Raspberry Pi setup#
Bought a Raspberry Pi 4 model B with 2 GB memory.
Table of Contents
- Raspberry Pi setup
- knockd fails on startup
- Backup
- CA cert trust
- Install more recent version of golang
- Openssl generate signed server cert (or letsencrypt, see next chapter)
- Letsencrypt
- Prometheus install
- Install node exporter
- Install prometheus pushgateway
- Install Grafana
- Remove large apt packages
- Uptime Robot own iptables chain
- on GUI disable wifi, and set boot to cli - apt install iotop vim apache2 libapache2-mod-jk docker.io mariadb-server mariadb-client knockd golang jq tcpdump sqlite3 certbot iptraf - a2enmod proxy_http - a2enmod ssl - a2enmod rewrite - /etc/dhcpcd.conf : static IP naar 192.168.2.19 (192.168.2.3 wil niet, kan router al niet pingen) - create /etc/systemd/system/iptables-setup.service => pointing to /home/pi/iptables-setup.service ==> de uptimerobot IPs zitten in eigen chain, zie verder - echo "syntax on" > ~/.vimrc - mysql: create user 'piwigo_user'@'%' identified by "piwigopswd"; create database piwigo; grant all privileges on piwigo.* to piwigo_user@'%'; - vim /etc/mysql/mariadb.conf.d/50-server.cnf => bind-address to 0.0.0.0 - go to www.computerhok.nl:8081 ==> setup dialog =: 192.168.2.19 piwigo_user piwigopswd ..... - copy all restored album folders to /appl/piwigo/config/www/gallery/galleries - do the "Tools => Database synchronization with files" on the UI - curl -sSL https://install.pi-hole.net | bash # ==> edit port80 to 81 in /etc/lighttpd/lighttpd.conf - go to http://192.168.2.19:2080/admin/ - tweak the /etc/knockd.conf - systemctl disable avahi-daemon.service - systemctl disable avahi-daemon.sock - remove wpa-supplicant and wireless-tools from /etc/networking - systemctl disable wpa_supplicant
knockd fails on startup#
It fails because eth0 is not yet up. Boot sequence is broken, see also https://www.raspberrypi.org/forums/viewtopic.php?t=187225
Add 3 lines at the end of /lib/systemd/system/knockd.service:
[Unit] Description=Port-Knock Daemon After=network-online.target Documentation=man:knockd(1) [Service] EnvironmentFile=-/etc/default/knockd ExecStart=/usr/sbin/knockd $KNOCKD_OPTS ExecReload=/bin/kill -HUP $MAINPID KillMode=mixed SuccessExitStatus=0 2 15 ProtectSystem=full CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN [Install] WantedBy=multi-user.target Alias=knockd.service
And install the service as indicated by the above link.
systemctl disable knockd.service
systemctl enable knockd.service
network-wait-online-service:
[Unit]
Description=Wait for Network to be Online
Documentation=man:systemd.service(5) man:systemd.special(7)
Conflicts=shutdown.target
After=network.target
Before=network-online.target
[Service]
Type=oneshot
ExecStart= \
/bin/bash -c 'ifconfig eth0;sleep 20;ifconfig eth0'
TimeoutStartSec=1min 30s
[Install]
WantedBy=network-online.target
Backup#
CA cert trust#
For dhmb to trust computerhok-https...
mkdir /usr/share/ca-certificates/local vi computerhok-ca.crt. #. copy the contents in here dpkg-reconfigure ca-certificates. # interactive, should show 1 new cert
Install more recent version of golang#
cd /tmp curl -LO https://golang.org/dl/go1.16.4.linux-armv6l.tar.gz tar -xzf go1.16.4.linux-armv6l.tar.gz mv go /usr/share/go-1.16.3 cd /usr/share rm go ln -s go-1.16.3 go cd /usr/bin rm go gofmt ln -s /usr/share/go/bin/go go ln -s /usr/share/go/bin/gofmt gofmt
Openssl generate signed server cert (or letsencrypt, see next chapter)#
Create the file sslreq.conf:
[req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = NL ST = OV L = Rijssen O = computerhok OU = computerhok-OU CN = www.computerhok.nl [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = www.computerhok.nl DNS.2 = computerhok.nl
create ssl-exts.conf file:
[v3_ca] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = DNS:www.computerhok.nl, DNS:computerhok.nl
next:
openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout www.computerhok.nl.key -out www.computerhok.nl.csr -config sslreq.conf # verify csr: # openssl req -text -noout -verify -in www.computerhok.nl.csr # openssl x509 -sha256 -req -in www.computerhok.nl.csr -extfile sslreq.conf -extensions v3_ca -extfile ssl-exts.conf -out www.computerhok.nl.crt -CA /etc/apache2/computerhok-ssl/ca.cert -CAkey /etc/apache2/computerhok-ssl/ca.key -CAcreateserial -days 365 # verify crt: # openssl x509 -in www.computerhok.nl.crt -noout -textPut these files into /etc/apache2/computerhok-ssl, and make sure to append the ca.cert to the server.cert
Letsencrypt#
The certbot command has already been installed.
