From 692659e22d93a811dab09c4fca04cbe8679d6ff0 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Fri, 5 Jan 2024 16:32:42 +0100 Subject: [PATCH] feat: passwordless pihole admin interface - Passwordless as it doesn't compromise security; - Firewall blocks access to the interface in case the pihole is exposed to the internet; - setupVars.conf needs to be 644 for non root commands to the pihole script to work, so the WEB_PASSWORD can be read as normal user, restricting root on pihole does not make sense, as it can modify the network setting via pihole web interface. --- salt/sys-pihole/README.md | 11 +++-------- salt/sys-pihole/files/server/pihole/setupVars.conf | 2 +- .../files/server/qubes-firewall.d/50-sys-pihole | 6 ++++++ salt/sys-pihole/install.sls | 1 + 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/salt/sys-pihole/README.md b/salt/sys-pihole/README.md index ad1796c..d8d2f55 100644 --- a/salt/sys-pihole/README.md +++ b/salt/sys-pihole/README.md @@ -61,14 +61,9 @@ Pi-hole will be installed with these default settings: - Steven Black's Unified Hosts List is included - Query logging is enabled to show everything. -You can change these settings via the admin interface: +You can change the settings via the admin interface: - URL: http://localhost/admin -- default password: `UpSNQsy4` - -You should change this password on first use by running in `sys-pihole`: -```sh -pihole -a -p -``` +- There is no password (access allowed only through localhost) If you want to view statistics or manage the server through a GUI, open `sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop` @@ -90,7 +85,7 @@ netvm chaining (will break tor's client stream isolation) as such: - qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net If you encounter problems with DNS after having upstream netvm route changes, -restart Pi-Hole DNS from `sys-pihole`: +restart Pi-Hole DNS from `sys-pihole` and run the following as root: ```sh pihole restartdns ``` 
diff --git a/salt/sys-pihole/files/server/pihole/setupVars.conf b/salt/sys-pihole/files/server/pihole/setupVars.conf
index 775217e..b63c636 100644
--- a/salt/sys-pihole/files/server/pihole/setupVars.conf
+++ b/salt/sys-pihole/files/server/pihole/setupVars.conf
@@ -13,6 +13,6 @@ CACHE_SIZE=10000
 DNS_FQDN_REQUIRED=true
 DNS_BOGUS_PRIV=true
 DNSMASQ_LISTENING=local
-WEBPASSWORD=1832d74a8cd6d9b8cb0f9db646500f1ac9733d104ebbf9f9be157391fb051bfb
+WEBPASSWORD=
 BLOCKING_ENABLED=true
 WEBTHEME=default-dark
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
index 417900d..9a608ba 100644
--- a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
+++ b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
@@ -23,6 +23,12 @@ insert rule ip6 qubes custom-forward udp dport 53 drop
 flush chain ip qubes custom-input
 flush chain ip6 qubes custom-input
 
+## Admin Web Interface
+insert rule ip qubes custom-input iifname != "lo" tcp dport 80 drop
+insert rule ip qubes custom-input iifname != "lo" udp dport 80 drop
+insert rule ip6 qubes custom-input iifname != "lo" tcp dport 80 drop
+insert rule ip6 qubes custom-input iifname != "lo" udp dport 80 drop
+## DNS
 insert rule ip qubes custom-input iifname "vif*" tcp dport 53 accept
 insert rule ip qubes custom-input iifname "vif*" udp dport 53 accept
 insert rule ip6 qubes custom-input iifname "vif*" tcp dport 53 accept
diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls
index 047dd26..62de6be 100644
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@@ -67,6 +67,7 @@ include:
   file.managed:
   - name: /etc/pihole/setupVars.conf
   - source: salt://{{ slsdotpath }}/files/server/pihole/setupVars.conf
+  - mode: '0644'
   - user: root
   - group: root
   - makedirs: True
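Review bot: The empty `WEBPASSWORD=` line removes the only authentication on the admin interface, yet nothing in this file records that the protection now rests entirely on the port-80 drop rules in `qubes-firewall.d/50-sys-pihole`; a later edit that relaxes those rules, or rebinds the web server, would silently leave an unauthenticated DNS control panel reachable from every downstream qube. As far as I know Pi-hole's tooling parses setupVars.conf itself, so an inline comment here may not be safe; I would put the dependency where the file is installed instead, next to the `file.managed` state in `install.sls`, e.g. `# WEBPASSWORD is intentionally empty: the admin UI is reachable only via lo (see qubes-firewall.d/50-sys-pihole)`. It is also worth stating in the same place that anyone who later runs `pihole -a -p` puts a hash back into this file, which is then readable by every local account because of the 0644 mode set in the same commit.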
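Review bot: The four new `insert rule ... iifname != "lo" ... dport 80 drop` lines are now the sole thing keeping the passwordless admin UI off the vif interfaces, so the design deserves a second layer: if this rule file fails to load (a syntax error, or qubes-firewall not yet having run when the web server comes up) the interface is exposed with no password. If the repository does not already do so, I would also bind the web server to `127.0.0.1`/`::1` in its own configuration, so the firewall is a backstop rather than the only control; I cannot see the lighttpd configuration from this hunk, so treat this as something to confirm. Two smaller points on the rules themselves: the two `udp dport 80` lines appear to be dead weight, since the admin interface is served over TCP, and only port 80 is covered, so if TLS on 443 is ever enabled here the same drop rules must be extended or the password reconsidered; a comment above the block such as `## Admin Web Interface: no password is set, so only loopback may reach it` would make that coupling visible to the next editor.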
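Review bot: The added `- mode: '0644'` has no comment explaining why a file that until this commit held a password hash is being made world-readable; the reasoning is only in the commit message, which the next maintainer of this state will not see. I would add above it `# 0644: unprivileged 'pihole' subcommands must read this file; WEBPASSWORD is intentionally empty (admin UI is loopback-only via qubes-firewall.d/50-sys-pihole)`. The caveat that belongs alongside it is that `pihole -a -p` would write a new hash into a file every local account can read, so setting a password later requires revisiting this mode. The `file.managed` state's ID line lies above the hunk, so the enclosing block starts outside what is shown here.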