Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • infrastruktur/ansible-warpzone
  • specki/ansible-warpzone
2 results
Show changes
Commits on Source (48)
Hide whitespace changes
Inline Side-by-side
Showing
with 1506 additions and 172 deletions
group_vars/prod
View file @ a568db47
......@@ -136,4 +136,5 @@ oauth_global:
oidc_global:
provider_url: https://uffd.warpzone.ms
logout_url: https://uffd.warpzone.ms/logout
\ No newline at end of file
logout_url: https://uffd.warpzone.ms/logout
ldap_base_dn: "dc=warpzone,dc=ms"
group_vars/test
View file @ a568db47
......@@ -47,10 +47,11 @@ oauth_global:
oidc_global:
provider_url: https://uffd.test-warpzone.de
logout_url: https://uffd.test-warpzone.de/logout
ldap_base_dn: "dc=test-warpzone,dc=de"
# Matrix Settings
matrix:
domain: matrix.warpzone.ms
public_url: https://matrix.warpzone.ms
identity_server: https://matrix.warpzone.ms
notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.warpzone.ms"
\ No newline at end of file
domain: matrix.test-warpzone.de
public_url: https://matrix.test-warpzone.de
identity_server: https://matrix.test-warpzone.de
notifications_room_id: "!QxrpmOPYwofaPFqKMY:matrix.test-warpzone.de"
host_vars/ogg
View file @ a568db47
......@@ -31,8 +31,15 @@ webserver_ssl: false
# Liste der gehosteten Domänen
webserver_domains:
- "esphome.warpzone"
- "unifi.warpzone"
- "warpsrvint.warpzone"
- "esphome.warpzone.lan"
- "fridgeserver.warpzone.lan"
- "grafana.warpzone.lan"
- "services.warpzone.lan"
- "ha.warpzone.lan"
- "omada.warpzone.lan"
- "tasmoadmin.warpzone.lan"
- "zigbee2mqtt.warpzone.lan"
administratorenteam:
- "void"
......
host_vars/pihole 0 → 100644
View file @ a568db47
# Host spezifische Variablen
motd_lines:
- "pihole - Interner pihole DNS @ warpzone"
- "Haupt-IP @ eth0: {{ansible_eth0.ipv4.address}}"
- "IPv6-IP @ eth0: {{ ext_ip6 }}"
debian_sources:
- "deb http://ftp2.de.debian.org/debian/ bookworm main contrib non-free non-free-firmware"
- "deb http://ftp.debian.org/debian bookworm-updates main contrib non-free non-free-firmware"
- "deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware"
- "deb https://download.docker.com/linux/debian bookworm stable"
debian_keys_id:
debian_keys_url:
- "https://download.docker.com/linux/debian/gpg"
# Primäre IP Adressen des Hosts
#ext_ip4: <keine>
ext_ip6: 2a02:1799:7:1337::2
int_ip4: 10.0.0.2
# Art des Hosts: physical, vm, lxc
host_type: "lxc"
# SSL deaktivieren
webserver_ssl: false
# Liste der gehosteten Domänen
webserver_domains:
- "pihole.warpzone.lan"
administratorenteam:
- "void"
- "sandhome"
- "3d"
- "jabertwo"
# Monitoring aktivieren
alert:
load:
warn: 15
crit: 30
containers:
- { name: "dockerstats-app-1" }
- { name: "pihole-app-1" }
disks:
- { mountpoint: "/", warn: "1 GB", crit: "512 MB" }
\ No newline at end of file
host_vars/test-warpzone-de
View file @ a568db47
......@@ -58,6 +58,7 @@ administratorenteam:
- "void"
- "sandhome"
- "jabertwo"
- "supervirus"
# Docker konfigurationen
docker:
......
host_vars/webserver
View file @ a568db47
......@@ -39,6 +39,7 @@ webserver_domains:
- "ldap.warpzone.ms"
- "keycloak.warpzone.ms"
- "md.warpzone.ms"
- "privatebin.warpzone.ms"
# - "turn.warpzone.ms"
- "wiki.warpzone.ms"
- "www.warpzone.ms"
......@@ -82,9 +83,6 @@ alert:
- { name: "icinga-app-1" }
- { name: "icinga-db-1" }
- { name: "icinga-graphite-1" }
- { name: "keycloak-app-1" }
- { name: "keycloak-db-1" }
- { name: "keycloak-sync-group-active-1" }
- { name: "ldap-openldap-1" }
- { name: "ldap-phpldapadmin-1" }
- { name: "mail-admin-1" }
......@@ -109,6 +107,7 @@ alert:
- { name: "matterbridge-wz-1" }
- { name: "matterbridge-web-1" }
- { name: "matterbridge-restarter-1" }
- { name: "privatebin-app-1" }
- { name: "traefik-app-1" }
- { name: "uffd-app-1" }
- { name: "uffd-db-1" }
......
hosts.yml
View file @ a568db47
......@@ -37,6 +37,10 @@ prod:
carrot:
ansible_ssh_host: 192.168.0.202
ansible_user: root
pihole:
ansible_ssh_host: 10.0.0.2
ansible_user: root
# Öffentlicher Webserver Warpzone
# VM auf Tiffany
......
intern/docker_homeassistant/templates/config/configuration.yaml
View file @ a568db47
......@@ -132,6 +132,50 @@ sensor:
- 'date_time'
automation ansible:
