Add a role for Adguard Home

2020-09-13 19:27:58 +02:00 · 2020-09-13 19:27:58 +02:00 · 77ee7ef98c
parent 914204fb70
commit 77ee7ef98c
6 changed files with 265 additions and 0 deletions
--- a/roles/adguardhome/defaults/main.yml
+++ b/roles/adguardhome/defaults/main.yml
@ -0,0 +1,19 @@
+---
+adguardhome_version: v0.103.3
+adguardhome_tarball_armv7l: AdGuardHome_linux_armv7.tar.gz
+adguardhome_tarball_armv7l_sha256: c1a6028568440803126dd35e0d4324784eee6e350b2dc85890e36ae037449b16
+adguardhome_tarball_x86_64: AdGuardHome_linux_amd64.tar.gz
+adguardhome_tarball_x86_64_sha256: 077fb5262129535f3fdc47379fdd573a68aade62cdbdac02919b69de777df3ea
+
+adguardhome_tarball: "{{ lookup('vars', 'adguardhome_tarball_'+ansible_architecture|lower, default=adguardhome_tarball_x86_64) }}"
+adguardhome_tarball_sha256: "{{ lookup('vars', 'adguardhome_tarball_'+ansible_architecture|lower+'_sha256', default=adguardhome_tarball_x86_64_sha256) }}"
+
+adguardhome_download_url: "https://github.com/AdguardTeam/AdGuardHome/releases/download/{{ adguardhome_version }}/{{ adguardhome_tarball }}"
+
+adguardhome_dir: /srv/AdGuardHome
+adguardhome_file_version_dir: "{{ adguardhome_dir }}/version"
+
+adguardhome_user: admin
+adguardhome_password: changeme
+
+adguardhome_bind_host: 0.0.0.0
--- a/roles/adguardhome/handlers/main.yml
+++ b/roles/adguardhome/handlers/main.yml
@ -0,0 +1,11 @@
+---
+- name: systemctl daemon-reload
+  systemd:
+    daemon_reload: true
+  become: true
+
+- name: systemctl restart adguardhome
+  systemd:
+    name: adguardhome.service
+    state: restarted
+  become: true
--- a/roles/adguardhome/tasks/main.yml
+++ b/roles/adguardhome/tasks/main.yml
@ -0,0 +1,93 @@
+---
+- name: ensure adguardhome group exits
+  group:
+    name: adguardhome
+  become: true
+
+- name: ensure adguardhome user exists and has restrictive settings
+  user:
+    name: adguardhome
+    groups: adguardhome
+    password: "*"
+    shell: /usr/sbin/nologin
+  become: true
+
+- name: ensure that the directory where we deploy AdGuard Home exists
+  file:
+    path: "{{ adguardhome_dir }}"
+    state: directory
+    owner: adguardhome
+    group: adguardhome
+    mode: "0750"
+  become: true
+
+# TODO: download only if not installed or a new version.
+
+- name: download locally AdGuard Home in /tmp
+  get_url:
+    url: "{{ adguardhome_download_url }}"
+    dest: /tmp
+    checksum: "sha256:{{ adguardhome_tarball_sha256 }}"
+  delegate_to: localhost
+
+- name: unarchive locally AdGuard Home
+  unarchive:
+    src: "/tmp/{{ adguardhome_tarball }}"
+    dest: /tmp
+    remote_src: true
+  delegate_to: localhost
+
+- name: copy AdGuard Home binary
+  copy:
+    src: /tmp/AdGuardHome/AdGuardHome
+    dest: "{{ adguardhome_dir }}"
+    owner: adguardhome
+    group: adguardhome
+    mode: "0750"
+  become: true
+
+# NOTE: python3-passlib must be installed or this will fail silently.
