1. You have installed Raspberry Pi OS.
2. You can connect to the raspberry-pi.
3. The raspberry-pi can reach the Internet.
4. You have configured a static IP address for your raspberry-pi.
5. You have created an SSH key pair and copied the public key onto the rasberry-pi for a non-root user.
6. You have Ansible installed or otherwise available.
7. If you want to configure WireGuard, you have configured port-forwarding and dynamic DNS on your router.

1. SSHD
   • Basic secure measures like disabling password authentication and root login.
2. Pi-hole
3. dnscrypt-proxy (optional)
   • Anonymous relays
4. WireGuard (optional)
   • Local devices accessible
   • Tunnel all Internet traffic to the raspberry-pi

Besides all of the assumptions, this does not configure WireGuard clients. Check the Pi-hole guide for that.

Aside from the documentation already linked, I borrowed the iptables configuration from u/Annonymoiuse on Reddit.

There are default variables in each role, you should explore those.

The following variables are in ./vars.yml and you must set them:

The commands to generate the WireGuard secrets are not idempotent. If you lose one of the created files, new values will be generated when Ansible runs again and you will likely need to reconfigure your clients.

dnscrypt-proxy is configured to use all relays and all resolvers. This may not be optimal.

If you plan to connect a device within the LAN via WireGuard, you should edit the client config file to use the local IP instead of the dynamic DNS entry.

When the dynamic DNS entry changes you will need to disconnect and re-connect remote devices. Wireguard only resolves DNS enties once.

1. Clone this repo.
2. Update ./hosts with the local IP of the raspberry-pi.
3. Update ./vars.yml.
4. Run make apply (and hope it works).
5. Test that you can resolve DNS entries.
   • dig google.com @<rapsberry-pi-addr>
6. Update your router to use the rapsberry-pi.
7. Connect clients to WireGuard.