Skip to content

Latest commit

 

History

History
161 lines (107 loc) · 5.41 KB

README.md

File metadata and controls

161 lines (107 loc) · 5.41 KB

Project Aims

Project to create a Ansible playbook based of the one at: https://github.com/tomgelbling/Securing-your-Raspberry-Pi-with-Ansible and creating a Pi Hole docker installation from here: https://github.com/shaderecker/ansible-pihole

The aim is to create a Pi Hole Raspberry Pi install with the relevant ufw rules via an Ansible playbook, using an Unbound DNS server.

What will be achieved by this Ansible playbook?

The playbook will perform configuration modifications in the following areas:

Raspbian users

  • Change the password of the pi user
  • Create an alternative superuser
  • Make sudo require a password

Software package updates

  • Establish Cronjob to update the openssh-server package on a daily basis

SSH

  • Set users that are allowed to use SSH
  • Set users that are not allowed to use SSH
  • Establish key-based authentication and disable all other authenticaton methods

Firewall

  • Install & enable ufw and fail2ban
  • Set default and ssh firewall rules

Docker

  • Install Docker
  • Add the alternate superuser to the docker group
  • Add an instance of WatchTower that will update containers with a CRON job

Unbound

Pi Hole

  • Create a Pi Hole Docker container
  • Test the container is running
  • Auto conifgured to use the Unbound DNS Server

Prerequisites

The following software packages have to be installed on your local machine and the Raspberry Pi.

On your local machine

On your Raspberry Pi

Deployment

This chapter describes how to

  • get a copy of the project.
  • edit the config files.
  • run the Ansible playbook to secure your Raspberry Pi.

How to get a copy of the project

git clone https://github.com/timrwwatson/Ansible-Pi-Hole-Set-Up.git
cd Ansible-Pi-Hole-Set-Up/

How to edit the config files

On your Ansible Host machine you may need to add/edit the ansible.cfg file

For me this was located in the /etc/ansible/ folder and I added/changed:

host_key_checking = False
interpreter_python=auto_silent

The first allows ssh connections without the host being in the known host file and the latter silences warnings about the location of the python dir.

Add your Raspberry Pi IP address to the pi host group

echo "192.168.2.110" >> hosts

Add your public key to the authorized_keys files

cat /.ssh/id_rsa.pub >> roles/security/files/authorized_keys

Edit the variables file to set e.g. the custom password for the pi user, the name of the alternative user etc.

vim roles/security/vars/main.yaml
vim group_vars/pi.yaml

Edit the variables file to set the relevant IP addresses for Pi Hole etc

vim roles/pihole/vars/main.yaml

Edit the Watchtower CRON update schedule

vim roles/docker/vars/main.yml

How to run the Ansible playbook to secure your Raspberry Pi

ansible-playbook -i hosts playbook.yaml

Built With


Authors

The base of this project comes from the work done below:

Tom Gelbling - Project initiator/Securing a Pi using Ansible

shaderecker and relaxdiego - I took elements from this project too/ ansible-pihole

There is also a list of contributors who participated in the original security project.

References: Securing your Raspberry Pi with Ansible

Ansible playbook to secure your Raspberry Pi. Based on Securing your Raspberry Pi by the Raspberry Pi Foundation.

License

This project is licensed under the GNU General Public License v3.0 - see the LICENSE.md file for details