|
Size: 6611
Comment: rewritten up to networking stage
|
← Revision 14 as of 2025-03-13 13:46:46 ⇥
Size: 11795
Comment: plans to get an RPi 5
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| * Radxa Rock Pi S * Ubuntu 20.04 (custom Radxa 4.4 kernel) {{{ Linux calico.thighhighs.top 4.4.143-65-rockchip-g58431d38f8f3 #1 SMP PREEMPT Sat Aug 14 09:31:07 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux }}} |
* [[https://wiki.radxa.com/RockpiS| Radxa Rock Pi S]], a teeny little ARM computer with PoE and 100Mb ethernet * Running Armbian this time, I've got `Armbian_23.8.1_Rockpi-s_bookworm_current_6.1.50.img.xz` {{{ Linux calico 6.1.50-current-rockchip64 #3 SMP PREEMPT Wed Aug 30 14:11:13 UTC 2023 aarch64 GNU/Linux }}} Much newer than the 4.4 kernel that Radxa distributes themselves |
| Line 11: | Line 11: |
| == Hardware replacement notes == calico has been having issues, not sure if it'll work again after rebuilding it. In case it doesn't, the plan is something like an RPi5 with PoE hat. My God it is terrible using the internet at home without adblocking, eugh. * RPi 5 with 4GB RAM: https://core-electronics.com.au/raspberry-pi-5-model-b-4gb.html * RPi 5 active cooler: https://core-electronics.com.au/raspberry-pi-5-active-cooler.html * RPi 5 official case: https://core-electronics.com.au/raspberry-pi-5-case-red-white-official.html * RPi 5 PoE hat: https://core-electronics.com.au/power-over-ethernet-hat-g-raspberry-pi-5-5v-5a.html It'll be about $163 AUD including shipping. I could get another mini PC as those are great, but the PoE capability of the RPi is really really nice - it just doesn't need the grunt. Arguably the RPi 5 is too much and I should use an RPi 4, but it's better to get newer more capable hardware when the price difference is small anyway. |
|
| Line 13: | Line 27: |
| Used this to write the [[../RockPiS| general guide for Rock Pi S]] hardware. | I previously wrote [[../RockPiS| general notes for Rock Pi S]] hardware based on using the Radxa distro, this time I'm trying something different. |
| Line 17: | Line 31: |
| * Image the SD card and let it boot, it'll get on the network with DHCP * Copy your SSH key, the password is rock {{{ ssh-copy-id rock@IP |
* Image the SD card with Etcher and let it boot, it'll get on the network with DHCP * The MAC address will be something random, as these boards don't have a real burnt-in MAC address, so you'll need to find it. * Login with root // 1234 * Let it run the firstrun thing to set the root password to something secure, and record it safely. Select bash or zsh, your choice. * Skip user account creation, I won't be using that * Copy your SSH key to the box, using the freshly-set root password {{{ ssh-copy-id root@IP |
| Line 22: | Line 40: |
| ssh rock@IP }}} * Set a strong random password, this will be used for both rock and root {{{ passwd }}} * Sudo up and set the same password for root {{{ sudo -i passwd }}} Record the new password somewhere safe * Lock the rock account now, note that this still permits key access {{{ usermod -L rock }}} * Grab the rock user's `authorized_keys` so root can use it {{{ mkdir -m 0700 /root/.ssh cp /home/rock/.ssh/authorized_keys /root/.ssh/ chown root:root /root/.ssh/authorized_keys ; chmod 0600 /root/.ssh/authorized_keys }}} * Regenerate SSH host keys, we don't know what was installed with the OS image {{{ |
ssh root@IP }}} * Regenerate SSH host keys to ensure they're clean {{{ |
| Line 43: | Line 46: |
| * You could do `ssh-keygen -A` as an alternative, but it'll generate DSA keys as well which we don't want | * We only want to use ed25519 as well {{{ echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config.d/10-ed25519-hostkey-only.conf }}} |
| Line 45: | Line 50: |
| * Delete the entries from your known_hosts file | * Delete the entries from your local known_hosts file |
| Line 48: | Line 53: |
