Install Gravity Sync

Keep in mind that the following IP addresses were used for the setup:

I already had one pihole instance running on 10.0.0.80. I just had to shut this down to test my new HA-configured pihole.

To keep the configuration of both piholes in sync, we can install gravity-sync. I faced permission issues when I ran this as root. Make sure you have PermitRootLogin yes set in the /etc/ssh/sshd_config file. Then only execute below installation script.

curl -sSL https://raw.githubusercontent.com/vmstan/gs-install/main/gs-install.sh | bash

The installation procedure is straightforward. Just input the required information and wait for it to complete. You can then conduct a quick test of pulling or pushing configuration.

Create a new domain in pihole1 and ensure it’s not reflected on pihole2.

You can then execute gravity-sync compare to see if there is any configuration mismatch.

Then you can execute gravity-sync pull from the pihole2 and check if the delta configuration is reflected.

Automate

Execute gravity-sync auto on both pihole instances.

By default pihole should sync after 5 mins. For my setup I will set it hourly.

gravity-sync auto hour

Install keepalived

I found this tutorial on reddit link here shared by Panja0 on how to make use of keepalived by monitoring the pihole-FTL service with a simple bash script. I wanted to try and do it from scratch to add to my knowledge but I have decided to park this for now and test out this tutorial. For those interested, the keepalived documentation can be found here.

Install libipset13 and keepalived.

yum install -y libipset13 keepalived

Create a new scripts directory in /etc.

mkdir /etc/scripts

Create a new file and copy-paste the content from https://pastebin.com/npw6tcuk.

Add permision to execute the file:

chmod u+x /etc/scripts/chk_ftl

You need to edit keepalived.conf on both pihole instances. This file is located in /etc/keepalived/. The config files can be downloaded in the following links: keealived.conf for master keealived.conf for master

Modify the following fields according to your IP configuration. The auth_pass field is a password that should be match between both configuration files. unicast_src_ip unicast_peer auth_pass virtual_ipaddress

Restart the keepalived service and now the IP should be assigned to your primary pihole!

sudo systemctl restart keepalived

You should now be able to see DNS queries coming in.

Testing for auto fail-over

Shutdown the other pihole. Now pihole2b started accepting traffic

Let’s see if it will preempt. Poweron other pihole and check the keepalived. You can also check 10.0.0.80/admin (virtual ip) and see if it’s routed to the primary .

Proxmox already supports LXC containers by default and in this case, running Pihole on LXC provides some advantage in terms of flexibility and ease of configuration. This is especially for those who have less experience working with docker but only with Linux in general. I will share one good use case for this later on but for now let’s start setting up Pihole on Proxmox.

The hardware requirements according to the pihole documentation: Minimum of 2GB disk (4GB recommended) 512MB RAM

First you need to download an LXC template. I like using debian as the base image since it’s very lightweight and it’s where Ubuntu is based from. If you don’t have it yet, you can download it by going to Datacenter > pve > storage > CT templates > Templates and search for Debian 11 Bullseye.

Click on Create CT and input a container ID, hostname, and the root password. Check Unprivileged container and nesting (optional). Note that nesting is not really required but in my case the proxmox terminal will keep on printing permission errors if I leave this unchecked.

Select debian as the template.

For disk, I assigned 6GB. For RAM, double the recommended, since I have enough.

Assign a static IP to the container. Gateway should also be defined.

For DNS I will assign my unbound IP which is the same as my OPNsense gateway IP. (Unbound is a DNS caching tool built-into OPNsense). This will basically be my upstream DNS for my Pihole. If you don’t have Unbound running then you can input any public DNS like Google (8.8.8.8, 8.8.4.4) or Cloudflare (1.1.1.1).

Confirm

Enable start on boot flag.

Login as root

Update and upgrade

apt-get update -y && apt-get upgrade -y

Install curl:

apt-get install curl -y

Install Pihole:

curl -sSL https://install.pi-hole.net | bash

Install custom upstream and point to unbound IP

Install the default blacklist.

Install admin interface and lighthttpd.

Query logging or any other option is fine.

Reset the pihole password.

sudo pihole -a -p

Now go to your container IP and append /admin (e.g. http://10.0.0.88/admin)

If you are running it on proxmox like me you’d probably get the same error as in the snap below. You can ignore this especially if you have multi-core host. If you want to be sure you can check your CPU utilization with the top command.

After changing your DNS to pihole, check with nslookup if your device is able to send and receive to and from the Pihole IP.