Pi-hole - update for 4.2

2024-10-01 01:25:41 -04:00 · 2024-02-03 05:35:48 +00:00 · 2024-02-03 05:35:48 +00:00 · 8ed3baa258
commit 8ed3baa258
parent 461f6195ef
9 changed files with 38 additions and 50 deletions
--- a/pihole/README
+++ b/pihole/README
@ -21,10 +21,10 @@ Run `sudo /srv/salt/pihole/change_netvm.sh` .
 Pi-hole will be installed with these default settings:
 The DNS provider is Quad9 (filtered, DNSSEC)
 StevenBlack's Unified Hosts List is included
- The web interface is availble at http://localhost
+ The web interface is availble at http://localhost/admin
 Query logging is enabled to show everything.

-You can change these settings by logging in to the admin interface at http://localhost.
+You can change these settings by logging in to the admin interface at http://localhost/admin
 The default Admin Webpage login password is UpSNQsy4
 You should change this on first use, by running:
 `pihole -a -p`
@ -32,7 +32,7 @@ You should change this on first use, by running:

 The implementation is based on work by Patrizio Tufarolo, 
 (https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/ ), 
-and updated for Qubes 4.1
+and updated for Qubes 4.2

  for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
  if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
--- a/pihole/create.sls
+++ b/pihole/create.sls
@ -1,11 +1,11 @@
 pihole_depends:
  qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal

 pihole-present-id:
  qvm.present:
    - name: sys-pihole
-    - template: debian-11-minimal
+    - template: debian-12-minimal
    - label: green
    - class: StandaloneVM

--- a/pihole/enX0
+++ b/pihole/enX0
@ -1,5 +1,5 @@
-auto eth0
-iface eth0 inet static
+auto enX0
+iface enX0 inet static
 address
 netmask 255.0.0.0
 gateway
--- a/pihole/flush
+++ b/pihole/flush
@ -1,4 +0,0 @@
-#!/usr/sbin/nft -f
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
--- a/pihole/flush.sh
+++ b/pihole/flush.sh
@ -1,2 +0,0 @@
-#!/bin/sh
-nft -f /rw/config/network-hooks.d/flush
--- a/pihole/install.sls
+++ b/pihole/install.sls
@ -16,24 +16,24 @@
 {% set IP = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
 {% set GW = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}

-/etc/network/interfaces.d/eth0:
+/etc/network/interfaces.d/enX0:
  file.managed:
    - source:
-      - salt://pihole/eth0
+      - salt://pihole/enX0
    - user: root
    - group: root
    - makedirs: True

 set_ip:
  file.line:
-    - name: /etc/network/interfaces.d/eth0
+    - name: /etc/network/interfaces.d/enX0
    - match: address
    - mode: replace
    - content: "address {{IP}}"

 set_gw:
  file.line:
-    - name: /etc/network/interfaces.d/eth0
+    - name: /etc/network/interfaces.d/enX0
    - match: gateway
    - mode: replace
    - content: "gateway {{GW}}"
@ -67,10 +67,6 @@ Pihole_installed:
      - php-xml
      - unzip

-Pihole-systemd-mask:
-  cmd.run:
-    - name: systemctl disable systemd-resolved
-
 https://github.com/pi-hole/pi-hole.git:
  git.latest:
    - name: https://github.com/pi-hole/pi-hole.git
@ -89,13 +85,6 @@ Pihole-setup:
  cmd.run:
    - name: '/root/pi-hole/automated\ install/basic-install.sh --unattended'

-/rw/config/qubes-firewall-user-script:
-  file.append:
-    - text:
-      - nft flush chain nat PR-QBS
-      - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-      - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
-
 /rw/config/qubes-firewall.d/update_nft.sh:
  file.managed:
    - source:
@ -105,6 +94,15 @@ Pihole-setup:
    - makedirs: True
    - mode: 755

+/rw/config/qubes-firewall.d/update_nft.nft:
+  file.managed:
+    - source:
+      - salt://pihole/update_nft.nft
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
 /rw/config/network-hooks.d/internalise.sh:
  file.managed:
    - source:
@ -114,19 +112,10 @@ Pihole-setup:
    - makedirs: True
    - mode: 755

-/rw/config/network-hooks.d/flush.sh:
+/rw/config/network-hooks.d/update_nft.sh:
  file.managed:
    - source:
-      - salt://pihole/flush.sh
-    - user: root
-    - group: root
-    - makedirs: True
-    - mode: 755
-
-/rw/config/network-hooks.d/flush:
-  file.managed:
-    - source:
-      - salt://pihole/flush
+      - salt://pihole/update_nft.sh
    - user: root
    - group: root
    - makedirs: True
--- a/pihole/setupVars.conf
+++ b/pihole/setupVars.conf
@ -1,4 +1,4 @@
-PIHOLE_INTERFACE=eth0
+PIHOLE_INTERFACE=enX0
 PIHOLE_DNS_1=9.9.9.9
 PIHOLE_DNS_2=149.112.112.112
 QUERY_LOGGING=true
--- a/pihole/update_nft.nft
+++ b/pihole/update_nft.nft
@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+
+flush chain qubes custom-forward
+insert rule qubes custom-forward tcp dport 53 drop
+insert rule qubes custom-forward udp dport 53 drop
+
+flush chain qubes custom-input
+insert rule qubes custom-input tcp dport 53 accept
+insert rule qubes custom-input udp dport 53 accept
+
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
--- a/pihole/update_nft.sh
+++ b/pihole/update_nft.sh
@ -1,12 +1,3 @@
 #!/bin/sh
-get_handle(){
-local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
-echo $my_handle
-}
+nft -f /rw/config/qubes-firewall.d/update_nft.nft

-nft insert rule filter FORWARD tcp dport 53 drop
-nft insert rule filter FORWARD udp dport 53 drop
-
-handle=$(get_handle filter)
-nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
-nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept