This repository has been archived by the owner on Jun 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathconfig.defaults.yml
197 lines (171 loc) · 8.79 KB
/
config.defaults.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# pihole-dns - an Ansible playbook to configure a PiHole DNS server
# Copyright (C) 2024 Charles German <5donuts@pm.me>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
---
# This file has a number of default configuration options.
# Please copy this to `./config.yml` and overwrite any values specific to
# your installation/needs. Any values not specified in `./config.yml` will
# be set by this file.
# -------------------------------------------------------------------------------- #
# General Configuration Options #
# -------------------------------------------------------------------------------- #
firewall_allowed_cidrs:
- 192.168.0.0/16
pi_static_ip: 192.168.0.100 # Static IP address of the Pi to configure
pi_dhcp_fallback: no # If 'pi_static_ip' is unavailable, get a DHCP lease?
router_ip: 192.168.0.1 # IP address of the router
pihole_interface: "eth0"
# This option is only used if you configure DNS-over-TLS.
# On Debian-based systems it is typically /etc/ssl/certs/ca-certificates.crt
# On Fedora-based systems it is typically /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
system_certificate_bundle: /etc/ssl/certs/ca-certificates.crt
# -------------------------------------------------------------------------------- #
# PiHole Configuration Options #
# -------------------------------------------------------------------------------- #
install_pihole: yes
pihole_enable_blocking: yes
pihole_web_admin_password: "p@ssword123!" # change me!
# If you are not using Unbound as a DNS server, configure the upstream
# DNS servers to use here. By default, CloudFlare DNS is selected. If
# you are using Unbound, this variable is ignored.
pihole_upstream_dns:
- 1.1.1.1
- 1.0.0.1
# If you want to specify any custom domain names on your network, you can
# do so here.
# pihole_custom_dns_entries:
# - name: pihole.lan
# addr: 192.168.0.100
pihole_log_queries: yes
pihole_install_web_server: yes
pihole_install_web_frontend: yes
pihole_enable_lighttpd: yes
# This setting might be ignored when DNSSEC is enabled?
pihole_dnsmasq_cache_size: 10000
# This corresponds to the "Interface Settings" section in the web UI.
# Note that some of these options are dangerous if set on internet-connected devices.
# A typical home setup where the Pi sits within the local network (and port 53 is _not_
# forwarded!) is still safe with any of these options.
# * `local` corresponds to "allow only local requests"
# This setting only allows queries from devices that are at most one hop away.
# This is the default/recommended setting.
# * `all` corresponds to "permit all origins"
# This setting permits listening on internet origin subnets in addition to local.
# * `single` corresponds to "respond only on interface ..."
pihole_dnsmasq_listening: "local"
# This is the "Never forward non-FQDN A and AAAA queries" option in the web UI.
# When there is a Pi-hole domain set and this option is set, this asks FTL that this
# domain is purely local and FTL may answer queries from /etc/hosts or DHCP leases
# but should never forward queries on that domain to any upstream servers. If
# Conditional Forwarding is enabled, unsetting this option may cause a partial DNS
# loop under certain circumstances (e.g. if a client would send TLD DNSSEC queries).
pihole_never_forward_non_fqdn: yes
# This is the "Never forward reverse lookups for private IP ranges" option in the web UI.
# All reverse lookups for private IP ranges (i.e., 192.168.0.x/24, etc.) which are not
# found in /etc/hosts or the DHCP leases are answered with "no such domain" rather than
# being forwarded upstream. The set of prefixes affected is the list given in RFC6303.
# Important: Enabling this and `pihole_never_forward_non_fqdn` may increase your privacy,
# but may also prevent you from being able to access local hostnames if the Pi-hole is not
# used as the DHCP server.
pihole_never_forward_private_rev_lookups: yes
# This is the "Use DNSSEC" option in the web UI.
# Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, Pi-hole requests
# the DNSSEC records needed to validate the replies. If a domain fails validation or the
# upstream does not support DNSSEC, this setting can cause issues resolving domains. Use an
# upstream DNS server which supports DNSSEC when activating DNSSEC. Note that the size of
# your log might increase significantly when enabling DNSSEC.
pihole_use_dnssec: yes
# These options correspond to the "Conditional Fowarding" section in the web UI.
# If not configured as your DHCP server, Pi-hole typically won't be able to determine the names
# of devices on your local network. As a result, tables such as Top Clients will only show IP
# addresses. One solution for this is to configure Pi-hole to forward these requests to your
# DHCP server (most likely your router), but only for devices on your home network.
# Enabling Conditional Forwarding will also forward all hostnames (i.e., non-FQDNs) to the
# router when "Never forward non-FQDNs" is not enabled.
pihole_enable_conditional_forwarding: no # TODO: need to figure out why this config is broken
pihole_local_network_cidr: 192.168.0.0/16
pihole_local_domain_name: "home.lan"
# -------------------------------------------------------------------------------- #
# PiHole DHCP Configuration Options #
# -------------------------------------------------------------------------------- #
# Be sure to disable DHCP on your router before enabling this setting!!
enable_pihole_dhcp: no
pihole_dhcp_start: 192.168.1.2 # Allocate 192.168.1.0/24 for dynamic addresses
pihole_dhcp_end: 192.168.1.254
pihole_dhcp_router: 192.168.0.1
pihole_dhcp_lease_time: 24 # in hours
pihole_dhcp_ipv6: no
pihole_dhcp_rapid_commit: no
# Configure any static leases on your network.
# To ensure a DHCP client is never given a reserved address, ensure there is no
# overlap between the static addresses here and the DHCP range given above.
# pihole_dhcp_static_leases:
# - mac_addr: ab:cd:ef:12:34:56
# hostname: example-host
# ip_addr: 192.168.0.10
# -------------------------------------------------------------------------------- #
# Unbound Configuration Options #
# -------------------------------------------------------------------------------- #
# See: https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
install_unbound: no
unbound_bind_addr: 127.0.0.1
unbound_port: 5335
# See: https://docs.pi-hole.net/guides/dns/unbound/#add-logging-to-unbound
unbound_log_verbosity: 0
unbound_log_queries: "no"
# unbound_logfile: "/var/log/unbound/unbound.log" # if unset, use syslog
unbound_do_ipv4: "yes"
unbound_do_udp: "yes"
unbound_do_tcp: "yes"
unbound_do_ipv6: "no"
unbound_prefer_ipv6: "no"
# Trust glue only if it is within the server's authority
unbound_harden_glue: "yes"
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
unbound_harden_dnssec_stripped: "yes"
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
unbound_prefetch: "yes"
# One thread should be sufficient, can be increased on beefy machines.
# In reality for most users running on small networks or on a single machine, it should be
# unnecessary to seek performance enhancement by increasing num-threads above 1.
unbound_num_threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
unbound_kernel_buffer: 1m
# Ensure privacy of local IP ranges
unbound_local_ip_cidrs:
- 192.168.0.0/16
- 169.254.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
- fd00::/8
- fe80::/10
# See:
# * https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
# * https://indico.dns-oarc.net/event/36/contributions/776/
unbound_edns_buffer_size: 1232
# Configure encrypted DNS using DNS-over-TLS (DoT)
# For a primer, see: https://en.wikipedia.org/wiki/DNS_over_TLS
unbound_enable_dot: no
unbound_dot_providers:
- addr: 1.1.1.1
name: cloudflare-dns.com
# port: 853 # Only specify this if it's _not_ 853
- addr: 1.0.0.1
name: cloudflare-dns.com
- addr: 2606:4700:4700::1111
name: cloudflare-dns.com
- addr: 2606:4700:4700::1001
name: cloudflare-dns.com