Skip to content

Instantly share code, notes, and snippets.

@Bubbgump209

Bubbgump209/gist:ceaf39bad9e589975633f72022098794

Last active January 6, 2020 01:34
Show Gist options
  • Save Bubbgump209/ceaf39bad9e589975633f72022098794 to your computer and use it in GitHub Desktop.
Save Bubbgump209/ceaf39bad9e589975633f72022098794 to your computer and use it in GitHub Desktop.
Download ZIP
New Pihole setup on GCP and Buster
Raw
gistfile1.txt
New PiHole
apt install zram-tools
nano /etc/default/zramswap
###
ALLOCATION=512
###
systemctl enable zramswap
systemctl start zramswap
apt install ufw
ufw logging off
ufw allow ssh
ufw enable
ufw allow from 173.245.48.0/20 to any port 443
ufw allow from 103.21.244.0/22 to any port 443
ufw allow from 103.22.200.0/22 to any port 443
ufw allow from 103.31.4.0/22 to any port 443
ufw allow from 141.101.64.0/18 to any port 443
ufw allow from 108.162.192.0/18 to any port 443
ufw allow from 190.93.240.0/20 to any port 443
ufw allow from 188.114.96.0/20 to any port 443
ufw allow from 197.234.240.0/22 to any port 443
ufw allow from 198.41.128.0/17 to any port 443
ufw allow from 162.158.0.0/15 to any port 443
ufw allow from 104.16.0.0/12 to any port 443
ufw allow from 172.64.0.0/13 to any port 443
ufw allow from 131.0.72.0/22 to any port 443
ufw allow 1194/udp
apt update
apt upgrade
dpkg-reconfigure tzdata
apt install fail2ban
nano /etc/fail2ban/jail.local
#########
[DEFAULT]
bantime = 3600
[sshd]
enabled = true
####
systemctl enable fail2ban
systemctl start fail2ban
nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
apt install whiptail
curl -L https://install.pivpn.dev | bash
Edit /etc/openvpn/server.vpn
####
#push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 60
cipher AES-128-GCM
auth SHA384
ncp-disable
######
ufw allow in on tun0 from 10.8.0.0/24 to any
apt install php-common
curl -sSL https://install.pi-hole.net | bash
/etc/pihole/adlists.lists
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://v.firebog.net/hosts/Shalla-mal.txt
https://v.firebog.net/hosts/Easylist.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://dbl.oisd.nl/
https://v.firebog.net/hosts/static/w3kbl.txt
https://hosts-file.net/grm.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://www.squidblacklist.org/downloads/dg-ads.acl
https://hosts-file.net/exp.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/psh.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Prigent-Phishing.txt
https://www.squidblacklist.org/downloads/dg-malicious.acl
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
https://blocklist.site/app/dl/ads
https://blocklist.site/app/dl/crypto
https://blocklist.site/app/dl/drugs
https://blocklist.site/app/dl/fraud
https://blocklist.site/app/dl/fakenews
https://blocklist.site/app/dl/gambling
https://blocklist.site/app/dl/malware
https://blocklist.site/app/dl/phishing
https://blocklist.site/app/dl/piracy
https://blocklist.site/app/dl/porn
https://blocklist.site/app/dl/ransomware
https://blocklist.site/app/dl/redirect
https://blocklist.site/app/dl/scam
https://blocklist.site/app/dl/spam
https://blocklist.site/app/dl/tracking
systemctl enable lighttpd
systemctl start lighttpd
ufw allow http
apt install certbot
certbot certonly --dry-run --webroot -w /var/www/html/ -d pihole.somedomain.com
certbot certonly --webroot -w /var/www/html/ -d pihole.somedomain.com
ufw status numbered
ufw delete somenumberport80
cat /etc/letsencrypt/live/pihole.somedomain.com/cert.pem /etc/letsencrypt/live/pihole.somedomain.com/privkey.pem > /etc/letsencrypt/live/pihole.somedomain.com/combined.pem
nano /etc/lighttpd/external.conf
######
$HTTP["host"] == "pihole.somedomain.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/pihole.somedomain.com/combined.pem"
ssl.ca-file = "/etc/letsencrypt/live/pihole.somedomain.com/fullchain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
#####
mkdir /root/certrenew
nano /root/certrenew/certrenew.sh
####
#!/bin/bash
certbot renew
cat /etc/letsencrypt/live/pihole.somedomain.com/cert.pem /etc/letsencrypt/live/pihole.somedomain.com/privkey.pem > /etc/letsencrypt/live/pihole.somedomain.com/combined.pem
systemctl restart lighttpd
####
crontab -e
17 03 * * * /root/certrenew/certrenew.sh
Don't forget to setup snapshots!!!!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment