Add Pi-hole (DNS & Network-wide Ad Blocking) docker container support
Pi-hole is something I've been wanting to test out but haven't had the time. I think a containerized DNS server that does ad blocking is something everyone is going to want and Pi-hole seems to be "it."
https://hub.docker.com/r/pihole/pihole
I tested both Pi-hole and AdGuard Home (https://github.com/AdguardTeam/AdGuardHome) and I preferred the latter. It has more features out-of-the-box (there's a comparison table on the project's GitHub page) and I found the web interface easier to use.
Cool. Thanks. Never heard of it. On my RADAR now as that comparison chart is great at pointing out the features. It does have a docker container, https://hub.docker.com/r/adguard/adguardhome. I'd vote for both but am going to bump this one up on my personal list for testing.
It's worth anyone interested in this reading #54. There are issues in supporting ad-blocking services as it's required to have 80/443 dedicated to them, which we can't do easily/simply due to Traefik.
RE: AdGuardHome - management via port 3000 will also conflict with Grafana.
Both Pi-hole and AdGuardHome have mentions of working via proxy. I'm sure it adds a lot of configuration overhead, but it looks doable.
Maybe we can leave this open until someone can work through it and share (help wanted). If so, this issue can be renamed for AdGuardHome to make it not a duplicate and the original Pi-hole issue could be re-opened.
@davestephens I'd have thought this would be best addressed by using bridged networking so the PiHole container has its own local IP address.
@bcurran3 The port 3000 conflict isn't an issue as you can map the external port separately to the internal port in the container settings.
Bridged networking doesn't solve the problem, sadly. The reasons are detailed further up in this issue, but tl;dr; to work correctly ad blockers need port 80 and 443 on the box you host the software on.
On Sun, 5 Jan 2020, 14:03 animeai, [email protected] wrote:
@davestephens https://github.com/davestephens I'd have thought this would be best addressed by using bridged networking so the PiHole container has its own local IP address.
@bcurran3 https://github.com/bcurran3 The port 3000 conflict isn't an issue as you can map the external port separately to the internal port in the container settings.
Looks like it IS possible: https://www.smarthomebeginner.com/run-pihole-in-docker-on-ubuntu-with-reverse-proxy/
I'll try it at some point in the future.
No reason it shouldn't work inside a container with bridged networking; piHole is really only doing its magic on port 53 (DNS); 80 and 443 are there for administration to my understanding.
EDIT: might also be worth looking at enabling DNS-over-HTTPS via CloudFlare, but that could get even messier. (https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/)
Port 80 and 443 absolutely are used for ad blocking. See https://github.com/davestephens/ansible-nas/issues/54#issuecomment-488426062 for info.
Traefik internal ports were made configurable for this reason.
On Mon, 4 May 2020, 23:11 Eric, [email protected] wrote:
No reason it shouldn't work inside a container with bridged networking; piHole is really only doing its magic on port 53 (DNS); 80 and 443 are there for administration to my understanding.
I stand corrected/knowledge-upgraded, especially after reading more of the docs. :)
I've got this done and working. Very happy about the results. I'll submit a PR once I create the pihole_without_traefik task...
24 hour results:

What is the status of this request? This would be an awesome feature for me (and others) to be included in Ansible-NAS
@nicpayne713 if you want to have it and can live with doing a bit more work than setting `pihole_enabled: true`, you can do it in Portainer (the example uses the pihole-unbound image as it's what I use).
- make sure your nas has a static ip in your home network
- create a `pihole-unbound` directory where all your other applications' config lives (your `docker_home`)
- create a new stack in Portainer
- set the name to whatever you want
- add this as the docker-compose entry

```yaml
version: '2'
services:
  pihole:
    container_name: pihole-unbound
    image: cbcrowe/pihole-unbound:latest
    environment:
      FTLCONF_REPLY_ADDR4: ${FTLCONF_REPLY_ADDR4}
      TZ: ${TZ}
      WEB_PORT: ${WEB_PORT}
      PIHOLE_DNS_: 127.0.0.1#5335
      DNSSEC: "true"
      INTERFACE: ${INTERFACE}
    volumes:
      - ${CONFIG_FOLDER}/etc-pihole:/etc/pihole:rw
      - ${CONFIG_FOLDER}/etc-dnsmasq:/etc/dnsmasq.d:rw
    restart: unless-stopped
    network_mode: host
    mem_limit: 1Gb
```
- in the environment variables section, add these lines

```
FTLCONF_REPLY_ADDR4=# your nas ip
TZ=# your TZ
CONFIG_FOLDER=# your `docker_home` full path + /pihole-unbound
WEB_PORT=8182
INTERFACE=# i have enp4s0 here, if your network adapter has a different name use that
```
Deploy the stack; Pi-hole won't work yet, as it's trying to bind port 53. This is fine, as we needed DNS access when deploying the stack. Shut down the resolved service on your NAS with `sudo systemctl disable systemd-resolved` and `sudo systemctl stop systemd-resolved`. Restart the Pi-hole container and it should now work; check out the UI page.
Now you can use Pi-hole as the DNS resolver for your whole network: just set your NAS IP as the primary DNS server on your router page (and leave the secondary server set to 0.0.0.0). If you have connected devices, just disconnect from the network and rejoin it to update the DNS preferences.
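A pre-flight check for the host-networked stack above, added here as an example and not part of the ansible-nas project or of the comment it follows: it reads `ss -Hltnup` output and reports which of the ports Pi-hole needs (53, the blocking ports 80/443 Traefik holds, and the `WEB_PORT` chosen above) are already bound on the NAS and by which process. The port list and the sample `ss` output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ansible-nas project or the thread's author):
# report which ports the pihole-unbound stack needs that are already bound
# on the NAS, so you know what to stop (systemd-resolved on 53) or remap
# (Traefik on 80/443, Grafana on 3000) before deploying with network_mode: host.

# Ports the thread discusses: 53 for DNS, 80/443 for blocking, plus the
# WEB_PORT set above (8182). Assumed list; adjust to your own stack.
PIHOLE_PORTS="53 80 443 8182"

# Constructed sample of `ss -Hltnup` output (not captured from a real NAS).
SAMPLE_SS='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=612,fd=12))
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("traefik",pid=1480,fd=7))
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("traefik",pid=1480,fd=8))
tcp LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:* users:(("grafana-server",pid=1602,fd=9))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=890,fd=4))'

# port_conflicts WANTED_PORTS  <  ss-output
# Prints "port proto process" for each wanted port that is already bound.
# Returns 0 when at least one conflict exists, 1 when all wanted ports are free.
port_conflicts() {
    wanted="$1"
    conflict=1
    while read -r proto _state _rq _sq laddr _peer users; do
        [ -n "$laddr" ] || continue
        port="${laddr##*:}"       # "127.0.0.53%lo:53" -> "53", "[::]:22" -> "22"
        # Process name from users:(("name",pid=...)); empty when ss ran without root.
        proc=$(printf '%s' "$users" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        for p in $wanted; do
            if [ "$port" = "$p" ]; then
                printf '%s %s %s\n' "$port" "$proto" "${proc:-unknown}"
                conflict=0
            fi
        done
    done
    return $conflict
}

# Live use on the NAS (root needed for the process column):
#   ss -Hltnup | port_conflicts "$PIHOLE_PORTS" && echo "free these ports first"
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE_SS" | port_conflicts "$PIHOLE_PORTS"
```

On the sample this lists 53 (systemd-resolve) and 80/443 (traefik) but not 3000, because the stack above already moved the web UI to 8182.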
Thanks @HitLuca , personally I decided to move pi-hole to a VM to isolate it (and pi-vpn with wireguard) from the rest of my setup. I tried it with docker and had some network issues I couldn't figure out with my vpn.
@nicpayne713 - Ha! Me too. I moved Pi-hole (using DietPi and love it) to a VM on an ESXi server that gets rebooted a lot less than my ansible-nas server (Linux kernels seem to come out every week nowadays).