vector
- RPi OS Lite on RPi Model 4
- Based on Debian buster (10) x32
- Located at home
Contents
Build notes
- Flash the image
touch ssh on boot partition
- Fire it up
- Login as pi//raspberry, set new passwd
- ssh-copy-id
- sudo to root and copy authorized_keys to root's
- Login directly as root
- hostnamectl set-hostname vector.thighhighs.top
Packages
apt update apt install vim screen locales bash-completion dpkg-reconfigure locales apt full-upgrade reboot
Disable IPv6 privacy addresses
# Already disabled in sysctl sysctl -a | grep tempaddr # Fix it in dhcp client config, /etc/dhcpcd.conf slaac hwaddr
Set editor
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
Set timezone
timedatectl set-timezone Australia/Sydney
Disable HashKnownHosts in /etc/ssh/ssh_config
More packages
apt install wget curl net-tools ack jq make mlocate elinks nmap whois updatedb reboot
Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
- Configure top yourself
Set static IPv4 config in /etc/dhcpcd.conf because this will be a network services box
option ntp_servers interface eth0 static ip_address=192.168.1.20/24 static routers=192.168.1.1 static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
Now take an image of the system after shrinking the filesystem
e2fsck -f /dev/mmcblk0p2 resize2fs /dev/mmcblk0p2 2G dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz
network
Static IPv4 address via /etc/dhcpcd.conf IPv6 stuff works by SLAAC as usual.
slaac hwaddr option ntp_servers interface eth0 static ip_address=192.168.1.20/24 static routers=192.168.1.1 static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
IPv6
Autoconfigured, slaac hwaddr, not externally accessible
services
- Pihole DNS and DHCP server
Pihole
Straightforward basic install, no conflict with other installed services.
- Pi-hole DNS (IPv4): 192.168.1.20
- Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea
Admin UI at https://pihole.thighhighs.top/admin/
TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17
Firewall
As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.
Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md
apt install ufw ufw allow ssh ufw enable # Unifi stuff - https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used ufw allow 8443/tcp ufw allow 8080/tcp ufw allow 3478/udp ufw allow 5515/udp ufw allow 5514/udp ufw allow 8843/tcp ufw allow 6789/tcp ufw allow 8880/tcp ufw allow 10001/udp ufw allow 1900/udp # Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw ufw allow http ufw allow https ufw allow domain ufw allow 67/udp ufw allow 67/tcp ufw allow 546:547/udp
Disable wifi and bluetooth on RPi
I'm using vector as a network appliance, so I don't need the radios.
https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/
Edit your /boot/config.txt and add:
dtoverlay=disable-wifi dtoverlay=disable-bt
- The linked page above uses pi3-disable-foo, which are deprecated names
systemd-timesyncd config
RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.
Configure it in /etc/systemd/timesyncd.conf
[Time] NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org
Leave the rest, just restart the daemon with systemctl restart systemd-timesyncd.service