-
-
Save bendews/e09edfc60e581ec4c686c4b70297f543 to your computer and use it in GitHub Desktop.
| server=127.0.0.1#5053 |
| !!!!!!!!!!!!!!! | |
| NOTE THIS IS A BASIC EXAMPLE OF A CONFIGURATION. | |
| YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf | |
| THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG | |
| !!!!!!!!!!!!!!! | |
| PIHOLE_INTERFACE=ens192 | |
| IPV4_ADDRESS=10.1.1.250/24 | |
| IPV6_ADDRESS= | |
| QUERY_LOGGING=true | |
| INSTALL_WEB=true | |
| LIGHTTPD_ENABLED=1 |
| - hosts: pihole | |
| become: yes | |
| tasks: | |
| - include_role: | |
| name: bendews.cloudflared | |
| vars: | |
| cloudflared_port: 5053 | |
| - name: create pihole directory | |
| file: | |
| path: /etc/pihole | |
| state: directory | |
| - name: copy pihole conf | |
| copy: | |
| src: pihole-setupVars.conf | |
| dest: /etc/pihole/setupVars.conf | |
| register: pihole_config | |
| - stat: | |
| path: /usr/local/bin/pihole | |
| register: pihole_binary | |
| - set_fact: | |
| pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}" | |
| - name: download install script | |
| get_url: | |
| url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh | |
| dest: ~/pihole-install.sh | |
| mode: u+rwx | |
| when: not pihole_installed | |
| - name: run install script | |
| shell: ~/pihole-install.sh --unattended | |
| when: not pihole_installed | |
| - name: copy dnsmasq conf | |
| copy: | |
| src: pihole-dnsmasq-cloudflared.conf | |
| dest: /etc/dnsmasq.d/50-cloudflared.conf | |
| register: dnsmasq_config | |
| - name: this should be done via a handler but is simplified for this gist | |
| set_fact: | |
| restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}" | |
| - name: restart dnsmasq service (this should be done via a handler but is simplified for this gist) | |
| service: | |
| name: dnsmasq | |
| enabled: true | |
| state: restarted | |
| when: restart_dnsmasq |
@TimeTravelersHackedMe yes, there always will be. PiHole talk about this on their page here
If you are looking for something similar to PiHole but with support built-in for DNS-Over-HTTPS look in to AdGuard Home. Alternatively if you just want a DNS server that will do DNS-Over-HTTPS I recommend CoreDNS.
@bendews, can you be more specific about where PiHole talks about security issues when running as root? I don't see anything related on the page you referenced.
Hi @jlagermann, I think we are discussing two different concepts.
Security concerns when running the PiHole installation script is discussed on that page via the links on piping to bash. They cover general risks and security practice of running software from public sources - running these as root elevates the risks highly but at the cost of convenience.
Running PiHole as root is not something I’m familiar with doing but would definitely discourage regardless.
@bendews A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo
Is there any security lost from running the pihole script as root?