Revision 1 as of 2021-04-20 17:47:04

vector

  • RPi OS Lite on RPi Model 4
  • Based on Debian buster (10) x32
  • Located at home

Contents

  1. vector
    1. Build notes
    2. Unifi controller
    3. network
    4. IPv6
    5. services
    6. Pihole
    7. Disable wifi and bluetooth on RPi
    8. systemd-timesyncd config

Build notes

  • Flash the image
  • touch ssh on boot partition

  • Fire it up
  • Login as pi//raspberry, set new passwd
  • ssh-copy-id
  • sudo to root and copy authorized_keys to root's
  • Login directly as root
  • hostnamectl set-hostname vector.thighhighs.top
  • Packages

    apt update
    apt install vim screen locales bash-completion
    dpkg-reconfigure locales
    apt full-upgrade
    reboot
  • Disable IPv6 privacy addresses

    # The kernel sysctl already shows temporary addresses disabled
    sysctl -a | grep tempaddr
    # dhcpcd generates its own privacy addresses (slaac private is the RPi OS default),
    # so fix it in the dhcp client config, /etc/dhcpcd.conf
    slaac hwaddr
  • Set editor

    echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
  • Set timezone

    timedatectl set-timezone Australia/Sydney
  • Disable HashKnownHosts in /etc/ssh/ssh_config

  • More packages

    apt install wget curl net-tools ack jq make mlocate elinks nmap whois
    updatedb
    reboot
  • Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc

  • Configure top yourself
  • Set static IPv4 config in /etc/dhcpcd.conf because this will be a network services box

    option ntp_servers
    interface eth0
    static ip_address=192.168.1.20/24
    static routers=192.168.1.1
    static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

Now take an image of the system after shrinking the filesystem

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz
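As an added check that is not part of the original page: a small POSIX shell script that works out the minimum dd count from the partition layout, assuming the usual RPi OS layout in which the root partition starts at sector 532480 (an assumed value; read yours from fdisk -l).

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the hard-coded
# "dd bs=4M count=600" against the partition layout, so the image captures
# the whole (shrunk) root filesystem rather than an arbitrary 2400 MiB.
#
# Assumed layout (typical for RPi OS images, 512-byte sectors): the root
# partition /dev/mmcblk0p2 starts at sector 532480. Confirm on the real
# device with: fdisk -l /dev/mmcblk0
ROOT_START_SECTOR=532480
SECTOR_BYTES=512
DD_BLOCK_BYTES=$((4 * 1024 * 1024))   # bs=4M

# Bytes that the image must contain so that it ends at or after the end of
# the resized root filesystem: partition start + filesystem size.
image_bytes_needed() {
    fs_bytes=$1                       # size given to resize2fs, in bytes
    echo $(( ROOT_START_SECTOR * SECTOR_BYTES + fs_bytes ))
}

# Minimum dd count for bs=4M (ceiling division).
dd_count_needed() {
    needed=$(image_bytes_needed "$1")
    echo $(( (needed + DD_BLOCK_BYTES - 1) / DD_BLOCK_BYTES ))
}

# Exit status 0 when the chosen count covers the filesystem, 1 otherwise.
dd_count_is_sufficient() {
    chosen=$1
    fs_bytes=$2
    [ "$chosen" -ge "$(dd_count_needed "$fs_bytes")" ]
}

main() {
    two_gib=$((2 * 1024 * 1024 * 1024))   # resize2fs ... 2G
    echo "minimum count for a 2G root fs: $(dd_count_needed "$two_gib")"
    if dd_count_is_sufficient 600 "$two_gib"; then
        echo "count=600 is enough"
    else
        echo "count=600 would truncate the root filesystem" >&2
        return 1
    fi
}
main "$@"
```

With the assumed layout the 2G filesystem needs 577 blocks of 4M, so count=600 leaves a small margin. Note that resize2fs cannot shrink a mounted ext4 filesystem, so the shrink step needs the card in another machine or the root filesystem unmounted.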

Unifi controller

Notes and script from here: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776

  • wget https://get.glennr.nl/unifi/install/unifi-6.2.17.sh

  • Grow partition with cfdisk, then FS with resize2fs
  • bash unifi-6.2.17.sh
  • Setup new empty site, create local admin account
  • Import site from old controller
  • Update DNS to point unifi to vector

This SSL cert thing doesn't work, yet it should be exactly the perfect method. -_-

java -jar /usr/lib/unifi/lib/ace.jar import_key_cert STAR_thighhighs_top.key.stripped STAR_thighhighs_top.crt

Instead I used this script; it's stashed in /root/unifi-import-cert.sh

#!/bin/sh
# Import an externally issued certificate into the UniFi controller keystore.
set -e

# Backup previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)

# Convert cert to PKCS12 format. The .p12 bundles the private key, so treat
# it as sensitive; -password is only the transient export password for it.
# If the .crt does not already contain the issuer chain, add it with -certfile.
openssl pkcs12 -export \
        -inkey /etc/ssl/STAR_thighhighs_top.key \
        -in /etc/ssl/STAR_thighhighs_top.crt \
        -out /etc/ssl/STAR_thighhighs_top.p12 \
        -name unifi -password pass:unifi

# Install certificate. "aircontrolenterprise" is UniFi's default keystore
# password and "unifi" is the alias the controller expects.
keytool -importkeystore \
        -deststorepass aircontrolenterprise \
        -destkeypass aircontrolenterprise \
        -destkeystore /var/lib/unifi/keystore \
        -srckeystore /etc/ssl/STAR_thighhighs_top.p12 \
        -srcstoretype PKCS12 \
        -srcstorepass unifi \
        -alias unifi \
        -noprompt

# Restart UniFi controller so it reloads the keystore
systemctl restart unifi

network

The static IPv4 address is set via /etc/dhcpcd.conf; IPv6 works by SLAAC as usual.

slaac hwaddr

option ntp_servers

interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

IPv6

Autoconfigured via SLAAC (slaac hwaddr); not externally accessible.

services

  • Unifi controller
  • Pihole DNS and DHCP server

Pihole

Straightforward basic install, no conflict with other installed services.

  • Pi-hole DNS (IPv4): 192.168.1.20
  • Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea

Admin UI at https://pihole.thighhighs.top/admin/

TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Disable wifi and bluetooth on RPi

I'm using vector as a network appliance, so I don't need the radios.

https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/

Edit your /boot/config.txt and add:

dtoverlay=disable-wifi
dtoverlay=disable-bt

  • The linked page above uses pi3-disable-wifi and pi3-disable-bt, which are deprecated names for the same overlays

systemd-timesyncd config

RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.

Configure it in /etc/systemd/timesyncd.conf

[Time]
NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org

Leave the rest as it is and just restart the daemon with systemctl restart systemd-timesyncd.service
