How many Raspberry Pis do you have and what are they used for?

[the-evaluator]

I'm using a bash script that calls rsync to keep the black/white lists in sync. I make changes to one particular instance and then within an hour the changes are live on the other instance. The script definitely has the potential to bugger things up but I know my way around Unixesque operating systems and should I manage to break both instances (unlikely as the sync is one way) then I can spin up a new instance in about 15 minutes.

 

[Frozennova]

Alternatively a GIT repo would be a nice solution too as it would then offer versioning and easy roll backs

 

[Feek]

I'm using a bash script that calls rsync to keep the black/white lists in sync. I make changes to one particular instance and then within an hour the changes are live on the other instance. The script definitely has the potential to bugger things up but I know my way around Unixesque operating systems and should I manage to break both instances (unlikely as the sync is one way) then I can spin up a new instance in about 15 minutes.

Care to share?

 

[Frozennova]

Care to share?

Not specific but you'll need to setup an SSH Key on the "Master" Pi so it doesn't required a password for SSH on the "Slave" the rsync command should look something like this

rsync -v -e ssh /etc/pihole/whitelist.txt remoteuser@slaveIPaddr:/etc/pihole/
rsync -v -e ssh /etc/pihole/blacklistlist.txt remoteuser@slaveIPaddr:/etc/pihole/

 

[Feek]

Oh, as simple as that. I'll have a play.

For those who want help setting up an ssh key, it's pretty straightforward and this is how I do it:

ssh-keygen -t ed25519

Hit enter a couple of times to submit without a password.

Then

ssh-copy-id [email protected]

Where xxx.xxx.xxx.xxx is the IP of the Pi you're connecting to.

This will store the remote Pi password locally and then you can just ssh into it without having to enter a password.

 

[the-evaluator]

rsync -v -e ssh /etc/pihole/whitelist.txt remoteuser@slaveIPaddr:/etc/pihole/
rsync -v -e ssh /etc/pihole/blacklistlist.txt remoteuser@slaveIPaddr:/etc/pihole/

Pretty much that but I've also included a command to restart Pi-Hole on the secondary Pi so that any changes in the black/whitelists take effect now. From memory the command is very similar to this:

ssh -t user@slaveIPaddr "/usr/local/bin/pihole restartdns"

I've defined variables in the script rather than hard coding the username and IP address of the secondary Pi-Hole box. The script is then scheduled to run once an hour via cron.

 

[Feek]

I've defined variables in the script rather than hard coding the username and IP address of the secondary Pi-Hole box. The script is then scheduled to run once an hour via cron.

Post it!

 

[dymetrie]

I think I almost understand all of that code!

Once I get round to having the extra hardware then I will most definitely implement (with loads of questions, of course )

 

[the-evaluator]

Post it!

#!/bin/bash

# ===================
# = Setup variables =
# ===================

# Define an array containing the files that will be copied to the remote server
FILESTOCOPY=("whitelist.txt" "blacklist.txt")

# Where on the filesystem on this server are the files to be copied located?
LOCALSOURCEDIR="/etc/pihole"

# Where on the remote server should the files be put?
REMOTEDESTINATIONDIR="/etc/pihole"

# What is the IP address/DNS name of the remote server?
REMOTESERVER="192.168.8.3"

# What user should I log into the remote server as?
REMOTEUSERNAME="root"

# =================
# = END VARIABLES =
# =================

# For each filename specified in the array, rsync the file to the remote server.
for i in "${FILESTOCOPY[@]}"
        do
                rsync -v -e ssh $LOCALSOURCEDIR/$i $REMOTEUSERNAME@$REMOTESERVER:$REMOTEDESTINATIONDIR/
        done

# Restart Pi-Hole on the secondary box
ssh -t $REMOTEUSERNAME@$REMOTESERVER "/usr/local/bin/pihole restartdns"

There's risks to using this script. Firstly I've got it setup so that I'm logging into the secondary Pi-Hole box as root which isn't ideal. I could do the rsync to a different user and then use sudo to move files around but that's not ideal either.

For my needs though, this works well. I've had it in place for about a year or so and it hasn't given me any problems.

The variables and array make this look more complicated than it actually is but I based this script off some scripts I'm using at work that rsync specific stuff around and it took less than a minute to knock this up based on the template I use at work. To write something from scratch would have taken only marginally longer but I'm lazy

I may eventually extend the script a bit to keep archived copied of the white/blacklists on my NAS so that if I need to revert to a previous version I can.

 

[the-evaluator]

This will store the remote Pi password locally and then you can just ssh into it without having to enter a password.

Without wishing to be pedantic it doesn't store the password, either locally or remotely.

The ssh-keygen commands generates a pair of keys, a private and a public. Then you're copying the public key to the remote host using ssh-copy-id. The public key ends up in ~/.ssh/authorized_keys which is a file that contains a list of the public keys that are allowed to login without requiring a password as long as they have the corresponding private key. It's important the keep the private key private.

