pihole 6

Author: ildoc

ansible/inventory/group_vars/all.yml

@@ -7,6 +7,8 @@ install_oh_my_zsh: true
 push_ssh_keys: true
 
 pihole:
+  api_url: "https://pihole.local.ildoc.it/admin"
+  api_key: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/pihole:api_key') }}"
   dns_records:
 
     - { ip: 192.168.0.10, domain: "pve01" }
@@ -83,7 +85,102 @@ pihole:
     - { mac: AA:AA:AA:AA:CA:CE, ip: 192.168.0.40, hostname: redis }
 
     - { mac: aa:bb:cc:11:22:88, ip: 192.168.0.41, hostname: webserver-app }
-    - { mac: aa:bb:cc:22:11:77, ip: 192.168.0.42, hostname: mongodb-db }   
+    - { mac: aa:bb:cc:22:11:77, ip: 192.168.0.42, hostname: mongodb-db }
+      
+  adlists:
+    - url: "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+      comment: "Steven Black's Unified Hosts List"
+      enabled: true
+    
+    - url: "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
+      comment: "KAD hosts"
+      enabled: true
+    
+    - url: https://v.firebog.net/hosts/AdguardDNS.txt
+      comment: "Adguard DNS"
+      enabled: true
+    
+    - url: "https://v.firebog.net/hosts/Easyprivacy.txt"
+      comment: "EasyPrivacy"
+      enabled: true
+    
+    - url: "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
+      comment: "Ads and tracking extended"
+      enabled: true
+
+    - url: "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
+      comment: "FadeMind List"
+      enabled: true
+    
+    - url: "https://v.firebog.net/hosts/static/w3kbl.txt"
+      comment: "Firebog w3kbl list"
+      enabled: true
+
+    - url: "https://v.firebog.net/hosts/Prigent-Ads.txt"
+      comment: "Firebog Prigent ads list"
+      enabled: true
+
+    - url: "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.txt"
+      comment: "Hagezi Pro Blocklist"
+      enabled: true
+
+    - url: "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt"
+      comment: "Smart TV AGH Blocklist"
+      enabled: true
+    
+    - url: "https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt"
+      comment: "AdAway Hosts"
+      enabled: true
+    
+    - url: "https://mirror1.malwaredomains.com/files/justdomains"
+      comment: "Malware Domains"
+      enabled: true
+
+    - url: "https://big.oisd.nl"
+      comment: "OISD Full"
+      enabled: true
+
+    - url: "https://someonewhocares.org/hosts/zero/hosts"
+      comment: "Dan Pollock's List"
+      enabled: false  # Esempio di lista disabilitata
+
+  # Whitelist - Domini sempre permessi
+  whitelist:
+    domains:
+      - domain: "clicks.eventbrite.com"
+        comment: "Google Play Store"
+        enabled: true
+      
+      - domain: "click.discord.com"
+        comment: "Google Services"
+        enabled: true
+      
+      - domain: "oci.external-secrets.io"
+        comment: "YouTube"
+        enabled: true
+
+    # Whitelist regex - Pattern permessi
+    regex:     
+      - domain: "^(.+[-.])?local\\.ildoc\\.it$"
+        comment: "All local subdomains"
+        enabled: false
+
+  # Blacklist - Domini sempre bloccati
+  blacklist:
+    domains:      
+      - domain: "facebook.com"
+        comment: "Block Facebook completely"
+        enabled: false  # Esempio di blocco disabilitato
+      
+      - domain: "analytics.google.com"
+        comment: "Google Analytics"
+        enabled: true
+
+    # Blacklist regex - Pattern bloccati
+    regex:     
+      - domain: "^(.+[-.])?tracking?\\..*$"
+        comment: "Block tracking"
+        enabled: false
 
 nut:
   ups_name: ups

ansible/pihole6.yml

@@ -0,0 +1,7 @@
+---
+- name: Manage dns and dhcp reservations
+  hosts: pihole
+  become: true
+  gather_facts: true
+  roles:
+    - role: pihole6

