
calico

Build notes

I previously wrote general notes for Rock Pi S hardware based on using the Radxa distro, this time I'm trying something different.

Image and setup SSH keys

Go ahead and reboot to make sure everything is clean.

Run armbian-config to configure the host

Some notes on the key setup from the Armbian forums: https://forum.armbian.com/topic/23465-apt-get-update-fails-with-public-key-errors/page/2/#comment-178626

I got this error on 2024-04-25 and re-adding the key fixed the issue.

# apt-key is deprecated, and a key added this way is trusted for every repository,
# not just Armbian's. It still works on current releases.
wget -qO - http://fi.mirror.armbian.de/apt/armbian.key | sudo apt-key add -

# Dropping the armoured key into trusted.gpg.d has the same effect (apt reads .asc
# files there). Not necessary if the signed-by entry below is used.
sudo wget -O /etc/apt/trusted.gpg.d/armbian.asc http://fi.mirror.armbian.de/apt/armbian.key

# The linked guide actually suggests the signed-by form, which scopes the key to the
# Armbian repository only. The key is fetched over HTTPS here; before installing it,
# compare its fingerprint (gpg --show-keys key) with the one Armbian publishes.
wget https://apt.armbian.com/armbian.key -O key
gpg --dearmor < key | sudo tee /usr/share/keyrings/armbian.gpg > /dev/null
sudo chmod go+r /usr/share/keyrings/armbian.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/armbian.gpg] http://apt.armbian.com $(lsb_release -cs) main $(lsb_release -cs)-utils $(lsb_release -cs)-desktop" | sudo tee /etc/apt/sources.list.d/armbian.list
sudo apt update

Basic environment stuff

Configure networking

We've already got the static IPv4 address, but let's make sure we've got this complete.

What we want:

The connection is managed by Network Manager, so let's try sticking with that for now.

nmtui to edit the connection

Reboot and cross your fingers

Save a known-good image for convenience

On another system with an SD card reader, take an image of the system after shrinking the filesystem

# Device names are as seen on the imaging host; an SD card reader may show up as /dev/sdX instead.
e2fsck -f /dev/mmcblk0p2
resize2fs -M /dev/mmcblk0p2

# Use cfdisk or parted to shrink the partition to a bit larger than the filesystem size resize2fs just reported.
# In this case it's just over 1GiB, so I'll shrink the partition to 1.1GiB.

# Now take the image, capturing a bit more than the end of the last partition.
# boot+root partitions are ~1.22GiB (1254MiB) here, so I'll capture 1300MiB just to be sure.
# Everything past that point, including the backup GPT header at the end of the card, is left out on purpose.
dd bs=1M count=1300 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-12-13_calico_img_clean_os.img.gz

If you ever need to restore this image, make sure to run resize-assistant afterwards. As well as growing the FS, it needs to relocate the backup GPT table to the end of the (larger) card, because the truncated image only carried the primary table. At the very least you need to run sgdisk -e /dev/mmcblk0 and then partprobe to clean that up.

If you want to expand the filesystem manually:

  1. Boot the image you just restored to the SD card
  2. sgdisk -e /dev/mmcblk0
  3. partprobe
  4. Use parted or cfdisk to expand the 2nd partition to the desired size (or the whole disk)
  5. resize2fs /dev/mmcblk0p2
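The dd count above was eyeballed from the partition sizes. As an added example (not from the original page), the helper below derives it from the partition table instead, and checks that the shrunk partition still holds the filesystem before you commit to it. The SAMPLE_DUMP text is constructed to look like `sfdisk --dump` output for a two-partition card; it is not real calico output.

```shell
#!/bin/sh
# Added example, not from the original page: derive the `dd count=` value from
# `sfdisk --dump /dev/mmcblk0` instead of eyeballing it. SAMPLE_DUMP is a
# constructed stand-in for that output (512-byte sectors, boot + root).

SAMPLE_DUMP='label: gpt
label-id: 7C2B9B4E-0000-4000-8000-000000000001
device: /dev/mmcblk0
unit: sectors
first-lba: 34
last-lba: 62333918
sector-size: 512

/dev/mmcblk0p1 : start=       32768, size=      262144, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="boot"
/dev/mmcblk0p2 : start=      294912, size=     2252800, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="root"'

# Print the number of MiB to pass to `dd bs=1M count=`: the highest partition
# end rounded up to a whole MiB, plus headroom (default 16 MiB).
# Usage: image_mib_needed "$(sfdisk --dump /dev/mmcblk0)" [headroom_mib]
image_mib_needed() {
    _dump=$1
    _headroom=${2:-16}
    _sector_size=$(printf '%s\n' "$_dump" | awk -F': *' '/^sector-size:/ { print $2 }')
    printf '%s\n' "$_dump" | awk -v ss="${_sector_size:-512}" -v hr="$_headroom" '
        # Partition lines look like: /dev/mmcblk0p2 : start=  294912, size= 2252800, ...
        /^\/dev\/[^ ]+ : / {
            if (match($0, /start= *[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH); sub(/^start= */, "", s); start = s + 0
            }
            if (match($0, /size= *[0-9]+/)) {
                z = substr($0, RSTART, RLENGTH); sub(/^size= */, "", z); size = z + 0
            }
            end = start + size
            if (end > max_end) max_end = end
        }
        END {
            bytes = max_end * ss
            mib = int((bytes + 1048575) / 1048576)   # round up to a whole MiB
            print mib + hr
        }'
}

# Sanity check before shrinking the partition: it must still hold the filesystem.
# Arguments: block count and block size as reported by resize2fs -M (or dumpe2fs),
# and the candidate partition size in MiB. Returns 0 if the filesystem fits.
partition_fits_fs() {
    _blocks=$1; _block_size=$2; _part_mib=$3
    [ $(( _blocks * _block_size )) -le $(( _part_mib * 1048576 )) ]
}
```

On the imaging host this becomes `dd bs=1M count=$(image_mib_needed "$(sfdisk --dump /dev/mmcblk0)") if=/dev/mmcblk0 | pv -br | gzip --fast > image.img.gz`; the headroom only needs to cover the primary GPT and rounding, since the backup table is deliberately left off and rebuilt with sgdisk -e on restore.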

Pihole

Straightforward basic install, no conflict with other installed services.

  [i] Web Interface password: [redacted]
  [i] This can be changed using 'pihole -a -p'

  [i] View the web interface at http://pi.hole/admin or http://192.168.1.26/admin

  [i] You may now configure your devices to use the Pi-hole as their DNS server
  [i] Pi-hole DNS (IPv4): 192.168.1.26
  [i] Pi-hole DNS (IPv6): 2404:e80:42e3:0:39d1:1547:50dd:bce7
  [i] If you have not done so already, the above IP should be set to static.

  [i] The install log is located at: /etc/pihole/install.log

Admin UI at https://calico.thighhighs.top/admin/

Update our network config to use the localhost resolvers only, so the host itself resolves through Pi-hole. This gives us the sum of what pihole/dnsmasq knows from local static configs, plus whatever is forwarded to Cloudflare.

In Pi-hole's DNS settings (http://calico.thighhighs.top/admin/settings.php?tab=dns), enable the IPv6 upstreams and set the interface setting to "Respond only on interface end0".

This matters because the default ("Allow only local requests") refuses queries from subnets that aren't directly attached, so clients on the VPN and IoT segments would get no answers. With "Respond only on interface end0" the source address is no longer checked, so the firewall rules further down are what stops the resolver answering anyone who can reach port 53.

Enable conditional forwarding.
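As an added example (not the page's own config), this is what the NetworkManager keyfile behind the nmtui connection looks like once the resolver change above is made: the static IPv4 address from the Pi-hole install output, and both address families pointed at the local Pi-hole. The file name and connection id, the IPv4 gateway, and the whole IPv6 address and gateway are assumptions; the IPv6 prefix is the one used in the firewall rules.

```ini
# /etc/NetworkManager/system-connections/end0.nmconnection (assumed name).
# Added example, not from the original page.
[connection]
id=end0
type=ethernet
interface-name=end0

[ethernet]

[ipv4]
method=manual
# 192.168.1.26/24 is the address from the Pi-hole install output; the
# gateway 192.168.1.1 is an assumption.
address1=192.168.1.26/24,192.168.1.1
# Resolve through the local Pi-hole only, and never accept DNS servers
# offered by DHCP or router advertisements.
dns=127.0.0.1;
ignore-auto-dns=true

[ipv6]
method=manual
# Assumed static address and gateway inside the 2404:e80:42e3:0::/64 prefix
# from the firewall rules; the SLAAC address the installer printed would change.
address1=2404:e80:42e3::26/64,2404:e80:42e3::1
dns=::1;
ignore-auto-dns=true
```

NetworkManager ignores keyfiles that are not owned by root with mode 0600. After editing, run `nmcli connection reload` and `nmcli connection up end0`, then confirm that /etc/resolv.conf lists only 127.0.0.1 and ::1 and that `dig @127.0.0.1 pi.hole` answers, before rebooting.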

TLS support

Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17
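For reference, an added example (not from the page or the linked thread) of the lighttpd fragment such a setup boils down to on a Pi-hole v5 host, assuming a combined certificate-plus-key PEM at a placeholder path and the calico.thighhighs.top name. Pi-hole's lighttpd.conf includes external.conf, so that is where it goes.

```conf
# /etc/lighttpd/external.conf on the Pi-hole host. Added example, not the
# page's own config; the certificate path is a placeholder.
# mod_openssl provides TLS. Add mod_redirect to the list as well if Pi-hole's
# lighttpd.conf does not already load it.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/calico.thighhighs.top.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
}

# Send plain-HTTP requests for the admin UI to HTTPS, but only for the host
# name the certificate covers.
$HTTP["scheme"] == "http" {
    $HTTP["host"] == "calico.thighhighs.top" {
        url.redirect = ("" => "https://calico.thighhighs.top${url.path}${qsa}")
    }
}
```

The redirect is deliberately limited to the calico.thighhighs.top host header: the certificate only covers that name, so a blanket HTTP-to-HTTPS redirect would turn http://pi.hole/admin into a certificate warning. Check the result with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before restarting the service.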

Firewall

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.

ufw limit on SSH (rate limiting) and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md

apt install -y ufw
# SSH only from the LAN, added before enabling so the current session survives.
ufw allow from 192.168.1.0/24 to any app OpenSSH
ufw allow from 2404:e80:42e3:0::/64 to any app OpenSSH
ufw enable

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
# These are open to any source. Fine while the host is LAN-only, but if it is ever
# reachable from the internet, "domain" makes it an open resolver.
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
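Since Pi-hole is now answering any source that reaches end0, the firewall is the only thing scoping the resolver. As an added example (not from the page or the Pi-hole docs), the script below applies the same policy but limits DNS and the admin UI to the segments that should be using them. 192.168.1.0/24 and 2404:e80:42e3:0::/64 are from this page; 10.8.0.0/24 stands in for the VPN segment and is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: the ufw policy above with DNS and
# the admin UI limited to trusted client subnets instead of `ufw allow domain`
# for any source. 10.8.0.0/24 is an assumed VPN segment.
set -eu

# Client subnets allowed to use the resolver and reach the admin UI.
TRUSTED_NETS=${TRUSTED_NETS:-"192.168.1.0/24 2404:e80:42e3:0::/64 10.8.0.0/24"}

# Set RUN=echo to print the ufw commands instead of executing them.
RUN=${RUN:-}

# Per-subnet rules: SSH, DNS over both transports, and the web UI.
pihole_client_rules() {
    for net in $TRUSTED_NETS; do
        $RUN ufw allow from "$net" to any app OpenSSH
        $RUN ufw allow from "$net" to any port 53 proto udp comment 'pihole dns'
        $RUN ufw allow from "$net" to any port 53 proto tcp comment 'pihole dns'
        $RUN ufw allow from "$net" to any port 80,443 proto tcp comment 'pihole admin'
    done
}

# DHCP cannot be scoped by client subnet: a DHCPv4 DISCOVER arrives from
# 0.0.0.0 and DHCPv6 from the client's link-local address. Only needed when
# Pi-hole's own DHCP server is enabled.
pihole_dhcp_rules() {
    $RUN ufw allow 67/udp comment 'dhcpv4'
    $RUN ufw allow from fe80::/10 to any port 546:547 proto udp comment 'dhcpv6'
}

# Default-deny inbound, add the allow rules, then enable. The OpenSSH rules
# are in place before enabling so a remote session is not cut off.
apply_pihole_firewall() {
    $RUN ufw default deny incoming
    $RUN ufw default allow outgoing
    pihole_client_rules
    pihole_dhcp_rules
    $RUN ufw --force enable
}

# Run with `apply` to configure the host; anything else is a no-op so the
# file can be sourced or dry-run with RUN=echo.
if [ "${1:-}" = "apply" ]; then
    apply_pihole_firewall
fi
```

Dry-run it first with `RUN=echo sh pihole-ufw.sh apply` and compare against `ufw status numbered` afterwards; a new segment (another VPN or IoT VLAN) is then a matter of adding it to TRUSTED_NETS rather than widening a rule to any source.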

MeidokonWiki: servers/calico (last edited 2024-04-25 02:17:47 by furinkan)