fixed pihole server via prerouting

2022-05-02 21:38:32 -04:00
parent 255bc9cb4b
commit 86ad4dfb37
4 changed files with 32 additions and 12 deletions
--- a/ansible/roles/podman/tasks/container-pihole.yml
+++ b/ansible/roles/podman/tasks/container-pihole.yml
@@ -30,20 +30,19 @@
    cap_add:
      - CAP_NET_BIND_SERVICE
      - NET_ADMIN
-    network:
-      - host
    env:
      DNSMASQ_USER: "root"
+      INTERFACE: "tap0"
      PIHOLE_UID: 0
      TZ: "America/New_York"
+      VIRTUAL_HOST: "{{ pi_server_name }}"
      WEBPASSWORD: "{{ pihole_password }}"
-      WEB_PORT: 8082
    volumes:
      - "{{ pihole_path }}/config:/etc/pihole"
      - "{{ pihole_path }}/dnsmasq:/etc/dnsmasq.d"
    ports:
-      - 53:53/udp
-      - 53:53/tcp
+      - 1153:53/udp
+      - 1153:53/tcp
      - 8082:80
  tags: pihole

@@ -52,3 +51,22 @@
  vars:
    container_name: pihole
  tags: pihole
+
+- name: Redirect DNS, DHCP, HTTP and HTTPS to pihole
+  become: true
+  ansible.builtin.iptables:
+    table: nat
+    chain: PREROUTING
+    in_interface: eno1
+    protocol: "{{ item }}"
+    match: "{{ item }}"
+    destination_port: 53
+    jump: REDIRECT
+    to_ports: 1153
+    comment: Redirect DNS traffic to port 1153
+  loop:
+    - udp
+    - tcp
+  tags:
+    - pihole
+    - firewall
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -4,16 +4,18 @@
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
+    immediate: true
+    zone: "public"
    state: enabled
  loop:
    - 53/tcp
    - 53/udp
+    - 1153/tcp
+    - 1153/udp
    - 80/tcp
    - 443/tcp
    - "{{ syslog_udp_default }}/udp"
    - "{{ syslog_udp_error }}/udp"
    - "{{ syslog_udp_unifi }}/udp"
  notify: restart firewalld
-  tags:
-    - firewall
-    - http
+  tags: firewall
--- a/ansible/roles/podman/tasks/podman.yml
+++ b/ansible/roles/podman/tasks/podman.yml
@@ -91,7 +91,7 @@
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
-    value: "53"
+    value: "80"
    sysctl_set: true
    state: present
    reload: true
--- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -22,9 +22,9 @@ server {
    allow 127.0.0.1;
    deny all;

-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Upgrade         $http_upgrade;
-    proxy_set_header Connection      $connection_upgrade;
+    proxy_set_header X-Forwarded-For  $remote_addr;
+    proxy_set_header Upgrade          $http_upgrade;
+    proxy_set_header Connection       $connection_upgrade;

    proxy_buffering off;
    proxy_pass http://pihole;