Revision 1 as of 2021-12-13 04:57:35

calico

  • Radxa Rock Pi S
  • Ubuntu 20.04 (custom Radxa 4.4 kernel)

    Linux calico.thighhighs.top 4.4.143-65-rockchip-g58431d38f8f3 #1 SMP PREEMPT Sat Aug 14 09:31:07 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
  • Located at home

Contents

  1. calico
    1. Build notes
      1. Image and setup SSH keys
      2. Basic environment stuff
      3. Configure networking
      4. Save a known-good image for convenience
    2. Pihole
    3. Firewall

Build notes

Used this to write the general guide for Rock Pi S hardware.

Image and setup SSH keys

  • Image the SD card and let it boot; it will come up on the network via DHCP
  • Copy your SSH key; the default password is rock

    ssh-copy-id rock@IP
  • Login again, now it'll use your SSH key

    ssh rock@IP
  • Set a strong random password; this will be used for both rock and root

    passwd
  • Sudo up and set the same password for root

    sudo -i
    passwd
    Record the new password somewhere safe
  • Lock the rock account now; note that a locked password still permits key-based login

    usermod -L rock
  • Grab the rock user's authorized_keys so root can use it

    mkdir -m 0700 /root/.ssh
    cp /home/rock/.ssh/authorized_keys /root/.ssh/
    chown root:root /root/.ssh/authorized_keys ; chmod 0600 /root/.ssh/authorized_keys
  • Regenerate the SSH host keys; we don't know where the ones shipped in the OS image came from

    rm /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    • You could run ssh-keygen -A as an alternative, but that also generates DSA keys, which we don't want

  • Logout completely
  • Delete the entries from your known_hosts file
  • SSH again as root@IP, accepting the new host keys. It will use your SSH key instead of asking for a password now.
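The steps above leave a specific state behind: root's key directory private, a non-empty authorized_keys, the rock password locked, and freshly generated host keys with no DSA key. The script below is an added example (not from the wiki page) that audits exactly that state. It assumes GNU coreutils stat (Linux); the optional first argument is a staging directory so the same checks can run against a copied tree instead of the live filesystem, and reading /etc/shadow on a live host needs root.

```sh
#!/bin/sh
# Added example: audit the SSH hardening state the build steps should produce.
# ROOT defaults to the live filesystem; pass a directory to check a staged copy.
# Assumes GNU coreutils 'stat'. Returns the number of failed checks.

audit_ssh_hardening() {
    root="${1:-}"
    fails=0

    # root's SSH directory and key file must be private to root
    mode=$(stat -c '%a' "$root/root/.ssh" 2>/dev/null || true)
    [ "$mode" = "700" ] \
        || { echo "FAIL: $root/root/.ssh mode is '${mode:-missing}', want 700"; fails=$((fails + 1)); }

    mode=$(stat -c '%a' "$root/root/.ssh/authorized_keys" 2>/dev/null || true)
    [ "$mode" = "600" ] \
        || { echo "FAIL: authorized_keys mode is '${mode:-missing}', want 600"; fails=$((fails + 1)); }

    # the copied file must actually contain a key, or root is locked out
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) ' "$root/root/.ssh/authorized_keys" 2>/dev/null \
        || { echo "FAIL: no public key found in root's authorized_keys"; fails=$((fails + 1)); }

    # usermod -L prefixes the password hash with '!'; key login still works
    grep -q '^rock:!' "$root/etc/shadow" 2>/dev/null \
        || { echo "FAIL: rock account is not password-locked"; fails=$((fails + 1)); }

    # host keys were regenerated: at least one key present, and no DSA key
    set -- "$root"/etc/ssh/ssh_host_*_key
    [ -e "$1" ] \
        || { echo "FAIL: no SSH host keys in $root/etc/ssh"; fails=$((fails + 1)); }
    [ ! -e "$root/etc/ssh/ssh_host_dsa_key" ] \
        || { echo "FAIL: ssh_host_dsa_key present (was ssh-keygen -A used?)"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: SSH hardening checks passed"
    return "$fails"
}

# Run against the live system with --live; sourcing the file only defines the function.
if [ "${1:-}" = "--live" ]; then
    audit_ssh_hardening
fi
```

Run it as root right after the final login (sh audit.sh --live); a non-zero exit means one of the steps above did not stick, and the messages say which.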

Basic environment stuff

  • Set hostname:

    hostnamectl set-hostname calico.thighhighs.top
  • Update hostname in /etc/hosts
  • Uncomment the IPv6 entries in /etc/hosts as well
  • Set timezone

    timedatectl set-timezone Australia/Sydney
  • Set editor

    echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
  • Disable HashKnownHosts

    echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
  • Configure screen

    curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
  • Configure top by entering this cheatcode

    z x c b s 1.5 <Enter>
    e <zero> 1 W q
  • Disable wifi and bluetooth; we don't need them and they slow down boot

    systemctl disable wpa_supplicant.service --now
    systemctl disable bluetooth.service --now
    systemctl disable rtl8723ds-btfw-load.service --now
    
    echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist rtl8723ds" > /etc/modprobe.d/blacklist-radios.conf
    update-initramfs -u
  • Install useful packages

    apt update
    apt install -y vim screen bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail netbase wget curl python-is-python3 net-tools ack jq make elinks nmap whois ethtool bind9-dnsutils apt-utils man-db
  • Do a full upgrade then reboot

    apt full-upgrade
    reboot

Configure networking

What we want:

  • Static IPv4 addressing
  • Autoconfig dynamic IPv6 addressing
    • Global stable IPv6 addresses (I guess)
  • Add a locally-defined static IPv6 address, that other hosts can refer to via DNS etc
  • DNS resolvers will be manually defined

We'll use netplan to do this, as it greatly simplifies getting what we want without needing to faff around with config in multiple places.

  • Disable IPv6 privacy addresses; they're enabled by default on Ubuntu

    sed -r -i 's/tempaddr = 2/tempaddr = 0/' /etc/sysctl.d/10-ipv6-privacy.conf
    systemctl restart procps

    This is a nifty site for testing: http://ip.bieringer.net/ - look at EUI64_SCOPE to see whether the address is random/privacy/global. Global is probably what we want for servers.

  • Install netplan

    apt install -y netplan.io
  • Remove network-manager; we want to use networkd instead

    apt purge network-manager networkmanager-patch
    rm -rf /etc/NetworkManager/
    apt autoremove
  • Write the network config in /etc/netplan/10-thighhighs.yaml

    network:
        version: 2
        renderer: networkd
    
        ethernets:
            eth0:
                critical: true
                dhcp-identifier: mac
                dhcp4: false
                dhcp6: true
                dhcp6-overrides:
                    use-dns: false
                ipv6-privacy: false
                addresses:
                    - "192.168.1.26/24"
                    # :1:26 for the .1.26 IPv4, ca6c == 51820, the default Wireguard port
                    - "2404:e80:42e3:0:26:0:0:ca6c/64"
                routes:
                    - to: 0.0.0.0/0
                      via: 192.168.1.1
                      on-link: true
                nameservers:
                    addresses:
                        - 192.168.1.20
                        - 192.168.1.24
                        - fe80::e65f:1ff:fe1c:c6ea
                        - fe80::ba27:ebff:fe8c:f4f8
                    search:
                        - thighhighs.top
  • Sanity-check the generated config and hope it doesn't complain

    netplan generate
    netplan apply
  • Reboot and cross your fingers
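After the reboot it is worth confirming that the privacy-address change and the netplan config both took effect, rather than relying on the external EUI64_SCOPE lookup alone. The script below is an added example (not from the wiki page) that checks the output of ip -6 addr show dev eth0 for three things: no temporary (privacy) addresses remain, the static address from the netplan file is present, and the SLAAC address looks EUI-64 derived. The static address is compared in the compressed form ip prints (2404:e80:42e3:0:26::ca6c), the ff:fe test is a heuristic on the textual interface identifier, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: verify the IPv6 address state the netplan config should produce.
# Input is the output of 'ip -6 addr show dev eth0' saved to a file.
# Returns the number of problems found.

# Static address from the netplan file, in the compressed form 'ip' prints.
STATIC_V6="2404:e80:42e3:0:26::ca6c"

check_ipv6_state() {
    file="$1"
    problems=0

    # use_tempaddr=0 means no 'temporary' addresses should remain after reboot
    tmp=$(awk '/inet6/ && /temporary/ {print $2}' "$file")
    if [ -n "$tmp" ]; then
        echo "FAIL: privacy (temporary) addresses still present:"
        echo "$tmp"
        problems=$((problems + 1))
    fi

    # the DNS-published static address must be configured
    if ! awk '/inet6/ {print $2}' "$file" | grep -qx "$STATIC_V6/64"; then
        echo "FAIL: static address $STATIC_V6/64 not configured"
        problems=$((problems + 1))
    fi

    # with privacy off, the dynamic global address should be EUI-64 based:
    # the interface identifier carries the ff:fe marker (heuristic on the text form)
    if ! awk '/inet6/ && /scope global/ && /dynamic/ {print $2}' "$file" \
            | grep -Eq 'ff:fe[0-9a-f]{2}:'; then
        echo "FAIL: no EUI-64 based global address (EUI64_SCOPE would not show 'global')"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: IPv6 state matches the netplan config"
    return "$problems"
}

# Constructed sample of 'ip -6 addr show dev eth0' output for a healthy host.
write_sample_ip6() {
    cat > "$1" <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2404:e80:42e3:0:26::ca6c/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2404:e80:42e3:0:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr 
       valid_lft 86100sec preferred_lft 86100sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link 
       valid_lft forever preferred_lft forever
EOF
}

# Usage on the host: ip -6 addr show dev eth0 > /tmp/ip6.txt && check_ipv6_state /tmp/ip6.txt
```

A leftover temporary address after the reboot usually means the sysctl file was not the one that won; check sysctl net.ipv6.conf.eth0.use_tempaddr and look for a later file in /etc/sysctl.d that sets it back.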

Save a known-good image for convenience

On another system with an SD card reader, take an image of the system after shrinking the filesystem:

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_calico_img_clean_os.img.gz
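The dd count has to cover the partition's start offset plus the shrunk filesystem; cut it short and the image looks fine but will not boot. The script below is an added example (not from the wiki page) that derives the smallest safe count from the partition table as printed by fdisk -l, the size given to resize2fs, and the dd block size. The partition layout in the sample table is constructed, and 512-byte sectors are assumed (the Units line is checked for that).

```sh
#!/bin/sh
# Added example: compute the dd 'count' needed to capture everything up to the
# end of the shrunk root filesystem. Arguments: a file holding 'fdisk -l' output,
# the partition device, the filesystem size in bytes, and dd's bs in bytes.
# Prints ceil((partition start in bytes + fs size) / bs).

dd_count_for_image() {
    table="$1"; part="$2"; fs_bytes="$3"; bs="$4"

    # the arithmetic below assumes 512-byte sectors
    grep -q '^Units: sectors of 1 \* 512 = 512 bytes' "$table" \
        || { echo "unexpected sector size in $table" >&2; return 1; }

    start=$(awk -v p="$part" '$1 == p {print $2}' "$table")
    [ -n "$start" ] || { echo "partition $part not found in $table" >&2; return 1; }

    end_bytes=$((start * 512 + fs_bytes))
    echo $(( (end_bytes + bs - 1) / bs ))   # round up to whole blocks
}

# Constructed sample of 'fdisk -l /dev/mmcblk0' output; the layout is illustrative only.
write_sample_fdisk() {
    cat > "$1" <<'EOF'
Disk /dev/mmcblk0: 14.86 GiB, 15931539456 bytes, 31116288 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: gpt

Device           Start      End  Sectors  Size Type
/dev/mmcblk0p1   32768  1081343  1048576  512M EFI System
/dev/mmcblk0p2 1081344 31116254 30034911 14.3G Linux filesystem
EOF
}

# Usage after 'resize2fs /dev/mmcblk0p2 2G', with 'fdisk -l /dev/mmcblk0' saved to fdisk.txt:
#   count=$(dd_count_for_image fdisk.txt /dev/mmcblk0p2 $((2 * 1024 * 1024 * 1024)) $((4 * 1024 * 1024)))
#   dd bs=4M count="$count" if=/dev/mmcblk0 | pv -br | gzip --fast > clean_os.img.gz
```

For the constructed table the result is 644 blocks of 4M; a table with the root partition starting lower on the card gives a smaller count, which is why the value should be computed rather than copied between boards.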

Pihole

Straightforward basic install, no conflict with other installed services.

  • curl -sSL https://install.pi-hole.net | bash

  • Cloudflare upstream
  • Web interface enabled, full query logging and display
  • Pi-hole DNS (IPv4): 192.168.1.26
  • Pi-hole DNS (IPv6): 2404:e80:42e3:0:1:26:0:ca6c

Admin UI at https://calico.thighhighs.top/admin/

Should probably put the Cloudflare resolvers into the system-wide resolver set, though that means we don't see our own records.

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Firewall

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.

Rate limiting (ufw limit) and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md

apt install ufw
ufw allow ssh
ufw enable

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
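Once the rules above are in, the useful follow-up is a check that the live ruleset still matches them, so a rule added in a hurry shows up as drift. The script below is an added example (not from the wiki page) that compares the output of ufw status against the expected open ports. The expected list is the page's rules in the form ufw displays them (ssh as 22/tcp, http as 80/tcp, https as 443/tcp, domain as 53); that display format, and the sample output, are assumptions about the ufw version on the host. A LIMIT action counts as present, so switching ssh to ufw limit ssh does not trip the check.

```sh
#!/bin/sh
# Added example: check 'ufw status' output against the expected rule set.
# Missing rules are failures; extra open rules are reported but not fatal.
# Returns the number of missing rules (plus one if ufw is not active).

EXPECTED_OPEN="22/tcp 80/tcp 443/tcp 53 67/udp 67/tcp 546:547/udp"

check_ufw_rules() {
    status="$1"
    missing=0

    grep -q '^Status: active' "$status" \
        || { echo "FAIL: ufw is not active"; missing=$((missing + 1)); }

    # every expected rule must appear on an IPv4 row with ALLOW or LIMIT;
    # the '(v6)' rows do not match because '(v6)' follows the port column
    for rule in $EXPECTED_OPEN; do
        grep -Eq "^${rule}[[:space:]]+(ALLOW|LIMIT)[[:space:]]" "$status" \
            || { echo "MISSING: $rule"; missing=$((missing + 1)); }
    done

    # anything else that is open is drift worth explaining (reported, not fatal);
    # on '(v6)' rows column 2 is '(v6)', so they are skipped here as duplicates
    awk '$2 == "ALLOW" || $2 == "LIMIT" {print $1}' "$status" | while read -r open; do
        case " $EXPECTED_OPEN " in
            *" $open "*) ;;
            *) echo "EXTRA: $open is open but not in the expected rule set" ;;
        esac
    done

    [ "$missing" -eq 0 ] && echo "OK: all expected rules present"
    return "$missing"
}

# Constructed sample of 'ufw status' output matching the rules above.
write_sample_ufw_status() {
    cat > "$1" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere
67/udp                     ALLOW       Anywhere
67/tcp                     ALLOW       Anywhere
546:547/udp                ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Usage on the host: ufw status > /tmp/ufw.txt && check_ufw_rules /tmp/ufw.txt
```

Running this from cron and mailing non-empty output gives a cheap drift alarm; EXTRA lines are the ones to read first, since every port listed there is reachable from the LAN without being in the notes above.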