From 6b9c8197fa22b19d4c5969376b4d14ad29235ac5 Mon Sep 17 00:00:00 2001 From: Robert Pufky Date: Sun, 30 Jul 2023 22:01:58 -0700 Subject: [PATCH] Add FTL-DNS cofiguration support. Added: * FTL-DNS configuration is now managed. Changed: * Updated defaults to use YAML datatypes for setupVars.conf. This is backwards compatible with existing configurations. * added global pihole_disable_warning to disable warning pause when applying changes; allowing for consumers time to cancel role application if enabled to set updated configurations. * Separated configuration to three files: main, blocklist, ftl. Most users will Use main; more advanced will use blocklist, and very few will use ftl. * 'insert or ignore' migrated to 'insert or replace'; enabling management of the default blocklist (stevenblack); defaults updated to reflect this change. --- README.md | 32 +++ defaults/main/blocklist.yml | 114 +++++++++ defaults/main/ftl.yml | 443 +++++++++++++++++++++++++++++++++++ defaults/main/main.yml | 144 ++---------- tasks/install.yml | 27 +++ templates/pihole-FTL.conf.j2 | 78 ++++++ templates/setupVars.conf.j2 | 2 +- vars/main.yml | 14 +- 8 files changed, 719 insertions(+), 135 deletions(-) create mode 100644 defaults/main/blocklist.yml create mode 100644 defaults/main/ftl.yml create mode 100644 templates/pihole-FTL.conf.j2 diff --git a/README.md b/README.md index 754f414..f9095f0 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,10 @@ Settings have been throughly documented for usage. [defaults/main.yml](https://github.com/r-pufky/ansible_pihole/blob/main/defaults/main/main.yml). +[defaults/blocklist.yml](https://github.com/r-pufky/ansible_pihole/blob/main/defaults/main/blocklist.yml). + +[defaults/ftl.yml](https://github.com/r-pufky/ansible_pihole/blob/main/defaults/main/ftl.yml). + ### Ports All ports and protocols have been defined for the role. 
@@ -33,6 +37,10 @@ group_vars/pihole/vars/pihole.yml pihole_webpassword: '{{ vault_pihole_webpassword }}' pihole_ad_sources: + - id: 1 + address: 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts' + enabled: true + comment: 'Migrated from /etc/pihole/adlists.list' - id: 2 address: 'https://adaway.org/hosts.txt' enabled: true @@ -82,6 +90,30 @@ site.yml - 'r_pufky.pihole' ``` +## Versions + +**3.x: FTL Configuration Support** +* Add FTL-DNS configuration support. +* Standardize setupvars to YAML datatypes (no existing change required). +* Enable management of default adlist. + +Consumers who have set custom FTL settings should ensure they have set these in +*_vars before applying this version. See: + +[defaults/ftl.yml](https://github.com/r-pufky/ansible_pihole/blob/main/defaults/main/ftl.yml). + +**2.x: RedHat Support** +* Redhat support. This is best-effort support only. +* Conditional forwarding configuration support. +* Added ports.yml usage reference for data consumption. + +**1.x: Initial Release** +* Add support for updating pihole installation. +* Add DHCP configuration, CLI domain list management. +* Allow running in check_mode. +* Reconfigure pihole on configuration change (opposed to restart). +* Support for pihole CLI domain whitelist/blacklist management. + ## Issues Create a bug and provide as much information as possible. diff --git a/defaults/main/blocklist.yml b/defaults/main/blocklist.yml new file mode 100644 index 0000000..8164b93 --- /dev/null +++ b/defaults/main/blocklist.yml 
@@ -0,0 +1,114 @@
+---
+###############################################################################
+# Pi-Hole Adlist Table
+###############################################################################
+# Define Adlist sources for generating domain blocklists.
+#
+# pihole_ad_sources:
+# - id: int (unique id starting at 1)
+# address: str (URL for adlist)
+# enabled: bool (enable use)
+# comment: str (user comment)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/#adlist-table-adlist
+
+# Pi-Hole currently adds the stevenblack adlist when installing, as ID 1.
+pihole_ad_sources:
+ - id: 1
+ address: 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
+ enabled: true
+ comment: 'Migrated from /etc/pihole/adlists.list'
+
+###############################################################################
+# Pi-Hole Domain Blocklist Table
+###############################################################################
+# Define domain blocking behavior (whitelist, blacklist).
+#
+# pihole_domain_blocklists:
+# - id: int (unique id starting at 1)
+# type: int (0 = exact whitelist,
+# 1 = exact blacklist,
+# 2 = regex whitelist,
+# 3 = regex blacklist)
+# domain: str (domain)
+# enabled: bool (enable use)
+# comment: str (user comment)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/#domain-tables-domainlist
+
+pihole_domain_blocklists: []
+
+###############################################################################
+# Pi-Hole Clients Table
+###############################################################################
+# Define Pi-Hole clients.
+#
+# pihole_clients:
+# - id: int (unique id starting at 1)
+# ip: str (IPv4,IPv6,CIDR)
+# comment: str (user comment)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/#client-table-client
+
+pihole_clients: []
+
+###############################################################################
+# Pi-Hole Groups Table
+###############################################################################
+# Define Pi-Hole group management.
+#
+# pihole_groups:
+# - id: int (unique id starting at 1)
+# enabled: bool (enable use)
+# name: str (group name)
+# description: str (description)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/groups/#group-management
+
+pihole_groups: []
+
+###############################################################################
+# Pi-Hole Groups Adlist Table
+###############################################################################
+# Define Pi-Hole group adlist management.
+#
+# pihole_ad_groups_blocklist:
+# - adlist_id: int (existing adlist ID)
+# group_id: int (existing group ID)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/groups/
+
+pihole_ad_groups_blocklist: []
+
+###############################################################################
+# Pi-Hole Groups Clients Table
+###############################################################################
+# Define Pi-Hole group clients management.
+#
+# pihole_ad_groups_blocklist:
+# - client_id: int (existing client ID)
+# group_id: int (existing group ID)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/groups/
+
+pihole_client_groups_blocklist: []
+
+###############################################################################
+# Pi-Hole Groups Domain Blocklists Table
+###############################################################################
+# Define Pi-Hole group domain blocklists management.
+#
+# pihole_ad_groups_blocklist:
+# - domainlist_id: int (existing domain blocklist ID)
+# group_id: int (existing group ID)
+#
+# Reference:
+# * https://docs.pi-hole.net/database/gravity/groups/
+
+pihole_domain_groups_blocklist: []
diff --git a/defaults/main/ftl.yml b/defaults/main/ftl.yml
new file mode 100644
index 0000000..43a0dd5
--- /dev/null
+++ b/defaults/main/ftl.yml
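Review bot: The schema comments for the last two sections name the wrong variable: under "Pi-Hole Groups Clients Table" the example header reads `# pihole_ad_groups_blocklist:` but the key defined is `pihole_client_groups_blocklist`, and under "Pi-Hole Groups Domain Blocklists Table" the same `# pihole_ad_groups_blocklist:` header sits above `pihole_domain_groups_blocklist`. These lines were carried over verbatim from the text removed from defaults/main/main.yml, so this new file is the place to correct them to `# pihole_client_groups_blocklist:` and `# pihole_domain_groups_blocklist:`. Since the commit moves the adlist tasks to 'insert or replace', a consumer who overrides `pihole_ad_sources` without an `id: 1` entry presumably leaves the installer's StevenBlack row in place rather than removing it (the tasks are not in this chunk); the comment above `pihole_ad_sources` could say so, e.g. `# Keep an id: 1 entry to manage or disable the installer-added list.`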
@@ -0,0 +1,443 @@
+---
+###############################################################################
+# Pi-Hole pihole-FTL.conf
+###############################################################################
+# Customize FTL-DNS configuration for pihole. See reference for detailed
+# configuration information. These are more advanced options that most users
+# typically do not need to change.
+#
+# Reference:
+# * https://docs.pi-hole.net/ftldns/configfile/
+
+###############################################################################
+# DNS Settings
+###############################################################################
+
+# How should FTL reply to blocked queries?
+#
+# Datatype: string
+# Special case:
+# * null:
+# Blocked queries will be answered with the 'unspecified address' (0.0.0.0
+# or ::). The 'unspecified address' is a reserved IP address specified by
+# RFC3513 (default).
+# * ip-nodata-aaaa:
+# Blocked queries will be answered with the local IPv4 addresses of your
+# Pi-hole. Blocked AAAA queries will be answered with NODATA-IPV6 and
+# clients will only try to reach your Pi-hole over its static IPv4 address.
+# * ip:
+# Blocked queries will be answered with the local IP addresses of your
+# Pi-hole.
+# * nxdomain:
+# Blocked queries will be answered with an empty response (i.e., there
+# won't be an answer section) and status NXDOMAIN. A NXDOMAIN response
+# should indicate that there is no such domain to the client making the
+# query.
+# * nodata:
+# Blocked queries will be answered with an empty response (no answer
+# section) and status NODATA. A NODATA response indicates that the domain
+# exists, but there is no record for the requested query type.
+#
+# Reference:
+# * https://docs.pi-hole.net/ftldns/blockingmode/
+pihole_ftl_blockingmode: 'null'
+
+# Disable deep CNAME inspection? Might be beneficial for very low-end devices.
+pihole_ftl_cname_deep_inspect: true
+
+# Prevent SNI from being used to determine which websites users are visiting?
+#
+# Encrypted Server Name Indication (ESNI) prevents on-path observers, including
+# ISPs, coffee shop owners and firewalls, from intercepting the TLS Server Name
+# Indication (SNI) extension by encrypting it. This prevents the SNI from being
+# used to determine which websites users are visiting.
+#
+# Reference:
+# * https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-06
+pihole_ftl_block_esni: true
+
+# Overwrite the query source when client information is provided through EDNS0
+# client subnet (ECS) information?
+#
+# This allows Pi-hole to obtain client IPs even if they are hidden behind the
+# NAT of a router.
+#
+# Reference:
+# * https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940
+pihole_ftl_edns0_ecs: true
+
+# Control FTL's query rate-limiting.
+#
+# Rate-limited queries are answered with a REFUSED reply and not further
+# processed by FTL. The default settings for FTL's rate-limiting are to permit
+# no more than 1000 queries in 60 seconds. Both numbers can be customized
+# independently. It is important to note that rate-limiting is happening on a
+# per-client basis. Other clients can continue to use FTL while rate-limited
+# clients are short-circuited at the same time.
+#
+# Rate-limiting may be disabled altogether by setting RATE_LIMIT=0/0 (this
+# results in the same behavior as before FTL v5.7).
+#
+# Datatype: string
+# Special case:
+# * 0/0:
+# Disables rate rate-limiting.
+# * 1000/60:
+# Limit to 1000 queries every 60 seconds (default).
+# * {QUERIES}/{SECONDS}:
+# Limit max number of {QUERIES} per {SECEONDS}.
+pihole_ftl_rate_limit: '1000/60'
+
+# Use this address for responding to A queries. Default: '' (autodetect).
+pihole_ftl_local_ipv4: ''
+
+# Use this address for responding to AAAA queries. Default: '' (autodetect).
+pihole_ftl_local_ipv6: ''
+
+# Use this address for responding to blocked A queries.
+# Default: '' (autodetect).
+pihole_ftl_block_ipv4: ''
+
+# Use this address for responding to blocked AAAA queries.
+# Default: '' (autodetect).
+pihole_ftl_block_ipv6: ''
+
+# DROP|ALLOW|BLOCK|REFUSE
+
+# When gravity database is locked/busy, how should Pi-hole handle queries?
+#
+# Datatype: string
+# Special case:
+# * allow:
+# Allow all queries when the database is busy.
+# * block:
+# Block all queries when the database is busy. This uses the configured
+# pihole_ftl_blockingmode.
+# * refuse:
+# Refuse all queries which arrive while the database is busy. Despite
+# REFUSE sounding similar to DROP, it turned out that many clients will
+# just immediately retry, causing up to several thousands of queries per
+# second. This does not happen in DROP mode.
+# * drop:
+# Just drop the queries, i.e., never reply to them at all (default).
+pihole_ftl_reply_when_busy: 'drop'
+
+# Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of
+# use-application-dns.net to disable Firefox's automatic DNS-over-HTTP?
+#
+# Reference:
+# * https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
+pihole_ftl_mozilla_canary: true
+
+# FTL's internal TTL for blocked queries in seconds. Default: 2.
+pihole_ftl_block_ttl: 2
+
+# Should Pi-hole always reply with NXDOMAIN to A and AAAA queries of
+# mask.icloud.com and mask-h2.icloud.com to disable Apple's iCloud Private
+# Relay to prevent Apple devices from bypassing Pi-hole?
+#
+# Reference:
+# * https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
+pihole_ftl_block_icloud_pr: true
+
+###############################################################################
+# Statistics Settings
+###############################################################################
+
+# How many hours of queries should be imported from the database and logs?
+# Default: 24 (max 24).
+pihole_ftl_maxlogage: 24
+
+# Which privacy level to use?
+#
+# Datatype: int
+# Special case:
+# * 0:
+# Show everything (default).
+# * 1:
+# Hide domains as 'hidden'. Disables: Top Domains, Top Ads.
+# * 2:
+# Hide domains and clients as 0.0.0.0. Disables: Top Domains, Top Ads,
+# Top Clients, Clients over time.
+# * 3:
+# Anonymous mode (anonymize everything). Disables: Top Domains, Top Ads,
+# Top Clients, Clients over time, Query Log, Long-term database logging.
+#
+# Reference:
+# * https://docs.pi-hole.net/ftldns/privacylevels/
+pihole_ftl_privacylevel: 0
+
+# Should FTL ignore queries coming from the local machine?
+pihole_ftl_ignore_localhost: false
+
+# Should FTL analyze AAAA queries? This option is considered obsolete as will
+# be removed in the future.
+pihole_ftl_aaaa_query_analysis: true
+
+# Should FTL only analyze A and AAAA queries?
+pihole_ftl_analyze_only_a_and_aaaa: false
+
+# Should FTL analyze and include generated DNSSEC queries in the Query Log?
+pihole_ftl_show_dnssec: true
+
+###############################################################################
+# Other Settings
+###############################################################################
+
+# Listen only for local socket connections or permit all connections?
+#
+# Datatype: string
+# Special case:
+# * localonly:
+# Listen only for local socket connections only (default).
+# * all:
+# Permit all connections.
+pihole_ftl_socket_listening: 'localonly'
+
+# On which port should FTL be listening?
+pihole_ftl_port: 4711
+
+# Should FTL try to resolve IPv4 addresses to hostnames?
+pihole_ftl_resolve_ipv4: true
+
+# Should FTL try to resolve IPv6 addresses to hostnames?
+pihole_ftl_resolve_ipv6: true
+
+# How FTL will reply for address for which a local interface exists.
+#
+# Datatype: string
+# Special case:
+# * pi.hole:
+# Respond with pi.hole (default).
+# * hostname:
+# Serve the machine's global hostname.
+# * hostnamefqdn:
+# Serve the machine's global hostname as fully qualified domain by adding
+# the local suffix. If no local suffix has been defined, FTL appends the
+# local domain .no_fqdn_available. In this case you should either add
+# domain=whatever.com to a custom config file inside /etc/dnsmasq.d/ (to
+# set whatever.com as local domain) or use domain=# which will try to
+# derive the local domain from /etc/resolv.conf (or whatever is set with
+# resolv-file, when multiple search directives exist, the first one is
+# used).
+# * none:
+# Pi-hole will not respond automatically on PTR requests to local interface
+# addresses. Ensure pi.hole and/or hostname records exist elsewhere.
+pihole_ftl_pihole_ptr: 'pi.hole'
+
+# Wait specified number of seconds before trying to start the DNS revolver.
+#
+# During startup, in some configurations, network interfaces appear only late
+# during system startup and are not ready when FTL tries to bind to them. To
+# prevent delayed startup while the system is already running and FTL is
+# restarted, the delay only takes place within the first 180 seconds
+# (hard-coded) after booting.
+#
+# Datatype: int
+# Special case:
+# * 0:
+# No delay (default). Minimum value.
+# * 300:
+# Maximum value.
+pihole_ftl_delay_startup: 0
+
+# Set niceness of Pi-hole FTL.
+#
+# Defaults to -10 and can be disabled altogether by setting a value of -999.
+#
+# The nice value is an attribute that can be used to influence the CPU
+# scheduler to favor or disfavor a process in scheduling decisions. The range
+# of the nice value varies across UNIX systems. On modern Linux, the range is
+# -20 (high priority = not very nice to other processes) to +19 (low priority).
+#
+# Datatype: int
+# Special case:
+# * -999:
+# Disable niceness. Minimum value.
+# * -10:
+# Default niceness (default).
+#
+# Reference:
+# * https://en.wikipedia.org/wiki/Nice_(Unix)
+pihole_ftl_nice: -10
+
+# Remove IP addresses (and associated host names) older than the specified
+# number of days to avoid dead entries in the network overview table.
+#
+# Default: same as 'pihole_ftl_maxdbdays'.
+pihole_ftl_maxnetage: 365
+
+# Should FTL use the fallback option to try to obtain client names from
+# checking the network table?
+pihole_ftl_names_from_netdb: true
+
+# How hourly PTR refresh lookups are handled.
+# Datatype: string
+# Special case:
+# * ipv4:
+# Do the hourly PTR lookups only for IPv4 addresses (default).
+# * all:
+# Do the hourly PTR lookups for all addresses.
+# * unknown:
+# Only resolve unknown hostnames. Already existing hostnames are never
+# refreshed.
+# * none:
+# Don't do any hourly PTR lookups. Lookup host names up exactly once (when
+# we first see a client) and never again. May miss future hostname changes.
+pihole_ftl_refresh_hostnames: 'ipv4'
+
+# Parse ARP cache?
+pihole_ftl_parse_arp_cache: true
+
+# Check and warn when system load is high?
+#
+# FTL warns about excessive load when the 15 minute system load average exceeds
+# the number of cores.
+pihole_ftl_check_load: true
+
+# Warn if shared memory usage exceeds given percentage.
+#
+# FTL stores history in shared memory to allow inter-process communication with
+# forked dedicated TCP workers. If FTL runs out of memory, it cannot continue
+# to work as queries cannot be analyzed any further. Hence, FTL checks if
+# enough shared memory is available on your system and warns you if this is not
+# the case.
+#
+# Datatype: int
+# Special case:
+# * 0:
+# Disables warning. Minimum value.
+# * 90:
+# Warn when shared memory is 90%+ (default).
+# * 100:
+# Warn when shared memroy is full. Maxmimum value.
+pihole_ftl_check_shmem: 90
+
+# Warn if disk usage holding any crucial file exceeds percentage.
+#
+# FTL stores its long-term history in a database file on disk and log files.
+#
+# Datatype: int
+# Special case:
+# * 0:
+# Disables warning. Minimum value.
+# * 90:
+# Warn when disk usage is 90%+ (default).
+# * 100:
+# Warn when disk is full. Maxmimum value.
+pihole_ftl_check_disk: 90
+
+###############################################################################
+# Database Settings
+###############################################################################
+
+# Load DB information on startup?
+pihole_ftl_dbimport: true
+
+# How long should queries be stored in the database? 0 disables. Default: 365.
+pihole_ftl_maxdbdays: 365
+
+# How often do we write queries to FTL's database in minutes?
+pihole_ftl_dbinterval: 1
+
+# Database location on disk. Empty disables.
+pihole_ftl_dbfile: '/etc/pihole/pihole-FTL.db'
+
+###############################################################################
+# File Settings
+###############################################################################
+
+# Location of log file.
+pihole_ftl_logfile: '/var/log/pihole/FTL.log'
+
+# Location of pid file.
+pihole_ftl_pidfile: '/run/pihole-FTL.pid'
+
+# Location FTL socket listener.
+pihole_ftl_socketfile: '/run/pihole/FTL.sock'
+
+# Location of setupVars.conf file.
+pihole_ftl_setupvarsfile: '/etc/pihole/setupVars.conf'
+
+# Location of MAC -> Vendor mapping.
+pihole_ftl_macvendordb: '/etc/pihole/macvendor.db'
+
+# Location of SQLite3 gravity database.
+pihole_ftl_gravitydb: '/etc/pihole/gravity.db'
+
+###############################################################################
+# Debug Settings
+###############################################################################
+
+# Enable all debug flags. All other debug options are ignored if set.
+pihole_ftl_debug_all: false
+
+# Enable database debugging.
+pihole_ftl_debug_database: false
+
+# Enable network debugging.
+pihole_ftl_debug_networking: false
+
+# Enable EDNS0 debugging.
+pihole_ftl_debug_edns0: false
+
+# Enable shared memory lock debugging.
+pihole_ftl_debug_locks: false
+
+# Enable extensive query debugging.
+pihole_ftl_debug_queries: false
+
+# Enable DNS flag debugging.
+pihole_ftl_debug_flags: false
+
+# Enable shared memory buffer debugging.
+pihole_ftl_debug_shmem: false
+
+# Enable garbage collector debugging.
+pihole_ftl_debug_gc: false
+
+# Enable ARP debugging.
+pihole_ftl_debug_arp: false
+
+# Enable REGEX debugging.
+pihole_ftl_debug_regex: false
+
+# Enable API debugging.
+pihole_ftl_debug_api: false
+
+# Enable overtime memory operation debugging.
+pihole_ftl_debug_overtime: false
+
+# Enable status change debugging.
+pihole_ftl_debug_status: false
+
+# Enable granted capabilities to FTL debugging.
+pihole_ftl_debug_caps: false
+
+# Enable dnsmasq event debugging.
+pihole_ftl_debug_dnsmasq_lines: false
+
+# Enable vector allocation, referencing, deletion, appending debugging.
+pihole_ftl_debug_vectors: false
+
+# Enable DNS resolver debugging.
+pihole_ftl_debug_resolver: false
+
+# Enable client debugging.
+pihole_ftl_debug_clients: false
+
+# Enable alias client processing debugging.
+pihole_ftl_debug_aliasclients: false
+
+# Enable embedded event handling queue debugging.
+pihole_ftl_debug_events: false
+
+# Enable script helper (e.g. DHCP script) debugging.
+pihole_ftl_debug_helper: false
+
+# Should FTL translate stack addresses into code lines during bug backtrace?
+pihole_ftl_addr2line: true
+
+# Enable extra debugging. Information may change at any time and is generally
+# used when testing new features.
+pihole_ftl_debug_extra: false
diff --git a/defaults/main/main.yml b/defaults/main/main.yml
index 2031833..0d2c2c4 100644
--- a/defaults/main/main.yml
+++ b/defaults/main/main.yml
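Review bot: A leftover scratch line `+# DROP|ALLOW|BLOCK|REFUSE` sits between `pihole_ftl_block_ipv6` and the `pihole_ftl_reply_when_busy` comment block; that block already enumerates the same values, so the stray line should be dropped. The `pihole_ftl_socket_listening` comment should state what 'all' does: it binds the FTL API on `pihole_ftl_port` (4711) to every interface, and as far as I know that API carries no authentication, so something like `# 'all' exposes the FTL API on pihole_ftl_port to the network; keep 'localonly' unless host firewalling restricts it.` belongs above the key. Several comment typos are worth fixing while the file is new: "{SECEONDS}", "Disables rate rate-limiting", "DNS revolver", "obsolete as will be removed", "memroy", and "Maxmimum" (twice).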
@@ -25,152 +25,42 @@ pihole_use_cli: false # via the GUI or CLI. Default: False. pihole_update_enable: false +# Disable role behavior change warnings. Default: True. +pihole_disable_warning: true + ############################################################################### # Pi-Hole setupVars.conf ############################################################################### -# Pihole reads True/False as STRINGS; use strings or install will fail. -pihole_blocking_enabled: 'true' +pihole_blocking_enabled: true pihole_admin_email: '' pihole_webui_boxed_layout: 'boxed' pihole_webtheme: 'default-dark' # A random password will be set if empty. pihole_webpassword: '' pihole_dnsmasq_listening: 'single' -pihole_dns_fqdn_required: 'false' -pihole_dns_bogus_priv: 'false' -pihole_dnssec: 'false' -pihole_rev_server: 'false' +pihole_dns_fqdn_required: false +pihole_dns_bogus_priv: false +pihole_dnssec: false +pihole_rev_server: false pihole_rev_server_cidr: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network/prefix') }}" pihole_rev_server_target: '{{ ansible_default_ipv4.gateway }}' pihole_rev_server_domain: 'lan' pihole_pihole_interface: '{{ ansible_default_ipv4.interface }}' pihole_ipv4_address: "{{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('address/prefix') }}" pihole_ipv6_address: '' -pihole_dhcp_active: 'false' +pihole_dhcp_active: false pihole_dhcp_start: "{{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ansible.utils.nthhost(200) }}" pihole_dhcp_end: "{{ (ansible_default_ipv4.address + '/' + ansible_default_ipv4.netmask) | ansible.utils.nthhost(-5) }}" pihole_dhcp_router: '{{ ansible_default_ipv4.gateway }}' -pihole_dhcp_leasetime: '24' +pihole_dhcp_leasetime: 24 pihole_pihole_domain: 'lan' -pihole_dhcp_ipv6: 'false' -pihole_dhcp_rapid_commit: 'false' +pihole_dhcp_ipv6: false +pihole_dhcp_rapid_commit: false pihole_pihole_dns_1: "{{ ansible_dns.nameservers | ansible.utils.ipv4() | 
first | default('1.1.1.1') }}#53" pihole_pihole_dns_2: '' -pihole_query_logging: 'true' -pihole_install_web_server: 'true' -pihole_install_web_interface: 'true' -pihole_lighttpd_enabled: 'true' -pihole_cache_size: '10000' - -############################################################################### -# Pi-Hole Adlist Table -############################################################################### -# Define Adlist sources for generating domain blocklists. -# -# Pi-Hole currently adds the stevenblack adlist when installing, as ID 1. -# https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -# -# pihole_ad_sources: -# - id: int (unique id starting at 2) -# address: str (URL for adlist) -# enabled: bool (enable use) -# comment: str (user comment) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/#adlist-table-adlist - -pihole_ad_sources: [] - -############################################################################### -# Pi-Hole Domain Blocklist Table -############################################################################### -# Define domain blocking behavior (whitelist, blacklist). -# -# pihole_domain_blocklists: -# - id: int (unique id starting at 1) -# type: int (0 = exact whitelist, -# 1 = exact blacklist, -# 2 = regex whitelist, -# 3 = regex blacklist) -# domain: str (domain) -# enabled: bool (enable use) -# comment: str (user comment) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/#domain-tables-domainlist - -pihole_domain_blocklists: [] - -############################################################################### -# Pi-Hole Clients Table -############################################################################### -# Define Pi-Hole clients. 
-# -# pihole_clients: -# - id: int (unique id starting at 1) -# ip: str (IPv4,IPv6,CIDR) -# comment: str (user comment) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/#client-table-client - -pihole_clients: [] - -############################################################################### -# Pi-Hole Groups Table -############################################################################### -# Define Pi-Hole group management. -# -# pihole_groups: -# - id: int (unique id starting at 1) -# enabled: bool (enable use) -# name: str (group name) -# description: str (description) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/groups/#group-management - -pihole_groups: [] - -############################################################################### -# Pi-Hole Groups Adlist Table -############################################################################### -# Define Pi-Hole group adlist management. -# -# pihole_ad_groups_blocklist: -# - adlist_id: int (existing adlist ID) -# group_id: int (existing group ID) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/groups/ - -pihole_ad_groups_blocklist: [] - -############################################################################### -# Pi-Hole Groups Clients Table -############################################################################### -# Define Pi-Hole group clients management. -# -# pihole_ad_groups_blocklist: -# - client_id: int (existing client ID) -# group_id: int (existing group ID) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/groups/ - -pihole_client_groups_blocklist: [] - -############################################################################### -# Pi-Hole Groups Domain Blocklists Table -############################################################################### -# Define Pi-Hole group domain blocklists management. 
-# -# pihole_ad_groups_blocklist: -# - domainlist_id: int (existing domain blocklist ID) -# group_id: int (existing group ID) -# -# Reference: -# * https://docs.pi-hole.net/database/gravity/groups/ - -pihole_domain_groups_blocklist: [] +pihole_query_logging: true +pihole_install_web_server: true +pihole_install_web_interface: true +pihole_lighttpd_enabled: true +pihole_cache_size: 10000 diff --git a/tasks/install.yml b/tasks/install.yml index 67a82f4..92c47a3 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -32,6 +32,24 @@ mode: 0755 state: 'directory' +- name: 'install | WARNING ROLE BEHAVIOR CHANGED' + ansible.builtin.debug: + msg: | + This role has breaking changes from previous versions. + + ABORT and verify configuration before proceeding: + + https://github.com/r-pufky/ansible_pihole/tree/main/defaults/main + + Disable this message by setting 'pihole_disable_warning' to true. + when: not pihole_disable_warning + +- name: 'config | pause until manually confirmed' + ansible.builtin.pause: + echo: false + seconds: 30 + when: not pihole_disable_warning + - name: 'install | set deployment config' ansible.builtin.template: src: 'setupVars.conf.j2' @@ -41,6 +59,15 @@ mode: 0644 notify: 'restart pihole dns' +- name: 'install | set FTL config' + ansible.builtin.template: + src: 'pihole-FTL.conf.j2' + dest: '/etc/pihole/pihole-FTL.conf' + owner: 'pihole' + group: 'root' + mode: 0664 # installed permissions. + notify: 'restart pihole dns' + - name: 'install | set binary location' ansible.builtin.stat: path: '/usr/local/bin/pihole' diff --git a/templates/pihole-FTL.conf.j2 b/templates/pihole-FTL.conf.j2 new file mode 100644 index 0000000..b44d9c5 --- /dev/null +++ b/templates/pihole-FTL.conf.j2 
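Review bot: `pihole_disable_warning: true` as the shipped default means the breaking-change warning and pause added to tasks/install.yml in this same commit never run unless a consumer has already read the changelog and opted in, which defeats the purpose stated in the commit message; defaulting to `pihole_disable_warning: false` for this release, with the comment telling users to set it to true once their *_vars are reviewed, would actually give existing consumers a chance to abort. The switch from quoted strings to YAML booleans for the setupVars keys relies on templates/setupVars.conf.j2 lowercasing them, since Jinja renders a YAML `true` as `True` and the removed comment warns the install fails unless Pi-hole sees the string form; that template's two-line change is outside this chunk, so please confirm it applies `|string|lower` (or equivalent) to every boolean the way templates/pihole-FTL.conf.j2 does.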
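Review bot: The pause task is named `'config | pause until manually confirmed'` while every neighbouring task in tasks/install.yml, including the warning task directly above it, uses the `'install | '` prefix; rename it to `'install | pause until manually confirmed'` for consistency. The name also promises a confirmation that `ansible.builtin.pause` with `seconds: 30` does not perform — it is a fixed delay that simply expires in unattended runs — so either use `prompt:` for interactive confirmation or name the task for what it does, e.g. `'install | pause to allow abort'`.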
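Review bot: This task installs templates/pihole-FTL.conf.j2, and the visible part of that template's hunk (which runs past the end of this chunk) writes `BLOCK_IPV6=` twice — the first from `pihole_ftl_block_ipv4` — and never writes `BLOCK_IPV4=`, so a blocked-A reply address set via `pihole_ftl_block_ipv4` is silently lost and the second `BLOCK_IPV6` line wins; the first of those lines should read `BLOCK_IPV4={{ pihole_ftl_block_ipv4|default('') }}`. For `mode: 0664`, the inline `# installed permissions.` would read better as a reason than a label, e.g. `# match the installer's permissions; the file holds no secrets`, since it is looser than the 0644 used for setupVars.conf directly above and a later maintainer may otherwise tighten it.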
@@ -0,0 +1,78 @@
+#; Pi-hole FTL config file
+#; Comments should start with #; to avoid issues with PHP and bash reading this file
+#; DNS
+BLOCKINGMODE={{ pihole_ftl_blockingmode|default('null')|upper }}
+CNAME_DEEP_INSPECT={{ pihole_ftl_cname_deep_inspect|default(true)|string|lower }}
+BLOCK_ESNI={{ pihole_ftl_block_esni|default(true)|string|lower }}
+EDNS0_ECS={{ pihole_ftl_edns0_ecs|default(true)|string|lower }}
+RATE_LIMIT={{ pihole_ftl_rate_limit|default('1000/60') }}
+LOCAL_IPV4={{ pihole_ftl_local_ipv4|default('') }}
+LOCAL_IPV6={{ pihole_ftl_local_ipv6|default('') }}
+BLOCK_IPV6={{ pihole_ftl_block_ipv4|default('') }}
+BLOCK_IPV6={{ pihole_ftl_block_ipv6|default('') }}
+REPLY_WHEN_BUSY={{ pihole_ftl_reply_when_busy|default('drop')|upper }}
+MOZILLA_CANARY={{ pihole_ftl_mozilla_canary|default(true)|string|lower }}
+BLOCK_TTL={{ pihole_ftl_block_ttl|default(2)|int }}
+BLOCK_ICLOUD_PR={{ pihole_ftl_block_icloud_pr|default(true)|string|lower }}
+#; Statistics
+{# Records hours, but is a float in documentation. Force float. #}
+MAXLOGAGE={{ pihole_ftl_maxlogage|default(24)|float }}
+PRIVACYLEVEL={{ pihole_ftl_privacylevel|default(0)|int }}
+IGNORE_LOCALHOST={{ 'yes' if pihole_ftl_ignore_localhost else 'no' }}
+AAAA_QUERY_ANALYSIS={{ 'yes' if pihole_ftl_aaaa_query_analysis else 'no' }}
+ANALYZE_ONLY_A_AND_AAAA={{ pihole_ftl_analyze_only_a_and_aaaa|default(false)|string|lower }}
+SHOW_DNSSEC={{ pihole_ftl_show_dnssec|default(true)|string|lower }}
+#; Other
+SOCKET_LISTENING={{ pihole_ftl_socket_listening|default('localonly')|lower }}
+FTLPORT={{ pihole_ftl_port|default(4711)|int }}
+RESOLVE_IPV4={{ 'yes' if pihole_ftl_resolve_ipv4 else 'no' }}
+RESOLVE_IPV6={{ 'yes' if pihole_ftl_resolve_ipv6 else 'no' }}
+PIHOLE_PTR={{ pihole_ftl_pihole_ptr|default('pi.hole')|upper }}
+DELAY_STARTUP={{ pihole_ftl_delay_startup|default(0)|int }}
+NICE={{ pihole_ftl_nice|default(-10)|int }}
+MAXNETAGE={{ pihole_ftl_maxnetage|default(365)|int }}
+NAMES_FROM_NETDB={{ pihole_ftl_names_from_netdb|default(true)|string|lower }}
+REFRESH_HOSTNAMES={{ pihole_ftl_refresh_hostnames|default('ipv4')|upper }}
+PARSE_ARP_CACHE={{ pihole_ftl_parse_arp_cache|default(true)|string|lower }}
+CHECK_LOAD={{ pihole_ftl_check_load|default(true)|string|lower }}
+CHECK_SHMEM={{ pihole_ftl_check_shmem|default(90)|int }}
+CHECK_DISK={{ pihole_ftl_check_disk|default(90)|int }}
+#; Database
+DBIMPORT={{ 'yes' if pihole_ftl_dbimport else 'no' }}
+MAXDBDAYS={{ pihole_ftl_maxdbdays|default(365)|int }}
+{# Records minutes, but is a float in documentation. Force float. #}
+DBINTERVAL={{ pihole_ftl_dbinterval|default(1)|float }}
+DBFILE={{ pihole_ftl_dbfile|default('/etc/pihole/pihole-FTL.db') }}
+#; Files
+LOGFILE={{ pihole_ftl_logfile|default('/var/log/pihole/FTL.log') }}
+PIDFILE={{ pihole_ftl_pidfile|default('/run/pihole-FTL.pid') }}
+SOCKETFILE={{ pihole_ftl_socketfile|default('/run/pihole/FTL.sock') }}
+SETUPVARSFILE={{ pihole_ftl_setupvarsfile|default('/etc/pihole/setupVars.conf') }}
+MACVENDORDB={{ pihole_ftl_macvendordb|default('/etc/pihole/macvendor.db') }}
+GRAVITYDB={{ pihole_ftl_gravitydb|default('/etc/pihole/gravity.db') }}
+#; Debug
+DEBUG_ALL={{ pihole_ftl_debug_all|default(false)|string|lower }}
+DEBUG_DATABASE={{ pihole_ftl_debug_database|default(false)|string|lower }}
+DEBUG_NETWORKING={{ pihole_ftl_debug_networking|default(false)|string|lower }}
+DEBUG_EDNS0={{ pihole_ftl_debug_edns0|default(false)|string|lower }}
+DEBUG_LOCKS={{ pihole_ftl_debug_locks|default(false)|string|lower }}
+DEBUG_QUERIES={{ pihole_ftl_debug_queries|default(false)|string|lower }}
+DEBUG_FLAGS={{ pihole_ftl_debug_flags|default(false)|string|lower }}
+DEBUG_SHMEM={{ pihole_ftl_debug_shmem|default(false)|string|lower }}
+DEBUG_GC={{ pihole_ftl_debug_gc|default(false)|string|lower }}
+DEBUG_ARP={{ pihole_ftl_debug_arp|default(false)|string|lower }}
+DEBUG_REGEX={{ pihole_ftl_debug_regex|default(false)|string|lower }}
+DEBUG_API={{ pihole_ftl_debug_api|default(false)|string|lower }}
+DEBUG_OVERTIME={{ pihole_ftl_debug_overtime|default(false)|string|lower }}
+DEBUG_STATUS={{ pihole_ftl_debug_status|default(false)|string|lower }}
+DEBUG_CAPS={{ pihole_ftl_debug_caps|default(false)|string|lower }}
+DEBUG_DNSMASQ_LINES={{ pihole_ftl_debug_dnsmasq_lines|default(false)|string|lower }}
+DEBUG_VECTORS={{ pihole_ftl_debug_vectors|default(false)|string|lower }}
+DEBUG_RESOLVER={{ pihole_ftl_debug_resolver|default(false)|string|lower }}
+{# Duplicated: DEBUG_EDNS0 pihole_ftl_debug_edns0: false #}
+DEBUG_CLIENTS={{ pihole_ftl_debug_clients|default(false)|string|lower }}
+DEBUG_ALIASCLIENTS={{ pihole_ftl_debug_aliasclients|default(false)|string|lower }}
+DEBUG_EVENTS={{ pihole_ftl_debug_events|default(false)|string|lower }}
+DEBUG_HELPER={{ pihole_ftl_debug_helper|default(false)|string|lower }}
+ADDR2LINE={{ pihole_ftl_addr2line|default(true)|string|lower }}
+DEBUG_EXTRA={{ pihole_ftl_debug_extra|default(false)|string|lower }}
diff --git a/templates/setupVars.conf.j2 b/templates/setupVars.conf.j2
index 7e555e6..4784540 100644
--- a/templates/setupVars.conf.j2
+++ b/templates/setupVars.conf.j2
@@ -23,7 +23,7 @@ PIHOLE_DNS_1={{ pihole_pihole_dns_1 }}
 PIHOLE_DNS_2={{ pihole_pihole_dns_2 }}
 QUERY_LOGGING={{ pihole_query_logging | bool | lower }}
 INSTALL_WEB_SERVER={{ pihole_install_web_server | bool | lower }}
-INSTALL_WEB_INTERFACE={{ pihole_install_web_interface }}
+INSTALL_WEB_INTERFACE={{ pihole_install_web_interface | bool | lower }}
 LIGHTTPD_ENABLED={{ pihole_lighttpd_enabled | bool | lower }}
 CACHE_SIZE={{ pihole_cache_size }}
 DNS_FQDN_REQUIRED={{ pihole_dns_fqdn_required | bool | lower }}
diff --git a/vars/main.yml b/vars/main.yml
index f3f5db2..ac40d70 100644
--- a/vars/main.yml
+++ b/vars/main.yml
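Review bot: `BLOCK_IPV6={{ pihole_ftl_block_ipv4|default('') }}` on the line after LOCAL_IPV6 should read `BLOCK_IPV4={{ pihole_ftl_block_ipv4|default('') }}`; as written the rendered file never sets BLOCK_IPV4 and contains BLOCK_IPV6 twice, so the configured IPv4 block address is lost and, depending on which duplicate FTL honours, may be handed to the IPv6 setting instead. IGNORE_LOCALHOST, AAAA_QUERY_ANALYSIS, RESOLVE_IPV4, RESOLVE_IPV6 and DBIMPORT are the only keys that read their variable without `|default(...)`, so the template raises an undefined-variable error if a consumer's variable file omits them while every other key falls back silently; presumably defaults/main/ftl.yml in this commit defines them, but giving each the same `|default(...)` treatment as its neighbours keeps the template self-contained. The filter style also differs from setupVars.conf.j2 in this same commit (`|default(true)|string|lower` here versus `| bool | lower` there), and settling on one form for both templates would be a reasonable follow-up.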
@@ -25,10 +25,10 @@ pihole_default_packages_rpm:
 pihole_default_binary: '/usr/local/bin/pihole'
 pihole_default_sqlite3: '/usr/bin/sqlite3 /etc/pihole/gravity.db'
-pihole_default_ad_insert: 'insert or ignore into \"adlist\" (id, address, enabled, comment) values'
-pihole_default_domain_insert: 'insert or ignore into \"domainlist\" (id, type, domain, enabled, comment) values'
-pihole_default_client_insert: 'insert or ignore into \"client\" (id, ip, comment) values'
-pihole_default_groups_insert: 'insert or ignore into \"group\" (id, enabled, name, description) values'
-pihole_default_ad_groups_insert: 'insert or ignore into \"adlist_by_group\" (adlist_id, group_id) values'
-pihole_default_client_groups_insert: 'insert or ignore into \"client_by_group\" (client_id, group_id) values'
-pihole_default_domain_groups_insert: 'insert or ignore into \"domainlist_by_group\" (domainlist_id, group_id) values'
+pihole_default_ad_insert: 'insert or replace into \"adlist\" (id, address, enabled, comment) values'
+pihole_default_domain_insert: 'insert or replace into \"domainlist\" (id, type, domain, enabled, comment) values'
+pihole_default_client_insert: 'insert or replace into \"client\" (id, ip, comment) values'
+pihole_default_groups_insert: 'insert or replace into \"group\" (id, enabled, name, description) values'
+pihole_default_ad_groups_insert: 'insert or replace into \"adlist_by_group\" (adlist_id, group_id) values'
+pihole_default_client_groups_insert: 'insert or replace into \"client_by_group\" (client_id, group_id) values'
+pihole_default_domain_groups_insert: 'insert or replace into \"domainlist_by_group\" (domainlist_id, group_id) values'
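Review bot: Switching these seven prefixes to `insert or replace` makes every run delete and re-insert any row whose id already exists, because SQLite's REPLACE resolves the conflict by deleting the old row before inserting the new one; every column not listed in the insert (for adlist at least date_added and date_modified, plus whatever counters the table carries) is reset to its default on each apply, and if domainlist still has its UNIQUE(domain, type) constraint a replace by id can also delete a different existing row holding the same pair. Whether the `*_by_group` associations survive such a replace depends on gravity.db's delete triggers and the recursive_triggers setting, neither visible here, so that is worth checking before relying on the group defaults added in this same commit. If the goal is to manage the default adlist in place, an UPSERT — `insert into \"adlist\" (...) values (...) on conflict(id) do update set address=excluded.address, enabled=excluded.enabled, comment=excluded.comment` — updates only the managed columns, though it requires the task that appends the values tuple (outside this hunk) to add the `on conflict` suffix. Unrelated to this change but visible in the `\"` escaping and `pihole_default_sqlite3` above: these statements are evidently passed through a shell to sqlite3, so the values appended elsewhere still need their single quotes escaped before interpolation.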