diff --git a/playbooks/assets/01-netcfg.yaml.j2 b/ansible/assets/01-netcfg.yaml.j2 similarity index 51% rename from playbooks/assets/01-netcfg.yaml.j2 rename to ansible/assets/01-netcfg.yaml.j2 index 215a49a..d884b0f 100644 --- a/playbooks/assets/01-netcfg.yaml.j2 +++ b/ansible/assets/01-netcfg.yaml.j2 @@ -5,8 +5,8 @@ network: addresses: - {{ pi_ip }}/{{ pi_mask }} nameservers: - search: [injust.us] - addresses: [127.0.0.1, 1.1.1.1] + search: [{{ pi_searchdomains }}] + addresses: [127.0.0.1, {{pi_additional_upstream_dnsservers}}] routes: - to: default - via: 10.11.1.1 + via: {{ pi_gateway }} diff --git a/playbooks/assets/docker-compose.yml.j2 b/ansible/assets/docker-compose.yml.j2 similarity index 100% rename from playbooks/assets/docker-compose.yml.j2 rename to ansible/assets/docker-compose.yml.j2 diff --git a/playbooks/assets/unbound.conf.j2 b/ansible/assets/unbound.conf.j2 similarity index 93% rename from playbooks/assets/unbound.conf.j2 rename to ansible/assets/unbound.conf.j2 index 801a621..50e8008 100644 --- a/playbooks/assets/unbound.conf.j2 +++ b/ansible/assets/unbound.conf.j2 @@ -36,8 +36,8 @@ server: # when fragmentation does work, it may not be secure; it is theoretically # possible to spoof parts of a fragmented DNS message, without easy # detection at the receiving end. Recently, there was an excellent study - # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< - # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # Defragmenting DNS - Determining the optimal maximum UDP response size for DNS < + ### by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) # in collaboration with NLnet Labs explored DNS using real world data from the # the RIPE Atlas probes and the researchers suggested different values for # IPv4 and IPv6 and in different scenarios. They advise that servers should 
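Review bot: The context line `- {{ pi_ip }}/{{ pi_mask }}` will now render as `10.11.1.10/255.255.255.0` with the `pi_mask` introduced in the new `ansible/inventory/host_vars/basementpi.local/vars` hunk, while the deleted `playbooks/configfiles/01-netcfg.yaml` carried `10.11.1.10/24`; as far as I know netplan accepts only prefix-length notation in `addresses`, so the variable should hold the length (`pi_mask: 24`) or be converted before rendering. The added `addresses: [127.0.0.1, {{pi_additional_upstream_dnsservers}}]` is also inconsistent with the `{{ pi_searchdomains }}` spacing on the line above, and an empty value would render `[127.0.0.1, ]`; guarding it, e.g. `addresses: [127.0.0.1{% if pi_additional_upstream_dnsservers %}, {{ pi_additional_upstream_dnsservers }}{% endif %}]`, keeps the file valid when no extra upstream is configured.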
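Review bot: The two replacement comment lines in this hunk look mangled rather than edited on purpose: the original `# >>> Defragmenting DNS - … <<<` became `# Defragmenting DNS - … for DNS <` with a dangling `<`, and the attribution line now begins with `###` instead of `#`. As the hunk only touches comment text, restoring the two removed lines verbatim is the simplest fix. No `{{ … }}` substitution is visible in this hunk, so if the rename to `.j2` was meant to parameterise something in this file, those substitutions are either elsewhere in the template or still missing.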
diff --git a/ansible/inventory/host_vars/basementpi.local/vars b/ansible/inventory/host_vars/basementpi.local/vars
new file mode 100644
index 0000000..c371b91
--- /dev/null
+++ b/ansible/inventory/host_vars/basementpi.local/vars
@@ -0,0 +1,12 @@
+---
+pi_ip: 10.11.1.10
+pi_mask: 255.255.255.0
+pi_gateway: 10.11.1.1
+pi_searchdomains: injust.us
+# Comma separated, e.g.: 1.1.1.1,8.8.8.8
+pi_additional_upstream_dnsservers: 1.1.1.1
+# Semicolon separated, e.g.: 1.1.1.1;8.8.8.8
+pihole_additional_upstream_dnsservers: 1.1.1.1
+pihole_password: "{{ vault_pihole_password }}"
+pihole_hostname: pihole
+pihole_domain: injust.us
diff --git a/ansible/inventory/host_vars/basementpi.local/vault b/ansible/inventory/host_vars/basementpi.local/vault
new file mode 100644
index 0000000..cfd3e92
--- /dev/null
+++ b/ansible/inventory/host_vars/basementpi.local/vault
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63316634376238666334353461363362303966656336393664613438666132383632396534343130
+3230373762323563323464616135366433623932633936640a316562643636616666373965613735
+35353235336264653963633561326262623265613466366231653837666430383634343439626362
+3836306635393731330a396261336435653639633065366637303431346632366631343537333939
+30353965633538636436373865313864386462656662633932376466353264346162346466363034
+3262646561313939626166346662313631646433343463623632
diff --git a/ansible/inventory/hosts b/ansible/inventory/hosts
new file mode 100644
index 0000000..966bdc0
--- /dev/null
+++ b/ansible/inventory/hosts
@@ -0,0 +1,2 @@
+[rasperrypi]
+basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root
diff --git a/playbooks/setup.yaml b/ansible/setup.yaml
similarity index 88%
rename from playbooks/setup.yaml
rename to ansible/setup.yaml
index e09dc50..a472d8c 100644
--- a/playbooks/setup.yaml
+++ b/ansible/setup.yaml
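Review bot: `pi_additional_upstream_dnsservers` and `pihole_additional_upstream_dnsservers` hold the same upstream list in two separator formats, and the two copies will drift the first time only one of them is edited; derive one from the other, e.g. `pihole_additional_upstream_dnsservers: "{{ pi_additional_upstream_dnsservers | replace(',', ';') }}"`, and keep the separator comments on the surviving value. `pi_mask: 255.255.255.0` is consumed by the netplan template as `{{ pi_ip }}/{{ pi_mask }}`; naming it for the form the template needs (`pi_prefix: 24`) or stating the expected form in a comment next to it would make the coupling obvious to the next editor.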
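Review bot: The group name `[rasperrypi]` is misspelled (`[raspberrypi]`), which will bite anyone who later targets the group by name, and `ansible_ssh_user` is the pre-2.0 alias of `ansible_user`; the current form is `basementpi.local ansible_host=10.11.1.10 ansible_user=root`. `ansible_host=10.11.1.10` also duplicates `pi_ip` from the new host_vars file, so a comment noting that the two must be kept in step would help until they are consolidated.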
@@ -3,11 +3,6 @@ hosts: all remote_user: root vars: - pi_ip: 10.11.1.10 - pihole_additional_upstream_dnsservers: 1.1.1.1 - pihole_password: password! - pihole_hostname: pihole - pihole_domain: injust.us tasks: - name: Disable cloud-init network config @@ -17,12 +12,13 @@ ansible.builtin.command: rm -f /etc/netplan/* - name: Copy netplan - ansible.builtin.copy: - src: configfiles/01-netcfg.yaml + ansible.builtin.template: + src: assets/01-netcfg.yaml.j2 dest: /etc/netplan + - name: Copy unbound config - ansible.builtin.copy: - src: configfiles/unbound.conf + ansible.builtin.template: + src: assets/unbound.conf.j2 dest: ./unbound/ - name: Apply Netplan diff --git a/inventory/inventory.yaml b/inventory/inventory.yaml deleted file mode 100644 index 391c22b..0000000 --- a/inventory/inventory.yaml +++ /dev/null @@ -1,3 +0,0 @@ -all: - hosts: - basementpi.local diff --git a/playbooks/configfiles/01-netcfg.yaml b/playbooks/configfiles/01-netcfg.yaml deleted file mode 100644 index 7133033..0000000 --- a/playbooks/configfiles/01-netcfg.yaml +++ /dev/null @@ -1,12 +0,0 @@ -network: - version: 2 - ethernets: - eth0: - addresses: - - 10.11.1.10/24 - nameservers: - search: [injust.us] - addresses: [127.0.0.1, 1.1.1.1] - routes: - - to: default - via: 10.11.1.1 diff --git a/playbooks/configfiles/unbound.conf b/playbooks/configfiles/unbound.conf deleted file mode 100644 index 801a621..0000000 --- a/playbooks/configfiles/unbound.conf +++ /dev/null 
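Review bot: `dest: /etc/netplan` and `dest: ./unbound/` in the second hunk are directories, and as far as I recall the template action keeps the source basename when dest is a directory, so the rendered files land as `/etc/netplan/01-netcfg.yaml.j2` and `./unbound/unbound.conf.j2`; netplan only reads `*.yaml`, so the network config would be silently ignored, and the unbound container is likely to skip a `.j2` file as well. Use full file paths, `dest: /etc/netplan/01-netcfg.yaml` and `dest: ./unbound/unbound.conf`, and consider `mode: "0600"` on the netplan file since recent netplan releases warn when that file is world-readable; the enclosing task list continues beyond the hunk. Since the first hunk dropped the literal `pihole_password: password!` from the play, that value remains in git history and should be rotated rather than reused as the vaulted value.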
@@ -1,67 +0,0 @@ -server: - # If no logfile is specified, syslog is used - # logfile: "/var/log/unbound/unbound.log" - verbosity: 0 - - interface: 127.0.0.1 - port: 53 - do-ip4: yes - do-udp: yes - do-tcp: yes - - # May be set to yes if you have IPv6 connectivity - do-ip6: no - - # You want to leave this to no unless you have *native* IPv6. With 6to4 and - # Terredo tunnels your web browser should favor IPv4 for the same reasons - prefer-ip6: no - - # Use this only when you downloaded the list of primary root servers! - # If you use the default dns-root-data package, unbound will find it automatically - #root-hints: "/var/lib/unbound/root.hints" - - # Trust glue only if it is within the server's authority - harden-glue: yes - - # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS - harden-dnssec-stripped: yes - - # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes - # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details - use-caps-for-id: no - - # Reduce EDNS reassembly buffer size. - # IP fragmentation is unreliable on the Internet today, and can cause - # transmission failures when large DNS messages are sent via UDP. Even - # when fragmentation does work, it may not be secure; it is theoretically - # possible to spoof parts of a fragmented DNS message, without easy - # detection at the receiving end. Recently, there was an excellent study - # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< - # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) - # in collaboration with NLnet Labs explored DNS using real world data from the - # the RIPE Atlas probes and the researchers suggested different values for - # IPv4 and IPv6 and in different scenarios. 
They advise that servers should - # be configured to limit DNS messages sent over UDP to a size that will not - # trigger fragmentation on typical network links. DNS servers can switch - # from UDP to TCP when a DNS response is too big to fit in this limited - # buffer size. This value has also been suggested in DNS Flag Day 2020. - edns-buffer-size: 1232 - - # Perform prefetching of close to expired message cache entries - # This only applies to domains that have been frequently queried - prefetch: yes - - # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. - num-threads: 1 - - # Ensure kernel buffer is large enough to not lose messages in traffic spikes - so-rcvbuf: 1m - - # Ensure privacy of local IP ranges - private-address: 192.168.0.0/16 - private-address: 169.254.0.0/16 - private-address: 172.16.0.0/12 - private-address: 10.0.0.0/8 - private-address: fd00::/8 - private-address: fe80::/10 - diff --git a/playbooks/dockercompose/docker-compose.yml b/playbooks/dockercompose/docker-compose.yml deleted file mode 100644 index 650ea0c..0000000 --- a/playbooks/dockercompose/docker-compose.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -version: "3" - -# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md - -services: - nginx-proxy: - image: nginxproxy/nginx-proxy - ports: - - '80:80' - environment: - DEFAULT_HOST: pihole.injust.us - volumes: - - '/var/run/docker.sock:/tmp/docker.sock' - restart: always - - pihole: - image: pihole/pihole:latest - ports: - - '53:53/tcp' - - '53:53/udp' - - "67:67/udp" - - '8053:80/tcp' - volumes: - - './etc-pihole:/etc/pihole' - - './etc-dnsmasq.d:/etc/dnsmasq.d' - # run `touch ./var-log/pihole.log` first unless you like errors - # - './var-log/pihole.log:/var/log/pihole/pihole.log' - # Recommended but not required (DHCP needs NET_ADMIN) - # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities - cap_add: - - NET_ADMIN - expose: - - 80 - environment: - ServerIP: 10.11.1.10 - PIHOLE_DNS_: 127.0.0.1#5053;1.1.1.1 - PROXY_LOCATION: pihole - VIRTUAL_HOST: pihole.injust.us - VIRTUAL_PORT: 80 - WEBPASSWORD: password - FTLCONF_LOCAL_IPV4: 10.11.1.10 - - extra_hosts: - # Resolve to nothing domains (terminate connection) - - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0' - # LAN hostnames for other docker containers using nginx-proxy - - 'yourDomain.lan:192.168.41.55' - - 'pihole pihole.injust.us:10.11.1.10' - - 'ghost ghost.yourDomain.lan:192.168.41.55' - - 'wordpress wordpress.yourDomain.lan:192.168.41.55' - restart: always - - unbound: - image: klutchell/unbound - volumes: - - ./unbound:/etc/unbound/unbound.conf.d - ports: - - '5335:53/tcp' - - '5335:53/udp' - restart: always - - - -# Another container you might want to have running through the proxy -# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts -# ghost: -# image: fractalf/ghost -# ports: -# - '2368:2368/tcp' -# volumes: -# - '/etc/ghost:/ghost-override' -# environment: -# PROXY_LOCATION: ghost -# VIRTUAL_HOST: ghost.yourDomain.lan -# VIRTUAL_PORT: 2368 -# restart: always