First prepare:
certbot --apache -d www.computerhok.nl
Then open up the firewall, because letsencrypt comes in to verify: iptables -F
Then do a dry-run:
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com --dry-run
If this succeeds, we can do the real one:
certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com
Then edit /etc/apache2/sites-enabled/005-www.computerhok.nl.conf and adjust the SSLCertificateKeyFile and the SSLCertificateFile to the right location at
/etc/letsencrypt/live/www.computerhok.nl/privkey.pem and
/etc/letsencrypt/live/www.computerhok.nl/fullchain.pem
Then restart apache with systemctl restart apache2, and do not forget to close down the firewall again with /home/pi/iptables-setup.sh, check the results with iptables -vnL
The --keep-until-expiring will make sure the cert(s) will only be renewed if the expiry date is within 30 days. So we run this command weekly by saving the following in an executable file /etc/cron.weekly/letsencrypt:
iptables -F sleep 1 certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 -a webroot --cert-name 'www.computerhok.nl' --webroot-path /var/www/ -d 'www.computerhok.nl' --keep-until-expiring --email harry.metske@gmail.com /home/pi/iptables-setup.sh apachectl restart
Prometheus install#
cd /tmp/ curl -L https://github.com/prometheus/prometheus/releases/download/v2.25.2/prometheus-2.25.2.linux-armv7.tar.gz -O tar -xzf prometheus-2.25.2.linux-armv7.tar.gz mv prometheus-2.25.2.linux-armv7 /usr/local cd /usr/local ln -s prometheus-2.25.2.linux-armv7 prometheus cd prometheus mkdir data chown -R pi: /usr/local/prometheus
Create service file /etc/systemd/system/prometheus.service:
[Unit] Description=Prometheus Server Documentation=https://prometheus.io/docs/introduction/overview/ After=network-online.target [Service] User=pi Restart=on-failure ExecStart=/usr/local/prometheus/prometheus/prometheus \ --config.file=/usr/local/prometheus/prometheus.yml \ --storage.tsdb.path=/usr/local/prometheus/data \ --storage.tsdb.retention.time=720d [Install] WantedBy=multi-user.target
systemctl enable prometheus && systemctl start prometheus
Install node exporter#
cd /tmp/ curl -L https://github.com/prometheus/node_exporter/releases/download/v1.1.2/node_exporter-1.1.2.linux-armv7.tar.gz -O tar -xzf node_exporter-1.1.2.linux-armv7.tar.gz mv node_exporter-1.1.2.linux-armv7 /usr/local cd /usr/local ln -s node_exporter-1.1.2.linux-armv7 node-exporter
Create service file /etc/systemd/system/node-exporter.service:
[Unit] Description=Prometheus Node Exporter Documentation=https://prometheus.io/docs/guides/node-exporter/ After=network-online.target [Service] User=pi Restart=on-failure ExecStart=/usr/local/node-exporter/node_exporter [Install] WantedBy=multi-user.target
Install prometheus pushgateway#
See instructions here
.
curl -sLO https://github.com/prometheus/pushgateway/releases/download/v1.4.2/pushgateway-1.4.2.linux-armv7.tar.gz
tar -xf pushgateway-1.4.2.linux-armv7.tar.gz
cp pushgateway-1.4.2.linux-armv7/pushgateway /usr/local/bin/
# install unit file:
cat > /etc/systemd/system/pushgateway.service << EOF
[Unit]
Description=Pushgateway
Wants=network-online.target
After=network-online.target
[Service]
User=pushgateway
Group=pushgateway
Type=simple
ExecStart=/usr/local/bin/pushgateway \
--web.listen-address=":9091" \
--web.telemetry-path="/metrics" \
--persistence.file="/tmp/metric.store" \
--persistence.interval=5m \
--log.level="info" \
--log.format="logfmt"
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start pushgateway
Install Grafana#
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add - echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list apt-get update && apt-get install -y grafana systemctl enable grafana-server systemctl start grafana-server
And go to http://www.computerhok.nl:3000
Remove large apt packages#
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n
Search at the bottom which can be uninstalled, and then (sample):
sudo apt-get remove --auto-remove --purge wolfram-engine libgl1-mesa-dri guile-2.2-libs vlc-l10n realvnc-vnc-server mesa-vdpau-drivers
Uptime Robot own iptables chain#
Because uptimerobot has quite a list of IPs where it can come from, we want it in a separate chain:
iptables -N UPTIME-ROBOT
for H in $(curl -s https://uptimerobot.com/inc/files/ips/IPv4.txt | sed 's/\r$//'); do
/sbin/iptables -A UPTIME-ROBOT -s "${H}"/32 -j ACCEPT
done
iptables -I INPUT -j UPTIME-ROBOT
