alihan/wg-pihole-docker
1
0
Fork 0
mirror of https://github.com/Oliems/wg-pihole-docker.git synced 2022-12-02 01:11:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

Removed pi-docker and wg-docker and updated README

Browse Source
This commit is contained in:
Oliems
2022-03-15 18:37:58 +01:00
parent 6ea1d85ade
commit af24eeed04
5 changed files with 41 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
README.md
View File

@@ -3,39 +3,16 @@
These instructions are meant for a Debian server and assume that you are using Linux or macOS.
## Server configuration
### User setup
## Creating a user
- SSH into the server using `ssh root@serverip` and run `apt-get update && apt-get upgrade`.
- Create a new user with `useradd -m username` and set a password for this user with `passwd username`.
- Add the newly created user to the `sudo` group with `adduser username sudo`.
- Use `su username` to connect as the user you have just created.
- By default Debian does not use `bash`, which means you won't have tab completion or syntax colouring. To remedy that use `chsh -s /bin/bash` then log out and log back in with `exit` and then `su username`.
- If you get this error message :
```
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
```
You can add the following lines to your `.bashrc` :
```
export LANGUAGE=en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_CTYPE=en_US.UTF-8
```
- In you home directory create a `.ssh` folder as well as a file named `authorized_keys` in it with `mkdir ~/.ssh && touch ~/.ssh/authorized_keys`.
### SSH
## Configuring SSH
https://linux-audit.com/audit-and-harden-your-ssh-configuration/
@@ -49,28 +26,48 @@ https://linux-audit.com/audit-and-harden-your-ssh-configuration/
- Once you have made changes in the `sshd_config` file restart the daemon using `sudo systemctl restart sshd`. If you have changed the SSH port, make sure to change the firewall rules accordingly before you log off.
- From now on, in order to log back into your server you will have to use the following command `ssh -2 -i ~/.ssh/yourkey username@serverip -p portnumber`.
### Firewall configuration
https://docs.pi-hole.net/guides/vpn/openvpn/firewall/
https://upcloud.com/community/tutorials/configure-iptables-debian/
## Configuring the firewall
- Install git with `sudo apt-get install git`
- Clone this repository with `git clone https://github.com/Oliems/wg-pihole-docker.git`
- Read, make changes if needed and then run the firewall script. Note that this script will erase all `iptables` rules and chains and replace them. If you run this script after the installation of Docker, you will need to run `service docker restart` in order to re-install the rules and chains Docker needs to run properly.
- Make changes persistent
- Read, make changes if needed and then run the firewall script with `sudo bash firewall-config.sh`. Note that this script will erase all `iptables` rules and chains and replace them. If you run this script after the installation of Docker, you will need to run `service docker restart` in order to re-install the rules and chains Docker needs to run properly.
- By default, `iptables` rules are reset after a reboot. In order to restore them automatically you will need to install the package `iptables-persistent` with `sudo apt-get install iptables-persistent`. The installer will ask you if you want to save your current IPv4 and IPv6 rules, select `Yes` for both. If you were to make changes to the rules and want to save them again, use `sudo iptables-save > /etc/iptables/rules.v4` and/or or `sudo ip6tables-save > /etc/iptables/rules.v6`. You can also use `sudo netfilter-persistent save` to save both files at once and `sudo netfilter-persistent reload` to restore back to how they were last time you saved them.
## Docker and Docker-compose installation
## Installing Docker and Docker-compose
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
exit
The following instruction are taken from https://docs.docker.com/engine/install/debian/, go to this page for more details.
```
# Update the apt package index and install packages to allow apt to use a repository over HTTPS
sudo apt-get update && sudo apt-get install ca-certificates curl gnupg lsb-release
# Add Dockers official GPG key:
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# Use the following command to set up the stable repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Update the apt package index, and install the latest version of Docker Engine and containerd:
sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io
```
At this point the Docker Engine should be up and running, you can check if docker.service is running with `systemctl --type=service`. Docker adds its own rules and chains to the `iptables` so you need to save them again so that they are restored at reboot using `sudo netfilter-persistent save`.
https://docs.docker.com/compose/install/
## Wireguard configuration
- Install Docker-compose
https://github.com/WeeJeWel/wg-easy/
## Deploying wg-easy and docker-pi-hole
## Pi-hole configuration
## Usefull resources
https://github.com/pi-hole/docker-pi-hole
- https://github.com/pi-hole/docker-pi-hole
- https://github.com/WeeJeWel/wg-easy
- https://docs.pi-hole.net
- https://docs.docker.com

