Add Unbound for Pi-hole DoT forwarding

roles/docker_services/defaults/main.yml

@@ -35,6 +35,7 @@ services:
   pihole:
     volume: "{{ base_volume }}/pi-hole"
     version: 2023.05.0
+    unbound_version: latest
 
   wireguard:
     domain: wg01.vpn.{{ base_domain }}

roles/docker_services/files/pihole/forward-records.conf

@@ -0,0 +1,8 @@
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+    forward-no-cache: yes
+    forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
+    forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk
+    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
+    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk

roles/docker_services/tasks/services/pihole.yml

@@ -1,41 +1,68 @@
 # vim: ft=yaml.ansible
 ---
-- name: Create Pi-hole volume directories
+- name: Create Pi-hole volume base directory
+  ansible.builtin.file:
+    name: "{{ services.pihole.volume }}"
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+
+- name: Create Pi-hole volume directory pihole
+  ansible.builtin.file:
+    name: "{{ services.pihole.volume }}/pihole"
+    owner: '999'
+    group: '1000'
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+
+- name: Create other Pi-hole volume directories
   ansible.builtin.file:
     name: "{{ services.pihole.volume }}/{{ dir }}"
     owner: root
     mode: u=rwx,g=rx,o=rx
     state: directory
   loop:
-    - pihole
     - dnsmasq.d
+    - unbound
   loop_control:
     loop_var: dir
 
-- name: Create Docker network for Pi-hole
+- name: Copy forward-records.conf for Unbound
-  community.docker.docker_network:
+  ansible.builtin.copy:
-    name: pi-hole
+    src: pihole/forward-records.conf
-    state: present
+    dest: "{{ services.pihole.volume }}/unbound/forward-records.conf"
+    owner: root
+    mode: u=rw,g=r,o=r
 
-- name: Deploy Pi-hole Docker container
+- name: Deploy Pi-hole with Docker Compose
-  community.docker.docker_container:
+  community.docker.docker_compose:
-    name: pi-hole
+    project_name: pihole
-    state: "{{ 'absent' if stop is defined and stop else 'started' }}"
+    state: "{{ 'absent' if stop is defined and stop else 'present' }}"
-    restart: "{{ stop is undefined or not stop }}"
+    restarted: "{{ stop is undefined or not stop }}"
-    image: pihole/pihole:{{ services.pihole.version }}
+    pull: true
-    restart_policy: always
+    definition:
-    default_host_ip: ''
+      version: '3.8'
-    networks:
+
-      - name: pi-hole
+      services:
-    env:
+        app:
-      DNSMASQ_LISTENING: all
+          image: pihole/pihole:{{ services.pihole.version }}
-      TZ: "{{ timezone }}"
+          restart: always
-    volumes:
+          environment:
-      - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
+            DNSMASQ_LISTENING: all
-      - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
+            PIHOLE_DNS_: unbound
-    published_ports:
+            TZ: "{{ timezone }}"
-      - 53:53/tcp
+          volumes:
-      - 53:53/udp
+            - "{{ services.pihole.volume }}/pihole:/etc/pihole:rw"
-      - 81:80/tcp
+            - "{{ services.pihole.volume }}/dnsmasq.d:/etc/dnsmasq.d:rw"
-    capabilities:
+          ports:
-      - net_admin
+            - 53:53/tcp
+            - 53:53/udp
+            - 81:80/tcp
+          cap_add:
+            - net_admin
+
+        unbound:
+          image: mvance/unbound-rpi:{{ services.pihole.unbound_version }}
+          restart: always
+          volumes:
+            - "{{ services.pihole.volume }}/unbound/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro"