Locking down gravity-sync user
Had a bit of a painful time when trying to get gravity-sync push working. Ended up with the following in a sudoers file:
Replace "gravity-sync" with the user you're using for the sync.
Create the file /etc/sudoers.d/gravity-sync (be careful when doing this; you can break sudo if you're not careful).
```
gravity-sync ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/gravity-sync, \
/usr/bin/touch, \
/usr/bin/pihole-FTL, \
/usr/bin/ssh, \
/usr/bin/rsync, \
/usr/bin/touch /etc/dnsmasq.d/05-pihole-custom-cname.conf, \
/usr/bin/chown, \
/usr/bin/chmod 664 /etc/pihole/gravity.db, \
/usr/bin/cp /etc/pihole/custom.list /etc/pihole/custom.list.gsb, \
/usr/bin/chmod 644 /etc/pihole/custom.list, \
/usr/bin/cp /etc/dnsmasq.d/05-pihole-custom-cname.conf /etc/pihole/05-pihole-custom-cname.conf.gsb, \
/usr/bin/chmod 644 /etc/dnsmasq.d/05-pihole-custom-cname.conf, \
/usr/bin/bash /usr/local/bin/pihole restartdns reload-lists, \
/usr/bin/bash /usr/local/bin/pihole restartdns
```
Would prefer to not be giving full chown permission, but not sure if there's a way around that. Everything I was reading pointed towards needing an external script to lock it down any further. It doesn't like specifying the pihole:pihole in the sudoers file.
Just for context: two Pi-hole containers on a Proxmox box. Set up a fresh user, "gravity-sync".
Anyway, hopefully it helps someone.
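As an added example (not the original post's file and not code from the gravity-sync project), the following POSIX shell script generates a tighter version of the fragment above, pinning the chown and touch entries to the exact files the post names, syntax-checks it with `visudo -c` in a temporary file, and only then installs it. The reason a bare `pihole:pihole` is rejected is that `:` (along with `,`, `=` and `\`) must be backslash-escaped inside sudoers command arguments, so the entry is written `pihole\:pihole`. Paths, the `pihole:pihole` ownership and the command set are taken from the post; that the sync needs no other chown or touch invocations is an assumption to confirm against the sync logs, and `ssh`, `rsync` and `pihole-FTL` are left unpinned exactly as the post has them.

```shell
#!/bin/sh
# Added example, not the original post's sudoers file or the gravity-sync project's code.
# Generates a sudoers fragment for the sync account with chown and touch pinned to the
# exact files named in the post, checks it with visudo, and installs it only if it parses.
# Assumptions: standard Pi-hole paths and pihole:pihole ownership as in the post; that no
# other chown/touch invocations are needed should be confirmed from the sync logs.

SYNC_USER="${SYNC_USER:-gravity-sync}"

# Emit the fragment for the given account. In sudoers command arguments the characters
# ':' ',' '=' and '\' must be escaped with a backslash, so the owner:group argument is
# written pihole\:pihole; a bare pihole:pihole is a syntax error under visudo -c.
# ssh, rsync and pihole-FTL stay unrestricted as in the post; an unpinned rsync run as
# root can read or write any file, so they are the next entries to pin once the exact
# invocations are known.
gravity_sync_sudoers() {
    user="$1"
    cat <<EOF
# Commands $user may run as root without a password, pinned to exact arguments.
$user ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/gravity-sync, \\
    /usr/bin/touch /etc/dnsmasq.d/05-pihole-custom-cname.conf, \\
    /usr/bin/chown pihole\\:pihole /etc/pihole/gravity.db, \\
    /usr/bin/chmod 664 /etc/pihole/gravity.db, \\
    /usr/bin/cp /etc/pihole/custom.list /etc/pihole/custom.list.gsb, \\
    /usr/bin/chmod 644 /etc/pihole/custom.list, \\
    /usr/bin/cp /etc/dnsmasq.d/05-pihole-custom-cname.conf /etc/pihole/05-pihole-custom-cname.conf.gsb, \\
    /usr/bin/chmod 644 /etc/dnsmasq.d/05-pihole-custom-cname.conf, \\
    /usr/bin/bash /usr/local/bin/pihole restartdns reload-lists, \\
    /usr/bin/bash /usr/local/bin/pihole restartdns, \\
    /usr/bin/pihole-FTL, /usr/bin/ssh, /usr/bin/rsync
EOF
}

# Syntax-check the generated fragment with visudo against a temp file, never in place,
# so a typo cannot leave the live sudo configuration unparseable.
check_fragment() {
    tmp=$(mktemp) || return 1
    gravity_sync_sudoers "$1" > "$tmp"
    visudo -c -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Install only after the check passes. Files in /etc/sudoers.d must be root-owned and
# mode 0440, and sudo skips file names that contain '.' or end in '~'.
install_fragment() {
    check_fragment "$1" || return 1
    tmp=$(mktemp) || return 1
    gravity_sync_sudoers "$1" > "$tmp"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: ./gravity-sync-sudoers.sh            (print the fragment)
#        ./gravity-sync-sudoers.sh --check    (visudo syntax check only)
#        sudo ./gravity-sync-sudoers.sh --install
case "${1:-}" in
    --check)   check_fragment "$SYNC_USER" ;;
    --install) install_fragment "$SYNC_USER" ;;
    *)         gravity_sync_sudoers "$SYNC_USER" ;;
esac
```

After installing, `sudo -l -U gravity-sync` lists exactly what the account may run, which is the quickest way to confirm that no bare `/usr/bin/chown` or `/usr/bin/touch` entry survived from an earlier attempt.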