ansible/roles/pihole6/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Ensure required variables are defined
+  ansible.builtin.assert:
+    that:
+      - pihole_api_key is defined
+      - pihole_api_url is defined
+    fail_msg: "pihole_api_key and pihole_api_url must be defined"
+
+- name: Manage DNS records via API
+  ansible.builtin.include_tasks: manage_dns_records.yml
+
+- name: Manage DHCP reservations via API
+  ansible.builtin.include_tasks: manage_dhcp_reservations.yml
+
+- name: Manage Adlists via API
+  ansible.builtin.include_tasks: manage_adlists.yml
+  when: pihole.adlists is defined
+
+- name: Manage Whitelist domains via API
+  ansible.builtin.include_tasks: manage_whitelist_domains.yml
+  when: pihole.whitelist.domains is defined
+
+- name: Manage Whitelist regex via API
+  ansible.builtin.include_tasks: manage_whitelist_regex.yml
+  when: pihole.whitelist.regex is defined
+
+- name: Manage Blacklist domains via API
+  ansible.builtin.include_tasks: manage_blacklist_domains.yml
+  when: pihole.blacklist.domains is defined
+
+- name: Manage Blacklist regex via API
+  ansible.builtin.include_tasks: manage_blacklist_regex.yml
+  when: pihole.blacklist.regex is defined
+
+- name: Update gravity if lists changed
+  ansible.builtin.include_tasks: update_gravity.yml
+  when: adlists_changed is defined and adlists_changed

ansible/roles/pihole6/tasks/manage_adlists.yml

@@ -0,0 +1,106 @@
+---
+- name: Get existing adlists
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/adlist"
+    method: GET
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+    return_content: true
+  register: existing_adlists
+
+- name: Create lookup dict for existing adlists
+  ansible.builtin.set_fact:
+    existing_adlists_dict: "{{ dict(existing_adlists.json.adlists | default([]) | 
+                               map(attribute='address') | 
+                               zip(existing_adlists.json.adlists | default([]))) }}"
+
+- name: Create lookup dict for desired adlists
+  ansible.builtin.set_fact:
+    desired_adlists_dict: "{{ dict(pihole.adlists | 
+                              map(attribute='url') | 
+                              zip(pihole.adlists)) }}"
+
+- name: Get list of existing adlist URLs
+  ansible.builtin.set_fact:
+    existing_adlist_urls: "{{ existing_adlists.json.adlists | default([]) | map(attribute='address') | list }}"
+
+- name: Get list of desired adlist URLs
+  ansible.builtin.set_fact:
+    desired_adlist_urls: "{{ pihole.adlists | map(attribute='url') | list }}"
+
+- name: Identify adlists to add
+  ansible.builtin.set_fact:
+    adlists_to_add: "{{ desired_adlist_urls | difference(existing_adlist_urls) }}"
+
+- name: Identify adlists to remove
+  ansible.builtin.set_fact:
+    adlists_to_remove: "{{ existing_adlist_urls | difference(desired_adlist_urls) }}"
+
+- name: Identify adlists to update
+  ansible.builtin.set_fact:
+    adlists_to_update: []
+
+- name: Check for adlists needing updates
+  ansible.builtin.set_fact:
+    adlists_to_update: "{{ adlists_to_update + [item] }}"
+  loop: "{{ desired_adlist_urls | intersect(existing_adlist_urls) }}"
+  when:
+    - existing_adlists_dict[item].enabled != (desired_adlists_dict[item].enabled | default(true) | int) or
+      existing_adlists_dict[item].comment != (desired_adlists_dict[item].comment | default(''))
+
+- name: Add new adlists
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/adlist"
+    method: POST
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+      Content-Type: "application/json"
+    body_format: json
+    body:
+      address: "{{ desired_adlists_dict[item].url }}"
+      enabled: "{{ desired_adlists_dict[item].enabled | default(true) }}"
+      comment: "{{ desired_adlists_dict[item].comment | default('') }}"
+    status_code: [200, 201]
+  loop: "{{ adlists_to_add }}"
+  when: adlists_to_add | length > 0
+  register: adlists_add_result
+
+- name: Update existing adlists
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/adlist/{{ existing_adlists_dict[item].id }}"
+    method: PUT
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+      Content-Type: "application/json"
+    body_format: json
+    body:
+      enabled: "{{ desired_adlists_dict[item].enabled | default(true) }}"
+      comment: "{{ desired_adlists_dict[item].comment | default('') }}"
+    status_code: [200, 204]
+  loop: "{{ adlists_to_update }}"
+  when: adlists_to_update | length > 0
+  register: adlists_update_result
+
+- name: Remove obsolete adlists
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/adlist/{{ existing_adlists_dict[item].id }}"
+    method: DELETE
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+    status_code: [200, 204]
+  loop: "{{ adlists_to_remove }}"
+  when: adlists_to_remove | length > 0
+  register: adlists_remove_result
+
+- name: Set flag for gravity update
+  ansible.builtin.set_fact:
+    adlists_changed: true
+  when: (adlists_to_add | length > 0) or (adlists_to_update | length > 0) or (adlists_to_remove | length > 0)
+
+- name: Display adlists changes summary
+  ansible.builtin.debug:
+    msg:
+      - "Adlists added: {{ adlists_to_add | length }}"
+      - "Adlists updated: {{ adlists_to_update | length }}"
+      - "Adlists removed: {{ adlists_to_remove | length }}"
+  when: (adlists_to_add | length > 0) or (adlists_to_update | length > 0) or (adlists_to_remove | length > 0)

