boxen/on-fire-within/pi-hole.yml

- hosts: on-fire-within
  become: yes
  vars_files:
    - vars.private
  tasks:

    # Workaround for https://github.com/pi-hole/docker-pi-hole/issues/1048
    # - https://github.com/pi-hole/docker-pi-hole/issues/1042#issuecomment-1086728157
    # - https://github.com/pi-hole/docker-pi-hole/issues/1043#issuecomment-1086936352
    - name: Work around a Docker libseccomp issue w/Pi-Hole
      block:
        - apt_key:
            keyserver: keyserver.ubuntu.com
            id: "{{ item }}"
          loop:
            - 0E98404D386FA1D9
            - 6ED0E7B82643E131
        - apt_repository:
            repo: deb http://deb.debian.org/debian buster-backports main
            filename: buster-backports
            state: present
        - shell: apt-cache policy libseccomp2 | grep buster-backports -B1 | head -n1 | sed -e 's/^\s*\**\s*\(\S*\).*/\1/'
          register: libseccomp2_version
        - apt:
            update_cache: yes
            name: libseccomp2={{ libseccomp2_version.stdout_lines[0] }}

    # https://docs.pi-hole.net/guides/dns/unbound/
    - name: Set up Pi-hole as recursive DNS server
      block:
        - name: Install unbound
          apt:
            name: unbound
        - name: Configure unbound
          ansible.builtin.copy:
            src: unbound.conf
            dest: /etc/unbound/unbound.conf.d/pi-hole.conf
          notify: Restart unbound
        - name: Use the same limit for FTL as unbound
          ansible.builtin.lineinfile:
            path: /etc/dnsmasq.d/99-edns.conf
            line: edns-packet-max=1232
            create: true

        - name: Disable resolvconf.conf entry for unbound
          block:
            - name: Disable unbound-resolvconf.service
              service:
                name: unbound-resolvconf
                enabled: false
            - name: Disable resolvconf_resolvers.conf from being generated
              ansible.builtin.replace:
                path: /etc/resolvconf.conf
                regexp: '^unbound_conf='
                replace: '#unbound_conf='
            - name: Remove resolvconf_resolvers.conf
              ansible.builtin.file:
                path: /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
                state: absent
          notify: Restart unbound

  handlers:
    - name: Restart unbound
      ansible.builtin.service:
          name: unbound
          state: restarted
mu 1 year ago			`- hosts: on-fire-within`
			`become: yes`
			`vars_files:`
			`- vars.private`
			`tasks:`

			`# Workaround for https://github.com/pi-hole/docker-pi-hole/issues/1048`
			`# - https://github.com/pi-hole/docker-pi-hole/issues/1042#issuecomment-1086728157`
			`# - https://github.com/pi-hole/docker-pi-hole/issues/1043#issuecomment-1086936352`
			`- name: Work around a Docker libseccomp issue w/Pi-Hole`
			`block:`
			`- apt_key:`
			`keyserver: keyserver.ubuntu.com`
			`id: "{{ item }}"`
			`loop:`
			`- 0E98404D386FA1D9`
			`- 6ED0E7B82643E131`
			`- apt_repository:`
			`repo: deb http://deb.debian.org/debian buster-backports main`
			`filename: buster-backports`
			`state: present`
			`- shell: apt-cache policy libseccomp2 \| grep buster-backports -B1 \| head -n1 \| sed -e 's/^\s\\s\(\S\)./\1/'`
			`register: libseccomp2_version`
			`- apt:`
			`update_cache: yes`
			`name: libseccomp2={{ libseccomp2_version.stdout_lines[0] }}`

			`# https://docs.pi-hole.net/guides/dns/unbound/`
			`- name: Set up Pi-hole as recursive DNS server`
			`block:`
			`- name: Install unbound`
			`apt:`
			`name: unbound`
			`- name: Configure unbound`
			`ansible.builtin.copy:`
			`src: unbound.conf`
			`dest: /etc/unbound/unbound.conf.d/pi-hole.conf`
			`notify: Restart unbound`
			`- name: Use the same limit for FTL as unbound`
			`ansible.builtin.lineinfile:`
			`path: /etc/dnsmasq.d/99-edns.conf`
			`line: edns-packet-max=1232`
			`create: true`

			`- name: Disable resolvconf.conf entry for unbound`
			`block:`
			`- name: Disable unbound-resolvconf.service`
			`service:`
			`name: unbound-resolvconf`
			`enabled: false`
			`- name: Disable resolvconf_resolvers.conf from being generated`
			`ansible.builtin.replace:`
			`path: /etc/resolvconf.conf`
			`regexp: '^unbound_conf='`
			`replace: '#unbound_conf='`
			`- name: Remove resolvconf_resolvers.conf`
			`ansible.builtin.file:`
			`path: /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf`
			`state: absent`
			`notify: Restart unbound`

			`handlers:`
			`- name: Restart unbound`
			`ansible.builtin.service:`
			`name: unbound`
			`state: restarted`