From a8687db2f17d72856b4374e81bee33bebcb3ff9c Mon Sep 17 00:00:00 2001
From: unman
Date: Fri, 5 Aug 2022 15:07:59 +0000
Subject: [PATCH] Pi-hole - set up and packaging
---
pihole.spec | 60 ++++++++++++++++++++++++++++++++++++++++++
pihole/README | 35 ++++++++++++++++++++++++
pihole/change_netvm.sh | 7 +++++
3 files changed, 102 insertions(+)
create mode 100644 pihole.spec
create mode 100644 pihole/README
create mode 100644 pihole/change_netvm.sh
diff --git a/pihole.spec b/pihole.spec
new file mode 100644
index 0000000..10760f8
--- /dev/null
+++ b/pihole.spec
@@ -0,0 +1,60 @@
+Name: 3isec-qubes-pihole
+Version: 1.0
+Release: 1%{?dist}
+Summary: Creates Pi-hole server for Qubes
+
+License: GPLv3+
+SOURCE0: pihole
+
+%description
+This is Pi-hole.
+It blocks advertisements and internet trackers by providing a DNS sinkhole.
+
+The package will create a new standalone qube, sys-pihole.
+It is a drop in replacement for sys-firewall.
+Sys-pihole is attached to sys-net.
+If you have sys-firewall as the default netvm, this will be changed to sys-pihole.
+sys-firewall will *not* be removed, so you can still use it for some qubes if you want.
+To use sys-pihole simply change the netvm.
+If you want to change all your qubes from sys-firewall to sys-pihole, a script is provided:
+Run `sudo /srv/salt/pihole/change_netvm.sh` .
+
+ If you want to use Tor, then you should reconfigure your system like this:
+ qubes -> sys-pihole ->Tor-gateway -> sys-firewall -> sys-net
+
+You can clone sys-pihole.
+If you do you must manually change the IP address of the clone.
+
+Pi-hole will be installed with these default settings:
+ The DNS provider is Quad9 (filtered, DNSSEC)
+ StevenBlack's Unified Hosts List is included
+ The web interface is availble at http://localhost
+ Query logging is enabled to show everything.
+
+You can change these settings by logging in to the admin interface at http://localhost.
+The default Admin Webpage login password is UpSNQsy4
+You should change this on first use, by running:
+`pihole -a -p`
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
+
+%files
+%defattr(-,root,root,-)
+/srv/salt/pihole/*
+
+%post
+if [ $1 -eq 1 ]; then
+ qubesctl state.apply pihole.create
+ qubesctl --skip-dom0 --targets=sys-pihole state.apply pihole.install
+ if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
+fi
+
+%preun
+
+
+%changelog
+* Fri Aug 5 2022 unman
+- First Build
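Review bot: The default-netvm test in `%post` writes the setting instead of reading it: `qubes-prefs default_netvm sys-firewall` is the set form (property plus value), so it makes sys-firewall the global default, prints nothing, and the `[[ ... ]]` around it is never true. On a system whose default netvm was something else (a VPN or Tor gateway, for instance), installing the package would silently repoint the default to sys-firewall, and the intended switch to sys-pihole never runs. Compare the current value instead, `if [ "$(qubes-prefs default_netvm)" = "sys-firewall" ]; then qubes-prefs default_netvm sys-pihole; fi`; the same line is repeated in pihole/README and pihole/change_netvm.sh. The two `qubesctl` calls above it are also unchecked, so the default would be changed even if creating or provisioning sys-pihole failed. Separately, the description documents one fixed admin password for every install; if the install state (not visible in this patch) can generate a per-install password, that removes a credential known to anyone who has read the package.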
diff --git a/pihole/README b/pihole/README
new file mode 100644
index 0000000..eee377e
--- /dev/null
+++ b/pihole/README
@@ -0,0 +1,35 @@
+This is Pi-hole.
+It blocks advertisements and internet trackers by providing a DNS sinkhole.
+
+The package will create a new standalone qube, sys-pihole.
+It is a drop in replacement for sys-firewall.
+Sys-pihole is attached to sys-net.
+If you have sys-firewall as the default netvm, this will be changed to sys-pihole.
+sys-firewall will *not* be removed, so you can still use it for some qubes if you want.
+To use sys-pihole simply change the netvm.
+If you want to change all your qubes from sys-firewall to sys-pihole, a script is provided:
+Run `sudo /srv/salt/pihole/change_netvm.sh` .
+
+ If you want to use Tor, then you should reconfigure your system like this:
+ qubes -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net
+
+ You can clone sys-pihole, and use each in different places:
+ qubes -> sys-pihole -> sys-net
+ qubes -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net
+ You will have to adjust the network settings for eth0 in the clone.
+
+Pi-hole will be installed with these default settings:
+ The DNS provider is Quad9 (filtered, DNSSEC)
+ StevenBlack's Unified Hosts List is included
+ The web interface is availble at http://localhost
+ Query logging is enabled to show everything.
+
+You can change these settings by logging in to the admin interface at http://localhost.
+The default Admin Webpage login password is UpSNQsy4
+You should change this on first use, by running:
+`pihole -a -p`
+
+
+ for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
+ if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
+
diff --git a/pihole/change_netvm.sh b/pihole/change_netvm.sh
new file mode 100644
index 0000000..770aff1
--- /dev/null
+++ b/pihole/change_netvm.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/bash
+qvm-start sys-pihole
+if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then qubes-prefs default_netvm sys-pihole; fi
+sleep 3
+for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
+
+
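Review bot: The awk filter in the `for` loop matches ` sys-firewall` anywhere on the line, so a qube whose netvm name merely starts with it (a `sys-firewall-vpn`-style qube, for example) is also moved to sys-pihole, which per the README is attached straight to sys-net. Match the NETVM column exactly and quote the loop variable: `for i in $(qvm-ls -O NAME,NETVM | awk '$2 == "sys-firewall" { print $1 }'); do qvm-prefs "$i" netvm sys-pihole; done`. The result of `qvm-start sys-pihole` is not checked either, so every qube is rewired even when the new netvm failed to start; `qvm-start --skip-if-running sys-pihole || exit 1` would stop before any preference is changed.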