This page (revision-50) was last changed on 24-Apr-2023 15:25 by Harry Metske

This page was created on 23-Apr-2022 17:05 by Harry Metske

Page revision history

Version  Date               Size   Author
50       24-Apr-2023 15:25  12 KB  Harry Metske
49       21-May-2022 08:40  11 KB  Harry Metske
48       23-Apr-2022 19:00  11 KB  Harry Metske
47       23-Apr-2022 18:56  10 KB  Harry Metske
46       23-Apr-2022 18:14  10 KB  Harry Metske
45       23-Apr-2022 17:48  10 KB  Harry Metske
44       23-Apr-2022 17:46  10 KB  Harry Metske
43       23-Apr-2022 17:06  10 KB  Harry Metske
42       23-Apr-2022 17:05   9 KB  Harry Metske
41       23-Apr-2022 17:05   9 KB  Harry Metske


Difference between version and

At line 5 removed 2 lines
[{TableOfContents}]
At line 9 changed one line
- apt install iotop apache2 docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot iptraf
- apt install iotop vim apache2 libapache2-mod-jk docker.io mariadb-server mariadb-client knockd golang
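Review bot: the two package lists disagree on certbot: the variant with vim and libapache2-mod-jk drops certbot, jq, tcpdump, sqlite3 and iptraf, yet the Letsencrypt section in this diff states that "The certbot command has already been installed" and both weekly renewal scripts depend on it. Whichever list is kept, make sure certbot is in it (or add a separate `apt install certbot` step) so the renewal sections do not fail silently.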
At line 11 changed one line
- a2enmod sslc
- a2enmod ssl
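Review bot: `a2enmod sslc` is not a valid module name; there is no Apache module called sslc, so the command exits with an error and TLS is never enabled. `a2enmod ssl` is the correct form, so keep that variant and confirm with `apache2ctl -M | grep ssl` that the module is actually loaded.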
At line 13 changed 2 lines
- /etc/dhcpcd.conf : static IP naar 192.168.2.19 (192.168.2.3 wil niet, kan router al niet pingen)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> de uptimerobot IPs zitten in eigen chain, zie verder
- /etc/dhcpcd.conf : static IP naar 192.168.2.99 (192.168.2.3 wil niet, kan router al niet pingen)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> werkt nog niet goed, de uptimerobot IPs komen niet
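Review bot: pointing a unit in /etc/systemd/system at a file under /home/pi means a user-writable file is executed as root on every boot to build the firewall; put the script and the unit in root-owned locations (for example /usr/local/sbin and /etc/systemd/system itself, owner root, mode 0755) so only root can change what the firewall loads. The two variants also disagree on the static address (192.168.2.19 versus 192.168.2.99) and on the state of the UPTIME-ROBOT chain (the Dutch remarks read "the uptimerobot IPs are in their own chain, see further" versus "does not work properly yet, the uptimerobot IPs do not come through"); the address chosen here must match the ServerIP given to the Pi-hole container and the netplan file later in this diff.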
At line 21 changed one line
- go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.19 piwigo_user piwigopswd .....
- go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.399 piwigo_user piwigopswd .....
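Review bot: 192.168.2.399 is not a valid IPv4 address (an octet cannot exceed 255), so the setup dialog will reject it; it is almost certainly a typo for 192.168.2.99, the address used elsewhere in this diff. The literal piwigopswd should likewise be treated as a placeholder and replaced with a real secret when the dialog is filled in.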
At line 24 changed 2 lines
- curl -sSL https://install.pi-hole.net | bash # ==> edit port80 to 81 in /etc/lighttpd/lighttpd.conf
- go to http://192.168.2.19:2080/admin/
- docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 2080:80 -p 2443:443 -e "IPv6=False" -e "TZ=Europe/Amsterdam" -e "ServerIP=192.168.2.99" -e "VIRTUAL_HOST=www.computerhok.nl:2080" -e "WEBPASSWORD=<see keepass>" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --restart=unless-stopped --cap-add=NET_ADMIN pihole/pihole:latest
- go to http://192.168.2.99:2080/admin/
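Review bot: the Pi-hole variants are inconsistent about the admin port: the first says to move lighttpd from port 80 to 81, but the admin URL that follows it uses :2080, which is the host port of the Docker variant, so one of the two URLs is wrong. `curl -sSL ... | bash` executes an unverified remote script as root; download the installer first and read it (or use the checked-out pi-hole repository from the 'Install Pihole' section further down) before running it. In the `docker run` line, WEBPASSWORD on the command line ends up in shell history and in `docker inspect` output, so pass it via `--env-file` from a root-only file instead, and note that `-p 53:53` publishes the resolver on every interface, so the host firewall has to limit port 53 to the LAN to avoid running an open resolver.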
At line 84 changed one line
see [Backup laptop and Pi]
For now I run the following script from my MacOS (and upload to stack after that).
At line 86 removed 4 lines
!! CA cert trust
For dhmb to trust computerhok-https...
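Review bot: this removal takes the "!! CA cert trust" heading and, by the look of the next hunk, the opening {{{ of its code block, while the closing }}} after the `dpkg-reconfigure ca-certificates` line survives; either keep the heading with its {{{ or remove the whole block including its }}} so the wiki markup stays balanced.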
At line 91 changed 59 lines
mkdir /usr/share/ca-certificates/local
vi computerhok-ca.crt. #. copy the contents in here
dpkg-reconfigure ca-certificates. # interactive, should show 1 new cert
}}}
!! Install more recent version of golang
{{{
cd /tmp
curl -LO https://golang.org/dl/go1.16.4.linux-armv6l.tar.gz
tar -xzf go1.16.4.linux-armv6l.tar.gz
mv go /usr/share/go-1.16.3
cd /usr/share
rm go
ln -s go-1.16.3 go
cd /usr/bin
rm go gofmt
ln -s /usr/share/go/bin/go go
ln -s /usr/share/go/bin/gofmt gofmt
}}}
!! Openssl generate signed server cert (or letsencrypt, see next chapter)
Create the file sslreq.conf:
{{{
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl
}}}
create ssl-exts.conf file:
{{{
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
}}}
next:
{{{
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf
# verify csr:
# openssl req -text -noout -verify -in www.computerhok.nl.csr
#!/bin/sh
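Review bot: the Go download and the install path do not match: go1.16.4.linux-armv6l.tar.gz is fetched and unpacked, but the result is moved to /usr/share/go-1.16.3 and symlinked as go-1.16.3, so the directory name misrepresents what is installed; use one version string in all four places. The tarball is also placed on the PATH as root without a checksum check (compare `sha256sum` output with the hash published on the Go download page), and the /usr/bin/go and gofmt symlinks overwrite files owned by the golang apt package installed in the first step, so the next package upgrade will silently revert them. In the CA-trust lines, the trailing periods in `vi computerhok-ca.crt.` and `dpkg-reconfigure ca-certificates.` create a wrongly named file and make the reconfigure fail if pasted as-is, and the vi command does not say that the file must be written into /usr/share/ca-certificates/local. Finally, the keyUsage in sslreq.conf (keyEncipherment, dataEncipherment, without digitalSignature) never reaches the certificate, because the signing command in the next hunk takes its extensions from ssl-exts.conf, so the v3_req section is dead configuration.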
At line 151 changed 3 lines
openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile sslreq.conf -extensions v3_ca -extfile ssl-exts.conf -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365
# verify crt:
# openssl x509 -in www.computerhok.nl.crt -noout -text
#
ssh pi@apollo sudo tar cf - /appl/piwigo/config/www/gallery/galleries > /Users/metskem/Downloads/backup-apollo-fotos.tar
ssh pi@apollo sudo tar czf - --exclude=/var/jspwiki/logs --exclude=/usr/local/tomcat/logs --exclude=/usr/local/tomcat/work --exclude=/usr/local/tomcat/temp /home/pi /etc /var/jspwiki > /Users/metskem/Downloads/backup-apollo-rest.tar
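Review bot: the `openssl x509` line passes `-extfile` twice (sslreq.conf, then ssl-exts.conf); only the last one takes effect, so sslreq.conf is ignored here and the first `-extfile sslreq.conf` should be dropped. The `-extensions v3_ca` section it selects carries `basicConstraints = CA:FALSE`, which is right for a server certificate but a misleading section name; something like v3_server would say what it does. The two `ssh ... sudo tar` backup lines archive /etc, which holds the CA private key (/etc/apache2/computerhok-ssl/ca.key) and, per the Letsencrypt section, the Let's Encrypt private key, and the text above says the result is uploaded to stack afterwards: encrypt the archive (for example `gpg -c` or age) before it leaves the machine. Also, `tar czf` writes gzip data into a file named .tar, which will confuse whoever restores it later.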
At line 155 removed 233 lines
Put these files into /etc/apache2/computerhok-ssl, and make sure to append the ca.cert to the server.cert
!! Letsencrypt
The certbot command has already been installed. \\
First prepare:
Have the following in ''/etc/apache2/sites-enabled/005-www.computerhok.nl.conf''
{{{
<VirtualHost *:80>
ServerName www.computerhok.nl
ProxyPass /wiki http://localhost:8080/wiki
ProxyPassReverse /wiki http://localhost:8080/wiki
RewriteEngine On
Alias /.well-known/acme-challenge/ "/var/www/.well-known/acme-challenge/"
RewriteRule "^/.well-known/acme-challenge/" - [L]
<Directory "/var/www/.well-known/acme-challenge/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
CustomLog ${APACHE_LOG_DIR}/access.log combined env=!monitorrequest
LogFormat "%h %l %t %D \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
</VirtualHost>
}}}
Then create a directory named ''/var/www/.well-known/acme-challenge/'' .
Then do a dry-run:
{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --dry-run
}}}
If this succeeds, we can do the real one, put this one in /etc/cron.weekly/certbot:
{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --pre-hook 'iptables -I INPUT 3 -p tcp --match multiport --dports 80,443 -j ACCEPT' --post-hook '/home/ubuntu/iptables-setup.sh && systemctl restart apache2'
}}}
Then edit {{/etc/apache2/sites-enabled/005-www.computerhok.nl.conf}} and adjust the {{SSLCertificateKeyFile}} and the {{SSLCertificateFile}} to the right location at \\{{/etc/letsencrypt/live/www.computerhok.nl/privkey.pem}} and \\{{/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem}}
Then restart apache with {{systemctl restart apache2}}, and do not forget to close down the firewall again with {{/home/pi/iptables-setup.sh}}, check the results with {{iptables -vnL}}
The --keep-until-expiring will make sure the cert(s) will only be renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file {{/etc/cron.weekly/letsencrypt}}:
{{{
iptables -F
sleep 1
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
/home/ubuntu/iptables-setup.sh
apachectl restart
}}}
!! Prometheus install
{{{
cd /tmp/
curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-arm64.tar.gz -O
tar -xzf prometheus-2.25.2.linux-arm64.tar.gz
mv prometheus-2.25.2.linux-arm64 /usr/local
cd /usr/local
ln -s prometheus-2.25.2.linux-arm64 prometheus
cd prometheus
mkdir data
chown -R pi: /usr/local/prometheus
}}}
Create service file {{/etc/systemd/system/prometheus.service}}:
{{{
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/prometheus/prometheus/prometheus \
--config.file=/usr/local/prometheus/prometheus.yml \
--storage.tsdb.path=/usr/local/prometheus/data \
--storage.tsdb.retention.time=720d
[Install]
WantedBy=multi-user.target
}}}
{{systemctl enable prometheus && systemctl start prometheus}}
!! Install node exporter
{{{
cd /tmp/
curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-arm64.tar.gz -O
tar -xzf node_exporter-1.1.2.linux-arm64.tar.gz
mv node_exporter-1.1.2.linux-arm64 /usr/local
cd /usr/local
ln -s node_exporter-1.1.2.linux-arm64 node-exporter
}}}
Create service file {{/etc/systemd/system/node-exporter.service}}:
{{{
[Unit]
Description=Prometheus Node Exporter
Documentation=https://prometheus.io/docs/guides/node-exporter/
After=network-online.target
[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/node-exporter/node_exporter
[Install]
WantedBy=multi-user.target
}}}
!! Install prometheus pushgateway
See [instructions here|https://sysadmins.co.za/install-pushgateway-to-expose-metrics-to-prometheus/].\\
{{{
curl -sLO https://github.com/prometheus/pushgateway/releases/download/v1.4.2/pushgateway-1.4.2.linux-arm64.tar.gz
tar -xf pushgateway-1.4.2.linux-arm64.tar.gz
cp pushgateway-1.4.2.linux-arm64/pushgateway /usr/local/bin/
# install unit file:
cat > /etc/systemd/system/pushgateway.service << EOF
[Unit]
Description=Pushgateway
Wants=network-online.target
After=network-online.target
[Service]
User=pushgateway
Group=pushgateway
Type=simple
ExecStart=/usr/local/bin/pushgateway \
--web.listen-address=":9091" \
--web.telemetry-path="/metrics" \
--persistence.file="/tmp/metric.store" \
--persistence.interval=5m \
--log.level="info" \
--log.format="logfmt"
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start pushgateway
}}}
Add this to /usr/local/prometheus/prometheus.yml:
{{{
- job_name: 'pushgateway'
honor_labels: true
static_configs:
- targets: [['localhost:9091']
}}}
Testing pushgateway:
{{{
echo -e "# TYPE temperature gauge\n# HELP temperature The temperature in Celsius\ntemperature 5.9" | curl --data-binary @- http://localhost:9091/metrics/job/openweather
}}}
And checkout [http://www.computerhok.nl:9091]
!! Install Grafana
{{{
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
apt-get update && apt-get install -y grafana
}}}
And go to [http://www.computerhok.nl:3000]
!! Install Pihole
{{{
git clone https://github.com/pi-hole/pi-hole.git
cd pi-hole/automated\ install
export PIHOLE_SKIP_OS_CHECK=true # 22.04 was officially not yet supported, but it just works
./basic-install.sh
}}}
Change /etc/lighttpd/lighttpd.conf : port to 81 # conflict with apache httpd \\
Set password with {{pihole -a -p}}
!! Set static IP for Ubuntu 22.04:
Create file {{{/etc/netplan/01-network-manager-all.yaml}}} :
{{{
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
ethernets:
eth0:
dhcp4: false
addresses: [192.168.2.19/24]
gateway4: 192.168.2.254
nameservers:
addresses: [8.8.8.8,8.8.4.4,192.168.2.254]
version: 2
}}}
!! Remove large apt packages (only for desktop pi-os, not for server install)
{{{
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n
}}}
Search at the bottom which can be uninstalled, and then (sample):
{{{
sudo apt-get remove --auto-remove --purge wolfram-engine libgl1-mesa-dri guile-2.2-libs vlc-l10n realvnc-vnc-server mesa-vdpau-drivers
}}}
!! Uptime Robot own iptables chain
Because uptimerobot has quite a list of IPs where it can come from, we want it in a separate chain:
{{{
iptables -N UPTIME-ROBOT
for H in $(curl -s https://uptimerobot.com/inc/files/ips/IPv4.txt | sed 's/\r$//'); do
/sbin/iptables -A UPTIME-ROBOT -s "${H}"/32 -j ACCEPT
done
iptables -I INPUT -j UPTIME-ROBOT
}}}
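Review bot: `- targets: [['localhost:9091']` is malformed YAML (two opening brackets, one closing), so Prometheus rejects the whole configuration at startup; it should read `- targets: ['localhost:9091']`, and `promtool check config /usr/local/prometheus/prometheus.yml` catches this before a restart. The weekly renewal script in /etc/cron.weekly/letsencrypt opens with `iptables -F`, which flushes every rule; since the webroot challenge must then reach port 80, this only works when the INPUT policy is ACCEPT, which means every port on the host is open for the whole certbot run, and nothing restores the rules if the script is interrupted. The other variant already does this properly with `--pre-hook` inserting a single rule for ports 80,443 and `--post-hook` re-applying the ruleset; keep that one and drop the flush-based script, also because the text names two different weekly cron files (/etc/cron.weekly/certbot and /etc/cron.weekly/letsencrypt) and two different paths for the firewall script (/home/ubuntu/iptables-setup.sh and /home/pi/iptables-setup.sh). Finally, the UPTIME-ROBOT chain accepts every protocol and port from each listed address (`-j ACCEPT` without `-p tcp -m multiport --dports 80,443`), `iptables -N UPTIME-ROBOT` fails on a second run because the chain already exists, and `iptables -I INPUT -j UPTIME-ROBOT` adds a duplicate jump each time; make the script idempotent with `iptables -N UPTIME-ROBOT 2>/dev/null; iptables -F UPTIME-ROBOT` before repopulating, restrict the ACCEPT to the monitored ports, and add the jump only when `iptables -C INPUT -j UPTIME-ROBOT` reports it is missing.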