Update

2022-10-26 21:44:25 +02:00 · 2022-10-26 21:44:25 +02:00 · d3d9f21665
commit d3d9f21665
parent ba85eec922
22 changed files with 156056 additions and 2 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -101,7 +101,7 @@ services:
      - "traefik.http.routers.grafana-secure.tls.certresolver=http"
      - "traefik.http.routers.grafana-secure.service=grafana"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
-      - "traefik.docker.network=web"
+      - "traefik.docker.network=proxy"

 networks:
  internal:
--- a/4
+++ b/4
@ -42,7 +42,9 @@ iptables -A OUTPUT -o lo -j ACCEPT

 # Autorisation des échanges avec le serveur DNS (53)
 iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

 # NTP (123)
 iptables -A INPUT -p udp --sport 123 -j ACCEPT
--- a/pihole/docker-compose.yml
+++ b/pihole/docker-compose.yml
@ -0,0 +1,30 @@
+version: "3"
+
+services:
+  pihole:
+    container_name: pihole
+    image: pihole/pihole:latest
+    networks:
+      - proxy
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+    environment:
+      TZ: 'Europe/Paris'
+    volumes:
+      - './etc-pihole:/etc/pihole'
+      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.pihole-auth.basicauth.users=mrdev023:$$2y$$05$$t51tXUW6zO9dndSK1JEFS.utJ3th/RYVSgDlouOZhUigjbkTX1zQC$$"
+      - "traefik.http.routers.pihole-secure.entrypoints=https"
+      - "traefik.http.routers.pihole-secure.rule=Host(`pihole.mrdev023.fr`)"
+      - "traefik.http.routers.pihole-secure.middlewares=pihole-auth"
+      - "traefik.http.routers.pihole-secure.tls=true"
+      - "traefik.http.routers.pihole-secure.tls.certresolver=http"
+      - "traefik.docker.network=proxy"
+    restart: always
+
+networks:
+  proxy:
+    external: true
--- a/pihole/etc-dnsmasq.d/01-pihole.conf
+++ b/pihole/etc-dnsmasq.d/01-pihole.conf
@ -0,0 +1,37 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+#                                                                             #
+#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
+#                      /etc/pihole/setupVars.conf                             #
+#                                                                             #
+#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
+#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
+###############################################################################
+
+addn-hosts=/etc/pihole/local.list
+addn-hosts=/etc/pihole/custom.list
+
+
+localise-queries
+
+
+no-resolv
+
+log-queries
+log-facility=/var/log/pihole/pihole.log
+
+log-async
+cache-size=10000
+server=8.8.8.8
+server=8.8.4.4
+interface=eth0
--- a/pihole/etc-dnsmasq.d/06-rfc6761.conf
+++ b/pihole/etc-dnsmasq.d/06-rfc6761.conf
@ -0,0 +1,42 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2021 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# RFC 6761 config file for Pi-hole
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+#                                                                             #
+#             CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE                #
+#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
+###############################################################################
+
+# RFC 6761: Caching DNS servers SHOULD recognize
+#     test, localhost, invalid
+# names as special and SHOULD NOT attempt to look up NS records for them, or
+# otherwise query authoritative DNS servers in an attempt to resolve these
+# names.
+server=/test/
+server=/localhost/
+server=/invalid/
+
+# The same RFC requests something similar for
+#     10.in-addr.arpa.      21.172.in-addr.arpa.  27.172.in-addr.arpa.
+#     16.172.in-addr.arpa.  22.172.in-addr.arpa.  28.172.in-addr.arpa.
+#     17.172.in-addr.arpa.  23.172.in-addr.arpa.  29.172.in-addr.arpa.
+#     18.172.in-addr.arpa.  24.172.in-addr.arpa.  30.172.in-addr.arpa.
+#     19.172.in-addr.arpa.  25.172.in-addr.arpa.  31.172.in-addr.arpa.
+#     20.172.in-addr.arpa.  26.172.in-addr.arpa.  168.192.in-addr.arpa.
+# Pi-hole implements this via the dnsmasq option "bogus-priv" (see
+# 01-pihole.conf) because this also covers IPv6.
+
