Revision 1 as of 2021-12-13 04:57:35

calico

  • Radxa Rock Pi S
  • Ubuntu 20.04 (custom Radxa 4.4 kernel)

    Linux calico.thighhighs.top 4.4.143-65-rockchip-g58431d38f8f3 #1 SMP PREEMPT Sat Aug 14 09:31:07 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
  • Located at home

Contents

  1. calico
    1. Build notes
      1. Image and setup SSH keys
      2. Basic environment stuff
      3. Configure networking
      4. Save a known-good image for convenience
    2. Pihole
    3. Firewall

Build notes

Used this to write the general guide for Rock Pi S hardware.

Image and setup SSH keys

  • Image the SD card and let it boot; it'll get on the network via DHCP
  • Copy your SSH key; the password is rock

    ssh-copy-id rock@IP
  • Login again, now it'll use your SSH key

    ssh rock@IP
  • Set a strong random password; this will be used for both rock and root

    passwd
  • Sudo up and set the same password for root

    sudo -i
    passwd
    Record the new password somewhere safe
  • Lock the rock account now; note that this still permits SSH key access

    usermod -L rock
  • Grab the rock user's authorized_keys so root can use it

    mkdir -m 0700 /root/.ssh
    cp /home/rock/.ssh/authorized_keys /root/.ssh/
    chown root:root /root/.ssh/authorized_keys ; chmod 0600 /root/.ssh/authorized_keys
  • Regenerate the SSH host keys; we don't know what was shipped with the OS image

    rm /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    • You could run ssh-keygen -A as an alternative, but it'll generate DSA keys as well, which we don't want

  • Logout completely
  • Delete the entries from your known_hosts file
  • SSH again as root@IP, accepting the new keys. It'll use your SSH key instead of asking for password now.
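An added check for the host-key regeneration step above (written for this page, not from the wiki or the Radxa image): it lists every host key's type and SHA256 fingerprint, fails if a DSA key is present, and compares against a snapshot taken before regeneration so a key inherited from the OS image stands out. It assumes coreutils base64 and sha256sum; the snapshot file name is whatever you pass in.

```shell
# Added for this page (not from the wiki): audit sshd host keys around the
# "rm /etc/ssh/ssh_host_*; dpkg-reconfigure openssh-server" step.
# Assumes coreutils base64 and sha256sum are available.

# Fingerprint = SHA256 over the decoded key blob, the same digest that
# ssh-keygen -lf reports (shown here as hex rather than OpenSSH's base64).
hostkey_fingerprint() {   # $1 = path to a public key file
    awk 'NR == 1 {print $2}' "$1" | base64 -d | sha256sum | awk '{print $1}'
}

# Print "type fingerprint path" for every ssh_host_*_key.pub in a directory.
# Returns 1 if a DSA key exists (ssh-keygen -A would have created one).
audit_hostkeys() {   # $1 = key directory, default /etc/ssh
    dir=${1:-/etc/ssh}; rc=0
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        type=$(awk 'NR == 1 {print $1}' "$pub")
        echo "$type $(hostkey_fingerprint "$pub") $pub"
        [ "$type" = "ssh-dss" ] && rc=1   # obsolete; must not be offered
    done
    return $rc
}

# Fingerprints only, sorted: save this to a file BEFORE regenerating the keys.
snapshot_hostkeys() { audit_hostkeys "$1" | awk '{print $2}' | sort; }

# After regeneration: print the path of every key whose fingerprint is still
# in the snapshot, i.e. a key the image shipped with that was not replaced.
unchanged_hostkeys() {   # $1 = snapshot file, $2 = key directory
    audit_hostkeys "$2" | while read -r type fp path; do
        grep -qx "$fp" "$1" && echo "$path"
    done
    return 0
}

# Typical use: snapshot_hostkeys /etc/ssh > /root/hostkeys-before.txt, do the
# regeneration, then unchanged_hostkeys /root/hostkeys-before.txt /etc/ssh
# should print nothing and audit_hostkeys /etc/ssh should exit 0.
```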

Basic environment stuff

  • Set hostname:

    hostnamectl set-hostname calico.thighhighs.top
  • Update hostname in /etc/hosts
  • Uncomment the IPv6 entries in /etc/hosts as well
  • Set timezone

    timedatectl set-timezone Australia/Sydney
  • Set editor

    echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
  • Disable HashKnownHosts

    echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
  • Configure screen

    curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
  • Configure top by entering this cheatcode

    z x c b s 1.5 <Enter>
    e <zero> 1 W q
  • Disable wifi and bluetooth; we don't need them and they slow down boot

    systemctl disable wpa_supplicant.service --now
    systemctl disable bluetooth.service --now
    systemctl disable rtl8723ds-btfw-load.service --now
    
    echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist rtl8723ds" > /etc/modprobe.d/blacklist-radios.conf
    update-initramfs -u
  • Install useful packages

    apt update
    apt install -y vim screen bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail netbase wget curl python-is-python3 net-tools ack jq make elinks whois ethtool bind9-dnsutils apt-utils man-db
  • Do a full upgrade then reboot

    apt full-upgrade
    reboot

Configure networking

What we want:

  • Static IPv4 addressing
  • Autoconfig dynamic IPv6 addressing
    • Global stable IPv6 addresses (I guess)
  • Add a locally-defined static IPv6 address, that other hosts can refer to via DNS etc
  • DNS resolvers will be manually defined

We'll use netplan to do this, as it greatly simplifies getting what we want without needing to faff around with config in multiple places.

  • Disable IPv6 privacy addresses; they're enabled by default on Ubuntu

    sed -r -i 's/tempaddr = 2/tempaddr = 0/' /etc/sysctl.d/10-ipv6-privacy.conf
    systemctl restart procps

    This is a nifty site for testing: http://ip.bieringer.net/ - look at EUI64_SCOPE to see whether the address is random/privacy/global. Global is probably what we want for servers.

  • Install netplan

    apt install -y netplan.io
  • Remove network-manager; we want to use networkd instead

    apt purge network-manager networkmanager-patch
    rm -rf /etc/NetworkManager/
    apt autoremove
  • Write the network config in /etc/netplan/10-thighhighs.yaml

    network:
        version: 2
        renderer: networkd
    
        ethernets:
            eth0:
                critical: true
                dhcp-identifier: mac
                dhcp4: false
                dhcp6: true
                dhcp6-overrides:
                    use-dns: false
                ipv6-privacy: false
                addresses:
                    - "192.168.1.26/24"
                    # :1:26 for the .1.26 IPv4, ca6c == 51820, the default Wireguard port
                    - "2404:e80:42e3:0:26:0:0:ca6c/64"
                routes:
                    - to: 0.0.0.0/0
                      via: 192.168.1.1
                      on-link: true
                nameservers:
                    addresses:
                        - 192.168.1.20
                        - 192.168.1.24
                        - fe80::e65f:1ff:fe1c:c6ea
                        - fe80::ba27:ebff:fe8c:f4f8
                    search:
                        - thighhighs.top
  • Sanity check the generated config and apply it; hopefully it doesn't complain

    netplan generate
    netplan apply
  • Reboot and cross your fingers
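An added post-reboot check for the networking section (written for this page, not from the wiki): it reads ip -6 addr output, reports any privacy/temporary addresses that survived the use_tempaddr change, and confirms the locally-defined static address is present. The sample output is constructed; ip(8) prints the static address from the netplan file in compressed form, so it is passed that way.

```shell
# Added for this page (not from the wiki): confirm the IPv6 outcome of the
# netplan config. Reads `ip -6 addr show` output on stdin.

# Constructed sample, as if captured before the use_tempaddr change took effect.
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2404:e80:42e3:0:26::ca6c/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2404:e80:42e3:0:3d2a:9f1b:77c4:e0a1/64 scope global temporary dynamic
       valid_lft 86133sec preferred_lft 14133sec
    inet6 2404:e80:42e3:0:2:3ff:fe4:5678/64 scope global dynamic mngtmpaddr
       valid_lft 86133sec preferred_lft 86133sec
    inet6 fe80::2:3ff:fe4:5678/64 scope link
       valid_lft forever preferred_lft forever'

# RFC 4941 privacy addresses carry the "temporary" flag; none should remain.
ipv6_temporary_addrs() { awk '$1 == "inet6" && /temporary/ {print $2}'; }

# Global-scope addresses that are not temporary: the static one plus the
# SLAAC (EUI-64 or stable-privacy) address, which is fine for a server.
ipv6_global_addrs() { awk '$1 == "inet6" && $4 == "global" && !/temporary/ {print $2}'; }

# Pass/fail summary; $1 = expected static address with prefix, as ip prints it.
check_ipv6() {
    input=$(cat); rc=0
    tmp=$(printf '%s\n' "$input" | ipv6_temporary_addrs)
    if [ -n "$tmp" ]; then
        echo "FAIL: privacy addresses still present:"; echo "$tmp"; rc=1
    fi
    if printf '%s\n' "$input" | ipv6_global_addrs | grep -qx "$1"; then
        echo "ok: static address $1 is configured"
    else
        echo "FAIL: static address $1 is missing"; rc=1
    fi
    return $rc
}

# Live use: ip -6 addr show dev eth0 | check_ipv6 2404:e80:42e3:0:26::ca6c/64
```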

Save a known-good image for convenience

On another system with an SD card reader, take an image of the system after shrinking the filesystem:

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_calico_img_clean_os.img.gz

Pihole

Straightforward basic install, no conflict with other installed services.

  • curl -sSL https://install.pi-hole.net | bash

  • Cloudflare upstream
  • Web interface enabled, full query logging and display
  • Pi-hole DNS (IPv4): 192.168.1.26
  • Pi-hole DNS (IPv6): 2404:e80:42e3:0:1:26:0:ca6c

Admin UI at https://calico.thighhighs.top/admin/

Should probably put the Cloudflare resolvers into the systemwide resolver set too, though that means this host won't see its own Pi-hole records.

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Firewall

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.

Rate-limiting SSH (ufw limit) and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md

apt install ufw
ufw allow ssh
ufw enable

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
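An added drift check for the ruleset above (written for this page, not from the wiki or Pi-hole docs): given ufw status output, it reports expected rules that are missing and ALLOW/LIMIT rules that are not on the list. The sample status is constructed; it assumes ufw's default "To / Action / From" table, in which "ufw allow domain" is listed as 53.

```shell
# Added for this page (not from the wiki): compare a live ufw ruleset with the
# rules applied in this section. Reads `ufw status` output on stdin.

# The rules this page opens, as ufw status prints them.
EXPECTED_UFW_RULES='22/tcp
80/tcp
443/tcp
53
67/udp
67/tcp
546:547/udp'

# Constructed sample: 546:547/udp (DHCPv6) never got added, 8080/tcp was
# opened by hand, and ssh uses LIMIT (rate-limited) rather than ALLOW.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere
67/udp                     ALLOW       Anywhere
67/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)'

ufw_is_active() { grep -q '^Status: active'; }   # stdin: ufw status

# Targets of IPv4 ALLOW/LIMIT rules. In "(v6)" rows the second field is
# "(v6)", so they drop out here; they mirror the v4 rules anyway.
ufw_rule_targets() { awk '$2 == "ALLOW" || $2 == "LIMIT" {print $1}'; }

# Expected rules absent from the live set (stdin: ufw status).
ufw_missing_rules() {
    have=$(ufw_rule_targets)
    printf '%s\n' "$EXPECTED_UFW_RULES" | while read -r rule; do
        printf '%s\n' "$have" | grep -qx "$rule" || echo "$rule"
    done
    return 0
}

# Live ALLOW/LIMIT rules that are not on the expected list.
ufw_unexpected_rules() {
    ufw_rule_targets | while read -r rule; do
        printf '%s\n' "$EXPECTED_UFW_RULES" | grep -qx "$rule" || echo "$rule"
    done
    return 0
}
```

Live use is ufw status | ufw_missing_rules and ufw status | ufw_unexpected_rules; both print nothing when the box matches the page.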