# Autodiscovery für Licht Hackcenter
# Das Licht Hackcenter besteht eigentlich aus zwei geräten, einem DALI-Controller und einem Tasmota-Schalter.
# - Der Tasmota Schalter, schaltet generell den Strom ein und aus.
# - Der Dali Controller ist für die Regelung der Helligkeit verantwortlich. (Wertebereich 0 - 255)
# Die Automatisierung erstellt eine Autodiscovery-Konfiguration für HomeAssistant,
# die beide Geräte als ein Licht darstellt.
# Die Autodiscovery Message wird automatisch beim Start von HomeAssistant gesendet.
- alias: ANSIBLE_autodiscovery_light_hackcenter
description: "MQTT Autodiscovery für Licht Hackcenter"
mode: single
triggers:
- trigger: homeassistant
event: start
action:
- service: mqtt.publish
data:
topic: "homeassistant/light/licht_hackcenter_01/config"
retain: true
qos: 0
payload: >
{
"name": "Licht Hackcenter",
"unique_id": "licht_hackcenter_01",
"object_id": "licht_hackcenter",
"state_topic": "stat/tasmota_B1233C/POWER",
"command_topic": "cmnd/tasmota_B1233C/Power1",
"brightness_state_topic": "light/dali_out",
"brightness_command_topic": "light/dali_in",
"qos": 0,
"payload_on": "ON",
"payload_off": "OFF",
"optimistic": false,
"device": {
"identifiers": ["licht_hackcenter_01"],
"name": "Licht Hackcenter",
"manufacturer": "warpzone",
"model": "DALI"
}
}
# Abluft dauerhaft an
- alias: ANSIBLE_Abluft_dauer_an
description: Verhindert Ausschalten der Abluft und setzt festen Wert bei schließen der Zone
......@@ -176,93 +220,6 @@ automation ansible:
target:
device_id: 96844a416179e61fff99195b6a16522e
# Licht im Hackcenter dimmen
- alias: ANSIBLE_dali_licht_hackcenter_helligkeit-anpassen
description: Ruft den Helper aus um per MQTT das Licht zu dimmen
trigger:
- platform: state
entity_id:
- input_number.dali_licht_hackcenter
for:
hours: 0
minutes: 0
seconds: 0
action:
- service: mqtt.publish
data:
topic: light/dali
payload_template: "{{ '{{' }} states('input_number.dali_licht_hackcenter') | int {{ '}}' }}"
mode: restart
- alias: ANSIBLE_Dimmer_Hackcenter_down
description: ""
mode: single
triggers:
- domain: mqtt
device_id: 868d603a22c4f1f6d5cc6d050f962e1a
type: action
subtype: rotate_left
trigger: device
- domain: mqtt
device_id: a35a891d445fc54d0aab7c5e2fce40a1
type: action
subtype: rotate_left
trigger: device
conditions: []
actions:
- repeat:
count: 25
sequence:
- target:
entity_id: input_number.dali_licht_hackcenter
data: {}
action: input_number.decrement
- alias: ANSIBLE_Dimmer_Hackcenter_up
description: ""
mode: single
triggers:
- domain: mqtt
device_id: 868d603a22c4f1f6d5cc6d050f962e1a
type: action
subtype: rotate_right
trigger: device
- domain: mqtt
device_id: a35a891d445fc54d0aab7c5e2fce40a1
type: action
subtype: rotate_right
trigger: device
conditions: []
actions:
- repeat:
count: 25
sequence:
- target:
entity_id: input_number.dali_licht_hackcenter
data: {}
action: input_number.increment
- alias: ANSIBLE_Dimmer_Hackcenter_toggle
description: ""
mode: single
triggers:
- domain: mqtt
device_id: 868d603a22c4f1f6d5cc6d050f962e1a
type: action
subtype: single
trigger: device
- domain: mqtt
device_id: a35a891d445fc54d0aab7c5e2fce40a1
type: action
subtype: single
trigger: device
conditions: []
actions:
- type: toggle
device_id: f65f71ef46e86492b79d75223670013a
entity_id: c522db6731a33bd27763830ddd2740e2
domain: switch
- alias: ANSIBLE_Zonenshutdown
mode: single
triggers:
......@@ -333,7 +290,7 @@ automation ansible:
data:
skip_condition: true
target:
entity_id: automation.ansible_hackcenter_licht_nach_shutdown
entity_id: automation.ANSIBLE_hackcenter_licht_nach_shutdown
- alias: ANSIBLE_Zonenboot
mode: single
......@@ -821,6 +778,46 @@ automation ansible:
area_id: schnackcenter
mode: single
- alias: ANSIBLE_ZONE_NoAutoOn_aus
description: ""
triggers: []
conditions: []
actions:
- action: light.turn_off
metadata: {}
data: {}
target:
area_id: NoAutoOn
- action: switch.turn_off
metadata: {}
data: {}
target:
area_id: NoAutoOn
mode: single
- alias: ANSIBLE_hackcenter_licht_nach_shutdown
description: ""
mode: single
triggers: []
conditions: []
actions:
- action: light.turn_on
metadata: {}
data:
brightness_pct: 50
target:
device_id: c4f8f83fb287ba7b1d66b674a1564c75
- delay:
hours: 0
minutes: 3
seconds: 0
milliseconds: 0
- action: light.turn_off
metadata: {}
data: {}
target:
device_id: c4f8f83fb287ba7b1d66b674a1564c75
- alias: ANSIBLE_ZONE_backcenter_an
description: ""
triggers: []
......@@ -972,37 +969,4 @@ automation ansible:
data: {}
target:
area_id: schnackcenter
mode: single
- alias: ANSIBLE_Hackcenter_licht_nach_shutdown
description: ""
mode: restart
triggers: []
conditions: []
actions:
- metadata: {}
data:
value: 255
target:
entity_id: input_number.dali_licht_hackcenter
action: input_number.set_value
- delay:
hours: 0
minutes: 1
seconds: 0
milliseconds: 0
- metadata: {}
data:
value: 150
target:
entity_id: input_number.dali_licht_hackcenter
action: input_number.set_value
- delay:
hours: 0
minutes: 0
seconds: 10
milliseconds: 0
- type: turn_off
device_id: f65f71ef46e86492b79d75223670013a
entity_id: c522db6731a33bd27763830ddd2740e2
domain: switch
\ No newline at end of file
mode: single
\ No newline at end of file
intern/docker_omada/templates/docker-compose.yml
View file @ a568db47
......@@ -5,15 +5,18 @@ services:
image: mbentley/omada-controller:latest
restart: always
ports:
- {{ omada_port_http }}:8088
- {{ omada_port_https }}:8043
- {{ omada_portal_https }}:8843
- "{{ omada_port_http }}:{{ omada_port_http }}"
- "{{ omada_port_https }}:{{ omada_port_https }}"
- "{{ omada_portal_https }}:{{ omada_portal_https }}"
- 27001:27001/udp
- 27002:27002
- 29810:29810/udp
- 29811:29811
- 29812:29812
- 29813:29813
- 29814:29814
- 29815:29815
- 29816:29816
sysctls:
- net.ipv4.ip_unprivileged_port_start=0
volumes:
......@@ -34,6 +37,8 @@ services:
PORT_DISCOVERY: 29810
PORT_MANAGER_V1: 29811
PORT_MANAGER_V2: 29814
PORT_TRANSFER_V2: 29815
PORT_RTTY: 29816
PORT_UPGRADE_V1: 29813
SHOW_SERVER_LOGS: "true"
SHOW_MONGODB_LOGS: "false"
......
intern/docker_pihole/templates/docker-compose.yml 0 → 100644
View file @ a568db47
services:
app:
image: pihole/pihole:latest
restart: always
ports:
- "53:53/tcp"
- "53:53/udp"
volumes:
- "{{ basedir }}/etc:/etc/pihole"
- "{{ basedir }}/dnsmasq:/etc/dnsmasq.d"
- "/dev/null:/var/log/pihole.log"
- "/dev/null:/var/log/pihole-FTL.log"
hostname: pihole
environment:
TZ: 'Europe/Berlin'
TAIL_FTL_LOG: 0
FTLCONF_LOCAL_IPV4: '{{ int_ip4 }}'
WEBPASSWORD: '{{ admin_password }}'
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.services.{{ servicename }}.loadBalancer.server.port=80
networks:
- default
- web
networks:
web:
external: true
\ No newline at end of file
keyfiles/supervirus.pub 0 → 100644
View file @ a568db47
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6+Ex8TM4gP+Nph5Cy5zK6z2mceI9i7vsh0ec4oTfDC htk@ridcully
\ No newline at end of file
pihole/docker_pihole/tasks/main.yml 0 → 100644
View file @ a568db47
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: "{{ basedir }}/secrets/admin_password", type: create, length: 24 }
- name: "create folder struct for {{ servicename }}"
file:
path: "{{ item }}"
state: "directory"
with_items:
- "{{ basedir }}"
- "{{ basedir }}/secrets"
- "{{ basedir }}/etc"
- name: "create config files for {{ servicename }}"
template:
src: "{{ item }}"
dest: "{{ basedir }}/{{ item }}"
with_items:
- docker-compose.yml
- etc/pihole.toml
register: config
- name: "stop {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: absent
when: config.changed
- name: "start {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
\ No newline at end of file
pihole/docker_pihole/templates/docker-compose.yml 0 → 100644
View file @ a568db47
services:
app:
image: pihole/pihole:2025.02.6
restart: always
network_mode: host
volumes:
- '{{ basedir }}/etc:/etc/pihole'
hostname: pihole
environment:
TZ: 'Europe/Berlin'
WEBPASSWORD: '{{ admin_password }}'
cap_add:
- NET_ADMIN
- SYS_NICE
- SYS_TIME
- NET_BIND_SERVICE
- NET_RAW
pihole/docker_pihole/templates/etc/pihole.toml 0 → 100644
View file @ a568db47
# Pi-hole configuration file (v6.0.2)
# Encoding: UTF-8
# This file is managed by pihole-FTL
# Last updated on 2025-02-27 02:49:13 CET
[dns]
# Array of upstream DNS servers used by Pi-hole
# Example: [ "8.8.8.8", "127.0.0.1#5335", "docker-resolver" ]
#
# Possible values are:
# array of IP addresses and/or hostnames, optionally with a port (#...)
upstreams = [
"8.8.8.8",
"8.8.4.4"
] ### CHANGED, default = []
