Created
April 5, 2018 09:17
-
-
Save bendews/e09edfc60e581ec4c686c4b70297f543 to your computer and use it in GitHub Desktop.
Ansible Playbook to set up PiHole with DNS-Over-HTTPS via cloudflared
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server=127.0.0.1#5053 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| !!!!!!!!!!!!!!! | |
| NOTE THIS IS A BASIC EXAMPLE OF A CONFIGURATION. | |
| YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf | |
| THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG | |
| !!!!!!!!!!!!!!! | |
| PIHOLE_INTERFACE=ens192 | |
| IPV4_ADDRESS=10.1.1.250/24 | |
| IPV6_ADDRESS= | |
| QUERY_LOGGING=true | |
| INSTALL_WEB=true | |
| LIGHTTPD_ENABLED=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - hosts: pihole | |
| become: yes | |
| tasks: | |
| - include_role: | |
| name: bendews.cloudflared | |
| vars: | |
| cloudflared_port: 5053 | |
| - name: create pihole directory | |
| file: | |
| path: /etc/pihole | |
| state: directory | |
| - name: copy pihole conf | |
| copy: | |
| src: pihole-setupVars.conf | |
| dest: /etc/pihole/setupVars.conf | |
| register: pihole_config | |
| - stat: | |
| path: /usr/local/bin/pihole | |
| register: pihole_binary | |
| - set_fact: | |
| pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}" | |
| - name: download install script | |
| get_url: | |
| url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh | |
| dest: ~/pihole-install.sh | |
| mode: u+rwx | |
| when: not pihole_installed | |
| - name: run install script | |
| shell: ~/pihole-install.sh --unattended | |
| when: not pihole_installed | |
| - name: copy dnsmasq conf | |
| copy: | |
| src: pihole-dnsmasq-cloudflared.conf | |
| dest: /etc/dnsmasq.d/50-cloudflared.conf | |
| register: dnsmasq_config | |
| - name: this should be done via a handler but is simplified for this gist | |
| set_fact: | |
| restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}" | |
| - name: restart dnsmasq service (this should be done via a handler but is simplified for this gist) | |
| service: | |
| name: dnsmasq | |
| enabled: true | |
| state: restarted | |
| when: restart_dnsmasq |
Hi @jlagermann, I think we are discussing two different concepts.
Security concerns when running the PiHole installation script is discussed on that page via the links on piping to bash. They cover general risks and security practice of running software from public sources - running these as root elevates the risks highly but at the cost of convenience.
Running PiHole as root is not something I’m familiar with doing but would definitely discourage regardless.
@bendews A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo
Here's an Ansible task that will modify the sudoers to allow members of the
sudo group to sudo without a password. When sudo prompts for a password,
you enter your own password anyway.
- name: Update sudoers
lineinfile:
path: /etc/sudoers
state: present
regexp: '%sudo ALL=\(ALL:ALL\) ALL'
line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
This would allow Pi-hole to run as a non-privileged user and sudo without a
password (as long as it is a member of the sudo group).
Thank you,
*James Lagermann* | Systems Engineer
c: 636-575-7249
[email protected]
[image: Corelight]
<https://app.salesforceiq.com/r?target=5e7232c4c9e77c0076f38131&t=AFwhZf1GBKQ82RfBl_ysPyfYtIb4-WUzgM9l0iNVWBIqb_rgJA6A_i_PiheVB7MySqXaf4jk7R3BN_1qqCJwESAmpTGqB3USK-m7p13jpRaw7yrTkQE7BefEBLoHXx0GG29WYKwQp0eW&url=https%3A%2F%2Fwww.corelight.com%2F>
…On Tue, Jul 28, 2020 at 12:19 PM Brian Zalewski ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
@bendews <https://github.com/bendews> A follow up question: How can we
use Ansible to run the installer as a non-privileged user but automatically
enter the sudo password when the script is running? i.e. How can we run the
PiHole script without become: yes but still enter the password when PiHole
runs a command with sudo
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://gist.github.com/e09edfc60e581ec4c686c4b70297f543#gistcomment-3395212>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEO7LSXUJ727WPV625HNQW3R54CBXANCNFSM4K2MCKLA>
.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@bendews, can you be more specific about where PiHole talks about security issues when running as root? I don't see anything related on the page you referenced.