| Go ahead and reboot to make sure everything is clean. === Run armbian-config to configure the host === * System * CPU: choose the min/max speeds, use ondemand governor * Avahi: Let's announce, I guess * Hardware * Check `bs@1.3ghz` (I think this is fine for v1.3 RockPiS board * Firmware: Apply all updates, don't reboot * Network * IP * end0 * Static: 192.168.1.26 // 24 // 192.168.1.1 // 8.8.8.8 * Personal * Timezone: Australia/Sydney * Locales * Enable `en_AU.UTF-8` * Leave `en_US.UTF-8` enabled too * Select `en_AU.UTF-8` as default for system * Hostname: calico * Welcome * 10 Armbian header * 30 Armbian sysinfo * 40 Armbian updates * 41 Armbian config * 98 Armbian autoreboot warn * !! /etc/update-motd.d/ seems to be missing * Exit and run armbian-config again, seems fine now Some notes on the key setup from the Armbian forums: https://forum.armbian.com/topic/23465-apt-get-update-fails-with-public-key-errors/page/2/#comment-178626 I got this error on 2024-04-25 and re/adding the key fixed the issue. {{{ # This is deprecated, but I think it still works wget -qO - http://fi.mirror.armbian.de/apt/armbian.key | sudo apt-key add - # This isn't really necessary but can't hurt cd /etc/apt/trusted.gpg.d/ wget http://fi.mirror.armbian.de/apt/armbian.key mv armbian.key armbian.asc # The linked guide actually suggests doing this: wget https://apt.armbian.com/armbian.key -O key gpg --dearmor < key | sudo tee /usr/share/keyrings/armbian.gpg > /dev/null chmod go+r /usr/share/keyrings/armbian.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/armbian.gpg] http://apt.armbian.com $(lsb_release -cs) main $(lsb_release -cs)-utils $(lsb_release -cs)-desktop" | tee /etc/apt/sources.list.d/armbian.list apt update }}} |
|
| Line 51: | Line 105: |
| * Armbian doesn't seem to load root's bashrc so we trigger it ourselves {{{ echo -e "if [ -f ~/.bashrc ] ; then\n . ~/.bashrc\nfi" > /root/.profile }}} * Enable shell timestamping for root, as our usual bashrd.d won't be imported here {{{ echo -e "\n# Timestamped shell FTW\nexport HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '" >> /root/.bashrc }}} |
|
| Line 54: | Line 114: |
| * Update hostname in /etc/hosts * Uncomment the IPv6 entries in /etc/hosts as well |
|
| Line 69: | Line 127: |
| z x c b s 1.5 <Enter> | z x c s 1.5 <Enter> |
| Line 72: | Line 130: |
| * Disable wifi and bluetooth, we don't need them and it slows down boot {{{ | * Disable wifi, we don't need it and it slows down boot {{{ |
| Line 74: | Line 132: |
| systemctl disable bluetooth.service --now systemctl disable rtl8723ds-btfw-load.service --now echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist rtl8723ds" > /etc/modprobe.d/blacklist-radios.conf |
systemctl disable rpcbind.socket --now systemctl stop rpcbind.service echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist 8723ds" > /etc/modprobe.d/blacklist-radios.conf |
| Line 82: | Line 140: |
| apt install -y vim screen bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail netbase wget curl python-is-python3 net-tools ack jq make elinks nmap whois ethtool bind9-dnsutils apt-utils man-db | apt install -y ack bind9-dnsutils elinks net-tools netcat-openbsd nmap python-is-python3 screen strace tcpdump vim wget whiptail whois |
| Line 91: | Line 149: |
We've already got the static IPv4 address, but let's make sure we've got this complete. |
|
| Line 97: | Line 157: |
| * This is a nifty site for testing: http://ip.bieringer.net/ - Look at `EUI64_SCOPE` and see if it's random/privacy/global. Global is probably what we want for servers. | |
| Line 99: | Line 160: |
