qusal/salt/sys-pihole
Ben Grande 692659e22d feat: passwordless pihole admin interface
- Passwordless as it doesn't compromise security;
- Firewall blocks access to the interface in case the pihole is exposed
  to the internet;
- setupVars.conf needs to be 644 for non root commands to the pihole
  script to work, so the WEB_PASSWORD can be read as normal user,
  restricting root on pihole does not make sense, as it can modify the
  network setting via pihole web interface.
2024-01-05 16:32:42 +01:00
..
files feat: passwordless pihole admin interface 2024-01-05 16:32:42 +01:00
appmenus.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
appmenus.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure-browser.sls refactor: move appended states to drop-in rc.local 2023-12-19 22:50:59 +01:00
configure-browser.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls feat: clockvm also present in sys-pihole 2023-12-23 21:05:24 +01:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls feat: passwordless pihole admin interface 2024-01-05 16:32:42 +01:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md feat: passwordless pihole admin interface 2024-01-05 16:32:42 +01:00

sys-pihole

Pi-hole DNS Sinkhole in Qubes OS.

Table of Contents

Description

The package will create a standalone qube "sys-pihole". It blocks advertisements and internet trackers by providing a DNS sinkhole. It is a drop in replacement for sys-firewall.

The qube will be attached to the "netvm" of the "default_netvm", in other words, if you are using Qubes OS default setup, it will use "sys-net" as the "netvm", else it will try to figure out what is your upstream link and attach to it.

Installation

Pi-Hole commits and tags are not signed by individuals, but as they are done through the web interface, they have GitHub Web-Flow signature. This is the best verification we can get for Pi-Hole. If you don't trust the hosting provider however, don't install this package.

  • Top:
qubesctl top.enable sys-pihole browser
qubesctl --targets=tpl-browser,sys-pihole-browser,sys-pihole state.apply
qubesctl top.disable sys-pihole browser
qubesctl state.apply sys-pihole.appmenus
  • State:
qubesctl state.apply sys-pihole.create
qubesctl --skip-dom0 --targets=tpl-browser state.apply browser.install
qubesctl --skip-dom0 --targets=sys-pihole state.apply sys-pihole.install
qubesctl --skip-dom0 --targets=sys-pihole-browser state.apply sys-pihole.configure-browser
qubesctl state.apply sys-pihole.appmenus

If you want to change the global preferences updatevm and default_netvm and the per-qube preference netvm of all qubes from sys-firewall to sys-pihole, run:

qubesctl state.apply sys-pihole.prefs

Usage

Pi-hole will be installed with these default settings:

  • The DNS provider is Quad9 (filtered, DNSSEC)
  • Steven Black's Unified Hosts List is included
  • Query logging is enabled to show everything.

You can change the settings via the admin interface:

If you want to view statistics or manage the server through a GUI, open sys-pihole or sys-pihole-browser desktop file pihole-browser.desktop from Dom0. Addresses starting with http or https will be redirected to sys-pihole-browser.

The browser separation from the server is to avoid browsing malicious sites and exposing the browser to direct network on the same machine the server is running. The browser qube is offline and only has access to the admin interface. In other words, it has control over the server functions, if the browser is compromised, it can compromise the server.

You can clone sys-pihole. If you do, you must manually change the IP address of the clone.

If you want to combine Pi-Hole with Tor, then you should reconfigure your netvm chaining (will break tor's client stream isolation) as such:

  • qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net

If you encounter problems with DNS after having upstream netvm route changes, restart Pi-Hole DNS from sys-pihole and run the following as root:

pihole restartdns

Credits