= calico =

* Radxa Rock Pi S
* Ubuntu 20.04 (custom Radxa 4.4 kernel)
{{{
Linux calico.thighhighs.top 4.4.143-65-rockchip-g58431d38f8f3 #1 SMP PREEMPT Sat Aug 14 09:31:07 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
}}}
* Located at home <>

== Build notes ==

Used this to write the [[../RockPiS| general guide for Rock Pi S]] hardware.

=== Image and setup SSH keys ===

* Image the SD card and let it boot; it'll get on the network with DHCP
* Copy your SSH key; the password is `rock`
{{{
ssh-copy-id rock@IP
}}}
* Log in again; now it'll use your SSH key
{{{
ssh rock@IP
}}}
* Set a strong random password; this will be used for both rock and root
{{{
passwd
}}}
* Sudo up and set the same password for root
{{{
sudo -i
passwd
}}}
 Record the new password somewhere safe
* Lock the rock account now. Note that this still permits key access
{{{
usermod -L rock
}}}
* Grab the rock user's `authorized_keys` so root can use it
{{{
mkdir -m 0700 /root/.ssh
cp /home/rock/.ssh/authorized_keys /root/.ssh/
chown root:root /root/.ssh/authorized_keys ; chmod 0600 /root/.ssh/authorized_keys
}}}
* Regenerate SSH host keys; we don't know what was installed with the OS image
{{{
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
}}}
* You could do `ssh-keygen -A` as an alternative, but it'll generate DSA keys as well, which we don't want
* Log out completely
* Delete the old entries for this host from your known_hosts file
* SSH again as root@IP, accepting the new keys. It'll use your SSH key instead of asking for a password now.
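A post-setup check for the SSH steps above, added here as an example and not part of the original page: it confirms the host keys were regenerated without a DSA key, that root's `authorized_keys` has the intended ownership and modes, and that the rock account is locked. Paths and the expected owner are parameters (defaulting to the live layout) so the same functions can be run against a fixture directory.

```shell
#!/bin/sh
# Added post-setup check for the SSH steps above (not part of the original
# page). Every function takes explicit paths, defaulting to the live layout,
# so the same code can be run against a fixture directory.

# 1. Host keys were regenerated and none of them is DSA (the reason for
#    preferring dpkg-reconfigure over ssh-keygen -A).
check_host_keys() {
    dir="${1:-/etc/ssh}"
    if ! ls "$dir"/ssh_host_*_key >/dev/null 2>&1; then
        echo "FAIL: no host keys found in $dir"; return 1
    fi
    if ls "$dir"/ssh_host_dsa_key* >/dev/null 2>&1; then
        echo "FAIL: DSA host key present in $dir"; return 1
    fi
}

# 2. Root's copy of authorized_keys: ~/.ssh is 0700 and the file 0600, both
#    owned by the expected user (root on the live system). find -perm with a
#    plain octal mode matches the exact mode, so extra bits fail the check.
check_root_keys() {
    sshdir="${1:-/root/.ssh}" owner="${2:-root}"
    if [ -z "$(find "$sshdir" -prune -perm 700 -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $sshdir is not mode 0700 owned by $owner"; return 1
    fi
    if [ -z "$(find "$sshdir/authorized_keys" -prune -perm 600 -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $sshdir/authorized_keys is not mode 0600 owned by $owner"; return 1
    fi
}

# 3. The rock account is locked. usermod -L prefixes the shadow hash with '!',
#    which stops password logins while key-based SSH keeps working. Reads a
#    shadow-format file so it can be pointed at a copy.
check_locked() {
    user="$1" shadow="${2:-/etc/shadow}"
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    case "$hash" in
        '!'*) return 0 ;;
        '')   echo "FAIL: $user not found in $shadow"; return 1 ;;
        *)    echo "FAIL: $user is not locked (hash does not start with '!')"; return 1 ;;
    esac
}

# Run against the live system with: sh ssh-hardening-check.sh --live (as root)
if [ "${1:-}" = "--live" ]; then
    check_host_keys && check_root_keys && check_locked rock && echo "all checks passed"
fi
```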
=== Basic environment stuff ===

* Set hostname:
{{{
hostnamectl set-hostname calico.thighhighs.top
}}}
* Update hostname in /etc/hosts
* Uncomment the IPv6 entries in /etc/hosts as well
* Set timezone
{{{
timedatectl set-timezone Australia/Sydney
}}}
* Set editor
{{{
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
}}}
* Disable `HashKnownHosts`
{{{
echo -e "Host *\n HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
}}}
* Configure screen
{{{
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
}}}
* Configure top by entering this cheatcode (keystrokes inside top; `W` writes the config file, `q` quits)
{{{
z x c b s 1.5 e 1 W q
}}}
* Disable wifi and bluetooth; we don't need them and they slow down boot
{{{
systemctl disable wpa_supplicant.service --now
systemctl disable bluetooth.service --now
systemctl disable rtl8723ds-btfw-load.service --now
echo -e "# Don't load the WLAN+BT module, we don't need it\nblacklist rtl8723ds" > /etc/modprobe.d/blacklist-radios.conf
update-initramfs -u
}}}
* Install useful packages
{{{
apt update
apt install -y vim screen bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail netbase wget curl python-is-python3 net-tools ack jq make elinks nmap whois ethtool bind9-dnsutils apt-utils man-db
}}}
* Do a full upgrade, then reboot
{{{
apt full-upgrade
reboot
}}}

=== Configure networking ===

What we want:

* Static IPv4 addressing
* Autoconfigured dynamic IPv6 addressing
* Global stable IPv6 addresses (I guess)
* A locally-defined static IPv6 address that other hosts can refer to via DNS etc.
* DNS resolvers defined manually

We'll use netplan to do this, as it greatly simplifies getting what we want without needing to faff around with config in multiple places.
* Disable IPv6 privacy addresses; they're enabled by default on Ubuntu
{{{
sed -r -i 's/tempaddr = 2/tempaddr = 0/' /etc/sysctl.d/10-ipv6-privacy.conf
systemctl restart procps
}}}
 This is a nifty site for testing: http://ip.bieringer.net/ - Look at `EUI64_SCOPE` and see if it's random/privacy/global. Global is probably what we want for servers.
* Install netplan
{{{
apt install -y netplan.io
}}}
* Remove network-manager; we want to use networkd instead
{{{
apt purge network-manager networkmanager-patch
rm -rf /etc/NetworkManager/
apt autoremove
}}}
* Write the network config in `/etc/netplan/10-thighhighs.yaml`
{{{
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      critical: true
      dhcp-identifier: mac
      dhcp4: false
      dhcp6: true
      dhcp6-overrides:
        use-dns: false
      ipv6-privacy: false
      addresses:
        - "192.168.1.26/24"
        # :1:26 for the .1.26 IPv4, ca6c == 51820, the default Wireguard port
        - "2404:e80:42e3:0:1:26:0:ca6c/64"
      routes:
        - to: 0.0.0.0/0
          via: 192.168.1.1
          on-link: true
      nameservers:
        addresses:
          - 192.168.1.20
          - 192.168.1.24
          - fe80::e65f:1ff:fe1c:c6ea
          - fe80::ba27:ebff:fe8c:f4f8
        search:
          - thighhighs.top
}}}
* Sanity check the generated config and apply it; hope it doesn't complain
{{{
netplan generate
netplan apply
}}}
* Reboot and cross your fingers

=== Save a known-good image for convenience ===

On another system with an SD card reader, take an image of the system after shrinking the filesystem
{{{
e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_calico_img_clean_os.img.gz
}}}

== Pihole ==

Straightforward basic install, no conflict with other installed services.
* `curl -sSL https://install.pi-hole.net | bash`
* Cloudflare upstream
* Web interface enabled, full query logging and display
* Pi-hole DNS (IPv4): 192.168.1.26
* Pi-hole DNS (IPv6): 2404:e80:42e3:0:1:26:0:ca6c

Admin UI at https://calico.thighhighs.top/admin/

Should probably put the Cloudflare resolvers into the systemwide resolver set, though that means we don't see our own records.

* 1.1.1.1
* 1.0.0.1
* 2606:4700:4700::1111
* 2606:4700:4700::1001

Can add TLS \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

== Firewall ==

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down. Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md
{{{
apt install ufw
ufw allow ssh
ufw enable
# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
}}}
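A small drift check for the rule set above, added here as an example (not from the original page or Pi-hole's docs): it reads saved `ufw status` output and reports any ALLOW rule outside the ports the Firewall section opens. The expected list is written the way `ufw status` prints those service names (ssh as 22/tcp, http as 80/tcp, https as 443/tcp, domain as 53); adjust it if your ufw version displays them differently.

```shell
#!/bin/sh
# Added audit helper, not from the original page: lists ALLOW rules that ufw
# reports beyond the set opened above, so later drift is noticed. It reads
# saved `ufw status` output from a file (run `ufw status > /tmp/ufw.txt` first).
# Port specs are written as ufw displays the names used above: ssh -> 22/tcp,
# http -> 80/tcp, https -> 443/tcp, domain -> 53 (assumed display forms).
EXPECTED="22/tcp 80/tcp 443/tcp 53 67/udp 67/tcp 546:547/udp"

ufw_unexpected() {
    # Rule lines carry ALLOW in the middle column; the v4 and v6 copies of a
    # rule share the same port spec in column 1, so dedupe after extraction.
    awk '/[[:space:]]ALLOW[[:space:]]/ { print $1 }' "$1" | sort -u |
    while read -r port; do
        case " $EXPECTED " in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Exit non-zero when anything unexpected is open, for use from cron/monitoring.
ufw_check() {
    extra=$(ufw_unexpected "$1")
    [ -z "$extra" ] || { echo "unexpected ALLOW rules:"; echo "$extra"; return 1; }
}
```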