From 95f3ffa79a1506d536d95766fe9c3e53748198f7 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sun, 28 May 2023 17:58:12 +0200
Subject: [PATCH] Add Pi-hole
---
 provision.sh | 6 +--
 roles/docker_services/defaults/main.yml | 4 ++
 .../docker_services/tasks/services/pihole.yml | 41 +++++++++++++++++++
 roles/os_config/tasks/firewall.yml | 5 +++
 roles/os_config/tasks/main.yml | 4 ++
 5 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 roles/docker_services/tasks/services/pihole.yml
diff --git a/provision.sh b/provision.sh
index 7ad4caf..14d8b51 100755
--- a/provision.sh
+++ b/provision.sh
@@ -32,9 +32,9 @@ shift
 case $TAG in
 "")
- install_modules; $BASE_CMD ;;
- os|docker)
- install_modules; $BASE_CMD --tags "$TAG" ;;
+ install_modules; $EXEC "$BASE_CMD" ;;
+ os|docker|firewall|ssh)
+ install_modules; $EXEC "$BASE_CMD --tags '$TAG'" ;;
 users)
 install_modules
diff --git a/roles/docker_services/defaults/main.yml b/roles/docker_services/defaults/main.yml
index 0101561..03933c7 100644
--- a/roles/docker_services/defaults/main.yml
+++ b/roles/docker_services/defaults/main.yml
@@ -32,6 +32,10 @@ services:
 snowflake:
 version: latest
+ pihole:
+ volume: "{{ base_volume }}/pi-hole"
+ version: 2023.05.0
+
 wireguard:
 domain: wg01.vpn.{{ base_domain }}
 volume: "{{ base_volume }}/wireguard"
diff --git a/roles/docker_services/tasks/services/pihole.yml b/roles/docker_services/tasks/services/pihole.yml
new file mode 100644
index 0000000..0e7263a
--- /dev/null
+++ b/roles/docker_services/tasks/services/pihole.yml
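Review bot: The new `$EXEC "$BASE_CMD --tags '$TAG'"` form hands the whole command line to `$EXEC` as a single string, so it only works if `$EXEC` (defined outside this hunk) re-parses its argument, for instance via `eval` or `sh -c`, and `$BASE_CMD` is then word-split on that second pass rather than as typed; a one-line comment above the `case` would spare the next reader the detour, e.g. `# $EXEC re-evaluates its argument as a command line; $TAG is safe to interpolate because only the literal words in the case patterns reach it`. The `os|docker|firewall|ssh)` arm now mirrors the `tags:` added in roles/os_config/tasks/main.yml and has to be kept in step by hand, which deserves a second comment such as `# keep in sync with the tags declared under roles/*/tasks/main.yml`. The case statement continues past the end of the hunk.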
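Review bot: `version: 2023.05.0` is an unquoted plain scalar that only stays a string because it has two dots; a neighbouring tag such as `2023.10` would be read as the float `2023.1` and render a non-existent image tag. Quote it, `version: "2023.05.0"`, matching the quoted `volume:` value beside it. Minor naming point: the service key is `pihole` while the directory, network and container are `pi-hole`; either spelling is fine, but one of them would make the values grep together.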
@@ -0,0 +1,41 @@
+# vim: ft=yaml.ansible
+---
+- name: Create Pi-hole volume directories
+ ansible.builtin.file:
+ name: "{{ services.pihole.volume }}/{{ dir }}"
+ owner: root
+ mode: u=rwx,g=rx,o=rx
+ state: directory
+ loop:
+ - pihole
+ - dnsmasq.d
+ loop_control:
+ loop_var: dir
+
+- name: Create Docker network for Pi-hole
+ community.docker.docker_network:
+ name: pi-hole
+ state: present
+
+- name: Deploy Pi-hole Docker container
+ community.docker.docker_container:
+ name: pi-hole
+ state: "{{ 'absent' if stop is defined and stop else 'started' }}"
+ restart: "{{ stop is undefined or not stop }}"
+ image: pihole/pihole:{{ services.pihole.version }}
+ restart_policy: always
+ default_host_ip: ''
+ networks:
+ - name: pi-hole
+ env:
+ DNSMASQ_LISTENING: all
+ TZ: "{{ timezone }}"
+ volumes:
+ - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
+ - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
+ published_ports:
+ - 53:53/tcp
+ - 53:53/udo
+ - 81:80/tcp
+ capabilities:
+ - net_admin
diff --git a/roles/os_config/tasks/firewall.yml b/roles/os_config/tasks/firewall.yml
index 53d5ea6..9e02edd 100644
--- a/roles/os_config/tasks/firewall.yml
+++ b/roles/os_config/tasks/firewall.yml
@@ -7,7 +7,12 @@
 proto: "{{ item.proto | default('tcp') }}"
 loop:
 - port: '22' # SSH
+ - port: '53' # Pi-hole
+ proto: tcp
+ - port: '53' # Pi-hole
+ proto: udp
 - port: '80' # HTTP
+ - port: '81' # Pi-hole
 - port: '443' # HTTPS
 - port: '18080' # monerod P2P
 - port: '18089' # monerod RPC
diff --git a/roles/os_config/tasks/main.yml b/roles/os_config/tasks/main.yml
index 43d76a0..e1bab68 100644
--- a/roles/os_config/tasks/main.yml
+++ b/roles/os_config/tasks/main.yml
@@ -15,9 +15,13 @@
 - name: Configure firewall
 ansible.builtin.import_tasks: firewall.yml
+ tags:
+ - firewall
 - name: Configure SSH
 ansible.builtin.import_tasks: ssh.yml
+ tags:
+ - ssh
 - name: Configure disks
 ansible.builtin.import_tasks: disks.yml
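Review bot: `- 53:53/udo` under `published_ports` is a typo for `udp`, so the UDP listener — the transport DNS clients try first — is never published and the module will most likely reject the entry outright; the three entries should read `- "53:53/tcp"`, `- "53:53/udp"`, `- "81:80/tcp"`, quoted because a bare `53:53` becomes a YAML 1.1 sexagesimal integer the moment a `/proto` suffix is omitted. With `default_host_ip: ''` these bindings attach to every host interface, and together with `DNSMASQ_LISTENING: all`, which lets dnsmasq answer queries from any origin, a host whose firewall (see the firewall.yml hunk below) also admits 53/tcp, 53/udp and 81/tcp from anywhere becomes an open recursive resolver plus an HTTP-only admin UI reachable from the internet. If clients are meant to reach Pi-hole over the WireGuard service defined alongside it, prefix each binding with that interface's address, e.g. `- "<VPN_HOST_IP>:53:53/udp"` (placeholder), or serve the UI through whatever already fronts 80/443 on this host. `capabilities: - net_admin` is only needed when Pi-hole also acts as the DHCP server and can otherwise be dropped as least privilege.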
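Review bot: The new `'53'` and `'81'` items carry no source restriction, so if the enclosing task (its header lies above this hunk) is `community.general.ufw`, as the `port`/`proto` keys suggest, the rules admit a DNS resolver and the Pi-hole admin UI from every peer the host is reachable from; scoping each Pi-hole item to the tunnel range — a `src`/`from_ip` field on the item, plumbed through the task header the same way `proto` is, with a value like `"<VPN_SUBNET_CIDR>"` (placeholder) — would keep them tunnel-only. Traffic to Docker-published ports is also DNAT'ed and forwarded through Docker's own iptables chains rather than delivered via the host INPUT chain that ufw filters, so these entries document intent but do not by themselves gate access to the container; the bind address chosen in pihole.yml does. The explicit `proto: tcp` on the first 53 entry restates the `default('tcp')` and could be dropped for brevity.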