+- name: set the AdGuardHome config file
+  template:
+    src: templates/AdGuardHome.yaml.j2
+    dest: "{{ adguardhome_dir }}/AdGuardHome.yaml"
+    owner: adguardhome
+    group: adguardhome
+    mode: 0640
+  become: true
+  notify: systemctl restart adguardhome
+
+- name: set cap_net_bind_service=+ep on AdGuardHome binary
+  capabilities:
+    path: "{{ adguardhome_dir }}/AdGuardHome"
+    capability: cap_net_bind_service=+ep
+  become: true
+
+- name: write AdGuard Home version file
+  copy:
+    content: "{{ adguardhome_version }}"
+    dest: "{{ adguardhome_file_version_dir }}"
+    owner: adguardhome
+    group: adguardhome
+    mode: "0640"
+  become: true
+
+- name: install adguardhome systemd unit file
+  template:
+    src: etc/systemd/system/adguardhome.service.j2
+    dest: /etc/systemd/system/adguardhome.service
+  notify:
+    - systemctl daemon-reload
+  become: true
+
+- name: systemctl enable adguardhome
+  systemd:
+    name: adguardhome
+    enabled: true
+  become: true
+
+- name: ensure AdGuard Home is running
+  systemd:
+    name: adguardhome
+    state: started
+  become: true
--- a/roles/adguardhome/templates/AdGuardHome.yaml.j2
+++ b/roles/adguardhome/templates/AdGuardHome.yaml.j2
@ -0,0 +1,127 @@
+bind_host: {{ adguardhome_bind_host }}
+bind_port: 80
+users:
+- name: {{ adguardhome_user }}
+  password: {{ adguardhome_password | password_hash('bcrypt') }}
+http_proxy: ""
+language: ""
+rlimit_nofile: 0
+debug_pprof: false
+web_session_ttl: 720
+dns:
+  bind_host: {{ adguardhome_bind_host }}
+  port: 53
+  statistics_interval: 7
+  querylog_enabled: true
+  querylog_file_enabled: true
+  querylog_interval: 90
+  protection_enabled: true
+  blocking_mode: null_ip
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_response_ttl: 10
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  ratelimit: 20
+  ratelimit_whitelist: []
+  refuse_any: true
+  upstream_dns:
+  - tls://dns.quad9.net
+  - tls://1.1.1.1
+  bootstrap_dns:
+  - 9.9.9.10
+  - 149.112.112.10
+  - 2620:fe::10
+  - 2620:fe::fe:10
+  all_servers: false
+  fastest_addr: false
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts: []
+  cache_size: 4194304
+  cache_ttl_min: 0
+  cache_ttl_max: 0
+  bogus_nxdomain: []
+  aaaa_disabled: false
+  enable_dnssec: false
+  edns_client_subnet: false
+  filtering_enabled: true
+  filters_update_interval: 24
+  parental_enabled: false
+  safesearch_enabled: false
+  safebrowsing_enabled: false
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  rewrites: []
+  blocked_services: []
+tls:
+  enabled: false
+  server_name: ""
+  force_https: false
+  port_https: 443
+  port_dns_over_tls: 853
+  allow_unencrypted_doh: false
+  strict_sni_check: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: ""
+  private_key_path: ""
+filters:
+- enabled: true
+  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+  name: AdGuard DNS filter
+  id: 1
+- enabled: true
+  url: https://adaway.org/hosts.txt
+  name: AdAway
+  id: 2
+- enabled: true
+  url: https://hosts-file.net/ad_servers.txt
+  name: hpHosts - Ad and Tracking servers only
+  id: 3
+- enabled: true
+  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
+  name: MalwareDomainList.com Hosts List
+  id: 4
+- enabled: true
+  url: https://filters.adtidy.org/extension/chromium/filters/2.txt
+  name: AdGuard Base filter
+  id: 5
+- enabled: true
+  url: https://filters.adtidy.org/extension/chromium/filters/3.txt
+  name: AdGuard Tracking Protection filter
+  id: 6
+- enabled: true
+  url: https://filters.adtidy.org/extension/chromium/filters/4.txt
+  name: AdGuard Social Media filter
+  id: 7
+- enabled: true
+  url: https://filters.adtidy.org/extension/chromium/filters/14.txt
+  name: AdGuard Annoyances filter
+  id: 8
+- enabled: true
+  url: https://filters.adtidy.org/extension/chromium/filters/11.txt
+  name: AdGuard Mobile Ads filter
+  id: 9
+whitelist_filters: []
+user_rules: []
+dhcp:
+  enabled: false
+  interface_name: ""
+  gateway_ip: ""
+  subnet_mask: ""
+  range_start: ""
+  range_end: ""
+  lease_duration: 86400
+  icmp_timeout_msec: 1000
+clients: []
+log_compress: false
+log_localtime: false
+log_max_backups: 0
+log_max_size: 100
+log_max_age: 3
+log_file: ""
+verbose: false
+schema_version: 6
--- a/roles/adguardhome/templates/etc/systemd/system/adguardhome.service.j2
+++ b/roles/adguardhome/templates/etc/systemd/system/adguardhome.service.j2
@ -0,0 +1,14 @@
+# Managed by Ansible
+[Unit]
+Description=AdGuard Home
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart="{{ adguardhome_dir }}/AdGuardHome"
+User=adguardhome
+Group=adguardhome
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/tests/test.yml
+++ b/tests/test.yml
@ -21,3 +21,4 @@
    # Uncomment to test wikijs role: it's commented since the tarball that we
    # have to download is more than 60MB.
    # - {role: ../roles/wikijs, become: true, wikijs_db_type: sqlite}
+    - {role: ../roles/adguardhome}