Raspberry Pi setup#
Bought a Raspberry Pi 4 model B with 2 GB memory.
- on GUI disable wifi, and set boot to cli - apt install iotop vim apache2 libapache2-mod-jk docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot - a2enmod proxy_http - a2enmod ssl - a2enmod rewrite - /etc/dhcpcd.conf : static IP naar 192.168.2.99 (192.168.2.3 wil niet, kan router al niet pingen) - create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> werkt nog niet goed, de uptimerobot IPs komen niet - echo "syntax on" > ~/.vimrc - mysql: create user 'piwigo_user'@'%' identified by "piwigopswd"; create database piwigo; grant all privileges on piwigo.* to piwigo_user@'%'; - vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0 - go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.399 piwigo_user piwigopswd ..... - copy all restored album folders to /appl/piwigo/config/www/gallery/galleries - do the "Tools => Database synchronization with files" on the UI - docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 2080:80 -p 2443:443 -e "IPv6=False" -e "TZ=Europe/Amsterdam" -e "ServerIP=192.168.2.99" -e "VIRTUAL_HOST=www.computerhok.nl:2080" -e "WEBPASSWORD=<see keepass>" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --restart=unless-stopped --cap-add=NET_ADMIN pihole/pihole:latest - go to http://192.168.2.99:2080/admin/ - tweak the /etc/knockd.conf - systemctl disable avahi-daemon.service - systemctl disable avahi-daemon.sock - remove wpa-supplicant and wireless-tools from /etc/networking - systemctl disable wpa_supplicant
knockd fails on startup#
It fails because eth0 is not yet up. Boot sequence is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225
Add 3 lines at the end of /lib/systemd/system/knockd.service:
[Unit] Description=Port-Knock Daemon After=network-online.target Documentation=man:knockd(1) [Service] EnvironmentFile=-/etc/default/knockd ExecStart=/usr/sbin/knockd $KNOCKD_OPTS ExecReload=/bin/kill -HUP $MAINPID KillMode=mixed SuccessExitStatus=0 2 15 ProtectSystem=full CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN [Install] WantedBy=multi-user.target Alias=knockd.service
And install the service as indicated by the above link.
systemctl disable knockd.service
systemctl enable knockd.service
network-wait-online-service:
[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target
[Service]
Type=oneshot
ExecStart= \
/bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s
[Install]
WantedBy=network-online.target
Backup#
For now I run the following script from my MacOS (and upload to stack after that).
#!/bin/sh # # ssh pi@apollo sudo tar cf - /appl/piwigo/config/www/gallery/galleries > /Users/metskem/Downloads/backup-apollo-fotos.tar ssh pi@apollo sudo tar czf - --exclude=/var/jspwiki/logs --exclude=/usr/local/tomcat/logs --exclude=/usr/local/tomcat/work --exclude=/usr/local/tomcat/temp /home/pi /etc /var/jspwiki > /Users/metskem/Downloads/backup-apollo-rest.tar # upload to STACK: sftp metskem@metskem@metskem.stackstorage.com <<< $'put /Users/metskem/Downloads/backup-apollo-rest.tar'Then manually upload this backup file to https://metskem.stackstorage.com/
CA cert trust#
For dhmb to trust computerhok-https...
mkdir /usr/share/ca-certificates/local vi computerhok-ca.crt. #. copy the contents in here dpkg-reconfigure ca-certificates. # interactive, should show 1 new cert
Install more recent version of golang#
cd /tmp curl -LO https://golang.org/dl/go1.15.5.linux-arm64.tar.gz tar -xzf go1.15.5.linux-arm64.tar.gz mv go /usr/share/go-1.15.5 cd /usr/share rm go ln -s go-1.15.5 go cd /usr/bin rm go gofmt ln -s /usr/share/go/bin/go go ln -s /usr/share/go/bin/gofmt gofmt
Openssl generate signed server cert (or letsencrypt, see next chapter)#
Create the file sslreq.conf:
[req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = NL ST = OV L = Rijssen O = computerhok OU = computerhok-OU CN = www.computerhok.nl [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = www.computerhok.nl DNS.2 = computerhok.nl
create ssl-exts.conf file:
[v3_ca] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
next:
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf # verify csr: # openssl req -text -noout -verify -in www.computerhok.nl.csr # openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile sslreq.conf -extensions v3_ca -extfile ssl-exts.conf -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365 # verify crt: # openssl x509 -in www.computerhok.nl.crt -noout -textPut these files into /etc/apache2/computerhok-ssl, and make sure to append the ca.cert to the server.cert
Letsencrypt#
The certbot command has already been installed.
First prepare:
certbot --apache -d www.computerhok.nl
Then open up the firewall, because letsencrypt comes in to verify: iptables -F
Then do a dry-run:
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --dry-run
If this succeeds, we can do the real one:
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
Then edit /etc/apache2/sites-enabled/005-www.computerhok.nl.conf and adjust the SSLCertificateKeyFile and the SSLCertificateFile to the right location at
/etc/letsencrypt/live/www.computerhok.nl/privkey.pem and
/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem
Then restart apache with systemctl restart apache2, and do not forget to close down the firewall again with /home/pi/iptables-setup.sh, check the results with iptables -vnL
The --keep-until-expiring will make sure the cert(s) will only be renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file /etc/cron.weekly/letsencrypt:
iptables -F certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com /home/pi/iptables-setup.sh
Prometheus install#
cd /tmp/ curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-armv7.tar.gz -O tar -xzf prometheus-2.25.2.linux-armv7.tar.gz mv prometheus-2.25.2.linux-armv7 /usr/local cd /usr/local ln -s prometheus-2.25.2.linux-armv7 prometheus cd prometheus mkdir data chown -R pi: /usr/local/prometheus
Create service file /etc/systemd/system/prometheus.service:
[Unit] Description=Prometheus Server Documentation=https://prometheus.io/docs/introduction/overview/ After=network-online.target [Service] User=pi Restart=on-failure ExecStart=/usr/local/prometheus/prometheus/prometheus \ --config.file=/usr/local/prometheus/prometheus.yml \ --storage.tsdb.path=/usr/local/prometheus/data [Install] WantedBy=multi-user.target
systemctl enable prometheus && systemctl start prometheus
Install node exporter#
cd /tmp/ curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-armv7.tar.gz -O tar -xzf node_exporter-1.1.2.linux-armv7.tar.gz mv node_exporter-1.1.2.linux-armv7 /usr/local cd /usr/local ln -s node_exporter-1.1.2.linux-armv7 node-exporter chmod 755 node_exporter-1.1.2.linux-armv7 && chown -R pi: /usr/local/node_exporter-1.1.2.linux-armv7
Create service file /etc/systemd/system/node-exporter.service:
[Unit] Description=Prometheus Node Exporter Documentation=https://prometheus.io/docs/guides/node-exporter/ After=network-online.target [Service] User=pi Restart=on-failure ExecStart=/usr/local/node-exporter/node_exporter [Install] WantedBy=multi-user.target