Nifty hardware, here's some stuff to do with it. = Alternative hardware = Maybe you want something different? There's many manufacturers of single-board computers now. Here's one that'd be good for a VPN access router or something, the Nano Pi R4S: https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=284 = RPi builds = This is using them for stuff like Pihole and Wireguard. * https://www.reddit.com/r/pihole/comments/c62np8/pihole_with_unbound_wireguard_vpn_server_on_a/ * https://github.com/harrypnyce/raspbian10-buster/blob/master/README.md * https://www.raspberrypi-spy.co.uk/2019/10/pi-hole-oled-status-screen/ * https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/ Monitoring is good too. * https://bestmonitoringtools.com/how-to-install-zabbix-on-raspberry-pi-raspbian/ = Apt Cacher NG = Package cache, great for RPi because one of the upstream repos is horrible and slow. * https://wiki.debian.org/AptCacherNg * https://www.unix-ag.uni-kl.de/~bloch/acng/ * https://help.ubuntu.com/community/Apt-Cacher-Server * https://fabianlee.org/2018/02/11/ubuntu-a-centralized-apt-package-cache-using-apt-cacher-ng/ = PXE utility server = https://wiki.polaire.nl/doku.php?id=raspberry_pi_pxe_server = Minimising = Stuff you can do to make it boot faster and run leaner. These notes are from running Fedora, but they're somewhat general. {{{ disable wifi in config.txt (https://raspberrypi.stackexchange.com/questions/43720/disable-wifi-wlan0-on-pi-3) dtoverlay=disable-wifi yum erase -y wpa_supplicant disable selinux (https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html) selinux=0 on kernel comdline grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg disable firewalld systemctl disable firewalld --now dnf erase -y firewalld disable auditd audit=0 on kernel comdline grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg disable sound (https://www.instructables.com/id/Disable-the-Built-in-Sound-Card-of-Raspberry-Pi/) modprobe.d blacklisting /etc/modprobe.d/raspi-blacklist.conf disable fstrim (do it with an @reboot crontab) systemctl disable fstrim.service --now /usr/sbin/fstrim --fstab --verbose --quiet remove lvm2 yum erase -y lvm2 }}} Maybe use systemd for networking config: https://raspberrypi.stackexchange.com/questions/108592/use-systemd-networkd-for-general-networking Setup the filesystem to be read-only if you want it to be really bulletproof and appliance-y: https://medium.com/@andreas.schallwig/how-to-make-your-raspberry-pi-file-system-read-only-raspbian-stretch-80c0f7be7353 = General provisioning = 1. Download the latest image, like RPi OS buster-lite, write it to SD card with balenaEtcher 1. Boot as normal, let it do the firstboot thing 1. Rename it: https://wiki.debian.org/HowTo/ChangeHostname or use raspi-config tool 1. Wifi as needed in raspi-config 1. Set locale and default system locale in raspi-config 1. Enable ssh {{{ systemctl enable --now ssh }}} 1. Fully update {{{ apt update and full-upgrade apt install vim screen locales bash-completion lsof tcpdump netcat strace nmap reboot }}} 1. Change password for `pi` account 1. Install your ssh pubkeys 1. apt autoremove, autoclean 1. Empty motd, don't care about that on SSH login {{{ > /etc/motd }}} == Unifi controller references == * https://community.ubnt.com/t5/UniFi-Routing-Switching/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller/td-p/2470231 * Useful packages to install: {{{ apt install openjdk-8-jre-headless apt install haveged }}} = Debian 11 Bullseye on Zero W = As an extension/variant of the above, most of the trickiness is initial booting. https://raspi.debian.net/faq/ Loaded up the image, booted, fixed up the wifi config in `/etc/network/interfaces.d/wlan0` {{{ allow-hotplug wlan0 iface wlan0 inet dhcp wpa-ssid "Your Waifu is Trash" wpa-psk ABCDEFGHIJKL }}} Tweak `/boot/firmware/sysconf.txt` settings and reboot. Should use `hostnamectl set-hostname makarov.thighhighs.top` Actually it's much like [[furinkan/private/illustrious]], can also follow that. '''THIS IS A ROOT-ONLY BUILD''' {{{ apt install vim screen locales bash-completion Fix the locales: dpkg-reconfigure locales Disable console blanking, seems this is already done by default: cat /sys/module/kernel/parameters/consoleblank Disable address privacy: echo -e "net.ipv6.conf.all.use_tempaddr = 0\nnet.ipv6.conf.default.use_tempaddr = 0" >> /etc/sysctl.d/local.conf service procps restart echo "export EDITOR=vim" > /etc/profile.d/50-editor-vim.sh timedatectl set-timezone Australia/Sydney echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf apt install python3 python-is-python3 apt install wget curl net-tools ack jq make mlocate elinks nmap whois updatedb curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc curl -o ~/.config/procps/toprc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.toprc apt install dphys-swapfile/testing Edit /etc/dphys-swapfile and set CONF_SWAPFACTOR=2 or whatever, then systemctl restart dphys-swapfile }}} config.txt {{{ enable_uart=1 upstream_kernel=1 kernel=vmlinuz-5.10.0-5-rpi # For details on the initramfs directive, see # https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=10532 initramfs initrd.img-5.10.0-5-rpi }}} = Pihole HA = Run a couple of nodes, to ensure that an update or failure won't kill your entire network. Upstream ISP DNS servers are remarkably handy in their reliability, except when you can't reach them. * vector as primary and DHCP server * asval as secondary, maybe doing some DHCP too Apparently it's valid to just rsync your configs across the network, that should do it. I wonder how the sqlite DB deals with this. * https://discourse.pi-hole.net/t/high-availability-ha-for-pi-hole-running-two-pi-holes/3138/3 * Tools for scripted syncing: https://www.reddit.com/r/pihole/comments/eo2q1r/pihole_clustered_configuration/