4
example-sshd_config
View File

@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
PasswordAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
@@ -122,5 +123,4 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication no
# ForceCommand cvs server

6
firewall-config.sh
View File

@@ -1,6 +1,6 @@
#!/bin/bash
# https://docs.pi-hole.net/guides/vpn/openvpn/firewall/
# More informations about these rules at https://docs.pi-hole.net/guides/vpn/openvpn/firewall/
# Clear out the entire firewall
@@ -33,7 +33,7 @@ iptables-legacy -X
iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in sshd_config
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in /etc/ssh/sshd_config
iptables -A INPUT -p tcp --destination-port 51821 -j ACCEPT
iptables -A INPUT -p udp --destination-port 51820 -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -48,7 +48,7 @@ iptables -P INPUT DROP
ip6tables -A INPUT -p tcp --destination-port 53 -j ACCEPT
ip6tables -A INPUT -p udp --destination-port 53 -j ACCEPT
ip6tables -A INPUT -p tcp --destination-port 80 -j ACCEPT
ip6tables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in sshd_config
ip6tables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in /etc/ssh/sshd_config
ip6tables -A INPUT -p tcp --destination-port 51821 -j ACCEPT
ip6tables -A INPUT -p udp --destination-port 51820 -j ACCEPT
ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

44
pi-docker.sh
View File

@@ -1,44 +0,0 @@
#!/bin/bash
# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
docker stop pihole && \
docker rm pihole && \
docker pull pihole/pihole:latest && \
PIHOLE_BASE="${PIHOLE_BASE:-$(pwd)}"
[[ -d "$PIHOLE_BASE" ]] || mkdir -p "$PIHOLE_BASE" || { echo "Couldn't create storage directory: $PIHOLE_BASE"; exit 1; }
# Note: ServerIP should be replaced with your external ip.
docker run -d \
--name pihole \
-p 53:53/tcp -p 53:53/udp \
-p :80:80 \
-e TZ="Europe/Paris" \
-e WEBPASSWORD="LxAyDgAw" \
-v "${PIHOLE_BASE}/etc-pihole:/etc/pihole" \
-v "${PIHOLE_BASE}/etc-dnsmasq.d:/etc/dnsmasq.d" \
--ip 172.17.0.3 \
--dns=127.0.0.1 --dns=1.1.1.1 \
--restart=unless-stopped \
--hostname pi.hole \
-e VIRTUAL_HOST="pi.hole" \
-e PROXY_LOCATION="pi.hole" \
-e ServerIP="199.247.12.9" \
pihole/pihole:latest
printf 'Starting up pihole container '
for i in $(seq 1 20); do
if [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" == "healthy" ] ; then
printf ' OK'
echo -e "\n$(docker logs pihole 2> /dev/null | grep 'password:') for your pi-hole: https://${IP}/admin/"
exit 0
else
sleep 3
printf '.'
fi
if [ $i -eq 20 ] ; then
echo -e "\nTimed out waiting for Pi-hole start, consult your container logs for more info (\`docker logs pihole\`)"
exit 1
fi
done;

20
wg-docker.sh
View File

@@ -1,20 +0,0 @@
#!/bin/bash
docker stop wg-easy && \
docker rm wg-easy && \
docker pull weejewel/wg-easy && \
docker run -d \
--name=wg-easy \
-e WG_HOST=199.247.12.9 \
-e PASSWORD=nDWuUylpKJ5fRwgiT9NCfND6ZMIAIaxf \
-e WG_DEFAULT_DNS=172.17.0.3 \
-v ~/wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--ip 172.17.0.2 \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
weejewel/wg-easy