Raspberry Pi setup

Raspberry Pi setup#

Bought a Raspberry Pi 4 model B with 2 GB memory.

Table of Contents

- on GUI disable wifi, and set boot to cli
- apt install iotop apache2 docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot iptraf
- a2enmod proxy_http
- a2enmod sslc
- a2enmod rewrite
- /etc/dhcpcd.conf :  static IP naar 192.168.2.19 (192.168.2.3 wil niet, kan router al niet pingen)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> de uptimerobot IPs zitten in eigen chain, zie verder
- echo "syntax on" > ~/.vimrc
- mysql:
	create user 'piwigo_user'@'%' identified by "piwigopswd";
	create database piwigo;
	grant all privileges on piwigo.* to piwigo_user@'%';
- vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0
- go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.19 piwigo_user piwigopswd .....
- copy all restored album folders to /appl/piwigo/config/www/gallery/galleries
- do the "Tools => Database synchronization with files" on the UI
- curl -sSL https://install.pi-hole.net | bash  # ==> edit port80 to 81 in /etc/lighttpd/lighttpd.conf
- go to http://192.168.2.19:2080/admin/
- tweak the /etc/knockd.conf
- systemctl disable avahi-daemon.service
- systemctl disable avahi-daemon.sock
- remove wpa-supplicant and wireless-tools from /etc/networking
- systemctl disable wpa_supplicant

knockd fails on startup#

It fails because eth0 is not yet up. Boot sequence is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225

Add 3 lines at the end of /lib/systemd/system/knockd.service: 

[Unit]
Description=Port-Knock Daemon
After=network-online.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

And install the service as indicated by the above link.
systemctl disable knockd.service
systemctl enable knockd.service

network-wait-online-service: 

[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target

[Service]
Type=oneshot
ExecStart= \
    /bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s

[Install]
WantedBy=network-online.target

Backup#

see Backup laptop and Pi

CA cert trust#

For dhmb to trust computerhok-https... 

mkdir /usr/share/ca-certificates/local
vi computerhok-ca.crt.  #. copy the contents in here
dpkg-reconfigure ca-certificates.  # interactive, should show 1 new cert

Install more recent version of golang#

cd /tmp
curl -LO https://golang.org/dl/go1.16.4.linux-armv6l.tar.gz
tar -xzf go1.16.4.linux-armv6l.tar.gz
mv go /usr/share/go-1.16.3
cd /usr/share
rm go
ln -s go-1.16.3 go
cd /usr/bin
rm go gofmt
ln -s /usr/share/go/bin/go go
ln -s /usr/share/go/bin/gofmt gofmt

Openssl generate signed server cert (or letsencrypt, see next chapter)#

Create the file sslreq.conf: 

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl

create ssl-exts.conf file: 

[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl

next: 

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf
# verify csr:
# openssl req -text -noout -verify -in www.computerhok.nl.csr
#
openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile sslreq.conf -extensions v3_ca -extfile ssl-exts.conf -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365
# verify crt:
# openssl x509 -in www.computerhok.nl.crt -noout -text
Put these files into /etc/apache2/computerhok-ssl, and make sure to append the ca.cert to the server.cert

Letsencrypt#

The certbot command has already been installed.
First prepare: Have the following in /etc/apache2/sites-enabled/005-www.computerhok.nl.conf 

<VirtualHost *:80>
  ServerName www.computerhok.nl
  ProxyPass /wiki http://localhost:8080/wiki
  ProxyPassReverse /wiki http://localhost:8080/wiki
  RewriteEngine On
    Alias /.well-known/acme-challenge/ "/var/www/.well-known/acme-challenge/"
    RewriteRule "^/.well-known/acme-challenge/" - [L]
    <Directory "/var/www/.well-known/acme-challenge/">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
  CustomLog ${APACHE_LOG_DIR}/access.log combined env=!monitorrequest
  LogFormat "%h %l %t %D \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
</VirtualHost>

Then create a directory named /var/www/.well-known/acme-challenge/ .

Then do a dry-run: 

certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl'  --keep-until-expiring --email harry.metske@gmail.com --dry-run

If this succeeds, we can do the real one, put this one in /etc/cron.weekly/certbot: 

certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl'  --keep-until-expiring --email harry.metske@gmail.com --pre-hook 'iptables -I INPUT 3 -p tcp  --match multiport --dports 80,443 -j ACCEPT' --post-hook '/home/ubuntu/iptables-setup.sh && systemctl restart apache2'

Then edit /etc/apache2/sites-enabled/005-www.computerhok.nl.conf and adjust the SSLCertificateKeyFile and the SSLCertificateFile to the right location at
/etc/letsencrypt/live/www.computerhok.nl/privkey.pem and
/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem

Then restart apache with systemctl restart apache2, and do not forget to close down the firewall again with /home/pi/iptables-setup.sh, check the results with iptables -vnL

