Git-Mirrors/qusal
1
0
Fork 0
mirror of https://github.com/ben-grande/qusal.git synced 2025-03-03 20:29:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: bump Pi-hole version

Browse Source
This commit is contained in:
Ben Grande 2025-02-21 14:28:57 +01:00
parent 599f044d58
commit f3a5d31e30
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
4 changed files with 103 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
salt/sys-pihole/README.md
View File

@ -29,7 +29,9 @@ to it.
Pi-Hole commits and tags are not signed by individuals, but as they are done Pi-Hole commits and tags are not signed by individuals, but as they are done
through the web interface, they have GitHub Web-Flow signature. This is the through the web interface, they have GitHub Web-Flow signature. This is the
best verification we can get for Pi-Hole. If you don't trust the hosting best verification we can get for Pi-Hole. If you don't trust the hosting
provider however, don't install this package. provider however, don't install this package. Besides that, future updates to
Pi-hole modules are not verified as it is done via by the native update
mechanism provided by upstream.
* Top: * Top:

11
salt/sys-pihole/files/server/lighttpd/50-pihole.conf
View File

@ -1,11 +0,0 @@
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
$HTTP["remoteip"] !~ "127.0.0.1" {
$HTTP["url"] =~ "^/admin/" {
url.access-deny = ( "" )
}
}
# vim: ft=apache

18
salt/sys-pihole/files/server/pihole/setupVars.conf
View File

@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=9.9.9.9
PIHOLE_DNS_2=149.112.112.112
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
WEBPASSWORD=
BLOCKING_ENABLED=true
WEBTHEME=default-dark

141
salt/sys-pihole/install.sls
View File

@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
{% if grains['nodename'] != 'dom0' %} {% if grains['nodename'] != 'dom0' %}
{% set pihole_tag = 'v5.18.4' -%} {% set pihole_tag = 'v6.0.4' -%}
include: include:
- utils.tools.common.update - utils.tools.common.update
@ -28,53 +28,19 @@ include:
- qubes-core-agent-dom0-updates - qubes-core-agent-dom0-updates
- qubes-core-agent-networking - qubes-core-agent-networking
- systemd-timesyncd - systemd-timesyncd
- ca-certificates
- curl
- dnsutils
- git - git
- idn2 - idn2
- lighttpd
- netcat-openbsd
- php-cgi
- php-common
- php-intl
- php-json
- php-sqlite3
- php-xml
- unzip
- bash-completion
- man-db - man-db
## Other dependencies brought by local package pihole-meta.
"{{ slsdotpath }}-disable-external-admin-interface": "{{ slsdotpath }}-disable-lighttpd":
file.managed: service.disabled:
- name: /etc/lighttpd/conf-available/50-pihole.conf - name: lighttpd
- source: salt://{{ slsdotpath }}/files/server/lighttpd/50-pihole.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-disable-external-admin-interface-symlink":
file.symlink:
- require:
- file: "{{ slsdotpath }}-disable-external-admin-interface"
- name: /etc/lighttpd/conf-enabled/50-pihole.conf
- target: /etc/lighttpd/conf-available/50-pihole.conf
- force: True
"{{ slsdotpath }}-disable-systemd-resolved": "{{ slsdotpath }}-disable-systemd-resolved":
service.disabled: service.disabled:
- name: systemd-resolved - name: systemd-resolved
"{{ slsdotpath }}-setupVars.conf":
file.managed:
- name: /etc/pihole/setupVars.conf
- source: salt://{{ slsdotpath }}/files/server/pihole/setupVars.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-git-clone": "{{ slsdotpath }}-git-clone":
git.latest: git.latest:
- name: https://github.com/pi-hole/pi-hole.git - name: https://github.com/pi-hole/pi-hole.git
@ -132,20 +98,113 @@ include:
"{{ slsdotpath }}-git-checkout-tag-{{ pihole_tag }}": "{{ slsdotpath }}-git-checkout-tag-{{ pihole_tag }}":
cmd.run: cmd.run:
- name: git checkout {{ pihole_tag }}
- require: - require:
- cmd: "{{ slsdotpath }}-git-verify-tag-pihole" - cmd: "{{ slsdotpath }}-git-verify-tag-pihole"
- name: git checkout {{ pihole_tag }}
- cwd: /root/pi-hole - cwd: /root/pi-hole
- runas: root - runas: root
"{{ slsdotpath }}-setup": "{{ slsdotpath }}-setup":
cmd.run: cmd.run:
- name: ./basic-install.sh --unattended
- require: - require:
- cmd: "{{ slsdotpath }}-git-checkout-tag-{{ pihole_tag }}" - cmd: "{{ slsdotpath }}-git-checkout-tag-{{ pihole_tag }}"
- name: ./basic-install.sh --unattended
- cwd: '/root/pi-hole/automated install' - cwd: '/root/pi-hole/automated install'
- runas: root - runas: root
"{{ slsdotpath }}-add-user-to-pihole-group":
group.present:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole
- addusers:
- user
"{{ slsdotpath }}-set-empty-api-password":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: printf '' | pihole setpassword
- runas: root
"{{ slsdotpath }}-set-upstream-dns-servers":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config dns.upstreams '[ "9.9.9.9", "149.112.112.112" ]'
- runas: root
"{{ slsdotpath }}-enable-blocking":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config dns.blocking.active true
- runas: root
"{{ slsdotpath }}-set-domain-interface":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config dns.interface eth0
- runas: root
"{{ slsdotpath }}-enable-domain-needed-fqdn":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config dns.domainNeeded true
- runas: root
"{{ slsdotpath }}-enable-expand-hosts-fqdn":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config dns.expandHosts true
- runas: root
"{{ slsdotpath }}-set-dark-theme":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config webserver.interface.theme default-dark
- runas: root
"{{ slsdotpath }}-restrict-webserver-acl-to-localhost":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config webserver.acl "+127.0.0.1,+[::1]"
- runas: root
"{{ slsdotpath }}-disable-ntp-sync":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config ntp.sync.active false
- runas: root
"{{ slsdotpath }}-disable-ntp-ipv4":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config ntp.ipv4.active false
- runas: root
"{{ slsdotpath }}-disable-ntp-ipv6":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config ntp.ipv6.active false
- runas: root
"{{ slsdotpath }}-enable-loading-dnsmasq.d":
cmd.run:
- require:
- cmd: "{{ slsdotpath }}-setup"
- name: pihole-FTL --config misc.etc_dnsmasq_d true
- runas: root
"{{ slsdotpath }}-firewall": "{{ slsdotpath }}-firewall":
file.managed: file.managed:
- name: /rw/config/qubes-firewall.d/50-sys-pihole - name: /rw/config/qubes-firewall.d/50-sys-pihole