feat: passwordless pihole admin interface

- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
  to the internet;
- setupVars.conf needs to be 644 for non-root commands to the pihole
  script to work, so the WEB_PASSWORD can be read as a normal user;
  restricting root on pihole does not make sense, as it can modify the
  network setting via the pihole web interface.
Ben Grande 2024-01-05 16:32:42 +01:00
parent 417843ba75
commit 692659e22d
4 changed files with 11 additions and 9 deletions


@ -61,14 +61,9 @@ Pi-hole will be installed with these default settings:
- Steven Black's Unified Hosts List is included
- Query logging is enabled to show everything.
You can change these settings via the admin interface:
You can change the settings via the admin interface:
- URL: http://localhost/admin
- default password: `UpSNQsy4`
You should change this password on first use by running in `sys-pihole`:
```sh
pihole -a -p
```
- There is no password (access allowed only through localhost)
If you want to view statistics or manage the server through a GUI, open
`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
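
Review bot: The new bullet "There is no password (access allowed only through localhost)" states the restriction without saying what enforces it. Say that the nftables rules added in this commit drop port 80 on every interface except `lo`, and that any process inside `sys-pihole` can now use the admin interface without authenticating, so readers know the guarantee depends on those rules being loaded. A short upgrade note for users who previously set their own password with `pihole -a -p` would also help.
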
@ -90,7 +85,7 @@ netvm chaining (will break tor's client stream isolation) as such:
- qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net
If you encounter problems with DNS after having upstream netvm route changes,
restart Pi-Hole DNS from `sys-pihole`:
restart Pi-Hole DNS from `sys-pihole` and run the following as root:
```sh
pihole restartdns
```
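
Review bot: The reworded line "restart Pi-Hole DNS from `sys-pihole` and run the following as root:" reads as two separate steps, while the command below it is the restart itself. Suggest "restart Pi-hole DNS by running the following as root in `sys-pihole`:". The commit message says setupVars.conf is made 644 so that non-root `pihole` commands work, so it is worth stating why this command still needs root. This change is also unrelated to the passwordless interface and would be easier to track as its own commit.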


@ -13,6 +13,6 @@ CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
WEBPASSWORD=1832d74a8cd6d9b8cb0f9db646500f1ac9733d104ebbf9f9be157391fb051bfb
WEBPASSWORD=
BLOCKING_ENABLED=true
WEBTHEME=default-dark
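
Review bot: With `WEBPASSWORD=` left empty, nothing here records that authentication is off on purpose or what protects the interface instead. The only remaining control is the set of port 80 drop rules added to the firewall file in this commit, so note that dependency where the setting is documented, and consider making the state fail if those rules are not loaded, so that an empty password is never deployed without the filter.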


@ -23,6 +23,12 @@ insert rule ip6 qubes custom-forward udp dport 53 drop
flush chain ip qubes custom-input
flush chain ip6 qubes custom-input
## Admin Web Interface
insert rule ip qubes custom-input iifname != "lo" tcp dport 80 drop
insert rule ip qubes custom-input iifname != "lo" udp dport 80 drop
insert rule ip6 qubes custom-input iifname != "lo" tcp dport 80 drop
insert rule ip6 qubes custom-input iifname != "lo" udp dport 80 drop
## DNS
insert rule ip qubes custom-input iifname "vif*" tcp dport 53 accept
insert rule ip qubes custom-input iifname "vif*" udp dport 53 accept
insert rule ip6 qubes custom-input iifname "vif*" tcp dport 53 accept
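
Review bot: The two `udp dport 80 drop` rules under `## Admin Web Interface` do not protect anything, because the admin interface is served over HTTP (the README gives http://localhost/admin), which is TCP. They are harmless but can be removed, leaving the `ip` and `ip6` TCP rules. Since `WEBPASSWORD` is now empty, these rules are the only access control on the interface; a comment saying so would help, and it is worth confirming that the web server listens on no other port, since only port 80 is filtered here.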


@ -67,6 +67,7 @@ include:
file.managed:
- name: /etc/pihole/setupVars.conf
- source: salt://{{ slsdotpath }}/files/server/pihole/setupVars.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
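
Review bot: `mode: '0644'` makes `/etc/pihole/setupVars.conf` world-readable, and the state carries no comment explaining why. The commit message gives the reason (non-root `pihole` commands need to read the file); put that in a comment above the `mode` line. If a user later sets a password with `pihole -a -p`, its hash becomes readable by every local user, and unless `replace: False` is set outside the visible lines, re-applying this state will overwrite the file with the empty `WEBPASSWORD` from the source. Both effects should be documented.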