Version: 50 \\
Date Modified: 24-Apr-2023 15:25 \\
Author: Harry Metske
!!! Raspberry Pi setup

Bought a Raspberry Pi 4 model B with 2 GB memory.

[{TableOfContents}]

{{{
- on GUI disable wifi, and set boot to cli
- apt install iotop apache2 docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot iptraf
- a2enmod proxy_http
- a2enmod ssl
- a2enmod rewrite
- /etc/dhcpcd.conf : static IP to 192.168.2.19 (192.168.2.3 does not work, cannot even ping the router)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> the uptimerobot IPs are in their own chain, see further on
- echo "syntax on" > ~/.vimrc
- mysql: create user 'piwigo_user'@'%' identified by "piwigopswd"; create database piwigo; grant all privileges on piwigo.* to piwigo_user@'%';
- vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0
- go to www.computerhok.nl:8081 ==> setup dialog: 192.168.2.19 piwigo_user piwigopswd .....
- copy all restored album folders to /appl/piwigo/config/www/gallery/galleries
- do the "Tools => Database synchronization with files" on the UI
- curl -sSL https://install.pi-hole.net | bash   # ==> edit port 80 to 81 in /etc/lighttpd/lighttpd.conf
- go to http://192.168.2.19:2080/admin/
- tweak the /etc/knockd.conf
- systemctl disable avahi-daemon.service
- systemctl disable avahi-daemon.sock
- remove wpa-supplicant and wireless-tools from /etc/networking
- systemctl disable wpa_supplicant
}}}

!! knockd fails on startup

It fails because eth0 is not yet up.
Boot sequence is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225

Add 3 lines at the end of /lib/systemd/system/knockd.service:

{{{
[Unit]
Description=Port-Knock Daemon
After=network-online.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service
}}}

And install the service as indicated by the above link. \\
systemctl disable knockd.service \\
systemctl enable knockd.service

network-wait-online service:

{{{
[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target

[Service]
Type=oneshot
ExecStart= \
/bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s

[Install]
WantedBy=network-online.target
}}}

!! Backup

see [Backup laptop and Pi]

!! CA cert trust

For dhmb to trust computerhok-https...

{{{
mkdir /usr/share/ca-certificates/local
vi /usr/share/ca-certificates/local/computerhok-ca.crt   # copy the contents in here
dpkg-reconfigure ca-certificates                         # interactive, should show 1 new cert
}}}

!! Install more recent version of golang

{{{
cd /tmp
curl -LO https://golang.org/dl/go1.16.4.linux-armv6l.tar.gz
tar -xzf go1.16.4.linux-armv6l.tar.gz
mv go /usr/share/go-1.16.4
cd /usr/share
rm go
ln -s go-1.16.4 go
cd /usr/bin
rm go gofmt
ln -s /usr/share/go/bin/go go
ln -s /usr/share/go/bin/gofmt gofmt
}}}

!! Openssl generate signed server cert (or letsencrypt, see next chapter)

Create the file sslreq.conf:

{{{
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl
}}}

Create the ssl-exts.conf file:

{{{
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
}}}

Next:

{{{
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf
# verify csr:
# openssl req -text -noout -verify -in www.computerhok.nl.csr

# sign with the v3_ca extensions from ssl-exts.conf (openssl honours only one -extfile)
openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile ssl-exts.conf -extensions v3_ca -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365
# verify crt:
# openssl x509 -in www.computerhok.nl.crt -noout -text
}}}

Put these files into /etc/apache2/computerhok-ssl, and make sure to append the ca.cert to the server.cert.

!! Letsencrypt

The certbot command has already been installed.
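The "verify crt" step above is a manual text dump. The following added example (not from this page) runs the same CSR and signing flow in a scratch directory against a throw-away CA and then checks the result with {{openssl verify}}: the cert chains to the CA, the SAN covers both hostnames, and the leaf is not a CA cert. The throw-away CA subject and the scratch directory are assumptions; the config files and hostnames are the page's.

```shell
#!/bin/sh
# Added example: reproduce the page's CSR/signing steps against a throw-away
# CA (stand-in for /etc/apache2/computerhok-ssl/ca.{cert,key}, subject is an
# assumption), then verify chain, hostnames and basicConstraints.
issue_and_verify() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > sslreq.conf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl
EOF
    cat > ssl-exts.conf <<'EOF'
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
EOF
    # throw-away CA key and self-signed CA cert
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -days 365 \
        -subj '/O=computerhok/CN=computerhok-CA' -keyout ca.key -out ca.cert 2>/dev/null || exit 1
    openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -config sslreq.conf \
        -keyout www.computerhok.nl.key -out www.computerhok.nl.csr 2>/dev/null || exit 1
    # a single -extfile: signing extensions come from ssl-exts.conf only
    openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile ssl-exts.conf -extensions v3_ca \
        -CA ca.cert -CAkey ca.key -CAcreateserial -days 365 -out www.computerhok.nl.crt 2>/dev/null || exit 1
    cat www.computerhok.nl.crt ca.cert > server.cert   # the page's "append ca.cert to server.cert"
    # full chain verification plus SAN match, for both names the SAN lists
    for h in www.computerhok.nl computerhok.nl; do
        openssl verify -CAfile ca.cert -verify_hostname "$h" www.computerhok.nl.crt >/dev/null 2>&1 || exit 2
    done
    # the leaf must not be usable as a CA
    openssl x509 -in www.computerhok.nl.crt -noout -text | grep -q 'CA:FALSE' || exit 3
)
```

Call it as {{issue_and_verify /tmp/certtest}}; a non-zero exit tells you which check failed before anything is copied into /etc/apache2/computerhok-ssl.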

First prepare: have the following in ''/etc/apache2/sites-enabled/005-www.computerhok.nl.conf'':

{{{
<VirtualHost *:80>
    ServerName www.computerhok.nl
    ProxyPass /wiki http://localhost:8080/wiki
    ProxyPassReverse /wiki http://localhost:8080/wiki
    RewriteEngine On
    Alias /.well-known/acme-challenge/ "/var/www/.well-known/acme-challenge/"
    RewriteRule "^/.well-known/acme-challenge/" - [L]
    <Directory "/var/www/.well-known/acme-challenge/">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog ${APACHE_LOG_DIR}/access.log combined env=!monitorrequest
    LogFormat "%h %l %t %D \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
</VirtualHost>
}}}

Then create a directory named ''/var/www/.well-known/acme-challenge/''. Then do a dry-run:

{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --dry-run
}}}

If this succeeds, we can do the real one; put this one in /etc/cron.weekly/certbot:

{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --pre-hook 'iptables -I INPUT 3 -p tcp --match multiport --dports 80,443 -j ACCEPT' --post-hook '/home/ubuntu/iptables-setup.sh && systemctl restart apache2'
}}}

Then edit {{/etc/apache2/sites-enabled/005-www.computerhok.nl.conf}} and adjust the {{SSLCertificateKeyFile}} and the {{SSLCertificateFile}} to the right location at \\
{{/etc/letsencrypt/live/www.computerhok.nl/privkey.pem}} and \\
{{/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem}}

Then restart apache with {{systemctl restart apache2}}, and do not forget to close down the firewall again with {{/home/pi/iptables-setup.sh}}; check the results with {{iptables -vnL}}.

The {{--keep-until-expiring}} option makes sure the cert(s) will only be renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file {{/etc/cron.weekly/letsencrypt}}:

{{{
iptables -F
sleep 1
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
/home/ubuntu/iptables-setup.sh
apachectl restart
}}}

!! Prometheus install

{{{
cd /tmp/
curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-arm64.tar.gz -O
tar -xzf prometheus-2.25.2.linux-arm64.tar.gz
mv prometheus-2.25.2.linux-arm64 /usr/local
cd /usr/local
ln -s prometheus-2.25.2.linux-arm64 prometheus
cd prometheus
mkdir data
chown -R pi: /usr/local/prometheus
}}}

Create service file {{/etc/systemd/system/prometheus.service}} (the binary lives directly in the symlinked directory created above):

{{{
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target

[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/prometheus/prometheus \
  --config.file=/usr/local/prometheus/prometheus.yml \
  --storage.tsdb.path=/usr/local/prometheus/data \
  --storage.tsdb.retention.time=720d

[Install]
WantedBy=multi-user.target
}}}

{{systemctl enable prometheus && systemctl start prometheus}}

!! Install node exporter

{{{
cd /tmp/
curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-arm64.tar.gz -O
tar -xzf node_exporter-1.1.2.linux-arm64.tar.gz
mv node_exporter-1.1.2.linux-arm64 /usr/local
cd /usr/local
ln -s node_exporter-1.1.2.linux-arm64 node-exporter
}}}

Create service file {{/etc/systemd/system/node-exporter.service}}:

{{{
[Unit]
Description=Prometheus Node Exporter
Documentation=https://prometheus.io/docs/guides/node-exporter/
After=network-online.target

[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/node-exporter/node_exporter

[Install]
WantedBy=multi-user.target
}}}

!! Install prometheus pushgateway

See [instructions here|https://sysadmins.co.za/install-pushgateway-to-expose-metrics-to-prometheus/]. The unit below runs as the {{pushgateway}} user, which has to exist before the service starts.\\

{{{
curl -sLO https://github.com/prometheus/pushgateway/releases/download/v1.4.2/pushgateway-1.4.2.linux-arm64.tar.gz
tar -xf pushgateway-1.4.2.linux-arm64.tar.gz
cp pushgateway-1.4.2.linux-arm64/pushgateway /usr/local/bin/

# install unit file:
cat > /etc/systemd/system/pushgateway.service << EOF
[Unit]
Description=Pushgateway
Wants=network-online.target
After=network-online.target

[Service]
User=pushgateway
Group=pushgateway
Type=simple
ExecStart=/usr/local/bin/pushgateway \
  --web.listen-address=":9091" \
  --web.telemetry-path="/metrics" \
  --persistence.file="/tmp/metric.store" \
  --persistence.interval=5m \
  --log.level="info" \
  --log.format="logfmt"

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start pushgateway
}}}

Add this to /usr/local/prometheus/prometheus.yml:

{{{
  - job_name: 'pushgateway'
    honor_labels: true
    static_configs:
      - targets: ['localhost:9091']
}}}

Testing pushgateway:

{{{
echo -e "# TYPE temperature gauge\n# HELP temperature The temperature in Celsius\ntemperature 5.9" | curl --data-binary @- http://localhost:9091/metrics/job/openweather
}}}

And check out [http://www.computerhok.nl:9091]

!! Install Grafana

{{{
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
apt-get update && apt-get install -y grafana
}}}

And go to [http://www.computerhok.nl:3000]

!! Install Pihole

{{{
git clone https://github.com/pi-hole/pi-hole.git
cd pi-hole/automated\ install
export PIHOLE_SKIP_OS_CHECK=true   # 22.04 was officially not yet supported, but it just works
./basic-install.sh
}}}

Change /etc/lighttpd/lighttpd.conf: port to 81 (conflict with apache httpd) \\
Set password with {{pihole -a -p}}

!! Set static IP for Ubuntu 22.04

Create file {{/etc/netplan/01-network-manager-all.yaml}}:

{{{
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  ethernets:
    eth0:
      dhcp4: false
      addresses: [192.168.2.19/24]
      gateway4: 192.168.2.254
      nameservers:
        addresses: [8.8.8.8,8.8.4.4,192.168.2.254]
  version: 2
}}}

!! Remove large apt packages (only for desktop pi-os, not for server install)

{{{
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n
}}}

Search at the bottom for packages that can be uninstalled, and then (sample):

{{{
sudo apt-get remove --auto-remove --purge wolfram-engine libgl1-mesa-dri guile-2.2-libs vlc-l10n realvnc-vnc-server mesa-vdpau-drivers
}}}

!! Uptime Robot own iptables chain

Because uptimerobot has quite a list of IPs where it can come from, we want it in a separate chain:

{{{
iptables -N UPTIME-ROBOT
for H in $(curl -s https://uptimerobot.com/inc/files/ips/IPv4.txt | sed 's/\r$//'); do
    /sbin/iptables -A UPTIME-ROBOT -s "${H}"/32 -j ACCEPT
done
iptables -I INPUT -j UPTIME-ROBOT
}}}
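The weekly script in the Letsencrypt chapter above runs {{iptables -F}}, which drops every rule until iptables-setup.sh runs again, and nothing re-applies the rules if certbot hangs or the job is killed. This added example (not from this page) opens only TCP 80/443 for the renewal and uses an EXIT trap so the temporary rule is removed and the page's firewall script re-run on every path out; the command variables are assumptions so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: renewal wrapper with a guaranteed firewall restore.
# The defaults mirror the page; override them (IPTABLES=: CERTBOT=true ...)
# to dry-run the control flow on a machine without iptables or certbot.
: "${IPTABLES:=/sbin/iptables}"
: "${CERTBOT:=certbot}"
: "${FIREWALL_SETUP:=/home/pi/iptables-setup.sh}"
: "${ACME_EMAIL:=harry.metske@gmail.com}"

# Remove the temporary ACME rule (ignore "no such rule") and rebuild the
# firewall from the page's setup script.
close_acme_window() {
    "$IPTABLES" -D INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT 2>/dev/null
    "$FIREWALL_SETUP"
}

# Body is a subshell so the EXIT trap fires when the function ends for any
# reason: certbot success, certbot failure, or SIGINT/SIGTERM. The function's
# exit status is certbot's.
renew_with_firewall_window() (
    domain=$1
    trap close_acme_window EXIT
    trap 'exit 1' INT TERM
    "$IPTABLES" -I INPUT 1 -p tcp -m multiport --dports 80,443 -j ACCEPT || exit 1
    "$CERTBOT" --text --agree-tos --non-interactive certonly --rsa-key-size 4096 \
        -a webroot --webroot-path /var/www/ --cert-name "$domain" -d "$domain" \
        --keep-until-expiring --email "$ACME_EMAIL" \
        --post-hook 'systemctl restart apache2'
)

# usage (from /etc/cron.weekly): renew.sh www.computerhok.nl
if [ "$#" -eq 1 ]; then
    renew_with_firewall_window "$1"
fi
```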
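The loop above hands every line of a downloaded file to iptables and appends to the chain on each run. This added example (not from this page) builds the same UPTIME-ROBOT chain but validates each line as an IPv4 address first, refuses to touch the firewall when the download yields nothing usable, and loads the chain through {{iptables-restore --noflush}} so re-running it replaces the chain instead of growing it; the list URL is the page's, the function names are mine.

```shell
#!/bin/sh
# Added example: validated, idempotent rebuild of the UPTIME-ROBOT chain.
UPTIMEROBOT_URL='https://uptimerobot.com/inc/files/ips/IPv4.txt'

# True if $1 is a dotted quad with every octet in 0..255 and nothing else.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Reads the IP list on stdin (CRLF tolerated) and prints an iptables-restore
# fragment that replaces only the UPTIME-ROBOT chain; other lines are skipped.
build_uptimerobot_rules() {
    cr=$(printf '\r')
    printf '*filter\n:UPTIME-ROBOT - [0:0]\n'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        if is_ipv4 "$line"; then
            printf '%s\n' "-A UPTIME-ROBOT -s $line/32 -j ACCEPT"
        fi
    done
    printf 'COMMIT\n'
}

# Downloads the list, keeps the existing chain if no valid address came back,
# otherwise loads the new chain and makes sure INPUT jumps to it exactly once.
apply_uptimerobot_chain() {
    rules=$(curl -fsS "$UPTIMEROBOT_URL" | build_uptimerobot_rules)
    case $rules in
        *'-A UPTIME-ROBOT'*) ;;
        *) echo 'no valid addresses in list, chain left unchanged' >&2; return 1 ;;
    esac
    printf '%s\n' "$rules" | iptables-restore --noflush || return 1
    iptables -C INPUT -j UPTIME-ROBOT 2>/dev/null || iptables -I INPUT -j UPTIME-ROBOT
}

# With a file argument only print the fragment built from it (no root needed).
if [ "$#" -eq 1 ]; then build_uptimerobot_rules < "$1"; fi
```

As root, call {{apply_uptimerobot_chain}} from the same place the page's loop runs.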