Add Pi-hole Docker configuration and CNAME records; update Traefik settings for improved routing

Author: yousecjoe

src/docker/containers/bind9/dns.tf

@@ -15,7 +15,6 @@ resource "dns_a_record_set" "open-webui" {
     ]
     ttl = 30
 }
-
 resource "dns_a_record_set" "ollama" {
     zone = "home.youngsecurity.net."
     name = "ollama"
@@ -43,3 +42,15 @@ resource "dns_cname_record" "llm" {
     cname = "tfk-01.home.youngsecurity.net."
     ttl = 30
 }
+resource "dns_cname_record" "pihole" {
+    zone = "home.youngsecurity.net."
+    name = "pihole"
+    cname = "tfk-01.home.youngsecurity.net."
+    ttl = 30  
+}
+resource "dns_cname_record" "portainer" {
+    zone = "home.youngsecurity.net."
+    name = "portainer"
+    cname = "tfk-01.home.youngsecurity.net."
+    ttl = 30  
+}

src/docker/containers/bind9/main.plan

@@ -1,7 +1,7 @@
 services:
   pihole:
     container_name: pihole
-    image: pihole/pihole:2024.07.0    
+    image: pihole/pihole:2024.07.0
     environment:
       #WEBPASSWORD: "set a secure password here or it will be random"
       - TZ=America/New_York
@@ -14,7 +14,7 @@ services:
     #  - "81:80/tcp"
     networks:
       macvlan255:
-        ipv4_address: 10.0.255.155      
+        ipv4_address: 10.0.255.155
     volumes:
       - pihole_etc:/etc/pihole
       - pihole_etc_dnsmasq.d:/etc/dnsmasq.d

src/docker/containers/pihole/.terraform.lock.hcl

@@ -0,0 +1,99 @@
+terraform {
+  required_providers {
+    docker = {
+      source = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+  }
+}
+
+provider "docker" {
+  # Configuration options
+  host = "tcp://ignignokt.home.youngsecurity.net:2376/"
+  ca_material   = file(pathexpand("~/.docker/ca-docker.pem")) # this can be omitted
+  cert_material = file(pathexpand("~/.docker/client-docker-cert.pem"))
+  key_material  = file(pathexpand("~/.docker/key-docker-client.pem"))
+}
+
+# Pull the Docker image
+resource "docker_image" "pihole" {
+  name = "pihole/pihole:2024.07.0"
+}
+
+# Reference the existing external volume
+resource "docker_volume" "pihole_etc" {
+  name = "pihole_etc"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+resource "docker_volume" "pihole_etc_dnsmasq_d" {
+  name = "pihole_etc_dnsmasq.d"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+data "docker_network" "macvlan255" {
+  name = "macvlan255"
+}
+
+# Create the Docker container
+resource "docker_container" "pihole" {
+  image = docker_image.pihole.image_id
+  name  = "pihole"
+  hostname = "pihole"
+  tty = true
+  labels {
+    label = "traefik.enable"
+    value = "true"
+  }
+  labels {
+    label="traefik.http.routers.pihole.rule"
+    value="Host(`pihole.home.youngsecurity.net`) || Host(`pihole.youngsecurity.net`)"
+  }
+  labels {
+    label="traefik.http.routers.pihole.entrypoints"
+    value="websecure"
+  }
+  labels {
+    label="traefik.http.routers.pihole.tls"
+    value="true"
+  }
+  labels {
+    label="traefik.http.routers.pihole.tls.certresolver"
+    value="cloudflare"
+  }
+  labels {
+    label="traefik.http.services.pihole.loadbalancer.server.port"
+    value="80"
+  }
+
+  # Set environment variables
+  env = [
+    "TZ=America/New_York",
+    "VIRTUAL_HOST=pihole"
+  ]
+
+  # Mount the external volume
+  mounts {
+    target = "/etc/pihole"
+    source = resource.docker_volume.pihole_etc.name
+    type   = "volume"
+  }
+  mounts {
+    target = "/etc/dnsmasq.d"
+    source = resource.docker_volume.pihole_etc_dnsmasq_d.name
+    type   = "volume"
+  }
+  # Connect to the external network with a static IP
+  networks_advanced {
+    name         = data.docker_network.macvlan255.name
+    ipv4_address = "10.0.255.155"
+  }
+
+  # Set the restart policy
+  restart = "unless-stopped"
+}

src/docker/containers/pihole/docker-compose.yml

@@ -0,0 +1,37 @@
+http:
+  #middlewares:    
+  #  default-security-headers:
+  #    headers:
+  #      customBrowserXSSValue: 0                            # X-XSS-Protection=1; mode=block
+  #      contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
+  #      forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
+  #      frameDeny: false                                   # X-Frame-Options=deny
+  #      referrerPolicy: "strict-origin-when-cross-origin"
+  #      stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
+  #      stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
+  #      stsSeconds: 3153600                              # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
+  #      contentSecurityPolicy: "default-src 'self'"     
+  #      customRequestHeaders:
+  #        X-Forwarded-Proto: https
+  #  https-redirectscheme:
+  #    redirectScheme:
+  #      scheme: https
+  #      permanent: true
+
+  routers:
+    portainer:
+      entryPoints:
+        - "websecure"
+      rule: "Host(`portainer.home.youngsecurity.net`)"
+      #middlewares:
+        #- default-security-headers
+        #- https-redirectscheme
+      tls: {}
+      service: portainer
+
+  services:
+    portainer:
+      loadBalancer:
+        servers:          
+          - url: "https://10.0.255.19:9443"
+        passHostHeader: true

src/docker/containers/pihole/main.plan

@@ -8,10 +8,10 @@ terraform {
 }
 provider "docker" {
   # Configuration options  
-  host = "${DOCKER_HOST}"
-  ca_material   = "${CA_MATERIAL}"
-  cert_material = "${CERT_MATERIAL}"
-  key_material  = "${KEY_MATERIAL}"
+  #host = ${DOCKER_HOST}
+  #ca_material   = ${CA_MATERIAL}
+  #cert_material = ${CERT_MATERIAL}
+  #key_material  = ${KEY_MATERIAL}
 }
 
 # Pull the Docker image