fix(pihole): resolve network issues with unbound
netr0m committed Aug 2, 2024
1 parent 0a94388 commit d5d0603
Showing 7 changed files with 34 additions and 30 deletions.
12 changes: 11 additions & 1 deletion defaults/main/pihole.yml
Expand Up @@ -28,6 +28,12 @@ infra_pihole_directory_group: "{{ infra_directory_group }}"
infra_pihole_directory_mode: "{{ infra_directory_mode }}"
# pihole dnsmasq.d directory path
infra_pihole_dnsmasq_d_directory_path: "{{ infra_pihole_directory_path }}/dnsmasq.d"
# pihole dnsmasq.d directory user ownership
infra_pihole_dnsmasq_d_directory_owner: root
# pihole dnsmasq.d directory group ownership
infra_pihole_dnsmasq_d_directory_group: root
# pihole dnsmasq.d directory mode
infra_pihole_dnsmasq_d_directory_mode: "0755"

## File paths
# File mode
Expand All @@ -44,8 +50,12 @@ infra_pihole_env_file_mode: "0600"
infra_pihole_secret_file_mode: "0600"
# dnsmasq edns config file path
infra_pihole_dnsmasq_edns_conf_file_path: "{{ infra_pihole_dnsmasq_d_directory_path }}/99-edns.conf"
# Permissions (user) for the pihole-dnsmasq EDNS config file (user inside the container)
infra_pihole_dnsmasq_edns_conf_file_owner: "{{ infra_pihole_dnsmasq_d_directory_owner }}"
# Permissions (group) for the pihole-dnsmasq EDNS config file (group inside the container)
infra_pihole_dnsmasq_edns_conf_file_group: "{{ infra_pihole_dnsmasq_d_directory_group }}"
# Permissions (mode) for the dnsmasq edns conf file (as an octal)
infra_pihole_dnsmasq_edns_conf_file_mode: "0644"
infra_pihole_dnsmasq_edns_conf_file_mode: "0664"

## Docker service configs
# Name of the pihole Docker service
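Review bot: `infra_pihole_dnsmasq_edns_conf_file_mode` is changed to `"0664"` in the second hunk, which makes a dnsmasq configuration file group-writable, while the new owner/group defaults in the first hunk are `root`/`root`; the extra write bit gains nothing in the default case and becomes a path to alter Pi-hole's resolver configuration as soon as a deployer overrides the group to one that a less-privileged or container-mapped account belongs to. Unless a specific process needs to write this file, `infra_pihole_dnsmasq_edns_conf_file_mode: "0644"` is the safer default and matches the `"0755"` chosen for the directory. Separately, the comments on the new owner/group keys say "user inside the container" / "group inside the container", but the sibling directory defaults are applied on the host path by `ansible.builtin.file` (see tasks/deploy_pihole.yml in this commit), and the file keys presumably are too; suggest `# Owner (host uid) of the pihole-dnsmasq EDNS config file` and `# Group (host gid) of the pihole-dnsmasq EDNS config file` so readers do not expect a container-side mapping.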
10 changes: 0 additions & 10 deletions defaults/main/unbound.yml
Expand Up @@ -72,14 +72,4 @@ infra_unbound_container_hostname: "{{ infra_unbound_service_name }}"
infra_unbound_restart_policy: "{{ infra_restart_policy }}"
# Memory limit for the unbound container
infra_unbound_container_memory: 2g

## Docker network configs
# IP address for the unbound Docker container
infra_unbound_docker_network_ip_address: 172.53.53.53
# Subnet for the unbound Docker network
infra_unbound_docker_network_subnet: 172.53.53.0/24
# Gateway IP for the unbound Docker network
infra_unbound_docker_network_gateway: 172.53.53.1
# IP range for the unbound Docker network
infra_unbound_docker_network_ip_range: "{{ infra_unbound_docker_network_subnet }}"
...
2 changes: 1 addition & 1 deletion tasks/deploy_graylog.yml
Expand Up @@ -30,7 +30,7 @@
mode: "{{ infra_graylog_secret_file_mode }}"
backup: true
vars:
_secret: "{{ infra_graylog_password_secret}}"
_secret: "{{ infra_graylog_password_secret }}"
register: graylog_password_secret_file_output

- name: Write graylog password sha2 (hash) secret to file
19 changes: 18 additions & 1 deletion tasks/deploy_pihole.yml
Expand Up @@ -7,6 +7,14 @@
group: "{{ infra_pihole_directory_group }}"
mode: "{{ infra_pihole_directory_mode }}"

- name: Ensure pihole dnsmasq.d directory is present
ansible.builtin.file:
path: "{{ infra_pihole_dnsmasq_d_directory_path }}"
state: directory
owner: "{{ infra_pihole_dnsmasq_d_directory_owner }}"
group: "{{ infra_pihole_dnsmasq_d_directory_group }}"
mode: "{{ infra_pihole_dnsmasq_d_directory_mode }}"

- name: Ensure unbound directory is present
ansible.builtin.file:
path: "{{ infra_unbound_directory_path }}"
Expand All @@ -19,6 +27,15 @@
- name: Manage unbound configuration
when: infra_use_unbound
block:
- name: Query for docker network details of '{{ svc_docker_network_name }}'
community.docker.docker_network_info:
name: "{{ svc_docker_network_name }}"
register: _svc_net_res

- name: Set svc_network_subnet fact
ansible.builtin.set_fact:
_svc_network_subnet: "{{ _svc_net_res.network.IPAM.Config[0].Subnet }}"

- name: Ensure unbound.conf.d subdirectory is present
ansible.builtin.file:
path: "{{ infra_unbound_conf_d_directory_path }}"
Expand Down Expand Up @@ -50,7 +67,7 @@
- name: Set DNS environment variable setting for pihole
ansible.builtin.set_fact:
infra_pihole_env_vars_dns:
PIHOLE_DNS_: "{{ infra_unbound_docker_network_ip_address }}#{{ infra_unbound_listening_port }}"
PIHOLE_DNS_: "{{ infra_unbound_service_name }}#{{ infra_unbound_listening_port }}"

- name: Manage service files
block:
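Review bot: The `Set svc_network_subnet fact` task in the second hunk indexes `_svc_net_res.network.IPAM.Config[0].Subnet` unconditionally; `community.docker.docker_network_info` does not fail when the network is absent (it returns `exists: false` and an empty `network`), so a missing or IPAM-less network makes this expression error on an undefined attribute rather than leaving `_svc_network_subnet` undefined, which means the `is defined` guard added to templates/etc/unbound/unbound.conf.d/pi-hole.conf.j2 in this commit can never take effect. Taking `Config[0]` also presumes the first IPAM entry is the IPv4 subnet; on a dual-stack network the ordering is not guaranteed. Suggest guarding the task with `when: _svc_net_res.exists | default(false) and (_svc_net_res.network.IPAM.Config | default([])) | length > 0` and, if IPv6-enabled networks are expected, selecting the entry by address family rather than position. The `Manage unbound configuration` block that contains these tasks continues outside the hunk.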
16 changes: 1 addition & 15 deletions templates/compose/pihole.yml.j2
Expand Up @@ -15,8 +15,7 @@ services:
- {{ infra_unbound_conf_d_directory_path }}:/opt/unbound/etc/unbound/unbound.conf.d
mem_limit: {{ infra_unbound_container_memory }}
networks:
unbound_net:
ipv4_address: {{ infra_unbound_docker_network_ip_address }}
- {{ svc_docker_network_name }}
cap_add:
- NET_ADMIN

Expand Down Expand Up @@ -62,9 +61,6 @@ services:
traefik.udp.services.pihole-dns-udp-svc.loadbalancer.server.port: "53"
traefik.udp.routers.pihole-dns-udp-rtr.service: pihole-dns-udp-svc
networks:
{% if infra_use_unbound %}
- unbound_net
{% endif %}
- {{ svc_docker_network_name }}
ports:
- {{ infra_pihole_port_dns }}:53/tcp
Expand All @@ -84,16 +80,6 @@ volumes:
labels: {{ infra_pihole_volume_labels | combine(infra_docker_volume_shared_labels) }}

networks:
{% if infra_use_unbound %}
unbound_net:
internal: true
ipam:
driver: default
config:
- subnet: {{ infra_unbound_docker_network_subnet }}
gateway: {{ infra_unbound_docker_network_gateway }}
ip_range: {{ infra_unbound_docker_network_ip_range }}
{% endif %}
{{ svc_docker_network_name }}:
external: 'true'

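Review bot: Removing `unbound_net` (which was `internal: true` and had only pihole and unbound as members) and attaching unbound to the shared `{{ svc_docker_network_name }}` network in the first and last hunks widens who can reach the resolver: every container on the shared network can now query unbound directly, and because that network is `external`, its own isolation settings are not visible in this repo; the only remaining control is the `access-control` line in templates/etc/unbound/unbound.conf.d/pi-hole.conf.j2, which this commit sets to the whole shared subnet. If the dedicated network was dropped only because of the fixed-address IPAM block, the isolation can be kept by retaining `unbound_net` without `ipam` and letting Docker's embedded DNS resolve the service name, which the new `PIHOLE_DNS_` value already relies on; the `docker_network_info` query in tasks/deploy_pihole.yml would then target `unbound_net` instead. I would at least add a comment on the top-level `networks:` stanza noting that unbound is now reachable from all services on the shared network and that access is bounded only by unbound's access-control list.

```yaml
# unbound service
    networks:
      - unbound_net
# … unchanged: cap_add …

# pihole service
    networks:
{% if infra_use_unbound %}
      - unbound_net
{% endif %}
      - {{ svc_docker_network_name }}
# … unchanged: ports …

# top-level networks: dedicated, host-isolated network for pihole <-> unbound;
# no static addresses, service names resolve via Docker's embedded DNS
networks:
{% if infra_use_unbound %}
  unbound_net:
    internal: true
{% endif %}
  {{ svc_docker_network_name }}:
    external: 'true'
```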
4 changes: 2 additions & 2 deletions templates/etc/unbound/unbound.conf.d/pi-hole.conf.j2
Expand Up @@ -7,8 +7,8 @@ server:
{% for _subnet in infra_unbound_access_control_allowed_subnets %}
access-control: {{ _subnet }} allow
{% endfor %}
{% if infra_unbound_docker_network_subnet is defined %}
access-control: {{ infra_unbound_docker_network_subnet }} allow
{% if _svc_network_subnet is defined %}
access-control: {{ _svc_network_subnet }} allow
{% endif %}
{% endif %}
port: {{ infra_unbound_listening_port }}
1 change: 1 addition & 0 deletions vars/main/pihole.yml
Expand Up @@ -7,6 +7,7 @@ infra_pihole_env_vars:
WEBPASSWORD_FILE: "/run/secrets/{{ infra_pihole_password_name }}"
VIRTUAL_HOST: "{{ infra_pihole_fqdn }}"
DNSMASQ_LISTENING: "{{ infra_pihole_dnsmasq_listening }}"
FTLCONF_LOCAL_IPV4: "{{ ansible_host }}"

# DNS environment variables placeholder for the Pihole container
infra_pihole_env_vars_dns: {}
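Review bot: `FTLCONF_LOCAL_IPV4: "{{ ansible_host }}"` feeds the inventory connection address into a setting that, by its name, expects an IPv4 literal; `ansible_host` is frequently a DNS name (and falls back to `inventory_hostname` when unset in the inventory), in which case Pi-hole would receive a hostname here. A fact-derived address is more likely to be what FTL expects, e.g. `FTLCONF_LOCAL_IPV4: "{{ ansible_default_ipv4.address | default(ansible_host) }}"`, with the caveat that `ansible_default_ipv4` requires fact gathering and may pick a different interface than the one Pi-hole is published on, so a dedicated role variable defaulting to that expression is probably the cleanest. A short comment above the line, `# IPv4 address Pi-hole reports as its own; must be an address literal`, would document the constraint.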