# Use this option to control deep CNAME inspection. Disabling it might be beneficial
# for very low-end devices
CNAMEdeepInspect = true
# Should _esni. subdomains be blocked by default? Encrypted Server Name Indication
# (ESNI) is certainly a good step into the right direction to enhance privacy on the
# web. It prevents on-path observers, including ISPs, coffee shop owners and
# firewalls, from intercepting the TLS Server Name Indication (SNI) extension by
# encrypting it. This prevents the SNI from being used to determine which websites
# users are visiting.
# ESNI will obviously cause issues for pixelserv-tls which will be unable to generate
# matching certificates on-the-fly when it cannot read the SNI. Cloudflare and Firefox
# are already enabling ESNI. According to the IEFT draft (link above), we can easily
# restore piselserv-tls's operation by replying NXDOMAIN to _esni. subdomains of
# blocked domains as this mimics a "not configured for this domain" behavior.
blockESNI = true
# Should we overwrite the query source when client information is provided through
# EDNS0 client subnet (ECS) information? This allows Pi-hole to obtain client IPs even
# if they are hidden behind the NAT of a router. This feature has been requested and
# discussed on Discourse where further information how to use it can be found:
# https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940
EDNS0ECS = true
# Should FTL hide queries made by localhost?
ignoreLocalhost = false
# Should FTL should analyze and show internally generated DNSSEC queries?
showDNSSEC = true
# Should FTL analyze *only* A and AAAA queries?
analyzeOnlyAandAAAA = false
# Controls whether and how FTL will reply with for address for which a local interface
# exists. Changing this setting causes FTL to restart.
#
# Possible values are:
# - "NONE"
# Pi-hole will not respond automatically on PTR requests to local interface
# addresses. Ensure pi.hole and/or hostname records exist elsewhere.
# - "HOSTNAME"
# Serve the machine's hostname. The hostname is queried from the kernel through
# uname(2)->nodename. If the machine has multiple network interfaces, it can
# also have multiple nodenames. In this case, it is unspecified and up to the
# kernel which one will be returned. On Linux, the returned string is what has
# been set using sethostname(2) which is typically what has been set in
# /etc/hostname.
# - "HOSTNAMEFQDN"
# Serve the machine's hostname (see limitations above) as fully qualified domain
# by adding the local domain. If no local domain has been defined (config option
# dns.domain), FTL tries to query the domain name from the kernel using
# getdomainname(2). If this fails, FTL appends ".no_fqdn_available" to the
# hostname.
# - "PI.HOLE"
# Respond with "pi.hole".
piholePTR = "PI.HOLE"
# How should FTL handle queries when the gravity database is not available?
#
# Possible values are:
# - "BLOCK"
# Block all queries when the database is busy.
# - "ALLOW"
# Allow all queries when the database is busy.
# - "REFUSE"
# Refuse all queries which arrive while the database is busy.
# - "DROP"
# Just drop the queries, i.e., never reply to them at all. Despite "REFUSE"
# sounding similar to "DROP", it turned out that many clients will just
# immediately retry, causing up to several thousands of queries per second. This
# does not happen in "DROP" mode.
replyWhenBusy = "ALLOW"
# FTL's internal TTL to be handed out for blocked queries in seconds. This settings
# allows users to select a value different from the dnsmasq config option local-ttl.
# This is useful in context of locally used hostnames that are known to stay constant
# over long times (printers, etc.).
# Note that large values may render whitelisting ineffective due to client-side
# caching of blocked queries.
blockTTL = 2
# Array of custom DNS records
# Example: hosts = [ "127.0.0.1 mylocal", "192.168.0.1 therouter" ]
#
# Possible values are:
# Array of custom DNS records each one in HOSTS form: "IP HOSTNAME"
hosts = [
{% for domain in hostvars['ogg'].webserver_domains %}
"192.168.0.201 {{ domain }}"
{% endfor %}
{% for domain in hostvars['pihole'].webserver_domains %}
"10.0.0.2 {{ domain }}"
{% endfor %}
] ### CHANGED, default = []
# If set, A and AAAA queries for plain names, without dots or domain parts, are never
# forwarded to upstream nameservers
domainNeeded = false
# If set, the domain is added to simple names (without a period) in /etc/hosts in the
# same way as for DHCP-derived names
expandHosts = false
# The DNS domain used by your Pi-hole to expand hosts and for DHCP.
#
# Only if DHCP is enabled below: For DHCP, this has two effects; firstly it causes the
# DHCP server to return the domain to any hosts which request it, and secondly it sets
# the domain which it is legal for DHCP-configured hosts to claim. The intention is to
# constrain hostnames so that an untrusted host on the LAN cannot advertise its name
# via DHCP as e.g. "google.com" and capture traffic not meant for it. If no domain
# suffix is specified, then any DHCP hostname with a domain part (ie with a period)
# will be disallowed and logged. If a domain is specified, then hostnames with a
# domain part are allowed, provided the domain part matches the suffix. In addition,
# when a suffix is set then hostnames without a domain part have the suffix added as
# an optional domain part. For instance, we can set domain=mylab.com and have a
# machine whose DHCP hostname is "laptop". The IP address for that machine is
# available both as "laptop" and "laptop.mylab.com".
#
# You can disable setting a domain by setting this option to an empty string.
#
# Possible values are:
# <any valid domain>
domain = "warpzone.lan" ### CHANGED, default = "lan"
# Should all reverse lookups for private IP ranges (i.e., 192.168.x.y, etc) which are
# not found in /etc/hosts or the DHCP leases file be answered with "no such domain"
# rather than being forwarded upstream?
bogusPriv = true
# Validate DNS replies using DNSSEC?
dnssec = false
# Interface to use for DNS (see also dnsmasq.listening.mode) and DHCP (if enabled)
#
# Possible values are:
# a valid interface name
interface = ""
# Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with
# associated IPv4 (A) and IPv6 (AAAA) records
#
# Possible values are:
# <name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
hostRecord = ""
# Pi-hole interface listening modes
#
# Possible values are:
# - "LOCAL"
# Allow only local requests. This setting accepts DNS queries only from hosts
# whose address is on a local subnet, i.e., a subnet for which an interface
# exists on the server. It is intended to be set as a default on installation,
# to allow unconfigured installations to be useful but also safe from being used
# for DNS amplification attacks if (accidentally) running public.
# - "SINGLE"
# Permit all origins, accept only on the specified interface. Respond only to
# queries arriving on the specified interface. The loopback (lo) interface is
# automatically added to the list of interfaces to use when this option is used.
# Make sure your Pi-hole is properly firewalled!
# - "BIND"
# By default, FTL binds the wildcard address. If this is not what you want, you
# can use this option as it forces FTL to really bind only the interfaces it is
# listening on. Note that this may result in issues when the interface may go
# down (cable unplugged, etc.). About the only time when this is useful is when
# running another nameserver on the same port on the same machine. This may also
# happen if you run a virtualization API such as libvirt. When this option is
# used, IP alias interface labels (e.g. enp2s0:0) are checked rather than
# interface names.
# - "ALL"
# Permit all origins, accept on all interfaces. Make sure your Pi-hole is
# properly firewalled! This truly allows any traffic to be replied to and is a
# dangerous thing to do as your Pi-hole could become an open resolver. You
# should always ask yourself if the first option doesn't work for you as well.
# - "NONE"
# Do not add any configuration concerning the listening mode to the dnsmasq
# configuration file. This is useful if you want to manually configure the
# listening mode in auxiliary configuration files. This option is really meant
# for advanced users only, support for this option may be limited.
listeningMode = "LOCAL"
# Log DNS queries and replies to pihole.log
queryLogging = false ### CHANGED, default = true
# List of CNAME records which indicate that <cname> is really <target>. If the <TTL> is
# given, it overwrites the value of local-ttl
#
# Possible values are:
# Array of CNAMEs each on in one of the following forms: "<cname>,<target>[,<TTL>]"
cnameRecords = []
# Port used by the DNS server
port = 53
# Reverse server (former also called "conditional forwarding") feature
# Array of reverse servers each one in one of the following forms:
# "<enabled>,<ip-address>[/<prefix-len>],<server>[#<port>][,<domain>]"
#
# Individual components:
#
# <enabled>: either "true" or "false"
#
# <ip-address>[/<prefix-len>]: Address range for the reverse server feature in CIDR
# notation. If the prefix length is omitted, either 32 (IPv4) or 128 (IPv6) are
# substituted (exact address match). This is almost certainly not what you want here.
# Example: "192.168.0.0/24" for the range 192.168.0.1 - 192.168.0.255
#
# <server>[#<port>]: Target server to be used for the reverse server feature
# Example: "192.168.0.1#53"
#
# <domain>: Domain used for the reverse server feature (e.g., "fritz.box")
# Example: "fritz.box"
#
# Possible values are:
# array of reverse servers each one in one of the following forms:
# "<enabled>,<ip-address>[/<prefix-len>],<server>[#<port>][,<domain>]", e.g.,
# "true,192.168.0.0/24,192.168.0.1,fritz.box"
revServers = []
[dns.cache]
