From f26d20dd02b65a972365fbdf1636b4f40e84a25d Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Wed, 5 Jun 2024 21:04:51 +0200 Subject: [PATCH 01/23] Include wildcard dns config in sync --- roles/sync/templates/pihole_sync.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/sync/templates/pihole_sync.j2 b/roles/sync/templates/pihole_sync.j2 index 6bd9ee0..f6c59a6 100644 --- a/roles/sync/templates/pihole_sync.j2 +++ b/roles/sync/templates/pihole_sync.j2 @@ -36,3 +36,11 @@ if [[ ! $(ip a | grep {{ sync_target }}) ]]; then fi fi fi + + RSYNC_WILDCARD=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$pihole_dir/dnsmasq.d/02-cluster.vert-wildcard.conf $sync_dir) + if [ $? -eq 0 ]; then + if [ -n "$RSYNC_WILDCARD" ]; then + sudo cp --preserve=timestamps $sync_dir/02-cluster.vert-wildcard.conf $pihole_dir/dnsmasq.d + fi + fi +fi From 009fd89fd07e88068443f16f365694f7185eba07 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Thu, 6 Jun 2024 11:04:15 +0200 Subject: [PATCH 02/23] Add capabilities to the container per https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#note-on-capabilities --- roles/pihole/tasks/main.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/pihole/tasks/main.yaml b/roles/pihole/tasks/main.yaml index 0d2b102..96b9dc9 100644 --- a/roles/pihole/tasks/main.yaml +++ b/roles/pihole/tasks/main.yaml @@ -55,6 +55,12 @@ log_options: max-size: "10m" max-file: "5" + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_NET_RAW + - CAP_NET_ADMIN + - CAP_SYS_NICE + - CAP_CHOWN - name: Check pihole container uri: From c6dc143d3978c418e710e1bff21a7526e46bb0ce Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Thu, 6 Jun 2024 11:17:25 +0200 Subject: [PATCH 03/23] Fix extra closing fi in pihole_sync script template --- roles/sync/templates/pihole_sync.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/sync/templates/pihole_sync.j2 b/roles/sync/templates/pihole_sync.j2 index f6c59a6..8e1262f 100644 
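Review bot: The rsync source in the new `RSYNC_WILDCARD` block hard-codes the site-specific file name `02-cluster.vert-wildcard.conf` inside a role template, so any other deployment of this role asks its peer for a file that does not exist there, rsync exits non-zero, and the `$? -eq 0` guard skips the copy with only an stderr message to show for it; the name belongs in a role variable (say `wildcard_conf`, a constructed name) with the rsync reading `"$target:$pihole_dir/dnsmasq.d/$wildcard_conf" "$sync_dir"`. The expansions of `$target`, `$pihole_dir` and `$sync_dir` on the rsync and `sudo cp` lines are unquoted, so a path containing whitespace would split into extra arguments. The enclosing `if [[ ! $(ip a | grep ...) ]]` block starts before this hunk.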
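Review bot: The `capabilities:` list grants `CAP_NET_ADMIN` unconditionally, although the docker-pi-hole note linked in the subject describes that capability as needed only when Pi-hole is the DHCP server, and it is the broadest of the five (network configuration inside the container's namespace). Annotating each entry with its reason, e.g. `- CAP_NET_ADMIN  # DHCP server only`, records why it is there, and once a DHCP toggle variable exists (patch 08 in this series adds `dhcp_server`) it can be granted conditionally: `capabilities: "{{ ['CAP_NET_BIND_SERVICE', 'CAP_NET_RAW', 'CAP_SYS_NICE', 'CAP_CHOWN'] + (['CAP_NET_ADMIN'] if dhcp_server | bool else []) }}"`. The container task this key belongs to starts before the hunk.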
--- a/roles/sync/templates/pihole_sync.j2 +++ b/roles/sync/templates/pihole_sync.j2 @@ -35,7 +35,6 @@ if [[ ! $(ip a | grep {{ sync_target }}) ]]; then sudo cp --preserve=timestamps $sync_dir/05-pihole-custom-cname.conf $pihole_dir/dnsmasq.d fi fi -fi RSYNC_WILDCARD=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$pihole_dir/dnsmasq.d/02-cluster.vert-wildcard.conf $sync_dir) if [ $? -eq 0 ]; then From 7c4500b6bd2193db3f2d26990c6bd5662ecd89fb Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 00:27:06 +0200 Subject: [PATCH 04/23] Add hardcoded dhcp check to keepalive script --- roles/keepalived/files/check_pihole.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/roles/keepalived/files/check_pihole.sh b/roles/keepalived/files/check_pihole.sh index e265101..05f4639 100644 --- a/roles/keepalived/files/check_pihole.sh +++ b/roles/keepalived/files/check_pihole.sh @@ -1,3 +1,25 @@ #!/bin/bash +set -e -[ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" = "healthy" ] +[ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 + +PIHOLE_HOME="/home/ohthehugemanatee/pihole" + +# if all of these are true, then return 0, else return 1 +if [ ${HEALTHY} ]; then + # If we own the primary IP. + if /usr/sbin/ip a |grep -q 10.10.10.40 ; then + # Ensure DHCP is enabled. + if ! [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then + /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a enabledhcp "10.10.10.100" "10.10.10.251" "10.10.10.1" "24" "vert" + fi + else + # Ensure DHCP is disabled. + if [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then + /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a disabledhcp + fi + fi + exit $HEALTHY +else + exit $HEALTHY +fi From e8eedabd161296a20ee15082b452d7cedf309e7c Mon Sep 17 00:00:00 2001 
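Review bot: The primary-IP test `/usr/sbin/ip a |grep -q 10.10.10.40` is an unanchored regular expression in which each dot matches any character, so it also succeeds for an address such as `110.10.10.40` or a longer address that merely contains the string; a fixed-string match on the whole token, `/usr/sbin/ip a | grep -qF -- "inet 10.10.10.40/"`, is exact. The same pattern is carried into patches 05, 07, 17 and 21 (`grep -q ${VNET_IP}`, `grep -q ${VIP}`, `grep {{ sync_target }}`), where the value comes from inventory and is also unquoted. Both `docker exec -d ... enabledhcp` and `... disabledhcp` detach, so their outcome never reaches `exit $HEALTHY` and keepalived is told the node is healthy even when the DHCP toggle failed; dropping `-d`, or capturing the exit status and folding it into the result, would make the check reflect it. Because the check runs on every keepalived interval and the toggle is asynchronous, the `-f .../02-pihole-dhcp.conf` test can fire `enabledhcp` again before the previous call has written the file.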
From: Campbell Vertesi Date: Mon, 17 Jun 2024 15:47:32 +0200 Subject: [PATCH 05/23] Refactor check_pihole script --- roles/keepalived/files/check_pihole.sh | 40 +++++++++++++++++--------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/roles/keepalived/files/check_pihole.sh b/roles/keepalived/files/check_pihole.sh index 05f4639..6ef40a9 100644 --- a/roles/keepalived/files/check_pihole.sh +++ b/roles/keepalived/files/check_pihole.sh 
@@ -1,25 +1,37 @@ #!/bin/bash set -e +PIHOLE_HOME="/home/ohthehugemanatee/pihole" +DHCP_ENABLED=true +VNET_IP=10.10.10.40 +DHCP_START=10.10.10.100 +DHCP_END=10.10.10.251 +DHCP_GATEWAY=10.10.10.1 +DHCP_DOMAIN=vert +DHCP_LEASE_TIME=24 + +# Check if the pihole container is healthy (0) or not (1). [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 -PIHOLE_HOME="/home/ohthehugemanatee/pihole" +# If the container is not healthy, exit 1. +if ! [ ${HEALTHY} ]; then + exit ${HEALTHY} +fi -# if all of these are true, then return 0, else return 1 -if [ ${HEALTHY} ]; then - # If we own the primary IP. - if /usr/sbin/ip a |grep -q 10.10.10.40 ; then - # Ensure DHCP is enabled. - if ! [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then - /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a enabledhcp "10.10.10.100" "10.10.10.251" "10.10.10.1" "24" "vert" - fi - else +# If DHCP is not enabled, or we don't own the virtual IP +if ! ${DHCP_ENABLED} || ! /usr/sbin/ip a |grep -q ${VNET_IP} ; then # Ensure DHCP is disabled. if [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a disabledhcp fi - fi - exit $HEALTHY -else - exit $HEALTHY + # Exit with the health status of the container (0). + exit ${HEALTHY} fi + +# Ensure DHCP is enabled. +if ! [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then + /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a enabledhcp "${DHCP_START}" "${DHCP_END}" "${DHCP_GATEWAY}" "${DHCP_LEASE_TIME}" "${DHCP_DOMAIN}" +fi + +# Exit with the health status of the container (0). +exit ${HEALTHY} From 1ab888d3f4b6c17f3b42d86f92006791a1597aec Mon Sep 17 00:00:00 2001 
From: Campbell Vertesi Date: Mon, 17 Jun 2024 15:48:57 +0200 Subject: [PATCH 06/23] Move check_pihole to a template --- .../{files/check_pihole.sh => templates/check_pihole.j2} | 2 ++ 1 file changed, 2 insertions(+) rename roles/keepalived/{files/check_pihole.sh => templates/check_pihole.j2} (92%) diff --git a/roles/keepalived/files/check_pihole.sh b/roles/keepalived/templates/check_pihole.j2 similarity index 92% rename from roles/keepalived/files/check_pihole.sh rename to roles/keepalived/templates/check_pihole.j2 index 6ef40a9..52ab640 100644 --- a/roles/keepalived/files/check_pihole.sh +++ b/roles/keepalived/templates/check_pihole.j2 @@ -1,6 +1,8 @@ #!/bin/bash set -e +## This script checks the health of the pihole container and enables/disables DHCP as needed. + PIHOLE_HOME="/home/ohthehugemanatee/pihole" DHCP_ENABLED=true VNET_IP=10.10.10.40 From 3695a285901c6bcf5b332778cce0b09761977b5b Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 15:59:23 +0200 Subject: [PATCH 07/23] Add ansible vars to check_pihole script --- roles/keepalived/templates/check_pihole.j2 | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index 52ab640..a889388 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 
@@ -3,14 +3,14 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. -PIHOLE_HOME="/home/ohthehugemanatee/pihole" -DHCP_ENABLED=true -VNET_IP=10.10.10.40 -DHCP_START=10.10.10.100 -DHCP_END=10.10.10.251 -DHCP_GATEWAY=10.10.10.1 -DHCP_DOMAIN=vert -DHCP_LEASE_TIME=24 +PIHOLE_DIR="{{ ansible_user_dir }}/pihole" +DHCP_ENABLED="{{ dhcp_server }}" +VIP="{{ pihole_vip_ipv4 }}" +DHCP_START="{{ dhcp_start }}" +DHCP_END="{{ dhcp_end }}" +DHCP_GATEWAY="{{ dhcp_gateway }}" +DHCP_DOMAIN="{{ dhcp_domain }}" +DHCP_LEASE_TIME="{{ dhcp_lease_time }}" # Check if the pihole container is healthy (0) or not (1). [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 @@ -21,9 +21,9 @@ if ! [ ${HEALTHY} ]; then fi # If DHCP is not enabled, or we don't own the virtual IP -if ! ${DHCP_ENABLED} || ! /usr/sbin/ip a |grep -q ${VNET_IP} ; then +if ! ${DHCP_ENABLED} || ! /usr/sbin/ip a |grep -q ${VIP} ; then # Ensure DHCP is disabled. - if [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then + if [ -f ${PIHOLE_DIR}/dnsmasq.d/02-pihole-dhcp.conf ]; then /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a disabledhcp fi # Exit with the health status of the container (0). @@ -31,7 +31,7 @@ if ! ${DHCP_ENABLED} || ! /usr/sbin/ip a |grep -q ${VNET_IP} ; then fi # Ensure DHCP is enabled. -if ! [ -f ${PIHOLE_HOME}/dnsmasq.d/02-pihole-dhcp.conf ]; then +if ! [ -f ${PIHOLE_DIR}/dnsmasq.d/02-pihole-dhcp.conf ]; then /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a enabledhcp "${DHCP_START}" "${DHCP_END}" "${DHCP_GATEWAY}" "${DHCP_LEASE_TIME}" "${DHCP_DOMAIN}" fi From f6b23ddda6c0cbda0200d9b04b87a936ee917e0e Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:09:16 +0200 Subject: [PATCH 08/23] Add dhcp options to inventory --- inventory.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/inventory.yaml b/inventory.yaml index 3ab3d62..35d7a96 100644 
--- a/inventory.yaml +++ b/inventory.yaml @@ -25,3 +25,9 @@ all: pihole_vip_ipv4: "192.168.178.10/24" pihole_vip_ipv6: "fd00::10/64" sync_target: "{{ pihole_vip_ipv4.split('/')[0] }}" + dhcp_server: "true" + dhcp_start: "192.168.178.100" + dhcp_end: "192.168.178.250" + dhcp_router: "192.168.178.1" + dhcp_domain: "local" + dhcp_lease_time: "24" \ No newline at end of file From b1ba41c5d935cdab624d364af6a4d5d3d6b96eb6 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:09:24 +0200 Subject: [PATCH 09/23] Add dhcp options to README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6260c3c..68dd4fd 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,7 @@ These roles are included: The options prefixed with `pihole_ftl_` are described in the official [Pi-hole FTL Configuration](https://docs.pi-hole.net/ftldns/configfile/) - The [`pihole_ha_mode`](inventory.yaml#L24) option is used to switch between HA or Single mode to determine the IPv4/IPv6 addresses for the Pi-hole services (bind IPs for Web/DNS, pi.hole DNS record) and is enabled by default. ⚠️ Disable this if you don't intend to deploy a HA setup with keepalived. + - The [`dhcp_server`](inventory.yaml#L28) option and other options prefixed with `dhcp_` are for configuring Pihole's optional DHCP support. ## `update-pihole.yaml` This playbook is for subsequent runs after the `bootstrap-pihole.yaml` playbook was run at least once. From acb5eed9bf00077f0281c94babc3c664b96c83f9 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:17:29 +0200 Subject: [PATCH 10/23] Add explanatory comments to new inventory items --- inventory.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory.yaml b/inventory.yaml index 35d7a96..8613e7e 100644 --- a/inventory.yaml +++ b/inventory.yaml 
@@ -25,9 +25,9 @@ all: pihole_vip_ipv4: "192.168.178.10/24" pihole_vip_ipv6: "fd00::10/64" sync_target: "{{ pihole_vip_ipv4.split('/')[0] }}" - dhcp_server: "true" + dhcp_server: "false" # If enabled, consider a shorter sync interval to catch dhcp leases (see README) dhcp_start: "192.168.178.100" dhcp_end: "192.168.178.250" dhcp_router: "192.168.178.1" dhcp_domain: "local" - dhcp_lease_time: "24" \ No newline at end of file + dhcp_lease_time: "24" # In hours \ No newline at end of file From 4b1e1eaedc6d61310ec6b85d41f5f75a1cd73be9 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:18:02 +0200 Subject: [PATCH 11/23] Tell ansible about the check_pihole template --- roles/keepalived/tasks/main.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/keepalived/tasks/main.yaml b/roles/keepalived/tasks/main.yaml index efd2d1c..dd5f9ba 100644 --- a/roles/keepalived/tasks/main.yaml +++ b/roles/keepalived/tasks/main.yaml @@ -14,10 +14,10 @@ force_apt_get: yes name: keepalived -- name: Copy check_pihole.sh - copy: +- name: Configure check_pihole.sh + template: dest: /etc/keepalived/check_pihole.sh - src: check_pihole.sh + src: check_pihole.j2 mode: 0755 - name: Configure keepalived From fc44c1c35073e517bbeb887c7745f3688bf806fb Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:18:28 +0200 Subject: [PATCH 12/23] Add dhcp options to pihole role --- roles/pihole/tasks/main.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/pihole/tasks/main.yaml b/roles/pihole/tasks/main.yaml index 96b9dc9..3570068 100644 --- a/roles/pihole/tasks/main.yaml +++ b/roles/pihole/tasks/main.yaml 
@@ -44,6 +44,11 @@ REV_SERVER_TARGET: "{{ pihole_rev_server_target }}" REV_SERVER_CIDR: "{{ pihole_rev_server_cidr }}" FTLCONF_MAXDBDAYS: "{{ pihole_ftl_max_db_days }}" + DHCP_ACTIVE: "{{ dhcp_server }}" + DHCP_START: "{{ dhcp_start }}" + DHCP_END: "{{ dhcp_end }}" + DHCP_ROUTER: "{{ dhcp_router }}" + DHCP_LEASETIME: "{{ dhcp_lease_time }}" dns_servers: - 127.0.0.1 - "{{ static_dns }}" From a833affc218f03644aabaa71e670504ef9693953 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:19:17 +0200 Subject: [PATCH 13/23] Explain DHCP options in readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68dd4fd..56f20b8 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ These roles are included: The options prefixed with `pihole_ftl_` are described in the official [Pi-hole FTL Configuration](https://docs.pi-hole.net/ftldns/configfile/) - The [`pihole_ha_mode`](inventory.yaml#L24) option is used to switch between HA or Single mode to determine the IPv4/IPv6 addresses for the Pi-hole services (bind IPs for Web/DNS, pi.hole DNS record) and is enabled by default. ⚠️ Disable this if you don't intend to deploy a HA setup with keepalived. - - The [`dhcp_server`](inventory.yaml#L28) option and other options prefixed with `dhcp_` are for configuring Pihole's optional DHCP support. + - The [`dhcp_server`](inventory.yaml#L28) option and other options prefixed with `dhcp_` are for configuring Pihole's optional DHCP support. This is disabled by default. If you enable the DHCP server, consider a shorter sync cron interval [here](master/roles/sync/tasks/main.yaml#L33) to catch changes in dhcp leases. ## `update-pihole.yaml` This playbook is for subsequent runs after the `bootstrap-pihole.yaml` playbook was run at least once. From 59c790a88b0aa31c213ae9912d81a40826bacd41 Mon Sep 17 00:00:00 2001 
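Review bot: `DHCP_ACTIVE: "{{ dhcp_server }}"` switches the DHCP server on inside the container on every node, including the keepalived backup, while the check_pihole script from patches 04–07 is what decides per node whether DHCP should be running; if the image re-applies the `DHCP_*` variables on each start, as its documentation suggests, any container restart on the backup (the sync script in patch 21 does `docker stop pihole` / `docker start pihole` during a gravity restore) re-enables DHCP there until the next keepalived check, leaving two active DHCP servers on the segment for that window. One component should own the DHCP state in HA mode: either leave `DHCP_ACTIVE` unset when `pihole_ha_mode` is true and let the check script drive it, or drop the toggling from the check. `dhcp_domain` is passed to `pihole -a enabledhcp` by the check script but not to the container, whose equivalent is `PIHOLE_DOMAIN`; adding `PIHOLE_DOMAIN: "{{ dhcp_domain }}"` next to these keeps both paths consistent. The `env:` mapping these keys belong to starts before the hunk.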
From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:39:51 +0200 Subject: [PATCH 14/23] Change how DHCP_ENABLED var is set in check_pihole.sh --- roles/keepalived/templates/check_pihole.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index a889388..4d7f48d 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 @@ -4,7 +4,7 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. PIHOLE_DIR="{{ ansible_user_dir }}/pihole" -DHCP_ENABLED="{{ dhcp_server }}" +[ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 VIP="{{ pihole_vip_ipv4 }}" DHCP_START="{{ dhcp_start }}" DHCP_END="{{ dhcp_end }}" From 846106b47c41257ee3ef6332009511741ae0a61b Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:45:21 +0200 Subject: [PATCH 15/23] Sync leases and the whole dnsmasq directory Leases sync will fail gracefully if it doesn't exist or is empty (ie if dhcp server is disabled) --- roles/sync/templates/pihole_sync.j2 | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/roles/sync/templates/pihole_sync.j2 b/roles/sync/templates/pihole_sync.j2 index 8e1262f..31869fd 100644 --- a/roles/sync/templates/pihole_sync.j2 +++ b/roles/sync/templates/pihole_sync.j2 @@ -5,6 +5,7 @@ host_key_check="-o StrictHostKeyChecking=no" target="{{ ansible_user }}@{{ sync_target }}" sync_dir="{{ ansible_user_dir }}/{{ sync_dir.path }}" pihole_dir="{{ ansible_user_dir }}/pihole" +dhcp_server="{{ dhcp_server }} if [[ $(ip a | grep {{ sync_target }}) ]]; then nice -n 19 sqlite3 $pihole_dir/pihole/gravity.db ".backup $sync_dir/gravity.dump" 
@@ -42,4 +43,23 @@ if [[ ! $(ip a | grep {{ sync_target }}) ]]; then sudo cp --preserve=timestamps $sync_dir/02-cluster.vert-wildcard.conf $pihole_dir/dnsmasq.d fi fi + + + RSYNC_LEASES=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$pihole_dir/pihole/dhcp.leases $sync_dir) + if [ $? -eq 0 ]; then + if [ -n "$RSYNC_LEASES" ]; then + sudo cp --preserve=timestamps $sync_dir/dhcp.leases $pihole_dir/pihole + fi + fi + + if ! [ -d ${pihole_dir}/dnsmasq.d ]; then + mkdir -p ${pihole_dir}/dnsmasq.d + fi + + RSYNC_DNSMASQ=$(rsync -a --info=name -e "ssh $key $host_key_check" --exclude '02-pihole-dhcp.conf' $target:$pihole_dir/dnsmasq.d/* $sync_dir/dnsmasq.d/) + if [ $? -eq 0 ]; then + if [ -n "$RSYNC_DNSMASQ" ]; then + sudo cp --preserve=timestamps $sync_dir/dnsmasq.d/* $pihole_dir/dnsmasq.d + fi + fi fi From ddec71b22f06c38da5f4ebe1b253a8d83a821715 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 16:58:10 +0200 Subject: [PATCH 16/23] Debug ansible template --- roles/keepalived/templates/check_pihole.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index 4d7f48d..46bcc64 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 
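Review bot: The new `RSYNC_DNSMASQ` block pulls the peer's whole `dnsmasq.d` over ssh and installs it with `sudo cp` into the directory dnsmasq reads, yet the ssh options in `host_key_check` (context of this patch's first hunk: `-o StrictHostKeyChecking=no`) never verify the peer, so this host accepts and installs as root whatever answers at the sync target address. Distribute the peer's host key with `ansible.builtin.known_hosts` and switch to `-o StrictHostKeyChecking=yes`, so an unknown or changed key fails the sync instead of being trusted. Without `--delete`, a file removed on the master stays in `$sync_dir/dnsmasq.d/` and is re-copied into `$pihole_dir/dnsmasq.d` on every run, so the nodes drift; `rsync -a --delete --exclude '02-pihole-dhcp.conf' ...` keeps the staging copy faithful (the `cp` glob then needs the same treatment, or the two steps collapse into one `sudo rsync` into the target directory). The remote glob `$target:$pihole_dir/dnsmasq.d/*` is unquoted and only reaches the remote shell intact because it happens not to match anything locally; quote it. The enclosing `if` starts before the hunk.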
@@ -2,18 +2,17 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. - -PIHOLE_DIR="{{ ansible_user_dir }}/pihole" +PIHOLE_DIR="{{ ansible_user_dir }}}}/pihole" [ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 VIP="{{ pihole_vip_ipv4 }}" DHCP_START="{{ dhcp_start }}" DHCP_END="{{ dhcp_end }}" -DHCP_GATEWAY="{{ dhcp_gateway }}" +DHCP_GATEWAY="{{ dhcp_router }}" DHCP_DOMAIN="{{ dhcp_domain }}" DHCP_LEASE_TIME="{{ dhcp_lease_time }}" # Check if the pihole container is healthy (0) or not (1). -[ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 +[ "$(docker inspect -f "{{ '{{' }}.State.Health.Status{{ '}}' }}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 # If the container is not healthy, exit 1. if ! [ ${HEALTHY} ]; then From 9f7a735c2a98b6b245daa12b9b79af75feb4ac58 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 17:03:23 +0200 Subject: [PATCH 17/23] Clarify true/false in check_pihole script --- roles/keepalived/templates/check_pihole.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index 46bcc64..38a1482 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 @@ -3,7 +3,7 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. PIHOLE_DIR="{{ ansible_user_dir }}}}/pihole" -[ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 +[ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 # enabled=0, disabled=1 VIP="{{ pihole_vip_ipv4 }}" DHCP_START="{{ dhcp_start }}" DHCP_END="{{ dhcp_end }}" 
@@ -15,12 +15,12 @@ DHCP_LEASE_TIME="{{ dhcp_lease_time }}" [ "$(docker inspect -f "{{ '{{' }}.State.Health.Status{{ '}}' }}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 # If the container is not healthy, exit 1. -if ! [ ${HEALTHY} ]; then +if ! [ ${HEALTHY} -eq 1 ]; then exit ${HEALTHY} fi # If DHCP is not enabled, or we don't own the virtual IP -if ! ${DHCP_ENABLED} || ! /usr/sbin/ip a |grep -q ${VIP} ; then +if [ ${DHCP_ENABLED} -eq 1 ] || ! /usr/sbin/ip a |grep -q ${VIP} ; then # Ensure DHCP is disabled. if [ -f ${PIHOLE_DIR}/dnsmasq.d/02-pihole-dhcp.conf ]; then /usr/bin/docker exec -d pihole /usr/local/bin/pihole -a disabledhcp From f497600b684f7e21f3d201100e1f5949783dadae Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 17:04:29 +0200 Subject: [PATCH 18/23] Fix typo --- roles/keepalived/templates/check_pihole.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index 38a1482..c3f6b29 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 @@ -2,7 +2,7 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. -PIHOLE_DIR="{{ ansible_user_dir }}}}/pihole" +PIHOLE_DIR="{{ ansible_user_dir }}/pihole" [ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 # enabled=0, disabled=1 VIP="{{ pihole_vip_ipv4 }}" DHCP_START="{{ dhcp_start }}" From fc449f91d87803c74e05bce5a25327ebb4c99388 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 17:08:30 +0200 Subject: [PATCH 19/23] Fix logical error in health check --- roles/keepalived/templates/check_pihole.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index c3f6b29..88b66f6 100644 --- a/roles/keepalived/templates/check_pihole.j2 
+++ b/roles/keepalived/templates/check_pihole.j2 @@ -15,7 +15,7 @@ DHCP_LEASE_TIME="{{ dhcp_lease_time }}" [ "$(docker inspect -f "{{ '{{' }}.State.Health.Status{{ '}}' }}" pihole)" = "healthy" ] && HEALTHY=0 || HEALTHY=1 # If the container is not healthy, exit 1. -if ! [ ${HEALTHY} -eq 1 ]; then +if [ ${HEALTHY} -eq 1 ]; then exit ${HEALTHY} fi From da8964affe4f65e274750a4c77ee34c1b1cfbd5c Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 18:27:07 +0200 Subject: [PATCH 20/23] Create dnsmasq config for DHCP/DNS config in pihole role --- roles/pihole/tasks/main.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/roles/pihole/tasks/main.yaml b/roles/pihole/tasks/main.yaml index 3570068..69e8323 100644 --- a/roles/pihole/tasks/main.yaml +++ b/roles/pihole/tasks/main.yaml @@ -21,6 +21,27 @@ execution_mode: "HA setup with keepalived" when: pihole_ha_mode +- name: Create dnsmasq.d directory for DHCP config (HA mode) + file: + path: "/home/{{ ansible_user }}/pihole/dnsmasq.d" + owner: "root" + group: "root" + state: directory + mode: 0755 + when: + - pihole_ha_mode + - dhcp_server + +- name: Set DHCP to give out HA mode IP + copy: + dest: "/home/{{ ansible_user }}/pihole/dnsmasq.d/03-pihole-dhcp-static-dns.conf" + owner: "root" + group: "root" + content: dhcp-option=6,{{pihole_local_ipv4}} + when: + - pihole_ha_mode + - dhcp_server + - name: Determine Pi-hole host IPs (single mode) set_fact: pihole_local_ipv4: "{{ ansible_host }}" From 5d6fcbebd2770b337912e3e88b06ead451c44cf4 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 18:53:58 +0200 Subject: [PATCH 21/23] Only sync gravity every 12 hours --- roles/sync/templates/pihole_sync.j2 | 36 +++++++++++++++++------------ 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/roles/sync/templates/pihole_sync.j2 b/roles/sync/templates/pihole_sync.j2 index 31869fd..6657230 100644 --- a/roles/sync/templates/pihole_sync.j2 
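Review bot: Both new tasks gate on `- dhcp_server`, but the inventory sets `dhcp_server: "false"` as a quoted string (patch 10); whether a bare string variable is evaluated as the boolean it spells or as a non-empty, truthy string depends on Ansible's conditional handling, so `- dhcp_server | bool` states the intent unambiguously. The directory task creates `dnsmasq.d` as `root:root`, while the sync script's `mkdir -p ${pihole_dir}/dnsmasq.d` (patch 15) creates the same directory on the backup as the unprivileged user, so ownership differs between master and backup; pick one owner here and in the script. The path `/home/{{ ansible_user }}/pihole` also differs from the `{{ ansible_user_dir }}/pihole` the sync role uses; if `become` is in effect that may be deliberate (patch 23 makes the same switch in check_pihole), but the sync role would then be looking at a different directory.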
+++ b/roles/sync/templates/pihole_sync.j2 @@ -5,23 +5,30 @@ host_key_check="-o StrictHostKeyChecking=no" target="{{ ansible_user }}@{{ sync_target }}" sync_dir="{{ ansible_user_dir }}/{{ sync_dir.path }}" pihole_dir="{{ ansible_user_dir }}/pihole" -dhcp_server="{{ dhcp_server }} +dhcp_server="{{ dhcp_server }}" +[ $(ip a | grep {{ sync_target }}) ] && am_master=0 || am_master=1 # If the sync target is on this host, we are the master (0). -if [[ $(ip a | grep {{ sync_target }}) ]]; then - nice -n 19 sqlite3 $pihole_dir/pihole/gravity.db ".backup $sync_dir/gravity.dump" -fi - -if [[ ! $(ip a | grep {{ sync_target }}) ]]; then - sleep 60 - - RSYNC_GRAVITY=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$sync_dir/gravity.dump $sync_dir) - if [ $? -eq 0 ]; then - if [ -n "$RSYNC_GRAVITY" ]; then - docker stop pihole - sudo sqlite3 $pihole_dir/pihole/gravity.db ".restore $sync_dir/gravity.dump" - docker start pihole +# If the gravity dump file is more than 12 hours old, sync it. +if [[ -f $sync_dir/gravity.dump ]] && [[ $(find $sync_dir/gravity.dump -mmin +719) ]]; then + # master generates a dump file. + if [[ $am_master -eq 0 ]]; then + nice -n 19 sqlite3 $pihole_dir/pihole/gravity.db ".backup $sync_dir/gravity.dump" + else + # not master waits for the dump, then rsyncs and imports it. + sleep 60 + RSYNC_GRAVITY=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$sync_dir/gravity.dump $sync_dir) + if [ $? -eq 0 ]; then + if [ -n "$RSYNC_GRAVITY" ]; then + docker stop pihole + sudo sqlite3 $pihole_dir/pihole/gravity.db ".restore $sync_dir/gravity.dump" + docker start pihole + fi fi fi +fi + +# not master syncs everything else. +if [[ $am_master -eq 1 ]]; then RSYNC_DNS=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$pihole_dir/pihole/custom.list $sync_dir) if [ $? -eq 0 ]; then 
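Review bot: `[ $(ip a | grep {{ sync_target }}) ]` places the unquoted, multi-word grep output (an `inet 192.168.178.10/24 scope global ...` line) into a single-bracket test, which fails with "too many arguments" precisely when the address is present, so `am_master` is 1 on the master too and the whole gravity path below it never runs as intended; the `[[ ... ]]` form it replaces did not word-split. A quiet fixed-string match on the whole token avoids both that and the regex dots: `ip -4 -o addr | grep -qF -- " {{ sync_target }}/" && am_master=0 || am_master=1`. The gravity condition `[[ -f $sync_dir/gravity.dump ]] && [[ $(find ... -mmin +719) ]]` requires the dump to exist before the master will create it, so on a fresh install no dump is ever produced; `if [[ ! -f $sync_dir/gravity.dump ]] || [[ -n $(find "$sync_dir/gravity.dump" -mmin +719) ]]; then` creates it on the first run and refreshes it after 12 hours. `dhcp_server` is assigned on the line above but does not appear to be read anywhere in the visible hunks of this file.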
@@ -44,7 +51,6 @@ if [[ ! $(ip a | grep {{ sync_target }}) ]]; then fi fi - RSYNC_LEASES=$(rsync -a --info=name -e "ssh $key $host_key_check" $target:$pihole_dir/pihole/dhcp.leases $sync_dir) if [ $? -eq 0 ]; then if [ -n "$RSYNC_LEASES" ]; then From 6d9736aee7d44b235e40b9a759cc4867effd21a2 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Mon, 17 Jun 2024 18:54:32 +0200 Subject: [PATCH 22/23] Increase sync frequency to every 5 minutes. --- roles/sync/tasks/main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sync/tasks/main.yaml b/roles/sync/tasks/main.yaml index b5d6348..b04bf07 100644 --- a/roles/sync/tasks/main.yaml +++ b/roles/sync/tasks/main.yaml @@ -32,7 +32,7 @@ - name: Schedule sync with cron ansible.builtin.cron: - hour: "2,14" - minute: "0" + hour: "*" + minute: "*/5" job: "{{ ansible_user_dir }}/{{ sync_dir.path }}/pihole_sync.sh" name: pihole-sync From 0bcaf482d9d5a5609954f4e6bc9e5c6346e42895 Mon Sep 17 00:00:00 2001 From: Campbell Vertesi Date: Sat, 22 Jun 2024 13:46:17 +0200 Subject: [PATCH 23/23] fix wrong user directory in check_pihole --- roles/keepalived/templates/check_pihole.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keepalived/templates/check_pihole.j2 b/roles/keepalived/templates/check_pihole.j2 index 88b66f6..abe3f85 100644 --- a/roles/keepalived/templates/check_pihole.j2 +++ b/roles/keepalived/templates/check_pihole.j2 @@ -2,7 +2,7 @@ set -e ## This script checks the health of the pihole container and enables/disables DHCP as needed. -PIHOLE_DIR="{{ ansible_user_dir }}/pihole" +PIHOLE_DIR="/home/{{ ansible_user }}/pihole" [ "{{ dhcp_server }}" = "true" ] && DHCP_ENABLED=0 || DHCP_ENABLED=1 # enabled=0, disabled=1 VIP="{{ pihole_vip_ipv4 }}" DHCP_START="{{ dhcp_start }}"
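Review bot: Running the sync every 5 minutes with no concurrency guard lets runs overlap: the backup branch of `pihole_sync.j2` (patch 21) sleeps 60 s and, on a gravity refresh, stops and restarts the container, so a slow rsync over ssh can still be in flight when the next cron instance starts and the two copy over each other. Wrap the command in `flock -n`, e.g. `job: "flock -n <LOCKFILE> {{ ansible_user_dir }}/{{ sync_dir.path }}/pihole_sync.sh"` with `<LOCKFILE>` a path of your choosing, so an overlapping run exits immediately instead of racing. A short comment on the `minute:` line recording why 5 minutes was chosen (the README in patch 13 ties it to DHCP lease churn) would help the next reader.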