Nifty hardware, here's some stuff to do with it.

Alternative hardware

Maybe you want something different? There's many manufacturers of single-board computers now. Here's one that'd be good for a VPN access router or something, the Nano Pi R4S: https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=284

RPi builds

This is using them for stuff like Pihole and Wireguard.

• https://www.reddit.com/r/pihole/comments/c62np8/pihole_with_unbound_wireguard_vpn_server_on_a/

• https://github.com/harrypnyce/raspbian10-buster/blob/master/README.md

• https://www.raspberrypi-spy.co.uk/2019/10/pi-hole-oled-status-screen/

• https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/

Monitoring is good too.

• https://bestmonitoringtools.com/how-to-install-zabbix-on-raspberry-pi-raspbian/

Apt Cacher NG

Package cache, great for RPi because one of the upstream repos is horrible and slow.

• https://wiki.debian.org/AptCacherNg

• https://www.unix-ag.uni-kl.de/~bloch/acng/

• https://help.ubuntu.com/community/Apt-Cacher-Server

• https://fabianlee.org/2018/02/11/ubuntu-a-centralized-apt-package-cache-using-apt-cacher-ng/

PXE utility server

https://wiki.polaire.nl/doku.php?id=raspberry_pi_pxe_server

Minimising

Stuff you can do to make it boot faster and run leaner. These notes are from running Fedora, but they're somewhat general.

disable wifi in config.txt (https://raspberrypi.stackexchange.com/questions/43720/disable-wifi-wlan0-on-pi-3)
    dtoverlay=disable-wifi
    yum erase -y wpa_supplicant
disable selinux (https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html)
    selinux=0 on kernel comdline
    grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
disable firewalld
    systemctl disable firewalld --now
    dnf erase -y firewalld
disable auditd
    audit=0 on kernel comdline
    grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
disable sound (https://www.instructables.com/id/Disable-the-Built-in-Sound-Card-of-Raspberry-Pi/)
    modprobe.d blacklisting /etc/modprobe.d/raspi-blacklist.conf
    
disable fstrim (do it with an @reboot crontab)
    systemctl disable fstrim.service --now
    /usr/sbin/fstrim --fstab --verbose --quiet
remove lvm2
    yum erase -y lvm2

General provisioning

1. Download the latest image, like RPi OS buster-lite, write it to SD card with balenaEtcher
2. Boot as normal, let it do the firstboot thing

3. Rename it: https://wiki.debian.org/HowTo/ChangeHostname or use raspi-config tool

4. Wifi as needed in raspi-config
5. Set locale and default system locale in raspi-config

6. Enable ssh

   systemctl enable --now ssh

7. Fully update

     apt update and full-upgrade
     apt install vim screen locales bash-completion lsof tcpdump netcat strace nmap
     reboot

8. Change password for pi account

9. Install your ssh pubkeys
10. apt autoremove, autoclean

11. Empty motd, don't care about that on SSH login

    > /etc/motd

Unifi controller references

• https://community.ubnt.com/t5/UniFi-Routing-Switching/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller/td-p/2470231

• Useful packages to install:

  apt install openjdk-8-jre-headless
  apt install haveged

Debian 11 Bullseye on Zero W

As an extension/variant of the above, most of the trickiness is initial booting.

https://raspi.debian.net/faq/

Loaded up the image, booted, fixed up the wifi config in /etc/network/interfaces.d/wlan0

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-ssid "Your Waifu is Trash"
    wpa-psk ABCDEFGHIJKL

Tweak /boot/firmware/sysconf.txt settings and reboot.

Should use hostnamectl set-hostname makarov.thighhighs.top

Actually it's much like furinkan/private/illustrious, can also follow that.

THIS IS A ROOT-ONLY BUILD

apt install vim screen locales bash-completion

Fix the locales: dpkg-reconfigure locales

Disable console blanking, seems this is already done by default:
    cat /sys/module/kernel/parameters/consoleblank

Disable address privacy:
    echo -e "net.ipv6.conf.all.use_tempaddr = 0\nnet.ipv6.conf.default.use_tempaddr = 0" >> /etc/sysctl.d/local.conf
    service procps restart

echo "export EDITOR=vim" > /etc/profile.d/50-editor-vim.sh

timedatectl set-timezone Australia/Sydney

echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf

apt install python3 python-is-python3
apt install wget curl net-tools ack jq make mlocate elinks nmap whois
updatedb

curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
curl -o ~/.config/procps/toprc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.toprc


apt install dphys-swapfile/testing

Edit /etc/dphys-swapfile and set CONF_SWAPFACTOR=2 or whatever, then systemctl restart dphys-swapfile

config.txt

enable_uart=1
upstream_kernel=1

kernel=vmlinuz-5.10.0-5-rpi
# For details on the initramfs directive, see
# https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=10532
initramfs initrd.img-5.10.0-5-rpi

Pihole HA

Run a couple of nodes, to ensure that an update or failure won't kill your entire network. Upstream ISP DNS servers are remarkably handy in their reliability, except when you can't reach them.

• vector as primary and DHCP server
• asval as secondary, maybe doing some DHCP too

Apparently it's valid to just rsync your configs across the network, that should do it. I wonder how the sqlite DB deals with this.

• https://discourse.pi-hole.net/t/high-availability-ha-for-pi-hole-running-two-pi-holes/3138/3

• Tools for scripted syncing: https://www.reddit.com/r/pihole/comments/eo2q1r/pihole_clustered_configuration/