
benbalter / pi-hole-cloudflared-docker-compose-ansible-caddy


Example configuration for using Pi-Hole, Cloudflared, Docker Compose, Ansible, and Caddy to over-engineer your home network for privacy and security.

Home Page: https://ben.balter.com/2021/09/01/how-i-re-over-engineered-my-home-network/

License: MIT License

pi-hole clouflared docker docker-compose ansible caddy adblock home-networking

pi-hole-cloudflared-docker-compose-ansible-caddy's Introduction

Example Docker Compose and Ansible configuration for running Pi-Hole, Cloudflared, and Caddy

Details

See How I re-over-engineered my home network for privacy and security (and How I over-engineered my home network for privacy and security).

Usage

  1. Download the Raspberry Pi Imager and flash the latest version of Raspberry Pi OS Lite.
  2. Run ansible-playbook playbook.yml --inventory hosts.yml
  3. Sit back and wait until you have a fully configured PiHole running in about 5-10 minutes

pi-hole-cloudflared-docker-compose-ansible-caddy's Issues

Tailscale Integration

First of all, totally love the blog posts on this, and love your approach, thanks so much for teaching and sharing. I have bits and pieces of your setup implemented on my home network but I haven't tied it all together like you have.

I just recently heard about a good VPN company called Tailscale that uses Wireguard under the hood. They have an article about how to integrate that with Pi-Hole. I wonder if/how we could incorporate that into this setup.

I will do some research and see if it's possible, just posting it here to surface the idea and see if you (or anyone else reading this) thought of something.

Thanks.

"ERROR: Bad port 'SSH'" (from `community.general.ufw`)

Describe the bug

It seems that community.general.ufw doesn't work with the task "Allow all access to SSH, DNS, and WWW".
When playing that task, we see:

TASK [Allow all access to SSH, DNS, and WWW] ********************************************************************************************************************************
failed: [192.168.1.2] (item=SSH) => {"ansible_loop_var": "item", "changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw allow from any to any port SSH"], "item": "SSH", "msg": "ERROR: Bad port 'SSH'\n"}
failed: [192.168.1.2] (item=DNS) => {"ansible_loop_var": "item", "changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw allow from any to any port DNS"], "item": "DNS", "msg": "ERROR: Bad port 'DNS'\n"}
failed: [192.168.1.2] (item=WWW) => {"ansible_loop_var": "item", "changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw allow from any to any port WWW"], "item": "WWW", "msg": "ERROR: Bad port 'WWW'\n"}
failed: [192.168.1.2] (item=WWW Secure) => {"ansible_loop_var": "item", "changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw allow from any to any port WWW Secure"], "item": "WWW Secure", "msg": "ERROR: Wrong number of arguments\n"}

Proposed fix:

Change port into name in the task:

@@ -163,7 +177,7 @@
       become: true
       community.general.ufw:
         rule: allow
-        port: '{{ item }}'
+        name: '{{ item }}'
       loop:
         - SSH
         - DNS
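Review bot: Switching `port: '{{ item }}'` to `name: '{{ item }}'` matches the failure shown above: `ufw allow from any to any port SSH` is rejected because `port` takes a port number or range, whereas `name` selects a ufw application profile. Two things are worth checking before merging: the visible loop shows only `SSH` and `DNS`, but the task output also iterates `WWW` and `WWW Secure`, so confirm every item is a profile listed by `ufw app list` on the target or the task will still fail at runtime; and `WWW Secure` contains a space, so confirm the module passes the `name` value as a single quoted argument (the old `port` path produced `ERROR: Wrong number of arguments` for exactly that item). A one-line comment on the task stating that these are application-profile names, not ports, would prevent the same regression later.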

`nmcli` not working on Raspbian

Context

First of all, thank you for your excellent blog and for this automated template! I wasn't aware of several of the techniques and packages you describe -- it was awesome for me to discover Pi-hole, Cloudflare, Caddy and Ansible.

I've been spending a few hours trying to get the step:

Sit back and wait until I have a fully configured PiHole running in about 5-10 minutes.

to work... ;-)

So far, I've learned a lot, and found a few issues and tricks in the ansible config. I hope you don't mind if I address them in separate tickets. As a preview, so far:

  • (bug, this issue): nmcli is not working out of the box on Raspbian.
  • (feature): using Bitwarden instead of 1Password for secrets management.
  • (bug): GPG error when trying to sign the docker repo.
  • (bug): incorrect usage (perhaps as a result of a change?) of community.general.ufw ("ERROR: Bad port 'SSH'").
  • (needs clarification): what is the content/source of your private repo git@github.com:benbalter/pi-hole.git? Is it a private fork of the official docker-pi-hole with some config changes, or something else entirely (note to self: to make a private fork, see e.g. here)?
  • (needs clarification): more details about the overall procedure (e.g.: how to set up the Raspberry Pi to the point when we can ssh into it and start running the ansible playbook).

nmcli not working out of the box on Raspbian

Symptoms

When running ansible-playbook playbook.yml --inventory hosts.yml, I get:

fatal: [192.168.1.2]: FAILED! => {"changed": false, "msg": "Error: unknown connection 'eth0'.\n", "name": "eth0", "rc": 10}

It appears that nmcli is not working out of the box on Raspbian. See e.g. here.

A potential fix is this gist:

# already done in the playbook
sudo apt update
sudo apt install network-manager

# new steps
sudo apt purge openresolv dhcpcd5
sudo reboot

Steps to reproduce the behavior

  1. Clone this repo.
  2. ssh to a freshly flashed Raspbian 10 Raspberry Pi.
  3. adjust the image and set up the RPi to be reachable by ssh (see below)
  4. ansible-playbook playbook.yml --inventory hosts.yml

Note: Adjustments to fresh image
When I flash a new Raspberry image, I always tweak the content of the SD card as it is still in the card reader:

  1. mount the boot and rootfs partitions locally, say in /Volumes (Mac) or /media/$USER/ (Ubuntu); whatever the exact location, below I use $mp;
  2. create wpa_supplicant.conf under $mp/boot/ (see e.g. here)
  3. enable ssh (touch $mp/boot/ssh);
  4. mkdir -p $mp/rootfs/home/pi/.ssh and cat ~/.ssh/id_rsa.pub >> $mp/rootfs/home/pi/.ssh/authorized_keys.
  5. put the SD card in the Raspberry, power it on
  6. find the address that was given by the router
  7. ssh pi@that-address
  8. set a static IP address, see e.g. here.

Expected behavior

I expect nmcli to be operational and work as the ansible playbook intended.

using Bitwarden instead of 1Password for secrets management

It is relatively straightforward to use Bitwarden instead of 1Password for secrets management.

As a feature request, I propose to add this in the documentation as an example for this alternative.

  • install ansible-modules-bitwarden;
  • change e.g.:
    token: "{{ lookup('community.general.onepassword', 'PiHole', field='GitHub Token') }}" into
    token: "{{ lookup('bitwarden', 'pi-hole', field='GitHub Token', custom_field=true) }}"

GPG error when trying to sign the docker repo

Describe the bug

In the task: "add docker repository to apt", there is a failure:

Failed to update apt cache: W:GPG error:
https://download.docker.com/linux/debian buster InRelease: The following signatures couldn't
be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8,
E:The repository 'https://download.docker.com/linux/debian buster InRelease' is not signed.

Possibly related to: this SO issue.

As a workaround, I changed the task to not check signature (potential vulnerability):

    - name: add docker repository to apt
      become: true
      apt_repository:
        # we won't try to sign the repo. If we do, we get: "Failed to update apt cache: W:GPG error:
        # https://download.docker.com/linux/debian buster InRelease: The following signatures couldn't
        # be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8,
        # E:The repository 'https://download.docker.com/linux/debian buster InRelease' is not signed."
        # repo: deb [arch=armhf signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
        repo: deb [arch=armhf] https://download.docker.com/linux/debian buster stable
        state: present
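A hardened alternative to the workaround above, added here as an example rather than code from the repository: instead of dropping `signed-by=`, it fetches Docker's apt signing key, checks its fingerprint against a value the operator copies from Docker's installation documentation (the `docker_gpg_fingerprint` variable below is a placeholder), and only then dearmors it into the keyring path that the commented-out line already references. The task names, the temporary download path and the `docker` filename are assumptions.

```yaml
# Added example (not from the repository): install Docker's apt signing key
# into a dedicated keyring and keep apt signature checking enabled.
# docker_gpg_fingerprint is a PLACEHOLDER: fill it in from Docker's docs.
- name: fetch Docker's armored apt signing key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /tmp/docker-archive-keyring.asc   # assumed temporary path
    mode: "0644"

- name: verify the key's fingerprint before trusting it
  ansible.builtin.shell: >
    gpg --show-keys --with-colons /tmp/docker-archive-keyring.asc
    | awk -F: '$1 == "fpr" { print $10; exit }'
  register: docker_key_fpr
  changed_when: false
  # fail the play if the downloaded key is not the one we expect
  failed_when: docker_key_fpr.stdout != docker_gpg_fingerprint
  vars:
    docker_gpg_fingerprint: "REPLACE_WITH_FINGERPRINT_FROM_DOCKER_DOCS"

- name: install the verified key into the keyring directory
  become: true
  ansible.builtin.command:
    cmd: gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg /tmp/docker-archive-keyring.asc
    creates: /usr/share/keyrings/docker-archive-keyring.gpg

- name: add docker repository to apt (signature checking kept)
  become: true
  ansible.builtin.apt_repository:
    # signed-by restricts this key's trust to this repository only
    repo: deb [arch=armhf signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
    filename: docker
    state: present
```

With the key present in a dedicated keyring and `signed-by=` on the source line, apt trusts that key for this repository alone; the `NO_PUBKEY` error disappears because the key is now available, not because verification was switched off.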