| We'll use netplan to do this, as it greatly simplifies getting what we want without needing to faff around with config in multiple places. * Disable IPv6 privacy addresses, they're enabled by default on Ubuntu {{{ sed -r -i 's/tempaddr = 2/tempaddr = 0/' /etc/sysctl.d/10-ipv6-privacy.conf systemctl restart procps }}} This is a nifty site for testing: http://ip.bieringer.net/ - Look at `EUI64_SCOPE` and see if it's random/privacy/global. Global is probably what we want for servers. * Install netplan {{{ apt install -y netplan.io }}} * Remove network-manager, we want to use networkd instead {{{ apt purge network-manager networkmanager-patch rm -rf /etc/NetworkManager/ apt autoremove }}} * Write the network config in `/etc/netplan/10-thighhighs.yaml` {{{ network: version: 2 renderer: networkd ethernets: eth0: critical: true dhcp-identifier: mac dhcp4: false dhcp6: true dhcp6-overrides: use-dns: false ipv6-privacy: false addresses: - "192.168.1.26/24" # :1:26 for the .1.26 IPv4, ca6c == 51820, the default Wireguard port - "2404:e80:42e3:0:26:0:0:ca6c/64" routes: - to: 0.0.0.0/0 via: 192.168.1.1 on-link: true nameservers: addresses: - 192.168.1.20 - 192.168.1.24 - fe80::e65f:1ff:fe1c:c6ea - fe80::ba27:ebff:fe8c:f4f8 search: - thighhighs.top }}} * Sanity check the generated config, hope it doesn't complain {{{ netplan generate netplan apply }}} * Reboot and cross your fingers |
The connection is managed by Network Manager, so let's try sticking with that for now. `nmtui` to edit the connection * Rename it to `Ethernet` or something easier * IPv4 * Set DNS servers to 8.8.8.8 and 8.8.4.4 * Add search domain `thighhighs.top` * IPv6 * Add v6 address 2404:e80:42e3:0:201:26:314:159 * Note that this respects the EUI-64 derivation, changing `:1:26` to `:201:26` * Add search domain `thighhighs.top` Reboot and cross your fingers |
| Line 160: | Line 179: |
| resize2fs /dev/mmcblk0p2 2G dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_calico_img_clean_os.img.gz }}} |
resize2fs -M /dev/mmcblk0p2 # Use cfdisk or parted to shrink the partition to a bit larger than the FS, has just been reported. # In this case it's just over 1GiB, so I'll shrink the partition to 1.1GiB. # Now take the image, capture a bit more than the size of the partitions. # boot+root partitions are ~1.22GiB (1254MiB) here, so I'll capture 1300MiB just to be sure. dd bs=1M count=1300 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-12-13_calico_img_clean_os.img.gz }}} If you ever need to restore this image, make sure to run `resize-assistant` afterwards. As well as growing the FS, it needs to locate the backup GPT table at the end of the disk. At the very least you need to run `sgdisk -e /dev/mmcblk0` and then `partprobe` to clean that up. If you want to expand the filesystem manually: 1. Boot the image you just restored to the SD card 2. `sgdisk -e /dev/mmcblk0` 3. `partprobe` 4. Use parted or cfdisk to expand the 2nd partition to the desired size (or the whole disk) 5. `resize2fs /dev/mmcblk0p2` |
| Line 170: | Line 204: |
| * Cloudflare upstream | * Google upstream * Use suggested blocklist |
| Line 172: | Line 207: |
| * Pi-hole DNS (IPv4): 192.168.1.26 * Pi-hole DNS (IPv6): 2404:e80:42e3:0:1:26:0:ca6c |
{{{ [i] Web Interface password: iMm9OBVz [i] This can be changed using 'pihole -a -p' [i] View the web interface at http://pi.hole/admin or http://192.168.1.26/admin [i] You may now configure your devices to use the Pi-hole as their DNS server [i] Pi-hole DNS (IPv4): 192.168.1.26 [i] Pi-hole DNS (IPv6): 2404:e80:42e3:0:39d1:1547:50dd:bce7 [i] If you have not done so already, the above IP should be set to static. [i] The install log is located at: /etc/pihole/install.log }}} |
| Line 177: | Line 224: |
| Should probably put cloudflare resolvers into the systemwide resolver set, meaning we don't see our own records though. * 1.1.1.1 * 1.0.0.1 * 2606:4700:4700::1111 * 2606:4700:4700::1001 |
Update our network config to use localhost resolvers only. This gives us the sum of what pihole/dnsmasq knows from local static configs, plus whatever is forwarded to Cloudflare. * Ether1 * IPv4 DNS: `127.0.0.1` * IPv6 DNS: `::1` * Ignore automatically obtained DNS parameters In Pihole, enable IPv6 upstreams, and '''Respond only on interface end0''', in http://calico.thighhighs.top/admin/settings.php?tab=dns This is important as the default setting won't answer queries from other LAN subnets (eg. VPN, IOT segments). Enable conditional forwarding. === TLS support === |
