Raspberry Pi setup

Raspberry Pi setup#

Bought a Raspberry Pi 4 model B with 2 GB memory.

- on GUI disable wifi, and set boot to cli
- apt install iotop vim apache2 libapache2-mod-jk docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3
- a2enmod proxy_http
- a2enmod ssl
- a2enmod rewrite
- /etc/dhcpcd.conf: static IP to 192.168.2.99 (192.168.2.3 does not work, cannot even ping the router with it)
- create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> does not work properly yet, the uptimerobot IPs do not come through
- echo "syntax on" > ~/.vimrc
- mysql:
	create user 'piwigo_user'@'%' identified by "piwigopswd";
	create database piwigo;
	grant all privileges on piwigo.* to piwigo_user@'%';
- vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0
- go to www.computerhok.nl:8081 ==> setup dialog: 192.168.2.399 piwigo_user piwigopswd .....
- copy all restored album folders to /appl/piwigo/config/www/gallery/galleries
- do the "Tools => Database synchronization with files" on the UI
- docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 2080:80 -p 2443:443 -e "IPv6=False" -e "TZ=Europe/Amsterdam" -e "ServerIP=192.168.2.99" -e "VIRTUAL_HOST=www.computerhok.nl:2080" -e "WEBPASSWORD=<see keepass>" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --restart=unless-stopped --cap-add=NET_ADMIN pihole/pihole:latest
- go to http://192.168.2.99:2080/admin/
- tweak the /etc/knockd.conf
- systemctl disable avahi-daemon.service
- systemctl disable avahi-daemon.sock
- remove wpa-supplicant and wireless-tools from /etc/networking
- systemctl disable wpa_supplicant

knockd fails on startup#

It fails because eth0 is not yet up. Boot sequence is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225

Add the [Install] section (the last 3 lines) at the end of /lib/systemd/system/knockd.service, so the file reads:

[Unit]
Description=Port-Knock Daemon
After=network-online.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Alias=knockd.service

And install the service as indicated by the above link:

systemctl disable knockd.service
systemctl enable knockd.service

The network-wait-online service unit:

[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target

[Service]
Type=oneshot
ExecStart= \
    /bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s

[Install]
WantedBy=network-online.target
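
The fixed `sleep 20` in the unit above only guesses how long eth0 needs. The script below is an added example (not from the original page): it polls until the interface is up and has a global IPv4 address, with a timeout, so it can replace the `sleep 20` as the ExecStart of the wait unit. The install path /usr/local/bin/wait-for-eth0.sh is an assumption; the functions work with any interface name.

```shell
#!/bin/sh
# wait-for-eth0.sh: added example, not part of the original page.
# Poll until a network interface is usable instead of sleeping a fixed time.

# iface_ready IFACE: succeed when IFACE reports operstate "up" in sysfs and
# has at least one global-scope IPv4 address (iproute2's `ip` is assumed).
iface_ready() {
    iface=$1
    [ -r "/sys/class/net/$iface/operstate" ] || return 1
    [ "$(cat "/sys/class/net/$iface/operstate")" = "up" ] || return 1
    ip -4 -o addr show dev "$iface" scope global 2>/dev/null | grep -q inet
}

# wait_until CMD TIMEOUT [INTERVAL]: run CMD every INTERVAL seconds
# (default 1) until it succeeds or TIMEOUT seconds have passed.
# Returns 0 on success, 1 on timeout, so the unit fails visibly if the
# cable is unplugged instead of silently continuing after the sleep.
wait_until() {
    cmd=$1
    timeout=$2
    interval=${3:-1}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if $cmd; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    # one last attempt after the deadline
    $cmd
}

# Stand-alone use: wait-for-eth0.sh eth0 90
if [ $# -ge 1 ]; then
    wait_until "iface_ready $1" "${2:-90}" 2
fi
```

In the wait unit this becomes `ExecStart=/usr/local/bin/wait-for-eth0.sh eth0 90` (keep `Type=oneshot` and set `TimeoutStartSec` a little above the 90 s), so knockd, ordered `After=network-online.target`, starts as soon as eth0 is usable rather than after a fixed delay.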

Backup#

For now I run the following script from my macOS machine (and upload to Stack after that).

#!/bin/sh
#
# backup the piwigo galleries and the rest of the pi separately
ssh pi@apollo sudo tar cf - /appl/piwigo/config/www/gallery/galleries > /Users/metskem/Downloads/backup-apollo-fotos.tar
ssh pi@apollo sudo tar czf - --exclude=/var/jspwiki/logs --exclude=/usr/local/tomcat/logs --exclude=/usr/local/tomcat/work --exclude=/usr/local/tomcat/temp /home/pi /etc /var/jspwiki > /Users/metskem/Downloads/backup-apollo-rest.tar

Then manually upload the backup files to https://metskem.stackstorage.com/
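
A backup is only useful if the uploaded copy is intact. The following is an added example (not the page's script): it writes the archive together with a SHA-256 sidecar and has a verify step that rejects truncated or tampered files. The remote pipeline from the page (`ssh pi@apollo sudo tar cf - ...`) is replaced by a local `tar` so the script runs stand-alone; to use it over ssh, swap the `tar cf` line in make_backup for the page's ssh command with `> "$out"`.

```shell
#!/bin/sh
# backup-check.sh: added example, not part of the original page.
# Create a tar backup with a SHA-256 sidecar and verify it before upload.

# sha256_of FILE: print the hex digest with whichever tool exists
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_backup SRC_DIR OUT_TAR: archive SRC_DIR into OUT_TAR and record the
# digest in OUT_TAR.sha256 (the sidecar is uploaded alongside the archive).
make_backup() {
    src=$1
    out=$2
    tar cf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    sha256_of "$out" > "$out.sha256"
}

# verify_backup OUT_TAR: succeed only if the digest matches the sidecar and
# the archive lists cleanly. A single appended or flipped byte fails this.
verify_backup() {
    out=$1
    [ -f "$out" ] && [ -f "$out.sha256" ] || return 1
    [ "$(sha256_of "$out")" = "$(cat "$out.sha256")" ] || return 1
    tar tf "$out" >/dev/null 2>&1
}

# count_entries OUT_TAR: number of entries, a cheap sanity check that the
# album tree was not empty when the backup ran.
count_entries() {
    tar tf "$1" | wc -l | tr -d ' '
}

# Stand-alone use: backup-check.sh /path/to/galleries /path/to/out.tar
if [ $# -ge 2 ]; then
    make_backup "$1" "$2" && verify_backup "$2" \
        && echo "backup ok: $(count_entries "$2") entries"
fi
```

Run `verify_backup` again on the downloaded copy after a restore test; comparing the sidecar digest with the one computed locally catches a corrupted upload before it is needed.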

CA cert trust#

For dhmb to trust the computerhok HTTPS certificate, install the local CA certificate:

mkdir /usr/share/ca-certificates/local
vi /usr/share/ca-certificates/local/computerhok-ca.crt   # paste the CA certificate (PEM) in here
dpkg-reconfigure ca-certificates   # interactive, should show 1 new cert to enable

Install more recent version of golang#

cd /tmp
curl -LO https://golang.org/dl/go1.15.5.linux-arm64.tar.gz
tar -xzf go1.15.5.linux-arm64.tar.gz
mv go /usr/share/go-1.15.5
cd /usr/share
rm go
ln -s go-1.15.5 go
cd /usr/bin
rm go gofmt
ln -s /usr/share/go/bin/go go
ln -s /usr/share/go/bin/gofmt gofmt

Openssl generate signed server cert#

Create the file sslreq.conf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = OV
L = Rijssen
O = computerhok
OU = computerhok-OU
CN = www.computerhok.nl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.computerhok.nl
DNS.2 = computerhok.nl

Next, generate the key and CSR, then sign the CSR with the CA. The -extfile/-extensions options are needed because openssl x509 -req does not copy the v3_req extensions (SAN, extendedKeyUsage) from the CSR into the certificate on its own:

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf
openssl x509 -req -in www.computerhok.nl.csr -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365 -extfile sslreq.conf -extensions v3_req -out www.computerhok.nl.crt

Put these files into /etc/apache2/computerhok-ssl, and make sure to append ca.cert to www.computerhok.nl.crt so Apache serves the full chain.