ansible/roles/pihole6/tasks/manage_blacklist_domains.yml

@@ -0,0 +1,98 @@
+---
+- name: Get existing blacklist domains
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/blacklist"
+    method: GET
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+    return_content: true
+  register: existing_blacklist
+
+- name: Create lookup dict for existing blacklist
+  ansible.builtin.set_fact:
+    existing_blacklist_dict: "{{ dict(existing_blacklist.json.blacklist | default([]) | 
+                                 map(attribute='domain') | 
+                                 zip(existing_blacklist.json.blacklist | default([]))) }}"
+
+- name: Create lookup dict for desired blacklist
+  ansible.builtin.set_fact:
+    desired_blacklist_dict: "{{ dict(pihole.blacklist.domains | 
+                                map(attribute='domain') | 
+                                zip(pihole.blacklist.domains)) }}"
+
+- name: Get list of existing blacklist domains
+  ansible.builtin.set_fact:
+    existing_blacklist_domains: "{{ existing_blacklist.json.blacklist | default([]) | map(attribute='domain') | list }}"
+
+- name: Get list of desired blacklist domains
+  ansible.builtin.set_fact:
+    desired_blacklist_domains: "{{ pihole.blacklist.domains | map(attribute='domain') | list }}"
+
+- name: Identify blacklist domains to add
+  ansible.builtin.set_fact:
+    blacklist_to_add: "{{ desired_blacklist_domains | difference(existing_blacklist_domains) }}"
+
+- name: Identify blacklist domains to remove
+  ansible.builtin.set_fact:
+    blacklist_to_remove: "{{ existing_blacklist_domains | difference(desired_blacklist_domains) }}"
+
+- name: Identify blacklist domains to update
+  ansible.builtin.set_fact:
+    blacklist_to_update: []
+
+- name: Check for blacklist domains needing updates
+  ansible.builtin.set_fact:
+    blacklist_to_update: "{{ blacklist_to_update + [item] }}"
+  loop: "{{ desired_blacklist_domains | intersect(existing_blacklist_domains) }}"
+  when:
+    - existing_blacklist_dict[item].enabled != (desired_blacklist_dict[item].enabled | default(true) | int) or
+      existing_blacklist_dict[item].comment != (desired_blacklist_dict[item].comment | default(''))
+
+- name: Add new blacklist domains
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/blacklist"
+    method: POST
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+      Content-Type: "application/json"
+    body_format: json
+    body:
+      domain: "{{ desired_blacklist_dict[item].domain }}"
+      enabled: "{{ desired_blacklist_dict[item].enabled | default(true) }}"
+      comment: "{{ desired_blacklist_dict[item].comment | default('') }}"
+    status_code: [200, 201]
+  loop: "{{ blacklist_to_add }}"
+  when: blacklist_to_add | length > 0
+
+- name: Update existing blacklist domains
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/blacklist/{{ existing_blacklist_dict[item].id }}"
+    method: PUT
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+      Content-Type: "application/json"
+    body_format: json
+    body:
+      enabled: "{{ desired_blacklist_dict[item].enabled | default(true) }}"
+      comment: "{{ desired_blacklist_dict[item].comment | default('') }}"
+    status_code: [200, 204]
+  loop: "{{ blacklist_to_update }}"
+  when: blacklist_to_update | length > 0
+
+- name: Remove obsolete blacklist domains
+  ansible.builtin.uri:
+    url: "{{ pihole.api_url }}/api/lists/blacklist/{{ existing_blacklist_dict[item].id }}"
+    method: DELETE
+    headers:
+      X-FTL-SID: "{{ pihole.api_key }}"
+    status_code: [200, 204]
+  loop: "{{ blacklist_to_remove }}"
+  when: blacklist_to_remove | length > 0
+
+- name: Display blacklist domains changes summary
+  ansible.builtin.debug:
+    msg:
+      - "Blacklist domains added: {{ blacklist_to_add | length }}"
+      - "Blacklist domains updated: {{ blacklist_to_update | length }}"
+      - "Blacklist domains removed: {{ blacklist_to_remove | length }}"
+  when: (blacklist_to_add | length > 0) or (blacklist_to_update | length > 0) or (blacklist_to_remove | length > 0)