initial commit

.gitignore

@@ -0,0 +1 @@
+*.retry

hosts

@@ -0,0 +1,6 @@
+[rpi]
+raspberry-pi.itix.fr
+
+[rpi:vars]
+pihole_webadmin_enabled=no
+pihole_lighttpd_enabled=no

install.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Install and configure my Raspberry PI
+  hosts: rpi
+  become: yes
+  roles:
+  - base
+  - pihole
+  

roles/base/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+  - name: restart sshd
+    service: name=sshd state=reloaded

roles/base/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+
+- name: Create groups
+  group: name={{ item.name }} state=present
+  with_items: "{{ itix_groups }}"
+  tags: bootstrap
+
+- name: Create users
+  user: state=present name={{ item.login }} group={{ item.group }} groups={{ item.groups }} uid={{ item.uid }} comment={{ item.comment }} password={{ item.password }}
+  with_items: "{{ itix_users }}"
+  tags: bootstrap
+
+- name: Create the .ssh directory for users
+  file: state=directory owner={{ item.login }} group={{ item.group }} mode=0700 path=/home/{{ item.login }}/.ssh
+  with_items: "{{ itix_users }}"
+  tags: bootstrap
+
+- name: Set a strong root password (only usable from console)
+  user: name=root password={{ root_password }}
+  tags: bootstrap
+
+- name: Set SSH key for users
+  authorized_key: user={{ item.login }} key="{{ item.ssh_public_key }}"
+  with_items: "{{ itix_users }}"
+  when: "item.ssh_public_key is defined"
+  tags: bootstrap
+
+- name: Tell SSHD not to use DNS
+  lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *UseDNS +" line="UseDNS no"
+  notify: restart sshd
+  tags: config
+
+- name: Tell SSHD to forbid root accesses
+  lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PermitRootLogin +" line="PermitRootLogin no"
+  notify: restart sshd
+  tags: config
+
+- name: Tell SSHD to forbid password accesses
+  lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PasswordAuthentication +" line="PasswordAuthentication no"
+  notify: restart sshd
+  tags: config
+
+- name: Install some software
+  dnf: name={{ item }} state=installed
+  with_items:
+    - vim-enhanced
+    - tmux
+    - unzip
+    - tcpdump
+    - telnet
+    - strace
+    - man-pages
+    - man
+    - iptraf
+    - wget
+    - openssh-clients
+  tags: rpm
+
+- name: Fix /etc/environment to include PATH
+  lineinfile: dest=/etc/environment regexp="^PATH=" line="PATH=/bin:/usr/bin:/sbin:/usr/sbin"
+  tags: config
+
+- name: Set the hostname
+  command: hostnamectl set-hostname {{ inventory_hostname_short }} --static
+  tags:
+    - config
+    - dns
+
+- name: Ensure consistent locale across systems (1/2)
+  lineinfile: dest=/etc/locale.conf regexp="^LANG=" line="LANG=en_US.utf8"
+
+- name: Ensure consistent locale across systems (2/2)
+  lineinfile: dest=/etc/locale.conf line="LC_CTYPE=en_US.utf8"

roles/pihole/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+pihole_version: v3.3.1
+pihole_installer_sha256sum: cafa86b43a496dad113eac4afe1ce89eed0ada3f9a555e2d8c1742d60d1d11f2
+pihole_query_logging_enabled: yes
+pihole_webadmin_enabled: yes
+pihole_lighttpd_enabled: yes

roles/pihole/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Create a folder for the pi-hole installer
+  file:
+    path: /usr/local/src/pi-hole
+    state: directory
+
+- name: 'Fetch the pi-hole installer'
+  get_url:
+      dest: /usr/local/src/pi-hole/basic-install.sh
+      url: https://raw.githubusercontent.com/pi-hole/pi-hole/{{ pihole_version }}/automated%20install/basic-install.sh
+      validate_certs: yes
+      sha256sum: '{{ pihole_installer_sha256sum|default(omit) }}'
+      mode: 0755
+  register: pihole_installer
+
+- name: 'Make sure /etc/pihole exists'
+  file:
+    state: directory
+    path: /etc/pihole
+    owner: root
+    group: root
+    mode: 0755
+
+- name: 'Generate the pi-hole unattended installation script'
+  template:
+    src: setupVars.conf.j2
+    dest: /etc/pihole/setupVars.conf
+    owner: root
+    group: root
+    mode: 0644
+  register: pihole_config
+
+- name: Run the pi-hole installer
+  command: /usr/local/src/pi-hole/basic-install.sh --unattended
+  when: pihole_config.changed or pihole_installer.changed
+
+- name: Fix dnsmasq logfile ownership
+  file:
+    path: /var/log/pihole.log
+    setype: dnsmasq_var_log_t
+    seuser: system_u
+  register: log_file_permissions
+
+- name: Restart dnsmasq
+  service: 
+    name: dnsmasq
+    state: restarted
+  when: log_file_permissions.changed

roles/pihole/templates/setupVars.conf.j2

@@ -0,0 +1,22 @@
+PIHOLE_INTERFACE={{ ansible_default_ipv4.interface }}
+{% if "address" in ansible_default_ipv4 %}
+IPV4_ADDRESS={{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask|ipaddr('prefix') }}
+{% else %}
+IPV4_ADDRESS=
+{% endif %}
+{% if "address" in ansible_default_ipv6 %}
+IPV6_ADDRESS={{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.netmask|ipaddr('prefix') }}
+{% else %}
+IPV6_ADDRESS=
+{% endif %}
+{% for pihole_dns_ipaddress in ansible_dns.nameservers|default([]) %}
+PIHOLE_DNS_{{loop.index}}={{ pihole_dns_ipaddress }}
+{% endfor %}
+QUERY_LOGGING={{ pihole_query_logging_enabled|bool|ternary('true', 'false') }}
+INSTALL_WEB={{ pihole_webadmin_enabled|bool|ternary('true', 'false') }}
+LIGHTTPD_ENABLED={{ pihole_lighttpd_enabled|bool|ternary('1', '0') }}
+{% if pihole_webadmin_password is defined %}
+WEBPASSWORD={{ pihole_webadmin_password|hash('sha256')|hash('sha256') }}
+{% elif pihole_webadmin_password_hash is defined %}
+WEBPASSWORD={{ pihole_webadmin_password_hash }}
+{% endif %}