The --keep-until-expiring will make sure the cert(s) will only be renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file /etc/cron.weekly/letsencrypt: 

iptables -F
sleep 1
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl'  --keep-until-expiring --email harry.metske@gmail.com
/home/ubuntu/iptables-setup.sh
apachectl restart

Prometheus install#

cd /tmp/
curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-arm64.tar.gz -O
tar -xzf prometheus-2.25.2.linux-arm64.tar.gz
mv prometheus-2.25.2.linux-arm64 /usr/local
cd /usr/local
ln -s prometheus-2.25.2.linux-arm64 prometheus
cd prometheus
mkdir data
chown -R pi: /usr/local/prometheus

Create service file /etc/systemd/system/prometheus.service: 

[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target

[Service]
User=pi
Restart=on-failure

ExecStart=/usr/local/prometheus/prometheus/prometheus \
  --config.file=/usr/local/prometheus/prometheus.yml \
  --storage.tsdb.path=/usr/local/prometheus/data \
  --storage.tsdb.retention.time=720d


[Install]
WantedBy=multi-user.target

systemctl enable prometheus && systemctl start prometheus

Install node exporter#

cd /tmp/
curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-arm64.tar.gz -O
tar -xzf node_exporter-1.1.2.linux-arm64.tar.gz
mv node_exporter-1.1.2.linux-arm64 /usr/local
cd /usr/local
ln -s node_exporter-1.1.2.linux-arm64 node-exporter

Create service file /etc/systemd/system/node-exporter.service: 

[Unit]
Description=Prometheus Node Exporter
Documentation=https://prometheus.io/docs/guides/node-exporter/
After=network-online.target

[Service]
User=pi
Restart=on-failure

ExecStart=/usr/local/node-exporter/node_exporter

[Install]
WantedBy=multi-user.target

Install prometheus pushgateway#

See instructions here.

curl -sLO https://github.com/prometheus/pushgateway/releases/download/v1.4.2/pushgateway-1.4.2.linux-arm64.tar.gz
tar -xf pushgateway-1.4.2.linux-arm64.tar.gz
cp pushgateway-1.4.2.linux-arm64/pushgateway  /usr/local/bin/
# install unit file:

cat > /etc/systemd/system/pushgateway.service << EOF
[Unit]
Description=Pushgateway
Wants=network-online.target
After=network-online.target

[Service]
User=pushgateway
Group=pushgateway
Type=simple
ExecStart=/usr/local/bin/pushgateway \
    --web.listen-address=":9091" \
    --web.telemetry-path="/metrics" \
    --persistence.file="/tmp/metric.store" \
    --persistence.interval=5m \
    --log.level="info" \
    --log.format="logfmt"

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start pushgateway

Add this to /usr/local/prometheus/prometheus.yml: 

- job_name: 'pushgateway'
    honor_labels: true
    static_configs:
    - targets: [['localhost:9091']

Testing pushgateway: 

echo -e "# TYPE temperature gauge\n# HELP temperature The temperature in Celsius\ntemperature 5.9" | curl --data-binary @- http://localhost:9091/metrics/job/openweather
And checkout http://www.computerhok.nl:9091

Install Grafana#

wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
apt-get update && apt-get install -y grafana

And go to http://www.computerhok.nl:3000

Install Pihole#

git clone https://github.com/pi-hole/pi-hole.git
cd pi-hole/automated\ install
export PIHOLE_SKIP_OS_CHECK=true  #  22.04 was officially not yet supported, but it just works
./basic-install.sh
Change /etc/lighttpd/lighttpd.conf : port to 81 # conflict with apache httpd
Set password with pihole -a -p

Set static IP for Ubuntu 22.04:#

Create file /etc/netplan/01-network-manager-all.yaml : 

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        eth0:
            dhcp4: false
            addresses: [192.168.2.19/24]
            gateway4: 192.168.2.254
            nameservers:
              addresses: [8.8.8.8,8.8.4.4,192.168.2.254]
    version: 2

Remove large apt packages (only for desktop pi-os, not for server install)#

dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n

Search at the bottom which can be uninstalled, and then (sample): 

sudo apt-get remove --auto-remove --purge wolfram-engine libgl1-mesa-dri guile-2.2-libs vlc-l10n realvnc-vnc-server mesa-vdpau-drivers

Uptime Robot own iptables chain#

Because uptimerobot has quite a list of IPs where it can come from, we want it in a separate chain: 

iptables -N UPTIME-ROBOT
for H in $(curl -s https://uptimerobot.com/inc/files/ips/IPv4.txt | sed 's/\r$//'); do 
  /sbin/iptables -A UPTIME-ROBOT -s "${H}"/32 -j ACCEPT
done
iptables -I INPUT -j UPTIME-ROBOT