| Line 185: | Line 240: |
| * Copy the cert to `/etc/ssl/STAR_thighhighs_top.combined.pem`, which is a concatenation of the key, the cert, the intermediate CA chain, and apparently the root CA's cert in my case. I dunno why I did that. * Install the `mod_openssl` for lighttpd: {{{ apt install lighttpd-mod-openssl }}} * Create `/etc/lighttpd/conf-enabled/pihole-tls.conf` with the following contents {{{#!conf server.modules += ( "mod_openssl" ) $HTTP["host"] =~ "^[a-zA-Z0-9-_]+\.thighhighs\.top$" { # Ensure the Pi-hole Block Page knows that this is not a blocked domain setenv.add-environment = ("fqdn" => "true") # TLS cert for Pihole admin interface $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/STAR_thighhighs_top.combined.pem" ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference") } $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/STAR_thighhighs_top.combined.pem" ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference") } # Redirect HTTP to HTTPS $HTTP["scheme"] == "http" { $HTTP["host"] =~ ".*" { url.redirect = (".*" => "https://%0$0") } } } }}} * Then restart lighttpd and it should just work. |
|
| Line 193: | Line 280: |
| apt install ufw ufw allow ssh |
apt install -y ufw ufw allow from 192.168.1.0/24 to any app OpenSSH ufw allow from 2404:e80:42e3:0::/64 to any app OpenSSH |
calico
Radxa Rock Pi S, a teeny little ARM computer with PoE and 100Mb ethernet
Running Armbian this time, I've got Armbian_23.8.1_Rockpi-s_bookworm_current_6.1.50.img.xz
Linux calico 6.1.50-current-rockchip64 #3 SMP PREEMPT Wed Aug 30 14:11:13 UTC 2023 aarch64 GNU/Linux
Much newer than the 4.4 kernel that Radxa distributes themselves- Located at home
Contents
Hardware replacement notes
calico has been having issues, not sure if it'll work again after rebuilding it. In case it doesn't, the plan is something like an RPi5 with PoE hat.
My God it is terrible using the internet at home without adblocking, eugh.
RPi 5 with 4GB RAM: https://core-electronics.com.au/raspberry-pi-5-model-b-4gb.html
RPi 5 active cooler: https://core-electronics.com.au/raspberry-pi-5-active-cooler.html
RPi 5 official case: https://core-electronics.com.au/raspberry-pi-5-case-red-white-official.html
RPi 5 PoE hat: https://core-electronics.com.au/power-over-ethernet-hat-g-raspberry-pi-5-5v-5a.html
It'll be about $163 AUD including shipping. I could get another mini PC as those are great, but the PoE capability of the RPi is really really nice - it just doesn't need the grunt. Arguably the RPi 5 is too much and I should use an RPi 4, but it's better to get newer more capable hardware when the price difference is small anyway.
Build notes
I previously wrote general notes for Rock Pi S hardware based on using the Radxa distro, this time I'm trying something different.
Image and setup SSH keys
- Image the SD card with Etcher and let it boot, it'll get on the network with DHCP
- The MAC address will be something random, as these boards don't have a real burnt-in MAC address, so you'll need to find it.
- Login with root // 1234
- Let it run the firstrun thing to set the root password to something secure, and record it safely. Select bash or zsh, your choice.
- Skip user account creation, I won't be using that
Copy your SSH key to the box, using the freshly-set root password
ssh-copy-id root@IP
Login again, now it'll use your SSH key
ssh root@IP
Regenerate SSH host keys to ensure they're clean
rm /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server
We only want to use ed25519 as well
echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config.d/10-ed25519-hostkey-only.conf
- Logout completely
- Delete the entries from your local known_hosts file
- SSH again as root@IP, accepting the new keys. It'll use your SSH key instead of asking for password now.