+# OpenWRT furthermore blocks    bind, local, onion    domains
+# see https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/network/services/dnsmasq/files/rfc6761.conf;hb=HEAD
+# and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# We do not include the ".local" rule ourselves, see https://github.com/pi-hole/pi-hole/pull/4282#discussion_r689112972
+server=/bind/
+server=/onion/
--- a/pihole/etc-pihole/adlists.list
+++ b/pihole/etc-pihole/adlists.list
@ -0,0 +1 @@
+https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
--- a/pihole/etc-pihole/custom.list
+++ b/pihole/etc-pihole/custom.list
--- a/pihole/etc-pihole/dhcp.leases
+++ b/pihole/etc-pihole/dhcp.leases
--- a/pihole/etc-pihole/dns-servers.conf
+++ b/pihole/etc-pihole/dns-servers.conf
@ -0,0 +1,9 @@
+Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
+OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
+Level3;4.2.2.1;4.2.2.2;;
+Comodo;8.26.56.26;8.20.247.20;;
+DNS.WATCH (DNSSEC);84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
+Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
+Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
+Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
+Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
--- a/pihole/etc-pihole/gravity.db
+++ b/pihole/etc-pihole/gravity.db
--- a/pihole/etc-pihole/gravity_old.db
+++ b/pihole/etc-pihole/gravity_old.db
--- a/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains
+++ b/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains
--- a/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains.sha1
+++ b/pihole/etc-pihole/list.1.raw.githubusercontent.com.domains.sha1
@ -0,0 +1 @@
+5b529d1cd9fb16b56c7b862f0f6ce3d17ebf5c85  /etc/pihole/list.1.raw.githubusercontent.com.domains
--- a/pihole/etc-pihole/local.list
+++ b/pihole/etc-pihole/local.list
@ -0,0 +1 @@
+### Do not modify this file, it will be overwritten by pihole -g
--- a/pihole/etc-pihole/logrotate
+++ b/pihole/etc-pihole/logrotate
@ -0,0 +1,21 @@
+/var/log/pihole/pihole.log {
+	su root root
+	daily
+	copytruncate
+	rotate 5
+	compress
+	delaycompress
+	notifempty
+	nomail
+}
+
+/var/log/pihole/FTL.log {
+	su root root
+	weekly
+	copytruncate
+	rotate 3
+	compress
+	delaycompress
+	notifempty
+	nomail
+}
--- a/pihole/etc-pihole/macvendor.db
+++ b/pihole/etc-pihole/macvendor.db
@ -0,0 +1 @@
+/macvendor.db
--- a/pihole/etc-pihole/migration_backup/adlists.list
+++ b/pihole/etc-pihole/migration_backup/adlists.list
@ -0,0 +1 @@
+https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
--- a/pihole/etc-pihole/pihole-FTL.conf
+++ b/pihole/etc-pihole/pihole-FTL.conf
@ -0,0 +1,3 @@
+#; Pi-hole FTL config file
+#; Comments should start with #; to avoid issues with PHP and bash reading this file
+LOCAL_IPV4=0.0.0.0
--- a/pihole/etc-pihole/pihole-FTL.db
+++ b/pihole/etc-pihole/pihole-FTL.db
--- a/pihole/etc-pihole/setupVars.conf
+++ b/pihole/etc-pihole/setupVars.conf
@ -0,0 +1,7 @@
+INSTALL_WEB_INTERFACE=true
+WEBPASSWORD=89fbcb6790ec6dcbd5f173e5c029ad7dbaa21676b39f00901d40afec2db905e7
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4
+PIHOLE_INTERFACE=eth0
+QUERY_LOGGING=true
+BLOCKING_ENABLED=true
--- a/pihole/etc-pihole/setupVars.conf.update.bak
+++ b/pihole/etc-pihole/setupVars.conf.update.bak
@ -0,0 +1,7 @@
+INSTALL_WEB_INTERFACE=true
+WEBPASSWORD=89fbcb6790ec6dcbd5f173e5c029ad7dbaa21676b39f00901d40afec2db905e7
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4
+PIHOLE_INTERFACE=eth0
+QUERY_LOGGING=true
+BLOCKING_ENABLED=true
--- a/pihole/etc-pihole/versions
+++ b/pihole/etc-pihole/versions
@ -0,0 +1,11 @@
+CORE_BRANCH=master
+WEB_BRANCH=master
+FTL_BRANCH=master
+CORE_VERSION=v5.13-0-g17779ba
+WEB_VERSION=v5.16-0-gc2afe42
+FTL_VERSION=v5.18.2
+DOCKER_VERSION=2022.10
+GITHUB_CORE_VERSION=v5.13
+GITHUB_WEB_VERSION=v5.16
+GITHUB_FTL_VERSION=v5.18.2
+GITHUB_DOCKER_VERSION=2022.10
				`@ -0,0 +1 @@`
				`https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts`
				`@ -0,0 +1 @@`
				`5b529d1cd9fb16b56c7b862f0f6ce3d17ebf5c85 /etc/pihole/list.1.raw.githubusercontent.com.domains`
				`@ -0,0 +1 @@`
				`### Do not modify this file, it will be overwritten by pihole -g`