# Cache size of the DNS server. Note that expiring cache entries naturally make room
# for new insertions over time. Setting this number too high will have an adverse
# effect as not only more space is needed, but also lookup speed gets degraded in the
# 10,000+ range. dnsmasq may issue a warning when you go beyond 10,000+ cache entries.
size = 10000
# Query cache optimizer: If a DNS name exists in the cache, but its time-to-live has
# expired only recently, the data will be used anyway (a refreshing from upstream is
# triggered). This can improve DNS query delays especially over unreliable Internet
# connections. This feature comes at the expense of possibly sometimes returning
# out-of-date data and less efficient cache utilization, since old data cannot be
# flushed when its TTL expires, so the cache becomes mostly least-recently-used. To
# mitigate issues caused by massively outdated DNS replies, the maximum overaging of
# cached records is limited. We strongly recommend staying below 86400 (1 day) with
# this option.
# Setting the TTL excess time to zero will serve stale cache data regardless how long
# it has expired. This is not recommended as it may lead to stale data being served
# for a long time. Setting this option to any negative value will disable this feature
# altogether.
optimizer = 3600
# This setting allows you to specify the TTL used for queries blocked upstream. Once
# the TTL expires, the query will be forwarded to the upstream server again to check
# if the block is still valid. Defaults to caching for one day (86400 seconds).
# Setting this value to zero disables caching of queries blocked upstream.
upstreamBlockedTTL = 86400
[dns.blocking]
# Should FTL block queries?
active = true
# How should FTL reply to blocked queries?
#
# Possible values are:
# - "NULL"
# In NULL mode, which is both the default and recommended mode for Pi-hole
# FTLDNS, blocked queries will be answered with the "unspecified address"
# (0.0.0.0 or ::). The "unspecified address" is a reserved IP address specified
# by RFC 3513 - Internet Protocol Version 6 (IPv6) Addressing Architecture,
# section 2.5.2.
# - "IP_NODATA_AAAA"
# In IP-NODATA-AAAA mode, blocked queries will be answered with the local IPv4
# addresses of your Pi-hole. Blocked AAAA queries will be answered with
# NODATA-IPV6 and clients will only try to reach your Pi-hole over its static
# IPv4 address.
# - "IP"
# In IP mode, blocked queries will be answered with the local IP addresses of
# your Pi-hole.
# - "NX"
# In NXDOMAIN mode, blocked queries will be answered with an empty response
# (i.e., there won't be an answer section) and status NXDOMAIN. A NXDOMAIN
# response should indicate that there is no such domain to the client making the
# query.
# - "NODATA"
# In NODATA mode, blocked queries will be answered with an empty response (no
# answer section) and status NODATA. A NODATA response indicates that the domain
# exists, but there is no record for the requested query type.
mode = "NULL"
# Should FTL enrich blocked replies with EDNS0 information?
#
# Possible values are:
# - "NONE"
# In NONE mode, no additional EDNS information is added to blocked queries
# - "CODE"
# In CODE mode, blocked queries will be enriched with EDNS info-code BLOCKED (15)
# - "TEXT"
# In TEXT mode, blocked queries will be enriched with EDNS info-code BLOCKED (15)
# and a text message describing the reason for the block
edns = "TEXT"
[dns.specialDomains]
# Should Pi-hole always replies with NXDOMAIN to A and AAAA queries of
# use-application-dns.net to disable Firefox automatic DNS-over-HTTP? This is
# following the recommendation on
# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
mozillaCanary = true
# Should Pi-hole always replies with NXDOMAIN to A and AAAA queries of mask.icloud.com
# and mask-h2.icloud.com to disable Apple's iCloud Private Relay to prevent Apple
# devices from bypassing Pi-hole? This is following the recommendation on
# https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
iCloudPrivateRelay = true
[dns.reply.host]
# Use a specific IPv4 address for the Pi-hole host? By default, FTL determines the
# address of the interface a query arrived on and uses this address for replying to A
# queries with the most suitable address for the requesting client. This setting can
# be used to use a fixed, rather than the dynamically obtained, address when Pi-hole
# responds to the following names: [ "pi.hole", "<the device's hostname>",
# "pi.hole.<local domain>", "<the device's hostname>.<local domain>" ]
force4 = false
# Custom IPv4 address for the Pi-hole host
#
# Possible values are:
# <valid IPv4 address> or empty string ("")
IPv4 = ""
# Use a specific IPv6 address for the Pi-hole host? See description for the IPv4
# variant above for further details.
force6 = false
# Custom IPv6 address for the Pi-hole host
#
# Possible values are:
# <valid IPv6 address> or empty string ("")
IPv6 = ""
[dns.reply.blocking]
# Use a specific IPv4 address in IP blocking mode? By default, FTL determines the
# address of the interface a query arrived on and uses this address for replying to A
# queries with the most suitable address for the requesting client. This setting can
# be used to use a fixed, rather than the dynamically obtained, address when Pi-hole
# responds in the following cases: IP blocking mode is used and this query is to be
# blocked, regular expressions with the ;reply=IP regex extension.
force4 = false
# Custom IPv4 address for IP blocking mode
#
# Possible values are:
# <valid IPv4 address> or empty string ("")
IPv4 = ""
# Use a specific IPv6 address in IP blocking mode? See description for the IPv4 variant
# above for further details.
force6 = false
# Custom IPv6 address for IP blocking mode
#
# Possible values are:
# <valid IPv6 address> or empty string ("")
IPv6 = ""
[dns.rateLimit]
# Rate-limited queries are answered with a REFUSED reply and not further processed by
# FTL.
# The default settings for FTL's rate-limiting are to permit no more than 1000 queries
# in 60 seconds. Both numbers can be customized independently. It is important to note
# that rate-limiting is happening on a per-client basis. Other clients can continue to
# use FTL while rate-limited clients are short-circuited at the same time.
# For this setting, both numbers, the maximum number of queries within a given time,
# and the length of the time interval (seconds) have to be specified. For instance, if
# you want to set a rate limit of 1 query per hour, the option should look like
# RATE_LIMIT=1/3600. The time interval is relative to when FTL has finished starting
# (start of the daemon + possible delay by DELAY_STARTUP) then it will advance in
# steps of the rate-limiting interval. If a client reaches the maximum number of
# queries it will be blocked until the end of the current interval. This will be
# logged to /var/log/pihole/FTL.log, e.g. Rate-limiting 10.0.1.39 for at least 44
# seconds. If the client continues to send queries while being blocked already and
# this number of queries during the blocking exceeds the limit the client will
# continue to be blocked until the end of the next interval (FTL.log will contain
# lines like Still rate-limiting 10.0.1.39 as it made additional 5007 queries). As
# soon as the client requests less than the set limit, it will be unblocked (Ending
# rate-limitation of 10.0.1.39).
# Rate-limiting may be disabled altogether by setting both values to zero (this
# results in the same behavior as before FTL v5.7).
# How many queries are permitted...
count = 1000
# ... in the set interval before rate-limiting?
interval = 60
[dhcp]
# Is the embedded DHCP server enabled?
active = true ### CHANGED, default = false
# Start address of the DHCP address pool
#
# Possible values are:
# <valid IPv4 address> or empty string (""), e.g., "192.168.0.10"
start = "10.0.0.3" ### CHANGED, default = ""
# End address of the DHCP address pool
#
# Possible values are:
# <valid IPv4 address> or empty string (""), e.g., "192.168.0.250"
end = "10.0.3.254" ### CHANGED, default = ""
# Address of the gateway to be used (typically the address of your router in a home
# installation)
#
# Possible values are:
# <valid IPv4 address> or empty string (""), e.g., "192.168.0.1"
router = "10.0.0.1" ### CHANGED, default = ""
# The netmask used by your Pi-hole. For directly connected networks (i.e., networks on
# which the machine running Pi-hole has an interface) the netmask is optional and may
# be set to an empty string (""): it will then be determined from the interface
# configuration itself. For networks which receive DHCP service via a relay agent, we
# cannot determine the netmask itself, so it should explicitly be specified, otherwise
# Pi-hole guesses based on the class (A, B or C) of the network address.
#
# Possible values are:
# <any valid netmask> (e.g., "255.255.255.0") or empty string ("") for
# auto-discovery
netmask = "255.255.252.0" ### CHANGED, default = ""