Go ahead and reboot to make sure everything is clean.
Run armbian-config to configure the host
- System
- CPU: choose the min/max speeds, use ondemand governor
- Avahi: Let's announce, I guess
- Hardware
Check bs@1.3ghz (I think this is fine for v1.3 RockPiS board
- Firmware: Apply all updates, don't reboot
- Network
- IP
- end0
- Static: 192.168.1.26 // 24 // 192.168.1.1 // 8.8.8.8
- end0
- IP
- Personal
- Timezone: Australia/Sydney
- Locales
Enable en_AU.UTF-8
Leave en_US.UTF-8 enabled too
Select en_AU.UTF-8 as default for system
- Locales
- Hostname: calico
- Welcome
- 10 Armbian header
- 30 Armbian sysinfo
- 40 Armbian updates
- 41 Armbian config
- 98 Armbian autoreboot warn
- !! /etc/update-motd.d/ seems to be missing
- Exit and run armbian-config again, seems fine now
- Timezone: Australia/Sydney
Some notes on the key setup from the Armbian forums: https://forum.armbian.com/topic/23465-apt-get-update-fails-with-public-key-errors/page/2/#comment-178626
I got this error on 2024-04-25 and re/adding the key fixed the issue.
# This is deprecated, but I think it still works wget -qO - http://fi.mirror.armbian.de/apt/armbian.key | sudo apt-key add - # This isn't really necessary but can't hurt cd /etc/apt/trusted.gpg.d/ wget http://fi.mirror.armbian.de/apt/armbian.key mv armbian.key armbian.asc # The linked guide actually suggests doing this: wget https://apt.armbian.com/armbian.key -O key gpg --dearmor < key | sudo tee /usr/share/keyrings/armbian.gpg > /dev/null chmod go+r /usr/share/keyrings/armbian.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/armbian.gpg] http://apt.armbian.com $(lsb_release -cs) main $(lsb_release -cs)-utils $(lsb_release -cs)-desktop" | tee /etc/apt/sources.list.d/armbian.list apt update
Basic environment stuff
Armbian doesn't seem to load root's bashrc so we trigger it ourselves
echo -e "if [ -f ~/.bashrc ] ; then\n . ~/.bashrc\nfi" > /root/.profile
Enable shell timestamping for root, as our usual bashrd.d won't be imported here
echo -e "\n# Timestamped shell FTW\nexport HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '" >> /root/.bashrc
Set hostname:
hostnamectl set-hostname calico.thighhighs.top
Set timezone
timedatectl set-timezone Australia/Sydney
Set editor
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
Disable HashKnownHosts
echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
Configure screen
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
Configure top by entering this cheatcode
z x c s 1.5 <Enter> e <zero> 1 W q
Disable wifi, we don't need it and it slows down boot
systemctl disable wpa_supplicant.service --now systemctl disable rpcbind.socket --now systemctl stop rpcbind.service echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist 8723ds" > /etc/modprobe.d/blacklist-radios.conf update-initramfs -u
Install useful packages
apt update apt install -y ack bind9-dnsutils elinks net-tools netcat-openbsd nmap python-is-python3 screen strace tcpdump vim wget whiptail whois
Do a full upgrade then reboot
apt full-upgrade reboot
Configure networking
We've already got the static IPv4 address, but let's make sure we've got this complete.
What we want:
- Static IPv4 addressing
- Autoconfig dynamic IPv6 addressing
- Global stable IPv6 addresses (I guess)
- Add a locally-defined static IPv6 address, that other hosts can refer to via DNS etc
This is a nifty site for testing: http://ip.bieringer.net/ - Look at EUI64_SCOPE and see if it's random/privacy/global. Global is probably what we want for servers.
