Pi hole on Unifi Cloud Key Gen 1

Backups

[[cbf32d23aa63462d834f58aa881051da.gz]]

Installation

This installation is based on these instructions.

Update Cloudkey Firmware and reset to factory defaults:

  • Download the latest Cloudkey V1 firmware
  • Activate Recovery Mode and go to firmware update, choose the .bin file you just downloaded. If the update is done you have to reboot.
  • Once the reboot is done once again put the Cloudkey in Recovery Mode. Now do a “reset to factory defaults”, reboot once again. Wait for 2 minutes and manually power reset the Cloudkey.

Uninstalling the UniFi Controller:

  • First we need to know the local IP address of the Cloudkey. Open a terminal/cmd on any device and run the command arp -a. The output lists the local IP addresses of the devices on your network; look for the MAC address that starts with "f0-9f-c2". That's your Cloudkey, and its local IP address is shown before the MAC address. Make an SSH connection to the Cloudkey (ssh ubnt@ip_address). The username and password are ubnt & ubnt.
  • Now that we have an SSH connection we need to uninstall the UniFi controller. You can do this with the following command: sudo dpkg -P unifi

Now let's remove the sources.list entries, which mainly point at some old repos and UniFi repos. SSH into your Cloudkey and run the following commands:

sudo rm /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/nodejs.list
sudo rm /etc/apt/sources.list.d/security.list
sudo rm /etc/apt/sources.list.d/ubnt-unifi.list

In the steps above we removed the original sources.list file, so now we need to create a new one. Run vi /etc/apt/sources.list, enter the following text and save the file.

deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main contrib non-free

deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free

deb http://deb.debian.org/debian buster-updates main contrib non-free
deb-src http://deb.debian.org/debian buster-updates main contrib non-free

Now let's create another file vi /etc/apt/sources.list.d/nodesource.list, enter the following text and save the file.

deb https://deb.nodesource.com/node_14.x stretch main

Run the following commands:

sudo apt-get update

sudo apt-get clean && sudo apt-get clean all && sudo apt-get autoclean && sudo apt-get update

Update Debian OS:

We first need to update to the newer Debian Buster 10.x; at this moment the Cloudkey is running Debian Jessie 8.x. Run the command sudo apt install ca-certificates before running the Debian update command. Now run the command sudo apt-get update && sudo apt-get upgrade. During the upgrade you may be asked what to do with the unattended-upgrades configuration file; choose ‘Keep the local version currently installed’. You can run hostnamectl to see whether the Debian Buster update was installed successfully.

Run the following commands to delete "files" we no longer use:

rm /etc/apt/apt.conf.d/50unattended-upgrades.ucf-dist
sudo apt-get remove freeradius
sudo apt-get purge freeradius

Update NodeJS 6.x to 14.x:

sudo apt update
sudo apt install nodejs

To test whether you have successfully installed NodeJS 14.x and NPM 6.x, run these commands:

npm -v
node -v

Install Pi-hole

  • Update all packages: sudo apt-get upgrade and sudo reboot
  • Add php5 repo:
sudo apt-get update
sudo apt-get install -y apt-transport-https curl
curl https://packages.sury.org/php/apt.gpg | sudo apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php5.list
sudo apt-get update
  • Install Pi-hole using curl -sSL https://install.pi-hole.net | bash and take note of the admin password presented at the end of the installation.
  • Just follow the install screens but be sure to change your NIC to eth0, default is set to ethp0 but that’s not correct for the CK.
  • Run the command sudo service nginx stop. This step is important because lighttpd will not run while nginx is using the same port 80.
  • To start lighttpd run systemctl start lighttpd, and check with systemctl status lighttpd that the service is running successfully.
  • Note: if lighttpd is still not running you have to change the default port. For some reason when I wrote this manual I got it working without this extra step, but now after a reboot Pi-hole began to use the apache2 server instead of lighttpd. So if the lighttpd status is running you don't need this extra step; otherwise use vim /etc/lighttpd/lighttpd.conf, change server.port from 80 to 8989 (or whatever port is not in use) and save.
  • We need to fix another port conflict, systemd-resolved is using port 53 but FTL will also be using the same port...
  • Run sudo systemctl stop systemd-resolved
  • Use the command sudo vi /etc/systemd/resolved.conf to edit the resolved.conf file. Replace the text inside with the following:
    [Resolve]
    DNS=1.1.1.1
    DNSStubListener=no
  • Restart FTL with systemctl restart pihole-FTL and check that the service status for FTL is running.
  • Use pihole -r and choose the repair option; I had an error using the gravity database and this fixed it.
  • One last step is to set a Pi-hole WebUI password: run the command pihole -a -p and type your password twice.

One last thing: we are going to mask both the systemd-resolved and nginx services. This prevents the services from starting again on ports 80 and 53, which would result in Pi-hole not running. Use the command systemctl mask systemd-resolved nginx to mask both services. If you ever want to run these services again, use the same command with unmask instead of mask. (Thx to /u/ztendies666 for the tip!)
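
To confirm that the two port conflicts described above are resolved, this added example (not part of the original notes) parses ss -ltunp output and reports which process holds ports 53 and 80. The function names and the sample ss lines are constructed for illustration; on the Cloudkey, pipe in live output instead, e.g. sudo ss -ltunp | check_port 53 pihole-FTL.

```sh
#!/bin/sh
# Added example: which process holds the ports Pi-hole needs (53 and 80)?
# Reads `ss -ltunp` output on stdin (run ss as root to see process names).

# Constructed sample: stock services still hold the ports.
SAMPLE_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0 0   127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=312,fd=12))
tcp   LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=312,fd=13))
tcp   LISTEN 0 128 0.0.0.0:80       0.0.0.0:* users:(("nginx",pid=401,fd=6),("nginx",pid=400,fd=6))
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=500,fd=3))'

# Constructed sample: after systemd-resolved and nginx were stopped and masked.
SAMPLE_AFTER='udp   UNCONN 0 0    0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=900,fd=4))
tcp   LISTEN 0 32   0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=900,fd=5))
tcp   LISTEN 0 32   [::]:53    [::]:*    users:(("pihole-FTL",pid=900,fd=7))
tcp   LISTEN 0 1024 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=950,fd=4))'

# port_owners PORT: print the unique process names listening on PORT.
port_owners() {
    awk -v port="$1" '
        {
            # Field 5 is Local Address:Port; the port follows the last colon.
            n = split($5, part, ":")
            if (part[n] != port) next
            # Process column looks like users:(("name",pid=1,fd=3)).
            if (match($0, /\(\("[^"]+"/))
                seen[substr($0, RSTART + 3, RLENGTH - 4)] = 1
        }
        END { for (name in seen) print name }
    ' | sort
}

# check_port PORT WANTED: succeed only if WANTED is the sole listener on PORT.
check_port() {
    owners=$(port_owners "$1" | tr '\n' ' ')
    owners=${owners% }
    if [ "$owners" = "$2" ]; then
        echo "ok: port $1 is held by $2"
    else
        echo "conflict: port $1 is held by '${owners:-nothing}', expected $2"
        return 1
    fi
}

printf '%s\n' "$SAMPLE_BEFORE" | check_port 53 pihole-FTL || true
printf '%s\n' "$SAMPLE_AFTER" | check_port 53 pihole-FTL
printf '%s\n' "$SAMPLE_AFTER" | check_port 80 lighttpd
```

If you moved lighttpd to another port as described in the note above, pass that port to check_port instead of 80. Running the check again after a reboot shows whether the masked services stayed off.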

That’s it, you now have Pi-hole running on your UniFi CK.

Change SSH Access

Reset password: connect through ssh and set a new password: passwd. See 1Password: Unifi CloudKey Pi-hole

Now enable key based ssh access: on your host, run

ssh-copy-id -i ~/.ssh/patschifigpro_rsa ubnt@pi.hole

Accessing Pi-hole

Go to http://pi.hole/admin.

See 1Password for login: Pi-hole Web UI

Updating Pi-hole

pihole -up

Unifi USG Setup

  • Put Pi-hole on your network at some static IP.
  • In Pi-hole, under Settings -> DNS, turn on Conditional Forwarding with the IP of your router set to the USG's IP, and Local domain name set to your local domain name.
  • Let the USG continue to do DHCP as before, but set DHCP Name Server to the Pi-hole IP for the first and the Unifi USG for the second server (as a back-up when pi-hole is unavailable) under Settings -> Networks -> default network -> DHCP -> DHCP DNS Server.
  • In USG, under Settings -> Networks -> default network -> DHCP -> DHCP Server, be sure Register client hostname from DHCP requests in USG DNS forwarder is On (only visible in the old Unifi UI)
  • I left the WAN interface using 1.1.1.1 and 1.0.0.1 because I want the USG itself to get DNS from something upstream.

CloudKey Reset

Emergency Recovery Mode

Resetting a Device to Factory Defaults