= vector =
 * RPi OS Lite on RPi Model 4
 * Based on Debian buster (10) x32
 * Located at home <>

== Build notes ==
 * Flash the image
 * touch `ssh` on boot partition
 * Fire it up
 * Login as pi / raspberry, set new passwd
 * ssh-copy-id
 * sudo to root and copy authorized_keys to root's
 * Login directly as root
 * hostnamectl set-hostname vector.thighhighs.top
 * Packages
{{{
apt update
apt install vim screen locales bash-completion
dpkg-reconfigure locales
apt full-upgrade
reboot
}}}
 * Disable IPv6 privacy addresses
{{{
# Already disabled in sysctl
sysctl -a | grep tempaddr

# Fix it in dhcp client config, /etc/dhcpcd.conf
slaac hwaddr
}}}
 * Set editor
{{{
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
}}}
 * Set timezone
{{{
timedatectl set-timezone Australia/Sydney
}}}
 * Disable HashKnownHosts in `/etc/ssh/ssh_config`
 * More packages
{{{
apt install wget curl net-tools ack jq make mlocate elinks nmap whois
updatedb
reboot
}}}
 * Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
 * Configure top yourself
 * Set static IPv4 config in `/etc/dhcpcd.conf` because this will be a network services box
{{{
option ntp_servers

interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
}}}

Now take an image of the system after shrinking the filesystem
{{{
e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz
}}}

== network ==
Static IPv4 address via /etc/dhcpcd.conf
IPv6 stuff works by SLAAC as usual.
{{{
slaac hwaddr

option ntp_servers

interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
}}}

== IPv6 ==
Autoconfigured, slaac hwaddr, not externally accessible

== services ==
 * Pihole DNS and DHCP server

== Pihole ==
Straightforward basic install, no conflict with other installed services.
 * Pi-hole DNS (IPv4): 192.168.1.20
 * Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea

Admin UI at https://pihole.thighhighs.top/admin/

TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

== Firewall ==
As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down. `ufw limit` and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md
{{{
apt install ufw
ufw allow ssh
ufw enable

# Unifi stuff - https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
ufw allow 8443/tcp
ufw allow 8080/tcp
ufw allow 3478/udp
ufw allow 5515/udp
ufw allow 5514/udp
ufw allow 8843/tcp
ufw allow 6789/tcp
ufw allow 8880/tcp
ufw allow 10001/udp
ufw allow 1900/udp

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
}}}

== Disable wifi and bluetooth on RPi ==
I'm using vector as a network appliance, so I don't need the radios.
https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/

Edit your /boot/config.txt and add:
{{{
dtoverlay=disable-wifi
dtoverlay=disable-bt
}}}
 * The linked page above uses pi3-disable-foo, which are deprecated names

== systemd-timesyncd config ==
RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.
Configure it in /etc/systemd/timesyncd.conf
{{{
[Time]
NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org
}}}
Leave the rest, just restart the daemon with `systemctl restart systemd-timesyncd.service`
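An added check for the Firewall section above (example code, not from these notes): it parses `ufw status numbered` output and reports ALLOW rules that are not in the list configured here, plus management ports (ssh, the Pi-hole and UniFi web UIs) that are open to Anywhere rather than to a LAN prefix. The allowlist, the management-port set and the sample status output are constructed assumptions.

```python
import re
# Ports this build opens (Firewall section above), as ufw prints them: `domain` shows as "53".
EXPECTED = {
    "22/tcp": "ssh",
    "8443/tcp": "unifi", "8080/tcp": "unifi", "3478/udp": "unifi", "5515/udp": "unifi",
    "5514/udp": "unifi", "8843/tcp": "unifi", "6789/tcp": "unifi", "8880/tcp": "unifi",
    "10001/udp": "unifi", "1900/udp": "unifi",
    "80/tcp": "pihole", "443/tcp": "pihole", "53": "pihole",
    "67/udp": "pihole", "67/tcp": "pihole", "546:547/udp": "pihole",
}
# Management ports that should only be reachable from the LAN prefix, not from Anywhere.
MGMT_PORTS = {"22/tcp", "8443/tcp", "80/tcp", "443/tcp"}
# One numbered rule line, e.g. "[ 1] 22/tcp   ALLOW IN   Anywhere" (v6 rules carry "(v6)").
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)(?:\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(?P<from>.+?)\s*$"
)

def parse_rules(status_text):
    """Return one dict per numbered rule line; header and blank lines are skipped."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({k: m.group(k) for k in ("num", "to", "action", "from")})
    return rules

def audit(status_text, expected=EXPECTED, mgmt_ports=MGMT_PORTS):
    """Flag ALLOW rules outside the allowlist, and management ports open to Anywhere."""
    findings = {"unexpected": [], "open_mgmt": []}
    for r in parse_rules(status_text):
        if r["action"] != "ALLOW":
            continue
        if r["to"] not in expected:
            findings["unexpected"].append((r["num"], r["to"], r["from"]))
        elif r["to"] in mgmt_ports and r["from"].startswith("Anywhere"):
            findings["open_mgmt"].append((r["num"], r["to"]))
    return findings

# Constructed sample of `ufw status numbered`; rule 4 (5900/tcp) is a deliberate stray.
SAMPLE = """Status: active
     To                         Action      From
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 8443/tcp                   ALLOW IN    192.168.1.0/24
[ 3] 53                         ALLOW IN    Anywhere
[ 4] 5900/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""
if __name__ == "__main__":
    print(audit(SAMPLE))  # on the box, feed it real `ufw status numbered` output instead
```

Rules it reports can be narrowed with ufw's source syntax, e.g. `ufw allow from 192.168.1.0/24 to any port 8443 proto tcp`, before the matching Anywhere rule is deleted.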