nebula-sync Invalidating sessions resets the webui password #44

Open
libreelecc2 opened this issue Feb 27, 2025 · 12 comments

Comments

@libreelecc2

I have been having issues syncing two pi holes both primary and replica versions:

```
pihole -v
Core version is v6.0.1 (Latest: v6.0.4)
Web version is v6.0 (Latest: v6.0.1)
FTL version is v6.0 (Latest: v6.0.2)
```

Primary is in a VM, replica is a proxmox LXC

The nebula-sync container logs:

```
2025-02-27T22:19:58+11:00 INF Starting nebula-sync v0.3.0
2025-02-27T22:19:58+11:00 INF Running full sync replicas=1
2025-02-27T22:19:58+11:00 INF Authenticating clients...
2025-02-27T22:19:58+11:00 INF Syncing Teleporters...
2025-02-27T22:19:58+11:00 INF Invalidating sessions...
2025-02-27T22:19:58+11:00 INF Sync complete
```

After this I get the error below and am unable to log in to the web UI on the replica Pi-hole.

```
FTL Sync failed error="sync teleporters: http://192.168.10.20/api/teleporter: unexpected status code: 400"
```

I use the command `sudo pihole setpassword` to set the password again and it works until the next sync.

@libreelecc2
Author

I updated both to the latest versions but the same occurs.

@PhilThurston

PhilThurston commented Feb 28, 2025

From my own tests manually doing it via the interface, in v6 the teleporter (Full sync) function of Pihole not only moves all of your settings and changes but also your password. This means that it will copy your password from the primary to the replicas. This is just how Pihole teleporter works now and isn't something this project could control.
We made a workaround by setting the password via `FTLCONF_webserver_api_password` in each of our Pihole instances; this way teleporter can't overwrite it.

Edit: btw I could be wrong, I just know our issues stopped once we did the above workaround.

@libreelecc2
Author

Yes, I think you are right. I will use the same on both - thanks!

@kohai-ut

kohai-ut commented Mar 1, 2025

> From my own tests manually doing it via the interface, in v6 the teleporter (Full sync) function of Pihole not only moves all of your settings and changes but also your password. This means that it will copy your password from the primary to the replicas. This is just how Pihole teleporter works now and isn't something this project could control. We made a workaround by setting the password via `FTLCONF_webserver_api_password` in each of our Pihole instances; this way teleporter can't overwrite it.
>
> Edit: btw I could be wrong, I just know our issues stopped once we did the above workaround.

On another thread, I posted this same issue. The primary overwrites the secondary's api password and then the script doesn't work and it isn't obvious why. The pihole 6 ui does not allow a person to manually set the api password so they match.

@janusloo

janusloo commented Mar 2, 2025

Hi, I face this same issue too. My 1st instance is running on a Pi 4 and 2nd on Synology as container. I set the password for the 2nd instance docker with the `FTLCONF_webserver_api_password` environment variable and made it the same as my 1st Pihole instance. I am still getting the error:

```
nebula-sync | 2025-03-02T12:05:23+01:00 FTL Sync failed error="sync configs: All attempts fail:\n#1: https://xxx:9443/api/config: unexpected status code: 400\n#2: https://xxx:9443/api/config: unexpected status code: 400\n#3: https://xxx:9443/api/config: unexpected status code: 400"
```

It is complaining about the 2nd Pihole instance running on docker. Anything I can do on my end to fix this?

I am running the latest version 6 of Pihole:

```
pihole -v
Core version is v6.0.4 (Latest: v6.0.4)
Web version is v6.0.1 (Latest: v6.0.1)
FTL version is v6.0.3 (Latest: v6.0.3)
```

Edited: I found the culprit on my end: I was using `FTLCONF_misc_check_load` on the 2nd PiHole instance and it caused an issue with the sync. After removing this environment variable, everything gets synced successfully now. Thank you for this great tool! ;-)

@scarez

scarez commented Mar 2, 2025

As a note if you chose the Manual Sync option and enter all available options in his documentation it will not sync the web server / api settings, which will prevent it from messing with your passwords and other web server / api settings.

I assume the Full Sync option is something provided by the Teleporter API, and its intent may be different than what most folks want. For me I only really want to sync DNS, Adlists, Clients, etc. I don't want web server or API settings to be sync'd.

@smegoff

smegoff commented Mar 2, 2025

Just came here to see if this was a me thing.

I have the same issue here where the primary API password overwrites the Replicas API password - which in itself is not the end of the world, however it goes against having unique API passwords for security :-)

@kohai-ut

kohai-ut commented Mar 2, 2025

> As a note if you chose the Manual Sync option and enter all available options in his documentation it will not sync the web server / api settings, which will prevent it from messing with your passwords and other web server / api settings.
>
> I assume the Full Sync option is something provided by the Teleporter API, and its intent may be different than what most folks want. For me I only really want to sync DNS, Adlists, Clients, etc. I don't want web server or API settings to be sync'd.

Good clarification. It looks like the documentation mentions a manual sync which really means a selective sync. I assumed a manual sync meant I had to run it manually rather than cron.

@BBT-nZ

BBT-nZ commented Mar 3, 2025

@janusloo came here for the same. So, what variable do I need to declare on both Pi instances and the value? Any help is appreciated.

@janusloo

janusloo commented Mar 3, 2025

Hi @BBT-nZ, are both Pihole instances running on docker? And are you using full sync or partial sync? As long as you do not specify any environment variables for the components that you want to sync you should be okay. The configurations set by the environment variable are read-only.

I found the culprit in the pihole log so you can take a look there and see what causes the sync to fail.

@kohai-ut

kohai-ut commented Mar 3, 2025

The doc example yml uses FULL_SYNC=true which is likely not the right solution for most people. I'm now trying the following (I have an rpi and a synology as my two pi-hole setups).


```yaml
services:
  nebula-sync:
    container_name: nebula-sync
    image: ghcr.io/lovelaze/nebula-sync:latest
    restart: unless-stopped
    environment:
      - PRIMARY=http://192.168.1.249:8008|PASSWORDHERE
      - REPLICAS=http://192.168.1.247:8080|PASSWORDHERE
      - CRON=0 * * * *
      - TZ=America/Denver
      # Selective sync: only the SYNC_* groups enabled below are copied
      - FULL_SYNC=false
      - SYNC_CONFIG_DNS=true
      - SYNC_CONFIG_RESOLVER=true
      - SYNC_CONFIG_DATABASE=true
      - SYNC_GRAVITY_GROUP=true
      - SYNC_GRAVITY_AD_LIST=true
      - SYNC_GRAVITY_AD_LIST_BY_GROUP=true
      - SYNC_GRAVITY_DOMAIN_LIST=true
      - SYNC_GRAVITY_DOMAIN_LIST_BY_GROUP=true
```

@scarez

scarez commented Mar 3, 2025

Here is my compose.yaml for my nebula-sync container. I run Pihole on two Raspberry Pi 4's. The below does not sync or change the website or API passwords.

```yaml
services:
  nebula-sync:
    image: ghcr.io/lovelaze/nebula-sync:latest
    container_name: nebula-sync
    environment:
      - PRIMARY=http://ph1.example.com|password
      - REPLICAS=http://ph2.example.com|password
      # Selective sync: only the SYNC_* groups enabled below are copied
      - FULL_SYNC=false
      - SYNC_CONFIG_DNS=true
      - SYNC_CONFIG_DHCP=true
      - SYNC_CONFIG_NTP=true
      - SYNC_CONFIG_RESOLVER=true
      - SYNC_CONFIG_DATABASE=true
      - SYNC_CONFIG_MISC=true
      - SYNC_CONFIG_DEBUG=true
      - SYNC_GRAVITY_DHCP_LEASES=true
      - SYNC_GRAVITY_GROUP=true
      - SYNC_GRAVITY_AD_LIST=true
      - SYNC_GRAVITY_AD_LIST_BY_GROUP=true
      - SYNC_GRAVITY_DOMAIN_LIST=true
      - SYNC_GRAVITY_DOMAIN_LIST_BY_GROUP=true
      - SYNC_GRAVITY_CLIENT=true
      - SYNC_GRAVITY_CLIENT_BY_GROUP=true
      - CRON=*/2 * * * *
networks: {}
```
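
The two failure modes reported in this thread (Full Sync carrying the primary's password onto replicas, and a synced section colliding with a setting the replica pins through an `FTLCONF_` environment variable) can be checked before the container starts. The following is an added example, not code from nebula-sync or from any commenter; the `FTLCONF_<section>_` to `SYNC_CONFIG_<SECTION>` mapping, the comma-separated `REPLICAS` list, and all sample values are assumptions.

```python
# Added example, not nebula-sync code. Sections are the SYNC_CONFIG_* suffixes from this thread.
CONFIG_SECTIONS = ["DNS", "DHCP", "NTP", "RESOLVER", "DATABASE", "MISC", "DEBUG"]

def parse_env(lines):
    """Turn compose-style 'KEY=value' entries into a dict."""
    return dict(line.split("=", 1) for line in lines if "=" in line)

def is_true(env, key):
    return env.get(key, "false").strip().lower() == "true"

def check(sync_env, replica_env):
    """Return findings for one replica, given its Pi-hole container env."""
    findings = []
    if is_true(sync_env, "FULL_SYNC"):
        # Reported in the thread: Teleporter carries the password across
        # unless the replica pins it through its own environment.
        if "FTLCONF_webserver_api_password" not in replica_env:
            findings.append("FULL_SYNC=true will replace this replica's "
                            "web/API password with the primary's")
    else:
        for section in CONFIG_SECTIONS:
            if not is_true(sync_env, f"SYNC_CONFIG_{section}"):
                continue
            # Assumption: FTLCONF_<section>_* belongs to SYNC_CONFIG_<SECTION>.
            prefix = f"ftlconf_{section.lower()}_"
            for key in sorted(replica_env):
                if key.lower().startswith(prefix):
                    findings.append(f"SYNC_CONFIG_{section}=true but {key} "
                                    "is env-set (read-only) on the replica")
    # Endpoints are written as 'url|password'; flag password reuse.
    primary_pw = sync_env.get("PRIMARY", "").partition("|")[2]
    for replica in sync_env.get("REPLICAS", "").split(","):
        url, _, pw = replica.partition("|")
        if primary_pw and pw == primary_pw:
            findings.append(f"{url} shares the primary's API password")
    return findings

# Constructed sample: selective sync; the replica pins one misc setting.
SYNC_ENV = parse_env([
    "PRIMARY=http://ph1.example.com|pw-one",
    "REPLICAS=http://ph2.example.com|pw-one",
    "FULL_SYNC=false", "SYNC_CONFIG_DNS=true", "SYNC_CONFIG_MISC=true",
])
REPLICA_ENV = parse_env(["FTLCONF_misc_check_load=false"])

if __name__ == "__main__":
    for finding in check(SYNC_ENV, REPLICA_ENV):
        print("WARN:", finding)
```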
