Ansible Playbook to set up PiHole with DNS-Over-HTTPS via cloudflared

pihole-dnsmasq-cloudflared.conf

server=127.0.0.1#5053

pihole-setupVars.conf

!!!!!!!!!!!!!!!
NOTE THIS IS A BASIC EXAMPLE OF A CONFIGURATION.
YOU SHOULD COPY YOUR EXISTING CONFIGURATION FROM /etc/pihole/setupVars.conf 
THIS CAN BE USED AS A "STARTER" CONFIGURATION FOR FRESH INSTALLS BUT WILL OVERWRITE ANY EXISTING CONFIG
!!!!!!!!!!!!!!!
PIHOLE_INTERFACE=ens192
IPV4_ADDRESS=10.1.1.250/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB=true
LIGHTTPD_ENABLED=1

pihole.yml

- hosts: pihole
  become: yes
  tasks:

  - include_role:
      name: bendews.cloudflared
    vars:
      cloudflared_port: 5053

  - name: create pihole directory
    file:
      path: /etc/pihole
      state: directory

  - name: copy pihole conf
    copy:
      src: pihole-setupVars.conf
      dest: /etc/pihole/setupVars.conf
    register: pihole_config

  - stat:
      path: /usr/local/bin/pihole
    register: pihole_binary
  
  - set_fact:
      pihole_installed: "{{ pihole_binary.stat.exists | default(false) }}"

  - name: download install script
    get_url:
      url: https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh
      dest: ~/pihole-install.sh
      mode: u+rwx
    when: not pihole_installed

  - name: run install script
    shell: ~/pihole-install.sh --unattended
    when: not pihole_installed

  - name: copy dnsmasq conf
    copy:
      src:  pihole-dnsmasq-cloudflared.conf
      dest: /etc/dnsmasq.d/50-cloudflared.conf
    register: dnsmasq_config

  - name: this should be done via a handler but is simplified for this gist
    set_fact:
      restart_dnsmasq: "{{ true if (pihole_config is changed or dnsmasq_config is changed) else false }}"

  - name: restart dnsmasq service (this should be done via a handler but is simplified for this gist)
    service: 
      name: dnsmasq 
      enabled: true 
      state: restarted
    when: restart_dnsmasq

@bendews A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo

Here's an Ansible task that will modify the sudoers to allow members of the sudo group to sudo without a password. When sudo prompts for a password, you enter your own password anyway. - name: Update sudoers lineinfile: path: /etc/sudoers state: present regexp: '%sudo ALL=\(ALL:ALL\) ALL' line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL' validate: '/usr/sbin/visudo -cf %s' This would allow Pi-hole to run as a non-privileged user and sudo without a password (as long as it is a member of the sudo group). Thank you, *James Lagermann* | Systems Engineer c: 636-575-7249 [email protected] [image: Corelight] <https://app.salesforceiq.com/r?target=5e7232c4c9e77c0076f38131&t=AFwhZf1GBKQ82RfBl_ysPyfYtIb4-WUzgM9l0iNVWBIqb_rgJA6A_i_PiheVB7MySqXaf4jk7R3BN_1qqCJwESAmpTGqB3USK-m7p13jpRaw7yrTkQE7BefEBLoHXx0GG29WYKwQp0eW&url=https%3A%2F%2Fwww.corelight.com%2F>

…

On Tue, Jul 28, 2020 at 12:19 PM Brian Zalewski ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ @bendews <https://github.com/bendews> A follow up question: How can we use Ansible to run the installer as a non-privileged user but automatically enter the sudo password when the script is running? i.e. How can we run the PiHole script without become: yes but still enter the password when PiHole runs a command with sudo — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/e09edfc60e581ec4c686c4b70297f543#gistcomment-3395212>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEO7LSXUJ727WPV625HNQW3R54CBXANCNFSM4K2MCKLA> .