!!! Raspberry Pi setup
Bought a Raspberry Pi 4 model B with 2 GB memory.
[{TableOfContents}]
{{{
- on GUI disable wifi, and set boot to cli
- apt install iotop vim apache2 libapache2-mod-jk docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot iptraf
- a2enmod proxy_http
- a2enmod ssl
- a2enmod rewrite
- /etc/dhcpcd.conf : static IP to 192.168.2.19 (192.168.2.3 does not work, the router cannot even be pinged then)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> does not work properly yet, the uptimerobot IPs do not get through
- echo "syntax on" > ~/.vimrc
- mysql:
create user 'piwigo_user'@'%' identified by "piwigopswd";
create database piwigo;
grant all privileges on piwigo.* to piwigo_user@'%';
- vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0
- go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.19 piwigo_user piwigopswd .....
- copy all restored album folders to /appl/piwigo/config/www/gallery/galleries
- do the "Tools => Database synchronization with files" on the UI
- docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 2080:80 -p 2443:443 -e "IPv6=False" -e "TZ=Europe/Amsterdam" -e "ServerIP=192.168.2.99" -e "VIRTUAL_HOST=www.computerhok.nl:2080" -e "WEBPASSWORD=<see keepass>" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --restart=unless-stopped --cap-add=NET_ADMIN pihole/pihole:latest
- go to http://192.168.2.19:2080/admin/
- tweak the /etc/knockd.conf
- systemctl disable avahi-daemon.service
- systemctl disable avahi-daemon.sock
- remove wpa-supplicant and wireless-tools from /etc/networking
- systemctl disable wpa_supplicant
}}}
!! knockd fails on startup
It fails because eth0 is not yet up when knockd starts. The boot ordering is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225
Add 3 lines at the end of {{/lib/systemd/system/knockd.service}}; the complete unit then looks like this:
{{{
[Unit]
Description=Port-Knock Daemon
After=network-online.target
Documentation=man:knockd(1)
[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target
Alias=knockd.service
}}}
And install the service as indicated by the above link:
{{{
systemctl disable knockd.service
systemctl enable knockd.service
}}}
The network-wait-online service unit:
{{{
[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target
[Service]
Type=oneshot
ExecStart= \
/bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s
[Install]
WantedBy=network-online.target
}}}
!! Backup
For now I run the following script from my macOS machine (and upload to STACK after that).
{{{
#!/bin/sh
# backup-apollo: pull the photo gallery and the rest of the configuration over ssh
# photo gallery (plain tar, uploaded separately):
ssh pi@apollo sudo tar cf - /appl/piwigo/config/www/gallery/galleries > /Users/metskem/Downloads/backup-apollo-fotos.tar
# everything else: home dir, /etc, wiki and tomcat (without logs, work and temp dirs):
ssh pi@apollo sudo tar czf - --exclude=/var/jspwiki/logs --exclude=/usr/local/tomcat/logs --exclude=/usr/local/tomcat/work --exclude=/usr/local/tomcat/temp /home/pi /etc /var/jspwiki /usr/local > /Users/metskem/Downloads/backup-apollo-rest.tar
# encrypt (symmetric, passphrase read from stdin):
echo "get gpg key from bitwarden" | gpg --passphrase-fd 0 --batch -co /Users/metskem/Downloads/backup-apollo-rest.tar.gpg /Users/metskem/Downloads/backup-apollo-rest.tar
# upload to STACK:
sftp metskem@metskem@metskem.stackstorage.com <<< $'put /Users/metskem/Downloads/backup-apollo-rest.tar.gpg'
}}}
Then manually upload this backup file to [https://metskem.stackstorage.com/]
!! CA cert trust
For dhmb to trust the computerhok HTTPS certificate:
{{{
mkdir /usr/share/ca-certificates/local
vi /usr/share/ca-certificates/local/computerhok-ca.crt   # paste the CA certificate (PEM) in here
dpkg-reconfigure ca-certificates                          # interactive, should show 1 new cert
}}}
!! Install more recent version of golang
{{{
cd /tmp
curl -LO https://golang.org/dl/go1.16.4.linux-armv6l.tar.gz
tar -xzf go1.16.4.linux-armv6l.tar.gz
# keep the versioned tree next to the distro one and switch the symlinks to it
mv go /usr/share/go-1.16.4
cd /usr/share
rm -f go
ln -s go-1.16.4 go
cd /usr/bin
rm -f go gofmt
ln -s /usr/share/go/bin/go go
ln -s /usr/share/go/bin/gofmt gofmt
}}}
!! Openssl generate signed server cert (or letsencrypt, see next chapter)
Create the file sslreq.conf:
{{{
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl
}}}
Create the file ssl-exts.conf:
{{{
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
}}}
Then generate the key and CSR, and sign the CSR with the CA:
{{{
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf
# verify csr:
# openssl req -text -noout -verify -in www.computerhok.nl.csr
#
# only one -extfile is honoured (and CSR extensions are not copied), so SAN and keyUsage come from ssl-exts.conf:
openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile ssl-exts.conf -extensions v3_ca -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365
# verify crt:
# openssl x509 -in www.computerhok.nl.crt -noout -text
}}}
Put these files into {{/etc/apache2/computerhok-ssl}}, and make sure to append {{ca.cert}} to the server cert ({{www.computerhok.nl.crt}}) so Apache serves the full chain.
!! Letsencrypt
The certbot command has already been installed. \\
First prepare:
{{{
certbot --apache -d www.computerhok.nl
}}}
Then open up the firewall, because Let's Encrypt connects inbound to verify the challenge: {{iptables -F}}
Then do a dry-run:
{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --dry-run
}}}
If this succeeds, we can do the real one:
{{{
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
}}}
Then edit {{/etc/apache2/sites-enabled/005-www.computerhok.nl.conf}} and adjust the {{SSLCertificateKeyFile}} and the {{SSLCertificateFile}} to the right location at \\{{/etc/letsencrypt/live/www.computerhok.nl/privkey.pem}} and \\{{/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem}}
Then restart apache with {{systemctl restart apache2}}, and do not forget to close down the firewall again with {{/home/pi/iptables-setup.sh}}, check the results with {{iptables -vnL}}
{{--keep-until-expiring}} makes sure the cert(s) are only renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file {{/etc/cron.weekly/letsencrypt}}:
{{{
#!/bin/sh
# open the firewall so Let's Encrypt can reach the webroot challenge
iptables -F
sleep 1
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
# restore the firewall rules and reload apache with the (possibly new) cert
/home/pi/iptables-setup.sh
apachectl restart
}}}
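The weekly script flushes every firewall rule for the duration of the renewal. Below is an added example (my own, not part of the original notes) of the same renewal that instead inserts a single temporary ACCEPT rule for TCP/80, which is all the HTTP-01 webroot challenge needs, and removes it again on every exit path. It assumes the firewall is the iptables INPUT chain, that {{/home/pi/iptables-setup.sh}} has set a policy or final rule that drops everything else, and that the {{iptables}} comment match module is available (standard on Raspberry Pi OS); the {{IPTABLES}}, {{CERTBOT}} and {{APACHECTL}} variables and the {{renew}} argument are my own additions for dry runs.

```sh
#!/bin/sh
# Added example, not part of the original notes: renew the Let's Encrypt
# certificate while opening only TCP/80 for the HTTP-01 challenge, instead of
# flushing the whole firewall with "iptables -F" as the cron script does.
# Assumptions (mine): the firewall lives in the iptables INPUT chain, a policy
# or final rule drops what is not allowed, and the certbot command line is the
# one from the notes.
set -eu

IPTABLES="${IPTABLES:-iptables}"     # set to "echo" for a dry run
CERTBOT="${CERTBOT:-certbot}"
APACHECTL="${APACHECTL:-apachectl}"
DOMAIN="${DOMAIN:-www.computerhok.nl}"
# Exact rule specification; the comment makes it easy to spot in "iptables -vnL".
ACME_RULE='INPUT -p tcp --dport 80 -m comment --comment acme-http01 -j ACCEPT'

# Insert the rule at the top of INPUT so it matches before any DROP rule.
open_acme_port() {
    # word splitting of $ACME_RULE is intended
    $IPTABLES -I $ACME_RULE
}

# Delete exactly that rule again (-D needs the identical specification).
close_acme_port() {
    $IPTABLES -D $ACME_RULE
}

# Exit status 0 when the temporary rule is currently present.
acme_port_open() {
    $IPTABLES -C $ACME_RULE 2>/dev/null
}

renew_cert() {
    open_acme_port
    # Close the hole again whether certbot succeeds, fails or is interrupted.
    trap close_acme_port EXIT
    "$CERTBOT" --text --agree-tos --non-interactive certonly \
        --rsa-key-size 4096 -a webroot --cert-name "$DOMAIN" \
        --webroot-path /var/www/ -d "$DOMAIN" --keep-until-expiring \
        --email harry.metske@gmail.com
    # Graceful reload instead of a restart: open connections are not dropped.
    "$APACHECTL" graceful
}

# Only act when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "renew" ]; then
    renew_cert
fi
```

Dropped into {{/etc/cron.weekly/letsencrypt}} the last block would read {{renew_cert}} unconditionally; the dry run {{IPTABLES=echo CERTBOT=: APACHECTL=: sh letsencrypt renew}} prints the two iptables commands that would run. After a real run, {{iptables -vnL INPUT | grep acme-http01}} should print nothing, which is the check that the temporary hole was closed.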
!! Prometheus install
{{{
cd /tmp/
curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-armv7.tar.gz -O
tar -xzf prometheus-2.25.2.linux-armv7.tar.gz
mv prometheus-2.25.2.linux-armv7 /usr/local
cd /usr/local
ln -s prometheus-2.25.2.linux-armv7 prometheus
cd prometheus
mkdir data
chown -R pi: /usr/local/prometheus
}}}
Create service file {{/etc/systemd/system/prometheus.service}}:
{{{
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/prometheus/prometheus \
--config.file=/usr/local/prometheus/prometheus.yml \
--storage.tsdb.path=/usr/local/prometheus/data \
--storage.tsdb.retention.time=720d
[Install]
WantedBy=multi-user.target
}}}
{{systemctl enable prometheus && systemctl start prometheus}}
!! Install node exporter
{{{
cd /tmp/
curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-armv7.tar.gz -O
tar -xzf node_exporter-1.1.2.linux-armv7.tar.gz
mv node_exporter-1.1.2.linux-armv7 /usr/local
cd /usr/local
ln -s node_exporter-1.1.2.linux-armv7 node-exporter
}}}
Create service file {{/etc/systemd/system/node-exporter.service}}:
{{{
[Unit]
Description=Prometheus Node Exporter
Documentation=https://prometheus.io/docs/guides/node-exporter/
After=network-online.target
[Service]
User=pi
Restart=on-failure
ExecStart=/usr/local/node-exporter/node_exporter
[Install]
WantedBy=multi-user.target
}}}
!! Install Grafana
{{{
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
apt-get update && apt-get install -y grafana
systemctl enable grafana-server
systemctl start grafana-server
}}}
And go to [http://www.computerhok.nl:3000]
!! Remove large apt packages
{{{
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n
}}}
Look at the bottom of the list for packages that can be uninstalled, and then (for example):
{{{
sudo apt-get remove --auto-remove --purge wolfram-engine libgl1-mesa-dri guile-2.2-libs vlc-l10n realvnc-vnc-server mesa-vdpau-drivers
}}}