# If the lease time is given, then leases will be given for that length of time. If not
# given, the default lease time is one hour for IPv4 and one day for IPv6.
#
# Possible values are:
# The lease time can be in seconds, or minutes (e.g., "45m") or hours (e.g., "1h")
# or days (like "2d") or even weeks ("1w"). You may also use "infinite" as string
# but be aware of the drawbacks
leaseTime = ""
# Should Pi-hole make an attempt to also satisfy IPv6 address requests (be aware that
# IPv6 works a whole lot different than IPv4)
ipv6 = false
# Enable DHCPv4 Rapid Commit Option specified in RFC 4039. Should only be enabled if
# either the server is the only server for the subnet to avoid conflicts
rapidCommit = true ### CHANGED, default = false
# Advertise DNS server multiple times to clients. Some devices will add their own
# proprietary DNS servers to the list of DNS servers, which can cause issues with
# Pi-hole. This option will advertise the Pi-hole DNS server multiple times to
# clients, which should prevent this from happening.
multiDNS = true ### CHANGED, default = false
# Enable logging for DHCP. This will log all relevant DHCP-related activity, including,
# e.g., all the options sent to DHCP clients and the tags used to determine them (if
# any). This can be useful for debugging DHCP issues. The generated output is saved to
# the file specified by files.log.dnsmasq below.
logging = false
# Ignore unknown DHCP clients.
# If this option is set, Pi-hole ignores all clients which are not explicitly
# configured through dhcp.hosts. This can be useful to prevent unauthorized clients
# from getting an IP address from the DHCP server.
# It should be noted that this option is not a security feature, as clients can still
# assign themselves an IP address and use the network. It is merely a convenience
# feature to prevent unknown clients from getting a valid IP configuration assigned
# automatically.
# Note that you will need to configure new clients manually in dhcp.hosts before they
# can use the network when this feature is enabled.
ignoreUnknownClients = false
# Per host parameters for the DHCP server. This allows a machine with a particular
# hardware address to be always allocated the same hostname, IP address and lease time
# or to specify static DHCP leases
#
# Possible values are:
# Array of static leases each on in one of the following forms:
# "[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]"
hosts = []
[ntp.ipv4]
# Should FTL act as network time protocol (NTP) server (IPv4)?
active = true
# IPv4 address to listen on for NTP requests
#
# Possible values are:
# <valid IPv4 address> or empty string ("") for wildcard (0.0.0.0)
address = ""
[ntp.ipv6]
# Should FTL act as network time protocol (NTP) server (IPv6)?
active = true
# IPv6 address to listen on for NTP requests
#
# Possible values are:
# <valid IPv6 address> or empty string ("") for wildcard (::)
address = ""
[ntp.sync]
# Should FTL try to synchronize the system time with an upstream NTP server?
active = true
# NTP upstream server to sync with, e.g., "pool.ntp.org". Note that the NTP server
# should be located as close as possible to you in order to minimize the time offset
# possibly introduced by different routing paths.
#
# Possible values are:
# valid NTP upstream server
server = "pool.ntp.org"
# Interval in seconds between successive synchronization attempts with the NTP server
interval = 3600
# Number of NTP syncs to perform and average before updating the system time
count = 8
[ntp.sync.rtc]
# Should FTL update a real-time clock (RTC) if available?
set = false
# Path to the RTC device to update. Leave empty for auto-discovery
#
# Possible values are:
# Path to the RTC device, e.g., "/dev/rtc0"
device = ""
# Should the RTC be set to UTC?
utc = true
[resolver]
# Should FTL try to resolve IPv4 addresses to hostnames?
resolveIPv4 = true
# Should FTL try to resolve IPv6 addresses to hostnames?
resolveIPv6 = true
# Control whether FTL should use the fallback option to try to obtain client names from
# checking the network table. This behavior can be disabled with this option.
# Assume an IPv6 client without a host names. However, the network table knows -
# though the client's MAC address - that this is the same device where we have a host
# name for another IP address (e.g., a DHCP server managed IPv4 address). In this
# case, we use the host name associated to the other address as this is the same
# device.
networkNames = true
# With this option, you can change how (and if) hourly PTR requests are made to check
# for changes in client and upstream server hostnames.
#
# Possible values are:
# - "IPV4_ONLY"
# Do hourly PTR lookups only for IPv4 addresses. This is the new default since
# Pi-hole FTL v5.3.2. It should resolve issues with more and more very
# short-lived PE IPv6 addresses coming up in a lot of networks.
# - "ALL"
# Do hourly PTR lookups for all addresses. This was the default until FTL
# v5.3(.1). It has been replaced as it can create a lot of PTR queries for those
# with many IPv6 addresses in their networks.
# - "UNKNOWN"
# Only resolve unknown hostnames. Already existing hostnames are never refreshed,
# i.e., there will be no PTR queries made for clients where hostnames are known.
# This also means that known hostnames will not be updated once known.
# - "NONE"
# Don't do any hourly PTR lookups. This means we look host names up exactly once
# (when we first see a client) and never again. You may miss future changes of
# host names.
refreshNames = "IPV4_ONLY"
[database]
# Should FTL load information from the database on startup to be aware of the most
# recent history?
DBimport = true
# How long should queries be stored in the database [days]?
# Setting this value to 0 will disable the database.
maxDBdays = 91
# How often do we store queries in FTL's database [seconds]?
DBinterval = 60
# Should FTL enable Write-Ahead Log (WAL) mode for the on-disk query database
# (configured via files.database)?
# It is recommended to leave this setting enabled for performance reasons. About the
# only reason to disable WAL mode is if you are experiencing specific issues with it,
# e.g., when using a database that is accessed from multiple hosts via a network
# share. When this setting is disabled, FTL will use SQLite3's default journal mode
# (rollback journal in DELETE mode).
useWAL = true
[database.network]
# Should FTL analyze the local ARP cache? When disabled, client identification and the
# network table will stop working reliably.
parseARPcache = true
# How long should IP addresses be kept in the network_addresses table [days]? IP
# addresses (and associated host names) older than the specified number of days are
# removed to avoid dead entries in the network overview table.
expire = 91
[webserver]
# On which domain is the web interface served?
#
# Possible values are:
# <valid domain>
domain = "pi.hole"
# Webserver access control list (ACL) allowing for restrictions to be put on the list
# of IP addresses which have access to the web server. The ACL is a comma separated
# list of IP subnets, where each subnet is prepended by either a - or a + sign. A plus
# sign means allow, where a minus sign means deny. If a subnet mask is omitted, such
# as -1.2.3.4, this means to deny only that single IP address. If this value is not
# set (empty string), all accesses are allowed. Otherwise, the default setting is to
# deny all accesses. On each request the full list is traversed, and the last (!)
# match wins. IPv6 addresses may be specified in CIDR-form [a:b::c]/64.
#
# Example 1: acl = "+127.0.0.1,+[::1]"
# ---> deny all access, except from 127.0.0.1 and ::1,
# Example 2: acl = "+192.168.0.0/16"
# ---> deny all accesses, except from the 192.168.0.0/16 subnet,
# Example 3: acl = "+[::]/0" ---> allow only IPv6 access.
#
# Possible values are:
# <valid ACL>
acl = ""