Once you've set things up like this you can change the password on the remote host and you'll still be able to login because the password is not being used. If you wanted to revoke access then you need to remove the public key from the authorized_keys file on the remote host.

 

[Feek]

That’s a good explanation, thank you.

 

[Squid Vicious]

Got round to setting up the Pi Zero W and pihole this morning - all pretty straightforward and it works a treat!

Now all I need are some more applications/excuses to get some more Any good ideas for smart home, security or other interesting apps?

 

[Feek]

There's risks to using this script. Firstly I've got it setup so that I'm logging into the secondary Pi-Hole box as root which isn't ideal. I could do the rsync to a different user and then use sudo to move files around but that's not ideal either.

Thanks for posting it.

From what I understood, by default there's no root password. Have you added one? Also, I seem to recall that root login is disabled as well, have you enabled it? Sorry for all the questions, I like to comprehend what I'm doing and why. Your script makes perfect sense, it's just this remote root connection I'm not sure about.

 

[the-evaluator]

From what I understood, by default there's no root password. Have you added one?

Correct, by default there isn't a password on the root user. Setting one is the same as setting a password for any other user. So you just need to do the following when logged in as pi or whatever user you normally use which is allowed to sudo:

sudo su -
passwd root

Also, I seem to recall that root login is disabled as well, have you enabled it?

It's not disabled in that the user account is disabled but the SSH daemon is set by default to not allow root logins using the password. To change that edit /etc/ssh/sshd_config. Look for the line that contains PermitRootLogin, by default I think it looks like this:

#PermitRootLogin without-password

Note the # at the beginning so that's make that entire line just a comment. Remove the #. If you wanted to login as root using public/private keys then the line is now correct. If you want to login using the password over SSH then change without-password to yes. Save the file and either restart sshd (the command /etc/init.d/ssh restart will do it, or just reboot the box)

Sorry for all the questions, I like to comprehend what I'm doing and why.

Ask away

Also, not that it's relevant but my secondary Pi-Hole box isn't a Pi, it's an Ubuntu 18.04LTS virtual machine but the basics of Raspbian and Ubuntu are pretty much the same.

 

[Feek]

Correct, by default there isn't a password on the root user. Setting one is the same as setting a password for any other user. So you just need to do the following when logged in as pi or whatever user you normally use which is allowed to sudo:

Thanks - What you've described is largely what I'd already found but my sshd_config didn't have the line, even commented out so I've added it.

I then set a root password and tried to log in remotely to set up public/private keys but it wouldn't let me do that until I changed the without-password to yes.

Now when I run the script, it prompts me for a password three times which is what I'd expect from the three files it's copying.

Have I dropped a gonad here by setting a root password? Should I have left it unset and left sshd_config as it was? I suspect I should and that's why I should have been testing this with my Pihole VM rather than an actual Pihole.

It's not the end of the world if I have, I was going to rebuild them (one at a time) to Buster anyway.

 

[the-evaluator]

If it's prompting you for a password when the script runs then something with the keys hasn't worked. I guess the public key from your primary Pi hasn't ended up in the authorized_keys file for the correct user on the secondary Pi.

Which user did you run the ssh-keygen as? What was the exact ssh-copy-id command you ran? What user is set as REMOTEUSERNAME in the script? I'm assuming that REMOTEUSERNAME is root? If that's the case then ideally you'd want to run ssh-keygen as root on the primary Pi and use ssh-copy-id [email protected] to copy the public key for the root on the primary key into the authorized_keys file for root on the secondary Pi.

Having a root password set won't cause you any problems so there's nothing to worry about there.

 

[Feek]

Which user did you run the ssh-keygen as?

Yup, that was it. I'd run it as pi, not as root. Now I've done that, it's sorted so thanks for the help. This is the sort of thing I should have noticed so it's frustrating not to have realised what was going on there.

I've added a couple of extra files so regex.list and adlists.list are copied as well and I may also add my hosts and 04-pihole-static-dhcp.conf files as well just to keep everything the same between the two boxes.

Then I'll just cron it to run once an hour. Sorted.

 

[the-evaluator]

I've added a couple of extra files

A timely comment as I'd totally forgotten to include 'lan.list' into the script which is a file containing my internal DNS stuff. I shall do that now!

 

[Feek]

This is how I did it - Just added a second set of variables and rsync lines. There's probably a better way but this works.

 

[the-evaluator]

If you're just copying 1 file in the secondary and tertiary routines then you could replace this:

for i in "${FILESTOCOPY2[@]}"
       do
                rsync -v -e ssh $LOCALSOURCEDIR2/$i $REMOTEUSERNAME@$REMOTESERVER:$REMOTEDESTINATIONDIR2/
        done

with this and do away with the for loop:

rsync -v -e ssh $LOCALSOURCEDIR2/FILESTOCOPY2 $REMOTEUSERNAME@$REMOTESERVER:$REMOTEDESTINATIONDIR2/

As you said though, what you've got works fine plus it gives you the flexibility of being able to add additional files located in LOCALSOURCEDIR2 and 3 to the sync. The very marginal plus side is that the script would slightly easier to read through and follow.