Pi-hole - update for 4.2
This commit is contained in:
parent
461f6195ef
commit
8ed3baa258
@ -21,10 +21,10 @@ Run `sudo /srv/salt/pihole/change_netvm.sh` .
|
||||
Pi-hole will be installed with these default settings:
|
||||
The DNS provider is Quad9 (filtered, DNSSEC)
|
||||
StevenBlack's Unified Hosts List is included
|
||||
The web interface is availble at http://localhost
|
||||
The web interface is availble at http://localhost/admin
|
||||
Query logging is enabled to show everything.
|
||||
|
||||
You can change these settings by logging in to the admin interface at http://localhost.
|
||||
You can change these settings by logging in to the admin interface at http://localhost/admin
|
||||
The default Admin Webpage login password is UpSNQsy4
|
||||
You should change this on first use, by running:
|
||||
`pihole -a -p`
|
||||
@ -32,7 +32,7 @@ You should change this on first use, by running:
|
||||
|
||||
The implementation is based on work by Patrizio Tufarolo,
|
||||
(https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/ ),
|
||||
and updated for Qubes 4.1
|
||||
and updated for Qubes 4.2
|
||||
|
||||
for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
|
||||
if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
|
||||
|
@ -1,11 +1,11 @@
|
||||
pihole_depends:
|
||||
qvm.template_installed:
|
||||
- name: debian-11-minimal
|
||||
- name: debian-12-minimal
|
||||
|
||||
pihole-present-id:
|
||||
qvm.present:
|
||||
- name: sys-pihole
|
||||
- template: debian-11-minimal
|
||||
- template: debian-12-minimal
|
||||
- label: green
|
||||
- class: StandaloneVM
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
auto eth0
|
||||
iface eth0 inet static
|
||||
auto enX0
|
||||
iface enX0 inet static
|
||||
address
|
||||
netmask 255.0.0.0
|
||||
gateway
|
@ -1,4 +0,0 @@
|
||||
#!/usr/sbin/nft -f
|
||||
flush chain nat PR-QBS
|
||||
insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
@ -1,2 +0,0 @@
|
||||
#!/bin/sh
|
||||
nft -f /rw/config/network-hooks.d/flush
|
@ -16,24 +16,24 @@
|
||||
{% set IP = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
|
||||
{% set GW = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}
|
||||
|
||||
/etc/network/interfaces.d/eth0:
|
||||
/etc/network/interfaces.d/enX0:
|
||||
file.managed:
|
||||
- source:
|
||||
- salt://pihole/eth0
|
||||
- salt://pihole/enX0
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
set_ip:
|
||||
file.line:
|
||||
- name: /etc/network/interfaces.d/eth0
|
||||
- name: /etc/network/interfaces.d/enX0
|
||||
- match: address
|
||||
- mode: replace
|
||||
- content: "address {{IP}}"
|
||||
|
||||
set_gw:
|
||||
file.line:
|
||||
- name: /etc/network/interfaces.d/eth0
|
||||
- name: /etc/network/interfaces.d/enX0
|
||||
- match: gateway
|
||||
- mode: replace
|
||||
- content: "gateway {{GW}}"
|
||||
@ -67,10 +67,6 @@ Pihole_installed:
|
||||
- php-xml
|
||||
- unzip
|
||||
|
||||
Pihole-systemd-mask:
|
||||
cmd.run:
|
||||
- name: systemctl disable systemd-resolved
|
||||
|
||||
https://github.com/pi-hole/pi-hole.git:
|
||||
git.latest:
|
||||
- name: https://github.com/pi-hole/pi-hole.git
|
||||
@ -89,13 +85,6 @@ Pihole-setup:
|
||||
cmd.run:
|
||||
- name: '/root/pi-hole/automated\ install/basic-install.sh --unattended'
|
||||
|
||||
/rw/config/qubes-firewall-user-script:
|
||||
file.append:
|
||||
- text:
|
||||
- nft flush chain nat PR-QBS
|
||||
- nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
- nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
||||
|
||||
/rw/config/qubes-firewall.d/update_nft.sh:
|
||||
file.managed:
|
||||
- source:
|
||||
@ -105,6 +94,15 @@ Pihole-setup:
|
||||
- makedirs: True
|
||||
- mode: 755
|
||||
|
||||
/rw/config/qubes-firewall.d/update_nft.nft:
|
||||
file.managed:
|
||||
- source:
|
||||
- salt://pihole/update_nft.nft
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
- mode: 755
|
||||
|
||||
/rw/config/network-hooks.d/internalise.sh:
|
||||
file.managed:
|
||||
- source:
|
||||
@ -114,19 +112,10 @@ Pihole-setup:
|
||||
- makedirs: True
|
||||
- mode: 755
|
||||
|
||||
/rw/config/network-hooks.d/flush.sh:
|
||||
/rw/config/network-hooks.d/update_nft.sh:
|
||||
file.managed:
|
||||
- source:
|
||||
- salt://pihole/flush.sh
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
- mode: 755
|
||||
|
||||
/rw/config/network-hooks.d/flush:
|
||||
file.managed:
|
||||
- source:
|
||||
- salt://pihole/flush
|
||||
- salt://pihole/update_nft.sh
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
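Review bot: The new `/rw/config/network-hooks.d/update_nft.sh` stanza appears to lose the `- mode: 755` that the replaced `flush.sh` stanza carried: reading the rendered hunk against its 19-to-10 line counts, the `- user`/`- group`/`- makedirs`/`- mode: 755` run after `salt://pihole/flush.sh` is old-side only, while the run after `salt://pihole/update_nft.sh` ends at `- makedirs: True`. If Qubes executes network hooks rather than sourcing them, the hook will be installed without the executable bit and the Pi-hole rules will not be re-applied on a network change, so I would add `- mode: 755` after `- makedirs: True`, matching the `qubes-firewall.d/update_nft.sh` stanza in the earlier hunk that keeps it. Conversely, the new `/rw/config/qubes-firewall.d/update_nft.nft` stanza gives a pure nft ruleset `- mode: 755`; it is only read by `nft -f` from the wrapper script, so `- mode: 644` is sufficient and avoids an executable file with an `nft -f` shebang sitting in a hook directory.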
|
||||
|
@ -1,4 +1,4 @@
|
||||
PIHOLE_INTERFACE=eth0
|
||||
PIHOLE_INTERFACE=enX0
|
||||
PIHOLE_DNS_1=9.9.9.9
|
||||
PIHOLE_DNS_2=149.112.112.112
|
||||
QUERY_LOGGING=true
|
||||
|
14
pihole/update_nft.nft
Normal file
14
pihole/update_nft.nft
Normal file
@ -0,0 +1,14 @@
|
||||
#!/usr/sbin/nft -f
|
||||
flush chain qubes dnat-dns
|
||||
|
||||
flush chain qubes custom-forward
|
||||
insert rule qubes custom-forward tcp dport 53 drop
|
||||
insert rule qubes custom-forward udp dport 53 drop
|
||||
|
||||
flush chain qubes custom-input
|
||||
insert rule qubes custom-input tcp dport 53 accept
|
||||
insert rule qubes custom-input udp dport 53 accept
|
||||
|
||||
flush chain qubes dnat-dns
|
||||
insert rule qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
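Review bot: The two `custom-input` accept rules carry no interface match, so port 53 on sys-pihole is opened on every interface including the upstream `enX0`, whereas the old `update_nft.sh` limited its INPUT accepts to `iifname "vif*"` and the `dnat-dns` rules at the bottom of this same file still do. Unless exposing the resolver to the upstream net qube is intended, restore the qualifier: `insert rule qubes custom-input iifname "vif*" tcp dport 53 accept` and `insert rule qubes custom-input iifname "vif*" udp dport 53 accept`. Separately, `flush chain qubes dnat-dns` on the second line is repeated just before the dnat rules further down, so the first copy can go, and a short header such as `# Qubes 4.2: user hook chains in the 'qubes' table (replaces the 4.1 PR-QBS/filter rules); reloaded by update_nft.sh` would tell the next reader why these chain names are used. As far as I know `nft -f` applies the file as a single transaction, so the flush/insert pairs do not leave a window with no DNS rules, but that is worth stating in the header too.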
|
@ -1,12 +1,3 @@
|
||||
#!/bin/sh
|
||||
get_handle(){
|
||||
local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
|
||||
echo $my_handle
|
||||
}
|
||||
nft -f /rw/config/qubes-firewall.d/update_nft.nft
|
||||
|
||||
nft insert rule filter FORWARD tcp dport 53 drop
|
||||
nft insert rule filter FORWARD udp dport 53 drop
|
||||
|
||||
handle=$(get_handle filter)
|
||||
nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
|
||||
nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept
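Review bot: The rewritten script has no error handling: if `nft -f /rw/config/qubes-firewall.d/update_nft.nft` fails (for instance because the `qubes` table or its custom chains are not present yet when the hook fires), the script still exits 0 and, as far as I can tell, the qube is left with Qubes' stock `dnat-dns` rules, so client DNS silently bypasses Pi-hole rather than failing closed. I would make the outcome visible with `set -e` followed by `exec nft -f /rw/config/qubes-firewall.d/update_nft.nft`, or at least append `|| logger -t pihole-nft "failed to load update_nft.nft"` so the failure lands in the journal. init.sls installs this same file under both `/rw/config/qubes-firewall.d/` and `/rw/config/network-hooks.d/`, so a header comment such as `# Reapplies the Pi-hole DNS nft rules; installed as both a qubes-firewall.d and a network-hooks.d hook, ignores any hook arguments.` would save the next maintainer from editing only one copy's expectations.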
|
||||
|