Project to create an Ansible playbook based on the one at https://github.com/tomgelbling/Securing-your-Raspberry-Pi-with-Ansible, combined with a Pi Hole Docker installation from https://github.com/shaderecker/ansible-pihole.
The aim is to produce a Pi Hole install on a Raspberry Pi, with the relevant ufw rules, via a single Ansible playbook, using an Unbound DNS server as the upstream resolver.
The playbook will perform configuration modifications in the following areas:
- Change the password of the pi user
- Create an alternative superuser
- Make sudo require a password
- Establish a cron job to update the openssh-server package on a daily basis
- Set users that are allowed to use SSH
- Set users that are not allowed to use SSH
- Establish key-based authentication and disable all other authentication methods
- Install & enable ufw and fail2ban
- Set default and ssh firewall rules
- Install Docker
- Add the alternate superuser to the docker group
- Add an instance of WatchTower that will update containers with a CRON job
- Create an Unbound Docker container (see also the non-Pi Docker image)
  - Configured to use the host network, with slight modifications from the guide found here
  - Test that the container is running, inspiration taken from here
- Create a Pi Hole Docker container
  - Test that the container is running
  - Auto-configured to use the Unbound DNS server as its upstream
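The following play is an added example of how the SSH and firewall items in the list above fit together; it is not a role from this project or from the upstream playbooks it builds on. The variable names, the LAN range 192.168.2.0/24 (chosen to match the 192.168.2.110 example host used later in this README), the sudoers drop-in path that Raspbian uses for the pi user, and the Pi Hole web UI port are assumptions.

```yaml
# Added example, not the project's own role. Assumed: variable names, the
# LAN range, the sudoers drop-in path and the web UI port.
- name: Harden SSH and the firewall on the Pi
  hosts: pi
  become: true
  vars:
    ssh_allowed_users: [admin]      # the alternative superuser (assumed name)
    ssh_denied_users: [pi]          # the default user is denied SSH
    lan_cidr: 192.168.2.0/24        # assumed LAN range
    web_ui_port: 80                 # assumed Pi Hole web UI port
  tasks:
    - name: Make sudo require a password for the pi user
      # Raspbian grants pi passwordless sudo via this drop-in (assumed path);
      # visudo -c rejects the edit if it would leave sudoers unparsable
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/010_pi-nopasswd
        regexp: '^pi\s'
        line: 'pi ALL=(ALL) ALL'
        validate: 'visudo -cf %s'

    - name: Key-only SSH, restricted to listed users
      # Replaces a commented-out or active directive in place; sshd -t
      # validates the result before it is moved into /etc/ssh
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: 'sshd -t -f %s'
      loop:
        - { key: PubkeyAuthentication, value: 'yes' }
        - { key: PasswordAuthentication, value: 'no' }
        - { key: ChallengeResponseAuthentication, value: 'no' }
        - { key: PermitRootLogin, value: 'no' }
        - { key: AllowUsers, value: "{{ ssh_allowed_users | join(' ') }}" }
        - { key: DenyUsers, value: "{{ ssh_denied_users | join(' ') }}" }
      notify: restart ssh

    - name: Install ufw and fail2ban
      ansible.builtin.apt:
        name: [ufw, fail2ban]
        state: present
        update_cache: true

    - name: Set default policies (deny incoming, allow outgoing)
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    - name: Rate-limit SSH and accept it only from the LAN
      community.general.ufw:
        rule: limit
        port: '22'
        proto: tcp
        src: "{{ lan_cidr }}"

    - name: Allow DNS to Pi Hole from the LAN only (Unbound stays on localhost)
      community.general.ufw:
        rule: allow
        port: '53'
        proto: "{{ item }}"
        src: "{{ lan_cidr }}"
      loop: [tcp, udp]

    - name: Allow the Pi Hole web UI from the LAN
      community.general.ufw:
        rule: allow
        port: "{{ web_ui_port }}"
        proto: tcp
        src: "{{ lan_cidr }}"

    - name: Enable ufw last, so the SSH rule is already in place
      community.general.ufw:
        state: enabled

    - name: Start and enable fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Rules are added before ufw is enabled so the SSH rule is active the moment the firewall comes up and the Ansible session is not cut off. Note that these rules only filter containers that use the host network (as this project configures Unbound); a container started with published ports (`-p`) is reached through Docker's own iptables chains, which sit ahead of ufw's, so port 53 and the web UI should be bound on the host network or restricted some other way.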
The following software packages have to be installed on your local machine and the Raspberry Pi.
Local machine:
- Python 2.6 or later
- Ansible, for macOS and Linux only
Raspberry Pi:
- Raspbian
- Python 2.6 or later
This chapter describes how to
- get a copy of the project.
- edit the config files.
- run the Ansible playbook to secure your Raspberry Pi.
git clone https://github.com/timrwwatson/Ansible-Pi-Hole-Set-Up.git
cd Ansible-Pi-Hole-Set-Up/
On your Ansible host machine you may need to add/edit the ansible.cfg file. For me this was located in the /etc/ansible/ folder and I added/changed:
host_key_checking = False
interpreter_python=auto_silent
The first allows SSH connections without the host being in the known_hosts file, which also means Ansible will not notice if the Pi's host key changes (adding the Pi's key to known_hosts before the first run keeps that check). The latter silences warnings about the location of the Python interpreter on the Pi.
Add your Raspberry Pi IP address to the pi host group
echo "192.168.2.110" >> hosts
Add your public key to the authorized_keys files
cat ~/.ssh/id_rsa.pub >> roles/security/files/authorized_keys
Edit the variables file to set e.g. the custom password for the pi user, the name of the alternative user etc.
vim roles/security/vars/main.yaml
vim group_vars/pi.yaml
Edit the variables file to set the relevant IP addresses for Pi Hole etc.
vim roles/pihole/vars/main.yaml
Edit the Watchtower CRON update schedule
vim roles/docker/vars/main.yml
ansible-playbook -i hosts playbook.yaml
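Once the playbook has run, the two "test that the container is running" items from the list of playbook areas can be repeated from the Ansible host with the play below. It is an added example, not part of this project: it assumes the containers are named unbound and pihole, that Unbound listens on 127.0.0.1:5335 (the port commonly used for a local Unbound behind Pi Hole), that Pi Hole v5 stores its upstream as PIHOLE_DNS_1 in /etc/pihole/setupVars.conf inside the container, and that dig is installed on the Pi. The query name is a constructed test value.

```yaml
# Added example, not part of this project. Assumed: container names,
# Unbound on 127.0.0.1:5335, Pi Hole v5 config layout, dig installed on the Pi.
- name: Verify the Pi Hole -> Unbound resolver chain
  hosts: pi
  become: true
  vars:
    unbound_container: unbound
    pihole_container: pihole
    unbound_addr: "127.0.0.1#5335"   # Pi Hole's upstream notation, ip#port
    probe_name: pi-hole.net          # constructed test query
  tasks:
    - name: Collect container state
      community.docker.docker_container_info:
        name: "{{ item }}"
      loop: ["{{ unbound_container }}", "{{ pihole_container }}"]
      register: containers

    - name: Fail unless both containers exist and are running
      ansible.builtin.assert:
        that:
          - item.exists
          - item.container.State.Running
        fail_msg: "container {{ item.item }} is not running"
      loop: "{{ containers.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Read the upstream Pi Hole is configured with
      ansible.builtin.command: >
        docker exec {{ pihole_container }}
        grep ^PIHOLE_DNS_1= /etc/pihole/setupVars.conf
      register: upstream
      changed_when: false

    - name: Pi Hole must point at the local Unbound, not a public resolver
      ansible.builtin.assert:
        that: upstream.stdout == "PIHOLE_DNS_1=" ~ unbound_addr
        fail_msg: "unexpected upstream {{ upstream.stdout }}"

    - name: Query Unbound directly (full recursion, no forwarder)
      ansible.builtin.command: >
        dig +short +time=3 @127.0.0.1
        -p {{ unbound_addr.split('#')[1] }} {{ probe_name }}
      register: unbound_answer
      changed_when: false
      failed_when: unbound_answer.rc != 0 or unbound_answer.stdout | length == 0

    - name: Query Pi Hole on port 53 (answered via Unbound)
      ansible.builtin.command: "dig +short +time=3 @127.0.0.1 {{ probe_name }}"
      register: pihole_answer
      changed_when: false
      failed_when: pihole_answer.rc != 0 or pihole_answer.stdout | length == 0
```

Run it with the same inventory (`ansible-playbook -i hosts verify.yaml`, assuming you save it under that name). The second query only reaches Pi Hole at 127.0.0.1:53 when the Pi Hole container is on the host network or publishes port 53; the upstream assertion is the part that confirms Pi Hole is actually forwarding to Unbound rather than to a public resolver.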
- Desktop Raspbian OS VM 2021-01-11
Note, however, that when using the desktop/Windows VM images I found that they weren't able to install Docker correctly.
The base of this project comes from the work done below:
Tom Gelbling - Project initiator/Securing a Pi using Ansible
shaderecker and relaxdiego - I took elements from this project too / ansible-pihole
There is also a list of contributors who participated in the original security project.
Ansible playbook to secure your Raspberry Pi. Based on Securing your Raspberry Pi by the Raspberry Pi Foundation.
This project is licensed under the GNU General Public License v3.0 - see the LICENSE.md file for details