# Ports to be used by the webserver.
# Comma-separated list of ports to listen on. It is possible to specify an IP address
# to bind to. In this case, an IP address and a colon must be prepended to the port
# number. For example, to bind to the loopback interface on port 80 (IPv4) and to all
# interfaces port 8080 (IPv4), use "127.0.0.1:80,8080". "[::]:80" can be used to
# listen to IPv6 connections to port 80. IPv6 addresses of network interfaces can be
# specified as well, e.g. "[::1]:80" for the IPv6 loopback interface. [::]:80 will
# bind to port 80 IPv6 only.
# In order to use port 80 for all interfaces, both IPv4 and IPv6, use either the
# configuration "80,[::]:80" (create one socket for IPv4 and one for IPv6 only), or
# "+80" (create one socket for both, IPv4 and IPv6). The '+' notation to use IPv4 and
# IPv6 will only work if no network interface is specified. Depending on your
# operating system version and IPv6 network environment, some configurations might not
# work as expected, so you have to test to find the configuration most suitable for
# your needs. In case "+80" does not work for your environment, you need to use
# "80,[::]:80".
# If the port is TLS/SSL, a letter 's' (secure) must be appended, for example,
# "80,443s" will open port 80 and port 443, and connections on port 443 will be
# encrypted. For non-encrypted ports, it is allowed to append letter 'r' (as in
# redirect). Redirected ports will redirect all their traffic to the first configured
# SSL port. For example, if webserver.port is "80r,443s", then all HTTP traffic coming
# at port 80 will be redirected to HTTPS port 443.
# When specifying 'o' (optional) behind a port, inability to use this port is not
# considered an error. For instance, specifying "80o,8080o" will allow the webserver
# to listen on either 80, 8080, both or even none of the two ports. This flag may be
# combined with 'r' and 's' like "80or,443os,8080,4443s" (80 redirecting to SSL if
# available, 443 encrypted if available, 8080 mandatory and unencrypted, 4443
# mandatory and encrypted).
# If this value is not set (empty string), the web server will not be started and,
# hence, the API will not be available.
#
# Possible values are:
# comma-separated list of <[ip_address:]port>
port = "80o,443os,[::]:80o,[::]:443os"
# Maximum number of worker threads allowed.
# The Pi-hole web server handles each incoming connection in a separate thread.
# Therefore, the value of this option is effectively the number of concurrent HTTP
# connections that can be handled. Any other connections are queued until they can be
# processed by a unoccupied thread.
# The default value of 0 means that the number of threads is automatically determined
# by the number of online CPU cores minus 1 (e.g., launching up to 8-1 = 7 threads on
# 8 cores). Any other value specifies the number of threads explicitly. A hard-coded
# maximum of 64 threads is enforced for this option.
# The total number of threads you see may be lower than the configured value as
# threads are only created when needed due to incoming connections.
threads = 0
[webserver.session]
# Session timeout in seconds. If a session is inactive for more than this time, it will
# be terminated. Sessions are continuously refreshed by the web interface, preventing
# sessions from timing out while the web interface is open.
# This option may also be used to make logins persistent for long times, e.g. 86400
# seconds (24 hours), 604800 seconds (7 days) or 2592000 seconds (30 days). Note that
# the total number of concurrent sessions is limited so setting this value too high
# may result in users being rejected and unable to log in if there are already too
# many sessions active.
timeout = 1800
# Should Pi-hole backup and restore sessions from the database? This is useful if you
# want to keep your sessions after a restart of the web interface.
restore = true
[webserver.tls]
# Path to the TLS (SSL) certificate file. All directories along the path must be
# readable and accessible by the user running FTL (typically 'pihole'). This option is
# only required when at least one of webserver.port is TLS. The file must be in PEM
# format, and it must have both, private key and certificate (the *.pem file created
# must contain a 'CERTIFICATE' section as well as a 'RSA PRIVATE KEY' section).
# The *.pem file can be created using
# cp server.crt server.pem
# cat server.key >> server.pem
# if you have these files instead
#
# Possible values are:
# <valid TLS certificate file (*.pem)>
cert = "/etc/pihole/tls.pem"
[webserver.paths]
# Server root on the host
#
# Possible values are:
# <valid path>
webroot = "/var/www/html"
# Sub-directory of the root containing the web interface
#
# Possible values are:
# <valid subpath>, both slashes are needed!
webhome = "/admin/"
[webserver.interface]
# Should the web interface use the boxed layout?
boxed = false ### CHANGED, default = true
# Theme used by the Pi-hole web interface
#
# Possible values are:
# - "default-auto"
# Pi-hole auto
# - "default-light"
# Pi-hole day
# - "default-dark"
# Pi-hole midnight
# - "default-darker"
# Pi-hole deep-midnight
# - "high-contrast"
# High-contrast light
# - "high-contrast-dark"
# High-contrast dark
# - "lcars"
# Star Trek LCARS
theme = "default-auto"
[webserver.api]
# Number of concurrent sessions allowed for the API. If the number of sessions exceeds
# this value, no new sessions will be allowed until the number of sessions drops due
# to session expiration or logout. Note that the number of concurrent sessions is
# irrelevant if authentication is disabled as no sessions are used in this case.
max_sessions = 16
# Should FTL prettify the API output (add extra spaces, newlines and indentation)?
prettyJSON = false
# API password hash
#
# Possible values are:
# <valid Pi-hole password hash>
pwhash = ""
# Pi-hole 2FA TOTP secret. When set to something different than "", 2FA authentication
# will be enforced for the API and the web interface. This setting is write-only, you
# can not read the secret back.
#
# Possible values are:
# <valid TOTP secret (20 Bytes in Base32 encoding)>
totp_secret = ""
# Pi-hole application password.
# After you turn on two-factor (2FA) verification and set up an Authenticator app, you
# may run into issues if you use apps or other services that don't support two-step
# verification. In this case, you can create and use an app password to sign in. An
# app password is a long, randomly generated password that can be used instead of your
# regular password + TOTP token when signing in to the API. The app password can be
# generated through the API and will be shown only once. You can revoke the app
# password at any time. If you revoke the app password, be sure to generate a new one
# and update your app with the new password.
#
# Possible values are:
# <valid Pi-hole password hash>
app_pwhash = ""
# Should application password API sessions be allowed to modify config settings?
# Setting this to true allows third-party applications using the application password
# to modify settings, e.g., the upstream DNS servers, DHCP server settings, or
# changing passwords. This setting should only be enabled if really needed and only if
# you trust the applications using the application password.
app_sudo = false
# Should FTL create a temporary CLI password? This password is stored in clear in
# /etc/pihole and can be used by the CLI (pihole ... commands) to authenticate
# against the API. Note that the password is only valid for the current session and
# regenerated on each FTL restart. Sessions initiated with this password cannot modify
# the Pi-hole configuration (change passwords, etc.) for security reasons but can
# still use the API to query data and manage lists.
cli_pw = true
# Array of clients to be excluded from certain API responses (regex):
# - Query Log (/api/queries)
# - Top Clients (/api/stats/top_clients)
# This setting accepts both IP addresses (IPv4 and IPv6) as well as hostnames.
# Note that backslashes "\" need to be escaped, i.e. "\\" in this setting
#
# Example: [ "^192\\.168\\.2\\.56$", "^fe80::341:[0-9a-f]*$", "^localhost$" ]
#
# Possible values are:
# array of regular expressions describing clients
excludeClients = []
# Array of domains to be excluded from certain API responses (regex):
# - Query Log (/api/queries)
# - Top Clients (/api/stats/top_domains)
# Note that backslashes "\" need to be escaped, i.e. "\\" in this setting
#
# Example: [ "(^|\\.)\\.google\\.de$", "\\.pi-hole\\.net$" ]
#
# Possible values are:
# array of regular expressions describing domains
excludeDomains = []
# How much history should be imported from the database and returned by the API
# [seconds]? (max 24*60*60 = 86400)
maxHistory = 86400
# Up to how many clients should be returned in the activity graph endpoint
# (/api/history/clients)?
# This setting can be overwritten at run-time using the parameter N. Setting this to 0
# will always send all clients. Be aware that this may be challenging for the GUI if
# you have many (think > 1.000 clients) in your network
maxClients = 10
# How should the API compute the most active clients? If set to true, the API will
# return the clients with the most queries globally (within 24 hours). If set to
# false, the API will return the clients with the most queries per time slot
# individually.
client_history_global_max = true
# Allow destructive API calls (e.g. deleting all queries, powering off the system, ...)
allow_destructive = true
[webserver.api.temp]
# Which upper temperature limit should be used by Pi-hole? Temperatures above this
# limit will be shown as "hot". The number specified here is in the unit defined below
limit = 60.000000
# Which temperature unit should be used for temperatures processed by FTL?
#
# Possible values are:
# - "C"
# Celsius
# - "F"
# Fahrenheit
# - "K"
# Kelvin
unit = "C"
[files]
# The file which contains the PID of FTL's main process.
#
# Possible values are:
# <any writable file>
pid = "/run/pihole-FTL.pid"
# The location of FTL's long-term database
#
# Possible values are:
# <any FTL database>
database = "/etc/pihole/pihole-FTL.db"
# The location of Pi-hole's gravity database
#
# Possible values are:
# <any Pi-hole gravity database>
gravity = "/etc/pihole/gravity.db"
# A temporary directory where Pi-hole can store files during gravity updates. This
# directory must be writable by the user running gravity (typically pihole).
#
# Possible values are:
# <any existing world-writable writable directory>
gravity_tmp = "/tmp"
# The database containing MAC -> Vendor information for the network table
#
# Possible values are:
# <any Pi-hole macvendor database>
macvendor = "/macvendor.db" ### CHANGED, default = "/etc/pihole/macvendor.db"
# The old config file of Pi-hole used before v6.0
#
# Possible values are:
# <any Pi-hole setupVars file>
setupVars = "/etc/pihole/setupVars.conf"
