I grabbed a couple of these, one with NAND flash and one without. Both have Wifi/BT/POE support, and I bought the POE hats because that's a damn good idea.

https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-s?variant=29067635458150

Official docs links

Setup

I'm using their Ubuntu image here, it's "focal" (20.04 LTS).

Initial image and packages

Fix your keys

Network config

More config

Faff with networking

We'd like static IP but dynamic IPv6

apt install netplan.io

The criteria are:

This'll do, it goes in /etc/netplan/10-thighhighs.yaml

network:
    version: 2
    renderer: networkd

    ethernets:
        eth0:
            critical: true
            dhcp-identifier: mac
            dhcp4: false
            dhcp6: true
            dhcp6-overrides:
                use-dns: false
            ipv6-privacy: false
            addresses:
                - "192.168.1.26/24"
                # :1:26 for the .1.26 IPv4, ca6c == 51820, the default Wireguard port
                - "2404:e80:42e3:0:26:0:0:ca6c/64"
            routes:
                - to: 0.0.0.0/0
                  via: 192.168.1.1
                  on-link: true
            nameservers:
                addresses:
                    - 192.168.1.20
                    - 192.168.1.24
                    - fe80::e65f:1ff:fe1c:c6ea
                    - fe80::ba27:ebff:fe8c:f4f8
                search:
                    - thighhighs.top

Disable wifi and bluetooth

We don't need them and it slows down boot.

systemctl disable wpa_supplicant.service --now
systemctl disable bluetooth.service --now

Save an image

Now take an image of the system after shrinking the filesystem

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
# use cfdisk to resize the partition to 2.4G (as a generous example)
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-12-09_calico_img_pre_pihole.img.gz
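The count=600 above is a guess that only works if the resized partition really ends before the 2400 MiB mark. As an added example (mine, not from this page), this script reads an `sfdisk --dump` listing (a constructed sample here, not this board's partition table) and works out the smallest count for dd bs=4M that still captures every partition whole:

```sh
#!/bin/sh
# Added example (not from the wiki page): derive the dd count that captures
# every partition after shrinking, instead of guessing "count=600" by eye.
set -eu

# Constructed sample of `sfdisk --dump /dev/mmcblk0` after resizing p2 to ~2.4G;
# the start/size values are made up for the example, not taken from the board.
SAMPLE_DUMP='label: dos
device: /dev/mmcblk0
unit: sectors
sector-size: 512

/dev/mmcblk0p1 : start=       32768, size=      229376, type=83
/dev/mmcblk0p2 : start=      262144, size=     5033984, type=83'

# Byte offset just past the last sector used by any partition in the dump.
image_end_bytes() {
    printf '%s\n' "$1" | awk '
        /^sector-size:/ { ss = $2 }
        /^\/dev\/.* start=/ {
            start = $4; sub(/,/, "", start)
            size = $6;  sub(/,/, "", size)
            end = start + size
            if (end > max) max = end
        }
        END { if (!ss) ss = 512; printf "%.0f\n", max * ss }'
}

# Smallest dd count for the given block size (bytes) that reaches image_end_bytes.
dd_count() {
    end=$(image_end_bytes "$1"); bs=$2
    awk -v end="$end" -v bs="$bs" 'BEGIN { c = int(end / bs); if (c * bs < end) c++; print c }'
}

# "yes" if dd bs=$2 count=$3 would include every partition whole, else "no".
image_complete() {
    end=$(image_end_bytes "$1")
    awk -v end="$end" -v bs="$2" -v count="$3" 'BEGIN { print (count * bs >= end) ? "yes" : "no" }'
}

BS=$((4 * 1024 * 1024))   # matches dd bs=4M
echo "partitions end at $(image_end_bytes "$SAMPLE_DUMP") bytes"
echo "need: dd bs=4M count=$(dd_count "$SAMPLE_DUMP" "$BS")"
echo "count=600 complete? $(image_complete "$SAMPLE_DUMP" "$BS" 600)"
```

With the sample table the boot partition plus a 2.4G root partition already runs past 2400 MiB, so count=600 would have cut the image short; run it against `sfdisk --dump /dev/mmcblk0` on the board before the dd.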

Pihole

Straightforward basic install, no conflict with other installed services.

Admin UI at https://calico.thighhighs.top/admin/

Should probably put the Cloudflare resolvers into the systemwide resolver set, though that means we won't see our own records.

Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Firewall

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.

Rate limiting (ufw limit) and fail2ban would be good to add as well: https://www.raspberrypi.org/documentation/configuration/security.md

apt install ufw
ufw allow ssh
ufw enable

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp

Wireguard

We need to make it compile first, then we can use Pivpn as a tool to manage it.

Fix the wireguard-dkms package

Try installing it

apt install wireguard-dkms

Install fails because the module doesn't build. This turns out to be a gcc-9 problem.

In short, gcc-9 is stricter about this aliasing issue and throws a warning. Kernel builds treat that warning as an error (because kernel stuff is important), and that causes the DKMS build to bomb out.

Fix 1 sounds hard, let's make it work with gcc-8 then. Using an idea from here: https://github.com/dell/dkms/issues/124#issuecomment-681704633

apt install gcc-8

# Fiddle with /usr/src/wireguard-1.0.20201112/dkms.conf and add this at the end.
# This is just the same as the normal MAKE[0] defn, but we've added CC=gcc-8
MAKE[0]="make CC=gcc-8 -C ${kernel_source_dir} M=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build"

Let apt try to complete the installation now:

apt install

Now it completes!
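Added example, not from this page or from the wireguard/dkms projects: applying that MAKE[0] override with a script instead of by hand, so re-running it doesn't stack duplicate lines, and checking which compiler DKMS will actually pick up. The dkms.conf it edits is a constructed stand-in; the /usr/src/wireguard-1.0.20201112/dkms.conf path is the one from the page.

```sh
#!/bin/sh
# Added example (not from the wiki page): apply the CC=gcc-8 override to a
# wireguard dkms.conf idempotently and show which MAKE[0] DKMS will end up using.
set -eu

# Constructed stand-in for /usr/src/wireguard-1.0.20201112/dkms.conf; the real
# file has more keys, but MAKE[0] is the one the fix cares about.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DKMS_CONF="$WORK/dkms.conf"
cat > "$DKMS_CONF" <<'EOF'
PACKAGE_NAME="wireguard"
PACKAGE_VERSION="1.0.20201112"
BUILT_MODULE_NAME[0]="wireguard"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net"
AUTOINSTALL="yes"
MAKE[0]="make -C ${kernel_source_dir} M=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build"
EOF

# Append a MAKE[0] that forces the compiler. dkms.conf is sourced by the dkms
# script, so the last assignment wins; only append if this override is absent.
add_cc_override() {
    conf=$1; cc=$2
    if grep -q "^MAKE\[0\]=\"make CC=$cc " "$conf"; then
        return 0   # already applied, nothing to do
    fi
    printf 'MAKE[0]="make CC=%s -C ${kernel_source_dir} M=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build"\n' "$cc" >> "$conf"
}

# Print the MAKE[0] line that is in effect (the last one in the file).
effective_make() {
    grep '^MAKE\[0\]=' "$1" | tail -n 1
}

# Compiler named in the effective MAKE[0], or "default" when no CC= is given.
effective_cc() {
    effective_make "$1" | sed -n 's/.*make CC=\([^ ]*\).*/\1/p' | grep . || echo default
}

echo "before: $(effective_cc "$DKMS_CONF")"
add_cc_override "$DKMS_CONF" gcc-8
add_cc_override "$DKMS_CONF" gcc-8   # second call is a no-op
echo "after:  $(effective_cc "$DKMS_CONF")"
echo "MAKE[0] lines: $(grep -c '^MAKE\[0\]=' "$DKMS_CONF")"
```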

Pivpn

While I've done wireguard manually before, a scripted tool is just kinda nicer (and I trust them enough to use it).

Clone the repo:

mkdir -p ~/git
cd ~/git/
git clone https://github.com/pivpn/pivpn.git
cd pivpn/

Tweak the auto install script like so:

   1 diff --git a/auto_install/install.sh b/auto_install/install.sh
   2 index debdf78..aebe9ee 100755
   3 --- a/auto_install/install.sh
   4 +++ b/auto_install/install.sh
   5 @@ -466,7 +466,9 @@ preconfigurePackages(){
   6                 # On Debian (and Ubuntu), we can only reliably assume the headers package for amd64: linux-image-amd64
   7                 [[ $PLAT == 'Debian' && $DPKG_ARCH == 'amd64' ]] ||
   8                 # On Ubuntu, additionally the WireGuard package needs to be available, since we didn't test mixing Ubuntu repositories.
   9 -               [[ $PLAT == 'Ubuntu' && $DPKG_ARCH == 'amd64' && -n $AVAILABLE_WIREGUARD ]]
  10 +               [[ $PLAT == 'Ubuntu' && $DPKG_ARCH == 'amd64' && -n $AVAILABLE_WIREGUARD ]] ||
  11 +               # We've dealt with this on our Ubuntu install
  12 +               [[ $PLAT == 'Ubuntu' && $DPKG_ARCH == 'arm64' && -n $AVAILABLE_WIREGUARD ]]
  13         then
  14                 WIREGUARD_SUPPORT=1
  15         fi
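Review bot: the new arm64 branch in preconfigurePackages() sets WIREGUARD_SUPPORT=1 for any Ubuntu arm64 host with a wireguard package available, but this install only works because dkms.conf was patched to build with gcc-8; on an unpatched arm64 Ubuntu box the same condition would claim support and the DKMS build would still fail later. Consider gating it on something that proves the build can succeed (for example that `/lib/modules/$(uname -r)/build` exists) or at least have the comment state the precondition rather than "We've dealt with this on our Ubuntu install". The `||` added to the end of the old Ubuntu line is needed, since without it the condition chain would not reach the new test.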
  16 @@ -1294,7 +1296,9 @@ installWireGuard(){
  17                 PIVPN_DEPS=(wireguard-tools qrencode)
  18  
  19                 if [ "$WIREGUARD_BUILTIN" -eq 0 ]; then
  20 -                       PIVPN_DEPS+=(linux-headers-generic wireguard-dkms)
  21 +                       # Not safe for rockpi, they use their own headers
  22 +                       #PIVPN_DEPS+=(linux-headers-generic wireguard-dkms)
  23 +                       PIVPN_DEPS+=(wireguard-dkms)
  24                 fi
  25  
  26                 installDependentPackages PIVPN_DEPS[@]
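Review bot: dropping linux-headers-generic from PIVPN_DEPS removes the only thing that guaranteed kernel headers are present, and nothing replaces it, so on a board where the vendor headers are missing wireguard-dkms is still installed and the module build fails inside installDependentPackages with no clear message. Suggest checking for `/lib/modules/$(uname -r)/build` before appending wireguard-dkms and exiting with an explanation if it is absent. The commented-out `#PIVPN_DEPS+=(linux-headers-generic wireguard-dkms)` line can go; the comment above it already records why the package was dropped.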

Then run it and follow the prompts. I need to show unsupported NICs because eth0 doesn't register as being "UP" for some reason.

./auto_install/install.sh --show-unsupported-nics

Use these settings:

It'll use these settings:
    pivpnNET="10.6.0.0/24"
    vpnGw="10.6.0.1"
    pivpnPORT=51820
    # use the pihole servers
    pivpnDNS1="192.168.1.26"
    pivpnDNS2="192.168.1.27"
    pivpnHOST="vpn.thighhighs.top"

System inspection

I installed their provided Debian buster image, wrote it straight onto a spare SD card with balenaEtcher and inserted it. I used adb shell to get initial connectivity, set it up and inspect things.

The root filesystem is all of ~500 MiB, which is great for compactness and speed. It auto-grows on first boot by the looks of it.

[   11.091476] EXT4-fs (mmcblk0p2): resizing filesystem from 199161 to 7835148 blocks
[   11.518063] EXT4-fs (mmcblk0p2): resized filesystem to 7835148

Disk usage

root@rockpis:/# df -hl
Filesystem      Size  Used Avail Use% Mounted on
udev            210M     0  210M   0% /dev
tmpfs            43M  296K   43M   1% /run
/dev/mmcblk0p2   30G  511M   28G   2% /
tmpfs           213M     0  213M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           213M     0  213M   0% /sys/fs/cgroup

Block devices

root@rockpis:/# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
mmcblk0     179:0    0   30G  0 disk 
├─mmcblk0p1 179:1    0  112M  0 part 
└─mmcblk0p2 179:2    0 29.9G  0 part /
mmcblk1     179:32   0  3.6G  0 disk 
└─mmcblk1p1 179:33   0  3.6G  0 part 

CPU

root@rockpis:/# lscpu 
Architecture:        aarch64
Byte Order:          Little Endian
CPU(s):              4
On-line CPU(s) list: 0-3
Thread(s) per core:  1
Core(s) per socket:  4
Socket(s):           1
Vendor ID:           ARM
Model:               2
Model name:          Cortex-A35
Stepping:            r0p2
CPU max MHz:         1296.0000
CPU min MHz:         408.0000
BogoMIPS:            48.00
Flags:               fp asimd aes pmull sha1 sha2 crc32

Network interfaces

root@rockpis:/# ifconfig 
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 4e:43:df:6b:85:ff  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 752 (752.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 26  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 2  bytes 106 (106.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 106 (106.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p2p0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1a:77:e9:6d:75:84  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e6:a6:66:59:15:ed  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

MeidokonWiki: servers/RockPiS (last edited 2021-12-12 05:50:30 by furinkan)