@vinayakg
Last active October 13, 2024 18:42
Setup New PiHole
cdoh.vinayakg.dev:443 {
    log {
        level ERROR
        output file /var/log/caddy/caddy.log {
            roll_size 10MiB
            roll_keep_for 3d
        }
    }
    # ACME account e-mail plus the Cloudflare DNS challenge (needs the
    # github.com/caddy-dns/cloudflare module). The API token is read from the
    # CLOUDFLARE_API_TOKEN environment variable instead of being written into this file.
    tls vinayak_k_g@yahoo.co.in {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    # DNS-over-HTTPS endpoint, forwarded to the local resolver
    reverse_proxy /dns-doh-query 127.0.0.1:53 {
        transport {
            protocols dns
        }
    }
    # Pi-hole web interface
    route /admin* {
        reverse_proxy 127.0.0.1:8080
    }
    # Everything else is rejected
    respond * 404
}

Building Caddy with L4 Module on Debian Linux

Prerequisites

  1. Update your system:

    sudo apt update && sudo apt upgrade -y
    
  2. Install required packages:

    sudo apt install -y curl git build-essential
    
  3. Install Go (if not already installed):

    sudo apt install -y golang
    

    Verify Go installation:

    go version
    

    If the version is older than 1.18, you may need to install a newer version manually:

    wget https://go.dev/dl/go1.20.5.linux-amd64.tar.gz
    sudo tar -C /usr/local -xzf go1.20.5.linux-amd64.tar.gz
    

    Add Go to your PATH by adding these lines to your ~/.bashrc file:

    # /usr/local/go/bin goes first so the manually installed Go wins over an older apt one
    export PATH=/usr/local/go/bin:$PATH
    export PATH=$PATH:$(go env GOPATH)/bin
    

    Then, reload your bash profile:

    source ~/.bashrc
    

Installing xcaddy

  1. Install xcaddy:
    go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
    

Building Caddy with L4 Module

  1. Build Caddy with the L4 module:

    # caddy-dns/cloudflare provides the "dns cloudflare" issuer used in the Caddyfile above
    xcaddy build --with github.com/mholt/caddy-l4 \
        --with github.com/caddy-dns/cloudflare
    
  2. Verify the build:

    ./caddy version
    

(Optional) Install Caddy System-Wide

  1. Move the Caddy binary to a system-wide location:

    sudo mv caddy /usr/local/bin/
    
  2. Set the appropriate permissions:

    sudo chown root:root /usr/local/bin/caddy
    sudo chmod 755 /usr/local/bin/caddy
    
  3. (Optional) If you want Caddy to bind to privileged ports (like 80 and 443):

    sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/caddy
    

Running Caddy

  1. Create a Caddyfile in your current directory or specify a path when running Caddy.

  2. Run Caddy:

    caddy run --config /path/to/your/Caddyfile
    

Remember to replace "/path/to/your/Caddyfile" with the actual path to your Caddy configuration file.

# Create an admin user that replaces the default login
# sudo adduser -m -d /home/pivg -s /bin/bash pivg
sudo adduser pivg
sudo passwd pivg
# Copy the current user's SSH keys to the new user
sudo cp -r ~/.ssh /home/pivg/
# ensure the directory is owned by the new user
sudo chown -R pivg:pivg /home/pivg/.ssh
# make sure only the new user has permissions
sudo chmod 700 /home/pivg/.ssh
sudo chmod 600 /home/pivg/.ssh/authorized_keys
sudo usermod -aG sudo pivg
# https://humanwhocodes.com/snippets/2021/03/create-user-linux-ssh-key/

# Automatically upgrade apt packages
sudo apt update && sudo apt upgrade -y
# Install unattended upgrades
sudo apt install unattended-upgrades -y
# Enable auto updates for unattended upgrades
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | sudo debconf-set-selections
# Prevent SSH brute force attacks by installing fail2ban
sudo apt install fail2ban -y

# Install firewall ufw
sudo apt install ufw -y
# Default policy: deny inbound, allow outbound (set before enabling so the
# ruleset is complete the moment the firewall comes up)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Rate limit SSH attempts (ufw blocks a source that opens 6+ connections in 30 s)
sudo ufw limit ssh/tcp
# Firewall rules
sudo ufw allow OpenSSH
# DNS on 53/tcp and 53/udp. ufw has no "dns" profile (the /etc/services name is
# "domain"); if Pi-hole is only reached over the VPN, restrict this to the VPN subnet instead
sudo ufw allow 53
sudo ufw allow http
sudo ufw allow https
# Enable ufw
sudo ufw enable

# cloudflared as a local DNS-over-HTTPS forwarder for Pi-hole
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo apt-get install ./cloudflared-linux-amd64.deb
# Foreground test run (Ctrl-C to stop); the systemd unit below runs it permanently
sudo cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query

# Pi-hole
curl -sSL https://install.pi-hole.net | sudo bash
# Set the admin password; without an argument the command prompts for it,
# so the password does not end up in the shell history
pihole -a -p
# Point Pi-hole's dnsmasq at the local cloudflared listener
sudo vim /etc/dnsmasq.d/01-pihole.conf
# --- add this line to 01-pihole.conf ---
server=127.0.0.1#54
# ---------------------------------------
# Free port 53 for Pi-hole
sudo systemctl stop systemd-resolved.service
sudo systemctl disable systemd-resolved.service

# Run cloudflared as a service
sudo vim /etc/systemd/system/dnsproxy.service
# --- contents of /etc/systemd/system/dnsproxy.service ---
[Unit]
Description=CloudFlare DNS over HTTPS Proxy
Wants=network-online.target
After=network.target network-online.target

[Service]
ExecStart=cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query
Restart=on-abort

[Install]
WantedBy=multi-user.target
# --------------------------------------------------------
sudo systemctl daemon-reload
sudo systemctl enable --now dnsproxy.service

# PiVPN
curl -L https://install.pivpn.io | bash
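To check the DoH side of this setup end to end (Caddy's `/dns-doh-query` route in front, and the same RFC 8484 protocol cloudflared speaks to 1.1.1.1 upstream), here is a small DNS-over-HTTPS client added to this page; it is not part of the gist. The endpoint URL in `doh_lookup` and `SAMPLE_RESPONSE` are constructed; only `doh_lookup` needs network access, the encoder and parser run offline.

```python
import base64
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query (1 = A, 28 = AAAA); txid 0 per RFC 8484 so the GET URL is cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                                  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0].rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                       # skip echoed question
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:                         # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers

def doh_lookup(endpoint: str, name: str):
    """Live GET query, e.g. doh_lookup("https://cdoh.example/dns-doh-query", "pi.hole")."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())
# Constructed sample (not a capture): NOERROR, www.example.com A -> 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A non-zero rcode from the live lookup (2 = SERVFAIL, 3 = NXDOMAIN) or an HTTP error tells you which hop failed before you start reading Caddy or cloudflared logs.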