# An optional file containing a pcap capture of the network traffic. This file is used
# for debugging purposes only. If you don't know what this is, you don't need it.
# Setting this to an empty string disables pcap recording. The file must be writable
# by the user running FTL (typically pihole). Failure to write to this file will
# prevent the DNS resolver from starting. The file is appended to if it already
# exists.
#
# Possible values are:
# <any writable pcap file>
pcap = ""
[files.log]
# The location of FTL's log file
#
# Possible values are:
# <any writable file>
ftl = "/var/log/pihole/FTL.log"
# The log file used by the embedded dnsmasq DNS server
#
# Possible values are:
# <any writable file>
dnsmasq = "/var/log/pihole/pihole.log"
# The log file used by the webserver
#
# Possible values are:
# <any writable file>
webserver = "/var/log/pihole/webserver.log"
[misc]
# Using privacy levels you can specify which level of detail you want to see in your
# Pi-hole statistics. Changing this setting will trigger a restart of FTL
#
# Possible values are:
# - 0
# Don't hide anything, all statistics are available.
# - 1
# Hide domains. This setting disables Top Domains and Top Ads
# - 2
# Hide domains and clients. This setting disables Top Domains, Top Ads, Top
# Clients and Clients over time.
# - 3
# Anonymize everything. This setting disabled almost any statistics and query
# analysis. There will be no long-term database logging and no Query Log. You
# will also loose most regex features.
privacylevel = 0
# During startup, in some configurations, network interfaces appear only late during
# system startup and are not ready when FTL tries to bind to them. Therefore, you may
# want FTL to wait a given amount of time before trying to start the DNS revolver.
# This setting takes any integer value between 0 and 300 seconds. To prevent delayed
# startup while the system is already running and FTL is restarted, the delay only
# takes place within the first 180 seconds (hard-coded) after booting.
delay_startup = 0
# Set niceness of pihole-FTL. Defaults to -10 and can be disabled altogether by setting
# a value of -999. The nice value is an attribute that can be used to influence the
# CPU scheduler to favor or disfavor a process in scheduling decisions. The range of
# the nice value varies across UNIX systems. On modern Linux, the range is -20 (high
# priority = not very nice to other processes) to +19 (low priority).
nice = -10
# Should FTL translate its own stack addresses into code lines during the bug
# backtrace? This improves the analysis of crashed significantly. It is recommended to
# leave the option enabled. This option should only be disabled when addr2line is
# known to not be working correctly on the machine because, in this case, the
# malfunctioning addr2line can prevent from generating any backtrace at all.
addr2line = true
# Should FTL load additional dnsmasq configuration files from /etc/dnsmasq.d/?
etc_dnsmasq_d = false
# Additional lines to inject into the generated dnsmasq configuration.
# Warning: This is an advanced setting and should only be used with care. Incorrectly
# formatted or duplicated lines as well as lines conflicting with the automatic
# configuration of Pi-hole can break the embedded dnsmasq and will stop DNS resolution
# from working.
# Use this option with extra care.
#
# Possible values are:
# array of valid dnsmasq config line options
dnsmasq_lines = []
# Log additional information about queries and replies to pihole.log
# When this setting is enabled, the log has extra information at the start of each
# line. This consists of a serial number which ties together the log lines associated
# with an individual query, and the IP address of the requestor. This setting is only
# effective if dns.queryLogging is enabled, too. This option is only useful for
# debugging and is not recommended for normal use.
extraLogging = false
# Put configuration into read-only mode. This will prevent any changes to the
# configuration file via the API or CLI. This setting useful when a configuration is
# to be forced/modified by some third-party application (like infrastructure-as-code
# providers) and should not be changed by any means.
readOnly = true
[misc.check]
# Pi-hole is very lightweight on resources. Nevertheless, this does not mean that you
# should run Pi-hole on a server that is otherwise extremely busy as queuing on the
# system can lead to unnecessary delays in DNS operation as the system becomes less
# and less usable as the system load increases because all resources are permanently
# in use. To account for this, FTL regularly checks the system load. To bring this to
# your attention, FTL warns about excessive load when the 15 minute system load
# average exceeds the number of cores.
# This check can be disabled with this setting.
load = true
# FTL stores history in shared memory to allow inter-process communication with forked
# dedicated TCP workers. If FTL runs out of memory, it cannot continue to work as
# queries cannot be analyzed any further. Hence, FTL checks if enough shared memory is
# available on your system and warns you if this is not the case.
# By default, FTL warns if the shared-memory usage exceeds 90%. You can set any
# integer limit between 0 to 100 (interpreted as percentages) where 0 means that
# checking of shared-memory usage is disabled.
shmem = 90
# FTL stores its long-term history in a database file on disk. Furthermore, FTL stores
# log files. By default, FTL warns if usage of the disk holding any crucial file
# exceeds 90%. You can set any integer limit between 0 to 100 (interpreted as
# percentages) where 0 means that checking of disk usage is disabled.
disk = 90
[debug]
