I didn't notice that this was still open, I can confirm the HTTPS method works as expected from VyOS 1.1.8 and later.

Interestingly, disabling particular modules works fine in 1.1.8 regardless of whether NAT or firewall policies were in place.

It seems that in RC3 no conntrack settings work at all, causing the configuration loading to fail. For instance,

I'll try to repro on RC3 and update the ticket from there. Thanks!

Changed description, as this is also present in RC2.

In T901#21575, @EwaldvanGeffen wrote:

Do you experience this now? How many rules / what hardware may I ask?

Awesome. :) Let me know if you ever need an extra pair of hands on the infrastructure front.

If you can at least get a strong hash sum of the ISO from the master, that should be sufficient regardless of where the binary is downloaded from. Of course, if the master is compromised, all bets are off.

This begs the question about the mirror mechanism. My mirror supports TLS, but most don't.

Sorry for the unsolicited feedback, but... BUT... ;-) Honestly, I think the way the Pi-Hole stack is put together does not lend itself well to a firmware-like platform like VyOS. In fact, personally I can't even suggest it for anything more than home use. Frankly, it's a bit cludgy on the back-end. Further, it increases the potential attack surface of your router, which is in general bad security practice. IMO the best course, even if by some twist of fate Pi-Hole WAS integrated into VyOS, would be to run Pi-Hole as a separate service. DNS is one of those things that's easy to run alongside routers; there's no compelling reason I can think of to run it ON the router. Buy a $35 Pi, run a tiny VM on existing hardware, etc. and serve that DNS server to DHCP clients via VyOS. That's my $0.02, adjusted for inflation.

Web proxies are relatively complex by nature and offer an attractive attack surface. I don't like having such software on routers at all, even if they are properly maintained. Better to relegate this functionality to a system which is external to the router.