diff --git a/.etckeeper b/.etckeeper
index 97e0e181..8810e79b 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -601,6 +601,8 @@ maybe chmod 0755 'dhcp/.git/objects/18'
 maybe chmod 0444 'dhcp/.git/objects/18/85ed3cbc03eba3dc2440435189540340338889'
 maybe chmod 0755 'dhcp/.git/objects/1e'
 maybe chmod 0444 'dhcp/.git/objects/1e/af530529e64ffc8337a67a5141bb4878d3ce7c'
+maybe chmod 0755 'dhcp/.git/objects/22'
+maybe chmod 0444 'dhcp/.git/objects/22/1ced2a48e038e41a847dac9d869c5b27600045'
 maybe chmod 0755 'dhcp/.git/objects/3b'
 maybe chmod 0444 'dhcp/.git/objects/3b/d38dcc122be1859f47e083e24af89820df27e6'
 maybe chmod 0755 'dhcp/.git/objects/47'
@@ -629,6 +631,8 @@ maybe chmod 0755 'dhcp/.git/objects/a9'
 maybe chmod 0444 'dhcp/.git/objects/a9/eff0800f0c85706e4ae8a7472ce2e2d1db5c04'
 maybe chmod 0755 'dhcp/.git/objects/b0'
 maybe chmod 0444 'dhcp/.git/objects/b0/194cd648bd47c73e78ce5e89de83d57cb5c471'
+maybe chmod 0755 'dhcp/.git/objects/b4'
+maybe chmod 0444 'dhcp/.git/objects/b4/b46470257f7d5e6229d78dab89c09a9651162c'
 maybe chmod 0755 'dhcp/.git/objects/b7'
 maybe chmod 0444 'dhcp/.git/objects/b7/7b713acfb1a0437f438b20a71fbdbba4d9d288'
 maybe chmod 0444 'dhcp/.git/objects/b7/8a7c0610b5de094961bf2b6d492a80b6c53810'
@@ -650,6 +654,8 @@ maybe chmod 0755 'dhcp/.git/objects/e7'
 maybe chmod 0444 'dhcp/.git/objects/e7/67214abab058ee2af123641d9fa94d45c05054'
 maybe chmod 0755 'dhcp/.git/objects/e9'
 maybe chmod 0444 'dhcp/.git/objects/e9/d158fe37c5e3c5f2566359e91f8af0af92edae'
+maybe chmod 0755 'dhcp/.git/objects/f0'
+maybe chmod 0444 'dhcp/.git/objects/f0/08ffdb9148b9d430c6806fb1c9b3caa11b6991'
 maybe chmod 0755 'dhcp/.git/objects/f3'
 maybe chmod 0444 'dhcp/.git/objects/f3/950790d5f3de2cdb5f29882cc2c843bb68b5db'
 maybe chmod 0755 'dhcp/.git/objects/f4'
@@ -692,6 +698,7 @@ maybe chmod 0644 'dhcpcd.duid' maybe chmod 0644 'dnsmasq.conf' maybe chmod 0755 'dnsmasq.d' maybe chmod 0644 'dnsmasq.d/01-pihole.conf' +maybe chmod 0644 'dnsmasq.d/02-custom.conf' maybe chmod 0644 'dphys-swapfile' maybe chmod 0755 'dpkg' maybe chmod 0644 'dpkg/dpkg.cfg' @@ -6051,6 +6058,7 @@ maybe chmod 0644 'nginx/scgi_params' maybe chmod 0755 'nginx/sites-available' maybe chmod 0644 'nginx/sites-available/default' maybe chmod 0644 'nginx/sites-available/novnc' +maybe chmod 0644 'nginx/sites-available/pihole' maybe chmod 0644 'nginx/sites-available/rss' maybe chmod 0644 'nginx/sites-available/rush' maybe chmod 0644 'nginx/sites-available/slim' @@ -6174,6 +6182,7 @@ maybe chown 'pihole' 'pihole/regex.list' maybe chgrp 'www-data' 'pihole/regex.list' maybe chmod 0664 'pihole/regex.list' maybe chmod 0644 'pihole/setupVars.conf' +maybe chmod 0644 'pihole/setupVars.conf.update.bak' maybe chmod 0644 'pihole/whitelist.txt' maybe chmod 0644 'pip.conf' maybe chmod 0755 'plymouth' @@ -6324,7 +6333,6 @@ maybe chmod 0644 'subuid-' maybe chmod 0440 'sudoers' maybe chmod 0755 'sudoers.d' maybe chmod 0440 'sudoers.d/010_at-export' -maybe chmod 0440 'sudoers.d/010_pi-nopasswd' maybe chmod 0440 'sudoers.d/README' maybe chmod 0440 'sudoers.d/pihole' maybe chmod 0644 'sysctl.conf' diff --git a/bind/named.conf.local b/bind/named.conf.local index 2241256e..aa946379 100644 --- a/bind/named.conf.local +++ b/bind/named.conf.local @@ -9,17 +9,11 @@ zone "natalieandjoshua.com" { type slave; file "/var/cache/bind/db.natalieandjoshua"; - masters { 10.3.14.15; }; -}; - -zone "blackhole" { - type slave; - file "/var/cache/bind/db.blackhole"; - masters { 10.3.14.15; }; + masters port 8053 { 10.3.14.15; }; }; zone "10.in-addr.arpa" { type slave; file "/var/cache/bind/db.10.42"; - masters { 10.3.14.15; }; + masters port 8053 { 10.3.14.15; }; }; diff --git a/bind/named.conf.options b/bind/named.conf.options index 47d3cca8..d20ad14c 100644 --- a/bind/named.conf.options 
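Review bot: Both `masters port 8053 { 10.3.14.15; };` lines hard-code a non-standard transfer port with no comment saying why, and the primary is trusted by address alone — there is no TSIG `key` on the `masters` entries and none on the `allow-notify { 10.3.14.15; }` in named.conf.options — so zone data for `natalieandjoshua.com` and `10.in-addr.arpa` is accepted from whatever answers at that address and port. A comment such as `# primary serves these zones on 8053 rather than 53 — <reason>` would record the decision, and a shared TSIG key on these transfers is the usual hardening. The dropped `blackhole` zone leaves its cached `/var/cache/bind/db.blackhole` behind; nothing in this commit removes it, so it is worth deleting so a stale copy is not mistaken for live data. The `zone "natalieandjoshua.com"` block opens before the hunk.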
+++ b/bind/named.conf.options @@ -23,7 +23,9 @@ options { dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 - listen-on { any; }; + listen-on-v6 {none;}; + listen-on { 127.0.0.1; }; + listen-on port 8053 {any;}; allow-notify { 10.3.14.15; }; transfer-source 10.3.14.92; }; diff --git a/cron.d/pihole b/cron.d/pihole index 723214c4..9915fb4f 100644 --- a/cron.d/pihole +++ b/cron.d/pihole @@ -18,7 +18,7 @@ # early morning. Download any updates from the adlists # Squash output to log, then splat the log to stdout on error to allow for # standard crontab job error handling. -23 3 * * 7 root PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log +9 4 * * 7 root PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log # Pi-hole: Flush the log daily at 00:00 # The flush script will use logrotate if available @@ -32,5 +32,5 @@ */10 * * * * root PATH="$PATH:/usr/local/bin/" pihole updatechecker local # Pi-hole: Grab remote version every 24 hours -51 16 * * * root PATH="$PATH:/usr/local/bin/" pihole updatechecker remote +51 17 * * * root PATH="$PATH:/usr/local/bin/" pihole updatechecker remote @reboot root PATH="$PATH:/usr/local/bin/" pihole updatechecker remote reboot diff --git a/dhcp b/dhcp index 9bb6f52c..f008ffdb 160000 --- a/dhcp +++ b/dhcp @@ -1 +1 @@ -Subproject commit 9bb6f52cb636a4c88603aef0dcd558ebe53b24ec +Subproject commit f008ffdb9148b9d430c6806fb1c9b3caa11b6991 diff --git a/dnsmasq.d/01-pihole.conf b/dnsmasq.d/01-pihole.conf index 1f84921f..69072f98 100644 --- a/dnsmasq.d/01-pihole.conf +++ b/dnsmasq.d/01-pihole.conf @@ -43,6 +43,7 @@ log-async # This fixes a security hole. see CERT Vulnerability VU#598349 dhcp-name-match=set:wpad-ignore,wpad dhcp-ignore-names=tag:wpad-ignore -server=127.0.0.1 -server=127.0.0.1 +server=127.0.0.1#53 +server=127.0.0.1#53 +domain-needed interface=eth0 
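Review bot: `listen-on port 8053 {any;};` puts this resolver on every interface at a non-standard port, and nothing in the hunk limits who may query or transfer it — `allow-notify` only governs NOTIFY messages. If `allow-query`, `allow-transfer` and `allow-recursion` are not set elsewhere in the `options` block (which opens before this hunk), add e.g. `allow-transfer { none; };` and `allow-query { localhost; 10.0.0.0/8; };` beside the listeners, and `recursion no;` if this instance exists only to hold the slave zones (the `dnssec-validation auto;` above suggests it also recurses — confirm which). The install log in this commit records a running host firewall with Pi-hole's rulesets declined, so 8053/udp and 8053/tcp have to be opened deliberately, ideally only to the peer that needs them. A one-line comment would also explain the split, e.g. `# :53 on loopback is dnsmasq's upstream (dnsmasq.d/01-pihole.conf server=127.0.0.1#53); :8053 is for <consumer — confirm>`.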
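Review bot: Both `server=127.0.0.1#53` lines name the same upstream, so the second is a duplicate rather than a fallback: if the local BIND stops, every client on eth0 loses resolution. This file appears to be regenerated from pihole/setupVars.conf (the install log in this commit shows it being copied into place, and `PIHOLE_DNS_1`/`PIHOLE_DNS_2` there carry the same `127.0.0.1#53`), so the single-upstream decision should be documented there rather than by a hand edit here that would be lost. `domain-needed` matches `DNS_FQDN_REQUIRED=true` in that same file, so those two stay in sync.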
diff --git a/dnsmasq.d/02-custom.conf b/dnsmasq.d/02-custom.conf
new file mode 100644
index 00000000..44970770
--- /dev/null
+++ b/dnsmasq.d/02-custom.conf
@@ -0,0 +1,2 @@
+bind-interfaces
+except-interface=lo
diff --git a/nginx/sites-available/pihole b/nginx/sites-available/pihole
new file mode 100644
index 00000000..fee9a255
--- /dev/null
+++ b/nginx/sites-available/pihole
@@ -0,0 +1,47 @@
+server {
+ listen 443 ssl;
+ server_name rss.natalieandjoshua.com;
+ root /var/www/html;
+ index index.php index.html index.htm;
+ ssl_certificate /etc/dehydrated/certs/rss.natalieandjoshua.com/fullchain.pem;
+ ssl_certificate_key /etc/dehydrated/certs/rss.natalieandjoshua.com/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1 TLSv1.1;
+
+ error_log /var/log/nginx/rss.error;
+ access_log /var/log/nginx/rss.access;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+
+ autoindex off;
+
+ index pihole/index.php index.php index.html index.htm;
+
+
+ location /*.js {
+ index pihole/index.js;
+ }
+
+ location /admin {
+ root /var/www/html;
+ index index.php index.html index.htm;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location ~* \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_buffer_size 16k;
+ fastcgi_buffers 4 16k;
+ }
+
+}
diff --git a/nginx/sites-available/rss b/nginx/sites-available/rss
index 63d6d7fc..f07439ad 100644
--- a/nginx/sites-available/rss
+++ b/nginx/sites-available/rss
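Review bot: `bind-interfaces` plus `except-interface=lo` is what frees 127.0.0.1:53 for the BIND instance that bind/named.conf.options now binds with `listen-on { 127.0.0.1; }`, and which dnsmasq.d/01-pihole.conf forwards to via `server=127.0.0.1#53`; none of that coupling is visible from this two-line file. Add a header comment, e.g. `# Leave 127.0.0.1:53 to BIND (see /etc/bind/named.conf.options); dnsmasq binds eth0 only and forwards upstream to 127.0.0.1#53`. One consequence worth recording too: if this host's own resolver configuration points at 127.0.0.1, local processes talk to BIND directly and bypass Pi-hole's blocklists — fine if intended, but easy to forget.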
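Review bot: `location /admin` in this new vhost carries no `auth_basic`, and even if it did (as the parallel block in nginx/sites-available/rss does), a request for `/admin/index.php` is dispatched to the `location ~* \.php$` regex block, which nginx prefers over a plain prefix match, so a basic-auth layer on the prefix never covers the PHP pages that make up the admin UI; with sites-enabled/rss deleted and sites-enabled/pihole added in this same commit, the Pi-hole admin interface — on a name with certificates under /etc/dehydrated, so presumably publicly resolvable — is protected by `WEBPASSWORD` alone. `ssl_protocols TLSv1.2 TLSv1 TLSv1.1;` also re-enables TLS 1.0/1.1, `include fastcgi_params;` appears twice in the PHP block, and `location /*.js` is a literal prefix (nginx does not glob), so it never matches any `.js` request. The rewrite below pins `/admin` ahead of the regex block with `^~`, nests the auth and PHP handling inside it, adds `try_files $uri =404;` so non-existent scripts never reach php-fpm, and reduces the protocol list to TLSv1.2 (add TLSv1.3 if the installed nginx/OpenSSL support it). The same `/admin`, `/*.js` and PHP blocks are added to nginx/sites-available/rss in the next hunk and need the same treatment.
```nginx
    ssl_protocols TLSv1.2;
    # … unchanged: logging, location / …

    # ^~ stops the generic \.php$ regex location below from claiming
    # /admin/*.php, so the auth here actually covers the admin UI.
    location ^~ /admin {
        root /var/www/html;
        index index.php index.html index.htm;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_buffer_size 16k;
            fastcgi_buffers 4 16k;
        }
    }

    # … unchanged: location ~ /\.ht …

    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        # … unchanged: fastcgi_pass, fastcgi_index, SCRIPT_FILENAME, buffers (second include dropped) …
    }
```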
@@ -14,7 +14,41 @@ server { access_log /var/log/nginx/rss.access; location / { - try_files $uri $uri/ /index.php; + try_files $uri $uri/ /index.php =404; } + + autoindex off; + + index pihole/index.php index.php index.html index.htm; + + + location /*.js { + index pihole/index.js; + auth_basic "Restricted"; #For Basic Auth + auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth + } + + location /admin { + root /var/www/html; + index index.php index.html index.htm; + auth_basic "Restricted"; #For Basic Auth + auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth + } + + location ~ /\.ht { + deny all; + } + + location ~* \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_pass unix:/run/php/php7.3-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + } diff --git a/nginx/sites-enabled/pihole b/nginx/sites-enabled/pihole new file mode 120000 index 00000000..97b2e913 --- /dev/null +++ b/nginx/sites-enabled/pihole @@ -0,0 +1 @@ +../sites-available/pihole \ No newline at end of file diff --git a/nginx/sites-enabled/rss b/nginx/sites-enabled/rss deleted file mode 120000 index 225a34ca..00000000 --- a/nginx/sites-enabled/rss +++ /dev/null @@ -1 +0,0 @@ -../sites-available/rss \ No newline at end of file diff --git a/pihole/GitHubVersions b/pihole/GitHubVersions index 136d0638..41962dfe 100644 --- a/pihole/GitHubVersions +++ b/pihole/GitHubVersions @@ -1 +1 @@ - \ No newline at end of file +v4.3.1 v4.3 v4.3.1 \ No newline at end of file diff --git a/pihole/install.log b/pihole/install.log index ae3f785b..76389e6b 100644 --- a/pihole/install.log +++ b/pihole/install.log 
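Review bot: `try_files $uri $uri/ /index.php =404;` changes what `/index.php` means: only the last argument of `try_files` is a fallback that triggers an internal redirect, so `/index.php` is now just another file to test for existence, and when `$document_root/index.php` exists a request for any missing path is served from this `location /` context as a static file — raw PHP source, never reaching `location ~* \.php$`. Either keep the previous front-controller form `try_files $uri $uri/ /index.php;` or use `try_files $uri $uri/ =404;` as the new pihole vhost does. The `/admin`, `/*.js` and PHP blocks added further down share the issues raised on nginx/sites-available/pihole above (prefix `/admin` auth bypassed by the `.php$` regex location, literal `/*.js`, duplicate `include fastcgi_params;`). Note also that sites-enabled/rss is deleted in this same commit, so this file is inert until re-linked; the `server {` block opens before the hunk.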
@@ -1,8 +1,8 @@ - [i] Checking for user 'pihole'...  [✗] Checking for user 'pihole'  [i] Creating user 'pihole'...  [✓] Creating user 'pihole' + [i] Checking for user 'pihole'...  [✓] Checking for user 'pihole' [i] Installing scripts from /etc/.pihole...  [✓] Installing scripts from /etc/.pihole [i] Installing configs from /etc/.pihole... - [i] No dnsmasq.conf found... restoring default dnsmasq.conf...  [✓] No dnsmasq.conf found... restoring default dnsmasq.conf... + [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone! [i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...  [✓] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf [i] Installing blocking page... @@ -16,6 +16,4 @@ [i] Installing latest logrotate script...  [✓] Installing latest logrotate script [i] Backing up /etc/dnsmasq.conf to /etc/dnsmasq.conf.old - -[?1049h[?1h=(B)0[?25l                                                   ┌───────────────────────────────────────────────┤ Firewall in use ├───────────────────────────────────────────────┐│ │ │ We have detected a running firewall │ │ │ │ Pi-hole currently requires HTTP and DNS port access. │ │ │ │ │ │ │ │ Install Pi-hole default firewall rules? │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘  [?25h [?1l>[?1049l [i] Not installing firewall rulesets. [i] Testing man page installation  [✓] man pages installed and database updated diff --git a/pihole/setupVars.conf b/pihole/setupVars.conf index 51ed46b0..c71ed0cb 100644 --- a/pihole/setupVars.conf +++ b/pihole/setupVars.conf 
@@ -1,11 +1,16 @@
+BLOCKING_ENABLED=true
 PIHOLE_INTERFACE=eth0
 IPV4_ADDRESS=10.3.14.92/10
 IPV6_ADDRESS=
-PIHOLE_DNS_1=127.0.0.1
-PIHOLE_DNS_2=127.0.0.1
 QUERY_LOGGING=true
 INSTALL_WEB_SERVER=false
 INSTALL_WEB_INTERFACE=true
 LIGHTTPD_ENABLED=false
-WEBPASSWORD=4755d509df266ebbb1fe61d5363a2e71aea6a48f96907020e0e9464d1328a005
-BLOCKING_ENABLED=true
+WEBPASSWORD=db7ee491a7432b842ef6fb2d7dd2cad174b223b9496da3552873dfb5cffc60fa
+DNSMASQ_LISTENING=single
+PIHOLE_DNS_1=127.0.0.1#53
+PIHOLE_DNS_2=127.0.0.1#53
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=false
+DNSSEC=false
+CONDITIONAL_FORWARDING=false
diff --git a/pihole/setupVars.conf.update.bak b/pihole/setupVars.conf.update.bak
new file mode 100644
index 00000000..51ed46b0
--- /dev/null
+++ b/pihole/setupVars.conf.update.bak
@@ -0,0 +1,11 @@
+PIHOLE_INTERFACE=eth0
+IPV4_ADDRESS=10.3.14.92/10
+IPV6_ADDRESS=
+PIHOLE_DNS_1=127.0.0.1
+PIHOLE_DNS_2=127.0.0.1
+QUERY_LOGGING=true
+INSTALL_WEB_SERVER=false
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=false
+WEBPASSWORD=4755d509df266ebbb1fe61d5363a2e71aea6a48f96907020e0e9464d1328a005
+BLOCKING_ENABLED=true
diff --git a/sudoers.d/010_pi-nopasswd b/sudoers.d/010_pi-nopasswd
deleted file mode 100644
index 63b3566a..00000000
--- a/sudoers.d/010_pi-nopasswd
+++ /dev/null
@@ -1 +0,0 @@
-pi ALL=(ALL) NOPASSWD: ALL
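Review bot: `WEBPASSWORD` is the Pi-hole admin credential in hashed form — an unsalted SHA-256 construction as far as I recall, i.e. a value that can be guessed offline — and this commit tracks both the new hash here and the old one a second time in the new `pihole/setupVars.conf.update.bak`, so anyone with read access to the etckeeper repository gets both. Add `pihole/setupVars.conf.update.bak` to etckeeper's ignore list so installer backups stop being committed, and treat the repository itself as secret-bearing. `DNS_BOGUS_PRIV=false` deliberately forwards private-range reverse lookups to the single upstream `127.0.0.1#53`, which makes sense only because that BIND holds the `10.in-addr.arpa` slave zone; a comment such as `# DNS_BOGUS_PRIV=false: local BIND serves 10.in-addr.arpa` would keep the two settings from drifting apart.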