- DNS resolvers will be manually defined
The connection is managed by Network Manager, so let's try sticking with that for now.
nmtui to edit the connection
Rename it to Ethernet or something easier
- IPv4
- Set DNS servers to 8.8.8.8 and 8.8.4.4
Add search domain thighhighs.top
- IPv6
- Add v6 address 2404:e80:42e3:0:201:26:314:159
Note that this respects the EUI-64 derivation, changing :1:26 to :201:26
Add search domain thighhighs.top
- Add v6 address 2404:e80:42e3:0:201:26:314:159
Reboot and cross your fingers
Save a known-good image for convenience
On another system with an SD card reader, take an image of the system after shrinking the filesystem
e2fsck -f /dev/mmcblk0p2 resize2fs -M /dev/mmcblk0p2 # Use cfdisk or parted to shrink the partition to a bit larger than the FS, has just been reported. # In this case it's just over 1GiB, so I'll shrink the partition to 1.1GiB. # Now take the image, capture a bit more than the size of the partitions. # boot+root partitions are ~1.22GiB (1254MiB) here, so I'll capture 1300MiB just to be sure. dd bs=1M count=1300 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-12-13_calico_img_clean_os.img.gz
If you ever need to restore this image, make sure to run resize-assistant afterwards. As well as growing the FS, it needs to locate the backup GPT table at the end of the disk. At the very least you need to run sgdisk -e /dev/mmcblk0 and then partprobe to clean that up.
If you want to expand the filesystem manually:
- Boot the image you just restored to the SD card
sgdisk -e /dev/mmcblk0
partprobe
- Use parted or cfdisk to expand the 2nd partition to the desired size (or the whole disk)
resize2fs /dev/mmcblk0p2
Pihole
Straightforward basic install, no conflict with other installed services.
curl -sSL https://install.pi-hole.net | bash
- Google upstream
- Use suggested blocklist
- Web interface enabled, full query logging and display
[i] Web Interface password: iMm9OBVz [i] This can be changed using 'pihole -a -p' [i] View the web interface at http://pi.hole/admin or http://192.168.1.26/admin [i] You may now configure your devices to use the Pi-hole as their DNS server [i] Pi-hole DNS (IPv4): 192.168.1.26 [i] Pi-hole DNS (IPv6): 2404:e80:42e3:0:39d1:1547:50dd:bce7 [i] If you have not done so already, the above IP should be set to static. [i] The install log is located at: /etc/pihole/install.log
Admin UI at https://calico.thighhighs.top/admin/
Update our network config to use localhost resolvers only. This gives us the sum of what pihole/dnsmasq knows from local static configs, plus whatever is forwarded to Cloudflare.
- Ether1
IPv4 DNS: 127.0.0.1
IPv6 DNS: ::1
- Ignore automatically obtained DNS parameters
In Pihole, enable IPv6 upstreams, and Respond only on interface end0, in http://calico.thighhighs.top/admin/settings.php?tab=dns
This is important as the default setting won't answer queries from other LAN subnets (eg. VPN, IOT segments).
Enable conditional forwarding.
TLS support
Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17
Copy the cert to /etc/ssl/STAR_thighhighs_top.combined.pem, which is a concatenation of the key, the cert, the intermediate CA chain, and apparently the root CA's cert in my case. I dunno why I did that.
Install the mod_openssl for lighttpd:
apt install lighttpd-mod-openssl
Create /etc/lighttpd/conf-enabled/pihole-tls.conf with the following contents
server.modules += ( "mod_openssl" ) $HTTP["host"] =~ "^[a-zA-Z0-9-_]+\.thighhighs\.top$" { # Ensure the Pi-hole Block Page knows that this is not a blocked domain setenv.add-environment = ("fqdn" => "true") # TLS cert for Pihole admin interface $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/STAR_thighhighs_top.combined.pem" ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference") } $SERVER["socket"] == "[::]:443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/STAR_thighhighs_top.combined.pem" ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference") } # Redirect HTTP to HTTPS $HTTP["scheme"] == "http" { $HTTP["host"] =~ ".*" { url.redirect = (".*" => "https://%0$0") } } }- Then restart lighttpd and it should just work.
Firewall
As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.
Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md
apt install -y ufw ufw allow from 192.168.1.0/24 to any app OpenSSH ufw allow from 2404:e80:42e3:0::/64 to any app OpenSSH ufw enable # Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw ufw allow http ufw allow https ufw allow domain ufw allow 67/udp ufw allow 67/tcp ufw allow 546:547/udp