+        addresses: [127.0.0.1, 1.1.1.1]
+      routes:
+        - to: default
+          via: 10.11.1.1

playbooks/configfiles/unbound.conf

@@ -0,0 +1,67 @@
+server:
+    # If no logfile is specified, syslog is used
+    # logfile: "/var/log/unbound/unbound.log"
+    verbosity: 0
+
+    interface: 127.0.0.1
+    port: 53
+    do-ip4: yes
+    do-udp: yes
+    do-tcp: yes
+
+    # May be set to yes if you have IPv6 connectivity
+    do-ip6: no
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this only when you downloaded the list of primary root servers!
+    # If you use the default dns-root-data package, unbound will find it automatically
+    #root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # IP fragmentation is unreliable on the Internet today, and can cause
+    # transmission failures when large DNS messages are sent via UDP. Even
+    # when fragmentation does work, it may not be secure; it is theoretically
+    # possible to spoof parts of a fragmented DNS message, without easy
+    # detection at the receiving end. Recently, there was an excellent study
+    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+    # in collaboration with NLnet Labs explored DNS using real world data from the
+    # the RIPE Atlas probes and the researchers suggested different values for
+    # IPv4 and IPv6 and in different scenarios. They advise that servers should
+    # be configured to limit DNS messages sent over UDP to a size that will not
+    # trigger fragmentation on typical network links. DNS servers can switch
+    # from UDP to TCP when a DNS response is too big to fit in this limited
+    # buffer size. This value has also been suggested in DNS Flag Day 2020.
+    edns-buffer-size: 1232
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    num-threads: 1
+
+    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    so-rcvbuf: 1m
+
+    # Ensure privacy of local IP ranges
+    private-address: 192.168.0.0/16
+    private-address: 169.254.0.0/16
+    private-address: 172.16.0.0/12
+    private-address: 10.0.0.0/8
+    private-address: fd00::/8
+    private-address: fe80::/10
+

playbooks/dockercompose/docker-compose.yml

@@ -0,0 +1,76 @@
+version: "3"
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+services:
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy
+    ports:
+      - '80:80'
+    environment:
+      DEFAULT_HOST: pihole.injust.us
+    volumes:
+      - '/var/run/docker.sock:/tmp/docker.sock'
+    restart: always
+
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      - '53:53/tcp'
+      - '53:53/udp'
+      - "67:67/udp"
+      - '8053:80/tcp'
+    volumes:
+      - './etc-pihole:/etc/pihole'
+      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+      # run `touch ./var-log/pihole.log` first unless you like errors
+      # - './var-log/pihole.log:/var/log/pihole/pihole.log'
+    # Recommended but not required (DHCP needs NET_ADMIN)
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    cap_add:
+      - NET_ADMIN
+    expose:
+      - 80
+    environment:
+      ServerIP: 10.11.1.10
+      PIHOLE_DNS_: 127.0.0.1#5053;1.1.1.1
+      PROXY_LOCATION: pihole
+      VIRTUAL_HOST: pihole.injust.us
+      VIRTUAL_PORT: 80
+      WEBPASSWORD: password
+      FTLCONF_LOCAL_IPV4: 10.11.1.10
+
+    extra_hosts:
+      # Resolve to nothing domains (terminate connection)
+      - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
+      # LAN hostnames for other docker containers using nginx-proxy
+      - 'yourDomain.lan:192.168.41.55'
+      - 'pihole pihole.injust.us:10.11.1.10'
+      - 'ghost ghost.yourDomain.lan:192.168.41.55'
+      - 'wordpress wordpress.yourDomain.lan:192.168.41.55'
+    restart: always
+
+  unbound:
+    image: klutchell/unbound
+    volumes:
+      - ./unbound:/etc/unbound/unbound.conf.d
+    ports:
+      - '5335:53/tcp'
+      - '5335:53/udp'
+    restart: always
+
+
+
+#   Another container you might want to have running through the proxy
+#   Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
+#  ghost:
+#    image: fractalf/ghost
+#    ports:
+#      - '2368:2368/tcp'
+#    volumes:
+#      - '/etc/ghost:/ghost-override'
+#    environment:
+#      PROXY_LOCATION: ghost
+#      VIRTUAL_HOST: ghost.yourDomain.lan
+#      VIRTUAL_PORT: 2368
+#    restart: always

playbooks/setup.yaml

@@ -0,0 +1,77 @@
+---
+- name: Setup
+  hosts: all
+  remote_user: root
+  vars:
+    pi_ip: 10.11.1.10
+    pihole_additional_upstream_dnsservers: 1.1.1.1
+    pihole_password: password!
+    pihole_hostname: pihole
+    pihole_domain: injust.us
+
+  tasks:
+    - name: Disable cloud-init network config
+      ansible.builtin.command: 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
+
+    - name: Delete existing netplan
+      ansible.builtin.command: rm -f /etc/netplan/*
+      
+    - name: Copy netplan
+      ansible.builtin.copy:
+        src: configfiles/01-netcfg.yaml
+        dest: /etc/netplan
+    - name: Copy unbound config
+      ansible.builtin.copy:
+        src: configfiles/unbound.conf
+        dest: ./unbound/
+
+    - name: Apply Netplan
+      ansible.builtin.command: netplan apply
+
+    - name: Docker Prereqs
+      ansible.builtin.apt:
+        update_cache: true
+        name:
+          - ca-certificates
+          - curl
+          - gnupg
+          - lsb-release
+    - name: Create keyring directory
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+    - name: Create Docker directory
+      ansible.builtin.file:
+        path: /root/docker
+        state: directory
+    - name: Download Docker GPG keys
+      ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg --batch --yes
+    - name: Add Docker repo
+      ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+    - name: Disable Ubunut stub DNS resolver
+      ansible.builtin.shell: sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
+    - name: symlink /etc/resolv to /run/systemd/resolve/resolv.conf
+      ansible.builtin.shell: sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
+
+    - name: Restart resolved
+      ansible.builtin.shell: systemctl restart systemd-resolved
+      
+    - name: Install Docker
+      ansible.builtin.apt:
+        update_cache: true
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-compose-plugin
+
+    - name: Copy Docker Compose file
+      ansible.builtin.template:
+        src: assets/docker-compose.yml.j2
+        dest: /root/docker/docker-compose.yml
+
+    - name: Run Docker
+      ansible.builtin.shell: docker compose up -d
+      args:
+        chdir: /root/docker

requirements.txt

@@ -0,0 +1,10 @@
+ansible==7.1.0
+ansible-core==2.14.1
+cffi==1.15.1
+cryptography==39.0.0
+Jinja2==3.1.2
+MarkupSafe==2.1.1
+packaging==23.0
+pycparser==2.21
+PyYAML==6.0
+resolvelib==0.8.1