# Print debugging information about database actions. This prints performed SQL
# statements as well as some general information such as the time it took to store the
# queries and how many have been saved to the database.
database = false
# Prints a list of the detected interfaces on the startup of pihole-FTL. Also, prints
# whether these interfaces are IPv4 or IPv6 interfaces.
networking = false
# Print information about shared memory locks. Messages will be generated when waiting,
# obtaining, and releasing a lock.
locks = false
# Print extensive query information (domains, types, replies, etc.). This has always
# been part of the legacy debug mode of pihole-FTL.
queries = false
# Print flags of queries received by the DNS hooks. Only effective when DEBUG_QUERIES
# is enabled as well.
flags = false
# Print information about shared memory buffers. Messages are either about creating or
# enlarging shmem objects or string injections.
shmem = false
# Print information about garbage collection (GC): What is to be removed, how many have
# been removed and how long did GC take.
gc = false
# Print information about ARP table processing: How long did parsing take, whether read
# MAC addresses are valid, and if the macvendor.db file exists.
arp = false
# Controls if FTLDNS should print extended details about regex matching into FTL.log.
regex = false
# Print extra debugging information concerning API calls. This includes the request,
# the request parameters, and the internal details about how the algorithms decide
# which data to present and in what form. This very verbose output should only be used
# when debugging specific API issues and can be helpful, e.g., when a client cannot
# connect due to an obscure API error. Furthermore, this setting enables logging of
# all API requests (auth log) and details about user authentication attempts.
api = false
# Print extra debugging information about TLS connections. This includes the TLS
# version, the cipher suite, the certificate chain and much more. This very verbose
# output should only be used when debugging specific TLS issues and can be helpful,
# e.g., when a client cannot connect due to an obscure TLS error as modern browsers do
# not provide much information about the underlying TLS connection and most often give
# only very generic error messages without much/any underlying technical information.
tls = false
# Print information about overTime memory operations, such as initializing or moving
# overTime slots.
overtime = false
# Print information about status changes for individual queries. This can be useful to
# identify unexpected unknown queries.
status = false
# Print information about capabilities granted to the pihole-FTL process. The current
# capabilities are printed on receipt of SIGHUP, i.e., the current set of capabilities
# can be queried without restarting pihole-FTL (by setting DEBUG_CAPS=true and
# thereafter sending killall -HUP pihole-FTL).
caps = false
# Print information about DNSSEC activity
dnssec = false
# FTL uses dynamically allocated vectors for various tasks. This config option enables
# extensive debugging information such as information about allocation, referencing,
# deletion, and appending.
vectors = false
# Extensive information about hostname resolution like which DNS servers are used in
# the first and second hostname resolving tries (only affecting internally generated
# PTR queries).
resolver = false
# Print debugging information about received EDNS(0) data.
edns0 = false
# Log various important client events such as change of interface (e.g., client
# switching from WiFi to wired or VPN connection), as well as extensive reporting
# about how clients were assigned to its groups.
clients = false
# Log information related to alias-client processing.
aliasclients = false
# Log information regarding FTL's embedded event handling queue.
events = false
# Log information about script helpers, e.g., due to dhcp-script.
helper = false
# Print config parsing details
config = false
# Debug monitoring of /etc/pihole filesystem events
inotify = false
# Debug monitoring of the webserver (CivetWeb) events
webserver = false
# Temporary flag that may print additional information. This debug flag is meant to be
# used whenever needed for temporary investigations. The logged content may change
# without further notice at any time.
extra = false
# Reserved debug flag
reserved = false
# Print information about NTP synchronization
ntp = false
# Print information about netlink communication and parsing
netlink = false
# Set all debug flags at once. This is a convenience option to enable all debug flags
# at once. Note that this option is not persistent, setting it to true will enable all
# *remaining* debug flags but unsetting it will disable *all* debug flags.
all = false
# Configuration statistics:
# 152 total entries out of which 137 entries are default
# --> 15 entries are modified
site.yml
View file @ a568db47
......@@ -27,28 +27,28 @@
domain: "test-warpzone.de",
domain_default: "www.test-warpzone.de",
}
- {
role: testserver/docker_mail, tags: [ test_mail, docker_services ],
servicename: mail,
basedir: "/srv/{{ servicename }}",
domain: "test-warpzone.de",
mailserver: "mailserver.test-warpzone.de",
listserver: "listserver.test-warpzone.de"
}
# - {
# role: testserver/docker_mail, tags: [ test_mail, docker_services ],
# servicename: mail,
# basedir: "/srv/{{ servicename }}",
# domain: "test-warpzone.de",
# mailserver: "mailserver.test-warpzone.de",
# listserver: "listserver.test-warpzone.de"
# }
- {
role: testserver/docker_uffd, tags: [ test_uffd, docker_services ],
servicename: uffd,
basedir: "/srv/{{ servicename }}",
domain: "uffd.test-warpzone.de",
}
- {
role: testserver/docker_icinga, tags: [ test_icinga, docker_services ],
servicename: icinga,
basedir: "/srv/{{ servicename }}",
domain: "icinga.test-warpzone.de",
api_port: 5665,
mysql_port: 33306
}
# - {
# role: testserver/docker_icinga, tags: [ test_icinga, docker_services ],
# servicename: icinga,
# basedir: "/srv/{{ servicename }}",
# domain: "icinga.test-warpzone.de",
# api_port: 5665,
# mysql_port: 33306
# }
- {
role: testserver/docker_gitlab, tags: [ test_gitlab, docker_services ],
servicename: "gitlab",
......@@ -76,6 +76,12 @@
basedir: "/srv/{{ servicename }}",
domain: "md.test-warpzone.de"
}
- {
role: testserver/docker_matrix, tags: [ test_matrix, docker_services ],
servicename: "matrix",
basedir: "/srv/{{ servicename }}",
domain: "matrix.test-warpzone.de"
}
- {
role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
servicename: "nextcloud",
......@@ -244,6 +250,24 @@
domain: "zigbee2mqtt.warpzone.lan"
}
- hosts: pihole
remote_user: root
roles:
- { role: common/cronapt, tags: cronapt }
- { role: common/docker, tags: docker }
- { role: common/prometheus-node, tags: prometheus-node }
- {
role: common/docker_dockerstats, tags: [ dockerstats, docker_services ],
servicename: dockerstats,
basedir: /srv/dockerstats,
metrics_port: 9487
}
- {
role: pihole/docker_pihole, tags: pihole,
servicename: pihole,
basedir: /srv/pihole,
domain: "pihole.warpzone.lan"
}
- hosts: webserver
remote_user: root
......@@ -356,6 +380,12 @@
basedir: /srv/wordpress,
domain: "www.warpzone.ms"
}
- {
role: webserver/docker_privatebin, tags: [ privatebin, docker_services ],
servicename: privatebin,
basedir: /srv/privatebin,
domain: "privatebin.warpzone.ms"
}
# - {
# role: webserver/docker_workadventure, tags: [ workadventure, docker_services ],
# servicename: "workadventure",
......
testserver/docker_dokuwiki/tasks/main.yml
View file @ a568db47
......@@ -3,6 +3,8 @@
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: "{{ basedir }}/secrets/oauth_secret", length: 64}
- { path: "{{ basedir }}/dokuwiki_api_secret", length: 32 }
- { path: "{{ basedir }}/ldap_bind_pw", length: 32 }
- name: create folder struct for dokuwiki
file:
......@@ -12,6 +14,11 @@
- "{{ basedir }}"
- "{{ basedir }}/data"
- "{{ basedir }}/pdftemplate"
- "{{ basedir }}/data/lib"
- "{{ basedir }}/data/lib/plugins"
- "{{ basedir }}/data/lib/plugins/oauth"
- "{{ basedir }}/data/lib/plugins/oauthgeneric"
- "{{ basedir }}/uffd-ldapd"
- name: Docker Compose Konfig-Datei erstellen
template:
......@@ -20,9 +27,37 @@
with_items:
- docker-compose.yml
- Dockerfile
- authuffd_vars.php
- uffd-ldapd/Dockerfile
register: config
#- name: oauth plugin clonen
# ansible.builtin.git:
# repo: https://github.com/cosmocode/dokuwiki-plugin-oauth.git
# dest: "{{ basedir }}/data/lib/plugins/oauth"
# force: true
#- name: config für oauth kopieren
# ansible.builtin.template:
# src: oauth_vars.php
# dest: "{{ basedir }}/data/lib/plugins/oauth/conf/default.php"
#- name: oauthgeneric plugin clonen
# ansible.builtin.git:
# repo: https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric.git
# dest: "{{ basedir }}/data/lib/plugins/oauthgeneric"
# force: true
#- name: config für oauthgeneric kopieren
# ansible.builtin.template:
# src: oauthgeneric_vars.php
# dest: "{{ basedir }}/data/lib/plugins/oauthgeneric/conf/default.php"
#- name: oauth provider aktivieren
# ansible.builtin.lineinfile:
# path: "{{ basedir }}/data/conf/local.php"
# regexp: "^$conf['authtype'] = "
# line: "$conf['authtype'] = 'oauth';"
- name: "stop {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
......
testserver/docker_dokuwiki/templates/Dockerfile
View file @ a568db47
......@@ -25,16 +25,6 @@ RUN apt-get update && apt-get install -y wget unzip git \
&& tar -xvzf dokuwiki-stable.tgz -C /var/www/html --strip-components=1 \
&& rm dokuwiki-stable.tgz
# Plugin-Verzeichnis erstellen und das Authentifizierungs-Plugin hinzufügen
RUN mkdir -p /var/www/html/lib/plugins/authuffd \
&& git clone https://git.cccv.de/uffd/dokuwiki-plugin-authuffd.git /var/www/html/lib/plugins/authuffd
# Konfigurationsdatei für das Plugin anpassen
COPY authuffd_vars.php /var/www/html/lib/plugins/authuffd/conf/default.php
# DokuWiki Konfiguration anpassen
RUN echo "\$conf['authtype'] = 'authuffd';" >> /var/www/html/conf/local.php
# Setzen der richtigen Berechtigungen
RUN chown -R www-data:www-data /var/www/html
......
testserver/docker_dokuwiki/templates/authuffd_vars.php deleted 100644 → 0
View file @ 86f7e433
<?php
$conf['name'] = 'uffd';
$conf['baseurl'] = '{{ oidc_global.provider_url }}';
$conf['oauth2_client_id'] = '{{ servicename }}';
$conf['oauth2_client_secret'] = '{{ oauth_secret }}';
$conf['oauth2_redirect_uri'] = '{{ domain }}/dokuwiki/doku.php?id=authredirect';
#$conf['api_username'] = '';
#$conf['api_password'] = '';
testserver/docker_dokuwiki/templates/docker-compose.yml
View file @ a568db47
......@@ -17,7 +17,20 @@ services:
networks:
- default
- web
ldap:
build: uffd-ldapd/
restart: always
environment:
SERVER_API_URL: "{{ oidc_global.provider_url }}"
SERVER_API_USER: "dokuwikildap"
SERVER_API_SECRET: "{{ dokuwiki_api_secret }}"
SERVER_BASE_DN: "{{ oidc_global.ldap_base_dn }}"
SERVER_BIND_PASSWORD: "{{ ldap_bind_pw}}"
networks:
- default
networks:
web:
external: true
testserver/docker_dokuwiki/templates/oauth_vars.php 0 → 100644
View file @ a568db47
<?php
/**
* Default settings for the oauth plugin
*
* @author Andreas Gohr <andi@splitbrain.org>
*/
$conf['info'] = '';
$conf['custom-redirectURI'] = '';
$conf['mailRestriction'] = '';
$conf['singleService'] = '';
$conf['register-on-auth'] = 1;
$conf['overwrite-groups'] = 0;
\ No newline at end of file