feat(wireguard): use pihole for dns (#24)

fix(wireguard): resolve initial deployment connectivity issue
netr0m · Aug 11, 2024 · abf527e · abf527e
1 parent 8e14e41
commit abf527e
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 6 deletions.
diff --git a/defaults/main/wireguard.yml b/defaults/main/wireguard.yml
@@ -16,13 +16,16 @@ infra_wireguard_ui_session_secret_name: "wgui_session_secret"
 infra_wireguard_ui_password_name: "wg_ui_admin_password"
 
 ## Wireguard settings
-# Peers to create. Can also be created manually in the UI. See https://github.com/linuxserver/docker-wireguard#parameters
-infra_wireguard_peers: []
+# Peers to create. Can also be created manually in the UI. See https://github.com/linuxserver/docker-wireguard#parameters.
+# NB: Must contain at least one peer to start wireguard in server mode.
+#   Otherwise, you must reboot the wireguard container after generating (and applying) clients in the wireguard UI.
+infra_wireguard_peers:
+  - autogen
   # - laptop
   # - desktop
   # - phone
 # Comma-separated list of CIDR ranges to use for the AllowedIPs field
-infra_wireguard_allowed_ips: '0.0.0.0/0, ::0/0'
+infra_wireguard_allowed_ips: '0.0.0.0/0'
 # Internal subnet for wireguard
 infra_wireguard_internal_subnet: 10.13.13.0
 # Host port to use for the wireguard VPN
@@ -89,11 +92,13 @@ infra_wireguard_ui_restart_policy: "{{ infra_restart_policy }}"
 infra_wireguard_container_memory: 1g
 # Memory limit for the wireguard-ui container
 infra_wireguard_ui_container_memory: 1g
-# DNS servers to use for the wireguard Docker container
+# DNS servers to use for the wireguard Docker container.
 infra_wireguard_container_dns_servers:
   - "{{ ansible_host }}"
   - 1.1.1.1
   - 1.0.0.1
+# Whether to use Pihole for Wireguard DNS. Requires 'infra_use_pihole' to be true
+infra_wireguard_use_pihole_dns: "{{ infra_use_pihole }}"
 
 ## Docker volume configs
 # Name of the config files' Docker volume

diff --git a/tasks/deploy_wireguard.yml b/tasks/deploy_wireguard.yml
@@ -7,6 +7,25 @@
     group: "{{ infra_wireguard_directory_group }}"
     mode: "{{ infra_wireguard_directory_mode }}"
 
+- name: Add Pihole as a DNS server for wireguard
+  when: infra_wireguard_use_pihole_dns and infra_use_pihole
+  block:
+    - name: Get pihole container settings
+      block:
+        - name: Query for pihole container
+          community.docker.docker_container_info:
+            name: "{{ infra_pihole_service_name }}"
+          register: pihole_container_output
+
+        - name: Set pihole container IP fact
+          ansible.builtin.set_fact:
+            pihole_container_ip: "{{ pihole_container_output.container.NetworkSettings.Networks[svc_docker_network_name].IPAddress }}"
+
+    - name: Update the DNS server variable to include pihole
+      when: pihole_container_ip is defined
+      ansible.builtin.set_fact:
+        infra_wireguard_dns_servers: "{{ [pihole_container_ip] + infra_wireguard_container_dns_servers }}"
+
 - name: Manage service files
   block:
     - name: Write session-secret secret to file

diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2
@@ -13,14 +13,17 @@ services:
       - {{ infra_wireguard_volume_name_config }}:/config
       - /lib/modules:/lib/modules
     mem_limit: {{ infra_wireguard_container_memory }}
+    networks:
+      - {{ svc_docker_network_name }}
     ports:
       - {{ infra_wireguard_port_vpn }}:{{ infra_wireguard_port_vpn }}/udp
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
     sysctls:
       net.ipv4.ip_forward: '1'
-    dns: {{ infra_wireguard_container_dns_servers }}
+      net.ipv4.conf.all.src_valid_mark: '1'
+    dns: {{ infra_wireguard_dns_servers }}
 
 {% if infra_use_wireguard_ui %}
   {{ infra_wireguard_ui_service_name }}:
@@ -64,6 +67,10 @@ volumes:
     labels: {{ infra_wireguard_volume_labels | combine(infra_docker_volume_shared_labels) }}
 {% endif %}
 
+networks:
+  {{ svc_docker_network_name }}:
+    external: 'true'
+
 secrets:
   {{ infra_wireguard_ui_session_secret_name }}:
     file: {{ infra_wireguard_ui_session_secret_file_path }}

diff --git a/vars/main/wireguard.yml b/vars/main/wireguard.yml
@@ -10,6 +10,8 @@ _wg_interface: "{{ _wg_subnet_split[:3] + ['1'] }}"
 wg_interface_addr: "{{ _wg_interface | join('.') }}"
 # Convert to CIDR range, i.e. '10.13.13.1' => '10.13.13.1/24'. Needed due to mismatching default in wireguard-ui
 wg_interface_cidr: "{{ wg_interface_addr }}/24"
+# Placeholder for wireguard DNS settings
+infra_wireguard_dns_servers: "{{ infra_wireguard_container_dns_servers }}"
 
 # Environment variables for the Wireguard container.
 infra_wireguard_env_vars:
@@ -35,7 +37,7 @@ infra_wireguard_ui_env_vars:
   WGUI_SERVER_INTERFACE_ADDRESSES: "{{ wg_interface_cidr }}"
   WGUI_DEFAULT_CLIENT_ALLOWED_IPS: "{{ infra_wireguard_allowed_ips }}"
   SUBNET_RANGES: "Internal:{{ infra_wireguard_internal_subnet }}/24"
-  WGUI_DNS: "{{ ([wg_interface_addr] + infra_wireguard_container_dns_servers) | join(',') }}"
+  WGUI_DNS: "{{ infra_wireguard_dns_servers | join(',') }}"
   WGUI_USERNAME: "{{ infra_wireguard_ui_username }}"
   WGUI_PASSWORD: "{{ infra_wireguard_ui_password }}"
   WGUI_MANAGE_START: "{{ infra_wireguard_ui_manage_wireguard }}"