From 6364edd132eedea3fd445ddd0b661d6fe486a194 Mon Sep 17 00:00:00 2001 From: Morten Amundsen Date: Fri, 20 Dec 2024 16:19:45 +0100 Subject: [PATCH] feat: set DNS for containers (#26) * vars: set vars for container DNS * task(pihole): add task to include pihole in DNS list var * task: set pihole as the first deployment task * template: add option for DNS server for containers * ci(molecule): override DNS server list for containers --- defaults/main/main.yml | 9 +++++++++ molecule/default/converge.yml | 3 +++ tasks/deploy_pihole.yml | 19 +++++++++++++++++++ tasks/main.yml | 10 +++++----- templates/compose/authentik.yml.j2 | 12 ++++++++++++ templates/compose/godns.yml.j2 | 3 +++ templates/compose/graylog.yml.j2 | 9 +++++++++ templates/compose/uptimekuma.yml.j2 | 3 +++ templates/compose/vaultwarden.yml.j2 | 3 +++ 9 files changed, 66 insertions(+), 5 deletions(-) diff --git a/defaults/main/main.yml b/defaults/main/main.yml index de03f08..f4f0a94 100644 --- a/defaults/main/main.yml +++ b/defaults/main/main.yml @@ -15,6 +15,10 @@ infra_tz: Etc/UTC infra_domain: "{{ svc_domain }}" # Domain name, external infra_domain_ext: ~ +# Whether to override the DNS for containers (does not apply to wireguard, unifi, pihole, and unbound) +infra_containers_override_dns: true +# Whether to use pihole as DNS for other containers (requires 'infra_use_pihole' and 'infra_containers_override_dns' to be true) +infra_containers_use_pihole_dns: true ### Directories ### # Manage directories @@ -32,6 +36,11 @@ infra_file_mode: 640 infra_restart_policy: always # Max. wait time for compose deployment infra_compose_wait_timeout: 120 +# DNS servers to use for containers (does not apply to wireguard, unifi, pihole, and unbound). Requires 'infra_containers_override_dns' to be true +infra_container_dns_servers: + - "{{ ansible_host }}" + - 1.1.1.1 + - 1.0.0.1 ### Services ### # Configure Graylog diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index d5feff3..1ead7e6 100644 
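Review bot: The default `infra_container_dns_servers` puts `"{{ ansible_host }}"` first, but Docker's `dns:` option accepts only IP addresses, so an inventory where `ansible_host` is a hostname or alias (the situation the molecule override comment seems to be working around) will make every patched compose stack fail to start rather than fail over. Either document the constraint next to the variable, e.g. `# First entry must be an IP address: Docker's 'dns:' option rejects hostnames`, or default to an address fact rather than the inventory host value. Also worth a comment beside the two Cloudflare entries: Docker's resolver walks the list in order and moves on when a server times out, so a pihole or host outage silently sends container lookups to 1.1.1.1/1.0.0.1 unfiltered — they are an unfiltered fallback, not a second pihole, and readers should see that tradeoff stated.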
--- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -12,6 +12,9 @@ infra_use_graylog: false # skip testing due to GH actions space constraint infra_use_authentik: false # skip testing due to GH actions space constraint infra_use_unifi: true + infra_container_dns_servers: # override to remove '{{ ansible_host }}' for GH actions runner + - 1.1.1.1 + - 1.0.0.1 pre_tasks: - name: Update package repository cache diff --git a/tasks/deploy_pihole.yml b/tasks/deploy_pihole.yml index ac6e1b9..0bb3c15 100644 --- a/tasks/deploy_pihole.yml +++ b/tasks/deploy_pihole.yml @@ -167,4 +167,23 @@ ansible.builtin.file: path: "{{ infra_pihole_dnsmasq_edns_conf_file_path }}" state: absent + +- name: Add Pihole to the container DNS server list + when: infra_containers_use_pihole_dns and infra_use_pihole + block: + - name: Get pihole container settings + block: + - name: Query for pihole container + community.docker.docker_container_info: + name: "{{ infra_pihole_service_name }}" + register: pihole_container_output + + - name: Set pihole container IP fact + ansible.builtin.set_fact: + pihole_container_ip: "{{ pihole_container_output.container.NetworkSettings.Networks[svc_docker_network_name].IPAddress }}" + + - name: Update the DNS server variable to include pihole + when: pihole_container_ip is defined + ansible.builtin.set_fact: + infra_container_dns_servers: "{{ [pihole_container_ip] + infra_container_dns_servers }}" ... diff --git a/tasks/main.yml b/tasks/main.yml index c4cb03b..d273c43 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
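Review bot: The address read from `NetworkSettings.Networks[svc_docker_network_name].IPAddress` is whatever Docker assigned at inspection time; it is baked into the other stacks' compose files when they are rendered and goes stale as soon as the pihole container is recreated, after which Docker's resolver silently falls over to the remaining entries (host IP, then the public resolvers) and pihole filtering is bypassed without any error. Pinning pihole with a fixed `ipv4_address` on that network and reading that variable here instead of inspecting the container would remove the drift; the pihole compose/deploy task is outside this hunk, so I cannot see whether it already does. The `when: pihole_container_ip is defined` guard on the last task is always true because the preceding `set_fact` just defined it; the case that can actually fail is a missing container, which `docker_container_info` reports as `exists: false` rather than an error and which then makes the `.container.NetworkSettings` access blow up, so the guard belongs on the fact-setting task: `when: pihole_container_output.exists`. The inner `block:` with no `rescue:`/`always:` adds nothing and could be flattened.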
@@ -8,16 +8,16 @@ ansible.builtin.import_tasks: directories.yml when: infra_manage_directories -# Manage graylog deployment -- name: Include 'graylog' tasks - ansible.builtin.import_tasks: deploy_graylog.yml - when: infra_use_graylog - # Manage pihole deployment - name: Include 'pihole' tasks ansible.builtin.import_tasks: deploy_pihole.yml when: infra_use_pihole +# Manage graylog deployment +- name: Include 'graylog' tasks + ansible.builtin.import_tasks: deploy_graylog.yml + when: infra_use_graylog + # Manage unifi deployment - name: Include 'unifi' tasks ansible.builtin.import_tasks: deploy_unifi.yml diff --git a/templates/compose/authentik.yml.j2 b/templates/compose/authentik.yml.j2 index b7533f9..5d6b2b1 100644 --- a/templates/compose/authentik.yml.j2 +++ b/templates/compose/authentik.yml.j2 @@ -13,6 +13,9 @@ services: mem_limit: {{ infra_authentik_redis_container_memory }} networks: - default +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} command: --save 60 1 --loglevel warning healthcheck: test: ["CMD-SHELL", "redis-cli ping | grep PONG"] @@ -37,6 +40,9 @@ services: mem_limit: {{ infra_authentik_db_container_memory }} networks: - default +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} healthcheck: test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] start_period: 20s @@ -72,6 +78,9 @@ services: networks: - default - {{ svc_docker_network_name }} +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} depends_on: - {{ infra_authentik_redis_service_name }} - {{ infra_authentik_db_service_name }} @@ -93,6 +102,9 @@ services: mem_limit: {{ infra_authentik_worker_container_memory }} networks: - default +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} depends_on: - {{ infra_authentik_redis_service_name }} - {{ infra_authentik_db_service_name }} 
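Review bot: The new ordering is a hard dependency — `deploy_pihole.yml` rewrites `infra_container_dns_servers` with `set_fact` and every compose template rendered after it consumes that value — but the hunk records nothing about why pihole now comes first, so a later reorder would silently drop pihole from every other container's DNS list. Replace the bare `# Manage pihole deployment` comment with one that states the constraint: `# Manage pihole deployment. Must run before the other services: it prepends the pihole container IP to 'infra_container_dns_servers' (set_fact), which their compose templates consume.` Since `set_fact` takes precedence over role defaults and inventory/play vars, a user's own `infra_container_dns_servers` is prepended to rather than replaced, which is probably intended but deserves a sentence in the defaults comment as well.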
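Review bot: `dns: {{ infra_container_dns_servers }}` relies on Jinja's default rendering of a list, i.e. a Python repr such as `['10.0.0.5', '1.1.1.1', '1.0.0.1']`, which YAML happens to accept as a flow sequence; `dns: {{ infra_container_dns_servers | to_json }}` yields the same shape deliberately and stays valid if an entry ever contains a quote or is not a string. Separately, this redis service sits only on `default`, as does the db service in the next hunk; if pihole is attached only to `{{ svc_docker_network_name }}` (its compose file is not in this diff) the pihole address is unreachable from these containers, so any external lookup they attempt waits for a resolver timeout before Docker falls over to the public entries — confirm, and consider applying the override only to services that share a network with pihole or genuinely need external resolution. The same two points apply to the other three authentik hunks on this line.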
diff --git a/templates/compose/godns.yml.j2 b/templates/compose/godns.yml.j2 index 53131f5..f92e4b8 100644 --- a/templates/compose/godns.yml.j2 +++ b/templates/compose/godns.yml.j2 @@ -14,6 +14,9 @@ services: mem_limit: {{ infra_godns_container_memory }} networks: {{ svc_docker_network_name }}: +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} networks: {{ svc_docker_network_name }}: diff --git a/templates/compose/graylog.yml.j2 b/templates/compose/graylog.yml.j2 index 96221e7..e58e64e 100644 --- a/templates/compose/graylog.yml.j2 +++ b/templates/compose/graylog.yml.j2 @@ -17,6 +17,9 @@ services: mem_limit: {{ infra_graylog_db_container_memory }} networks: - default +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} group_add: - {{ infra_group_gid }} @@ -35,6 +38,9 @@ services: mem_limit: {{ infra_graylog_opensearch_container_memory }} networks: - default +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} ulimits: memlock: soft: {{ infra_graylog_opensearch_ulimits_memlock_soft }} @@ -74,6 +80,9 @@ services: networks: - default - {{ svc_docker_network_name }} +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} depends_on: - {{ infra_graylog_db_service_name }} - {{ infra_graylog_opensearch_service_name }} diff --git a/templates/compose/uptimekuma.yml.j2 b/templates/compose/uptimekuma.yml.j2 index 01d86e8..49d7841 100644 --- a/templates/compose/uptimekuma.yml.j2 +++ b/templates/compose/uptimekuma.yml.j2 @@ -23,6 +23,9 @@ services: traefik.http.routers.{{ infra_uptimekuma_service_name }}-rtr.middlewares: lan-mwr@file networks: {{ svc_docker_network_name }}: +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} volumes: {{ infra_uptimekuma_volume_name_data }}: 
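Review bot: The mongo and opensearch services in the first two graylog hunks are on the isolated `default` network and show no need for external name resolution, yet they receive the same `dns:` list as the graylog server that sits on `{{ svc_docker_network_name }}`; if pihole is reachable only on that second network (its definition is not in this diff) the first entry is dead for them, and each lookup they do make becomes a timeout followed by a silent fallback to the public resolvers. Scoping the override to the services that face outward — for instance guarding the internal ones with a per-service flag such as `{% if infra_containers_override_dns and infra_graylog_override_dns %}` — keeps internal containers on Docker's embedded resolver; hedged, since I cannot see the network definitions. The `dns: {{ infra_container_dns_servers }}` expression in all of these hunks would also be safer as `{{ infra_container_dns_servers | to_json }}`, which renders a proper YAML flow sequence instead of relying on the Python list repr being parseable.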
diff --git a/templates/compose/vaultwarden.yml.j2 b/templates/compose/vaultwarden.yml.j2 index beea88a..0331ca6 100644 --- a/templates/compose/vaultwarden.yml.j2 +++ b/templates/compose/vaultwarden.yml.j2 @@ -23,6 +23,9 @@ services: traefik.http.routers.{{ infra_vaultwarden_service_name }}-rtr.middlewares: lan-mwr@file networks: {{ svc_docker_network_name }}: +{% if infra_containers_override_dns %} + dns: {{ infra_container_dns_servers }} +{% endif %} volumes: {{ infra_vaultwarden_volume_name_data }}: