Page history diff: revision "firewall notes" (size 5527) to revision "remove unifi controller stuff, it's a container on illustrious now" (size 3954). Only deletions appear in this diff.

Removed at line 62:

== Unifi controller ==

Notes and script from here: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776

 * wget https://get.glennr.nl/unifi/install/unifi-6.2.17.sh
 * Grow partition with cfdisk, then FS with resize2fs
 * bash unifi-6.2.17.sh
 * Setup new empty site, create local admin account
 * Import site from old controller
 * Update DNS to point unifi to vector

This SSL cert thing doesn't work, yet it should be exactly the perfect method. -_-

`java -jar /usr/lib/unifi/lib/ace.jar import_key_cert STAR_thighhighs_top.key.stripped STAR_thighhighs_top.crt`

Instead I used this thing, it's stashed in `/root/unifi-import-cert.sh`:

{{{
# Backup previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)

# Convert cert to PKCS12 format
openssl pkcs12 -export \
    -inkey /etc/ssl/STAR_thighhighs_top.key \
    -in /etc/ssl/STAR_thighhighs_top.crt \
    -out /etc/ssl/STAR_thighhighs_top.p12 \
    -name unifi -password pass:unifi

# Install certificate
keytool -importkeystore \
    -deststorepass aircontrolenterprise \
    -destkeypass aircontrolenterprise \
    -destkeystore /var/lib/unifi/keystore \
    -srckeystore /etc/ssl/STAR_thighhighs_top.p12 \
    -srcstoretype PKCS12 \
    -srcstorepass unifi \
    -alias unifi \
    -noprompt

# Restart UniFi controller
systemctl restart unifi
}}}

Note that `aircontrolenterprise` is the stock UniFi keystore password, and both passwords are passed on the command line, so they are visible in the process list while the script runs. The exported `.p12` holds the wildcard private key under the weak password `unifi`; delete it after the import or keep it readable by root only.

Removed at line 127 (services list):

 * Unifi controller
vector
- RPi OS Lite on RPi Model 4
- Based on Debian buster (10) x32
- Located at home
Build notes
- Flash the image
- touch ssh on boot partition
- Fire it up
- Login as pi//raspberry, set new passwd
- ssh-copy-id
- sudo to root and copy authorized_keys to root's
- Login directly as root
- hostnamectl set-hostname vector.thighhighs.top
- Packages
  {{{
  apt update
  apt install vim screen locales bash-completion
  dpkg-reconfigure locales
  apt full-upgrade
  reboot
  }}}
- Disable IPv6 privacy addresses
  {{{
  # Already disabled in sysctl
  sysctl -a | grep tempaddr
  # Fix it in dhcp client config, /etc/dhcpcd.conf
  slaac hwaddr
  }}}
- Set editor: echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
- Set timezone: timedatectl set-timezone Australia/Sydney
- Disable HashKnownHosts in /etc/ssh/ssh_config (a convenience trade-off: hashing only hides which hosts this box talks to from whoever can read ~/.ssh/known_hosts)
- More packages
  {{{
  apt install wget curl net-tools ack jq make mlocate elinks nmap whois
  updatedb
  reboot
  }}}
- Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
- Configure top yourself
- Set static IPv4 config in /etc/dhcpcd.conf because this will be a network services box
  {{{
  option ntp_servers
  interface eth0
  static ip_address=192.168.1.20/24
  static routers=192.168.1.1
  static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
  }}}
Now take an image of the system after shrinking the filesystem. resize2fs cannot shrink a mounted filesystem and e2fsck -f will not check one, so do this with the card attached to another machine rather than from the running Pi (the device names will differ there). count=600 blocks of 4M is 2400 MiB, which covers the boot partition plus the 2 GiB root filesystem.
{{{
e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz
}}}
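The count=600 above was chosen by hand. The following script is an added example (not from these notes) that works the number out from the partition table, so the image is guaranteed to reach the end of the shrunk filesystem without copying the whole card. The sfdisk dump embedded in it is a constructed sample with the usual RPi OS layout; on a real run substitute the output of sfdisk -d /dev/mmcblk0 from the host the card is attached to.

```shell
#!/bin/sh
# Constructed `sfdisk -d /dev/mmcblk0` dump (typical RPi OS layout), not
# captured from vector.
SAMPLE_SFDISK='label: dos
device: /dev/mmcblk0
unit: sectors

/dev/mmcblk0p1 : start=        8192, size=      524288, type=c
/dev/mmcblk0p2 : start=      532480, size=    61997056, type=83'

# part_start_sector DUMP PARTITION -> first 512-byte sector of PARTITION
part_start_sector() {
  printf '%s\n' "$1" | awk -v dev="$2" '
    $1 == dev && match($0, /start= *[0-9]+/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/start= */, "", s)
      print s
    }'
}

# blocks_needed START_SECTOR FS_MIB BS_MIB -> smallest `dd count` (in BS_MIB
# blocks) that reaches the end of a FS_MIB-sized filesystem starting at
# START_SECTOR. All arithmetic is done in MiB to stay well inside shell integer range.
blocks_needed() {
  start_mib=$(( ($1 * 512 + 1048575) / 1048576 ))  # partition start, rounded up to whole MiB
  total_mib=$(( start_mib + $2 ))                   # plus the shrunk filesystem
  echo $(( (total_mib + $3 - 1) / $3 ))             # ceil(total / block size)
}

# image_cmd DEVICE COUNT NAME -> the dd pipeline from these notes with COUNT filled in
image_cmd() {
  echo "dd bs=4M count=$2 if=$1 | pv -br | gzip --fast > $3.img.gz"
}

# Stand-alone run for a root filesystem shrunk to 2 GiB (2048 MiB).
start=$(part_start_sector "$SAMPLE_SFDISK" /dev/mmcblk0p2)
count=$(blocks_needed "$start" 2048 4)
echo "root partition starts at sector $start; dd needs count=$count"
image_cmd /dev/mmcblk0 "$count" vector_img_pre_unifi
```

With the sample table the root partition starts 260 MiB in, so 2308 MiB in total is needed and 577 blocks of 4M suffice; the 600 used above has a comfortable margin. The partition table copied into the image still records the full-size root partition, so after restoring the image the filesystem has to be grown back to the partition with resize2fs, exactly as the old UniFi notes did.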
network
Static IPv4 address via /etc/dhcpcd.conf; IPv6 works by SLAAC as usual.
{{{
slaac hwaddr
option ntp_servers
interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4
}}}
IPv6
Autoconfigured with slaac hwaddr, not externally accessible.
services
- Pihole DNS and DHCP server
Pihole
Straightforward basic install, no conflict with other installed services.
- Pi-hole DNS (IPv4): 192.168.1.20
- Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea
Admin UI at https://pihole.thighhighs.top/admin/
TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17
Firewall
As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down. ssh is allowed before ufw enable so the session survives the default deny-incoming policy.
Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md (ufw limit ssh replaces the plain allow rule and denies a source that has opened 6 or more connections in the last 30 seconds).
The UniFi rules below only matter while the controller runs on this box; now that it has moved (the page history says it is a container on illustrious) delete them with ufw delete allow 8443/tcp and so on, so nothing is open that nothing listens on.
{{{
apt install ufw
ufw allow ssh
ufw enable

# Unifi stuff - https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
ufw allow 8443/tcp
ufw allow 8080/tcp
ufw allow 3478/udp
ufw allow 5515/udp
ufw allow 5514/udp
ufw allow 8843/tcp
ufw allow 6789/tcp
ufw allow 8880/tcp
ufw allow 10001/udp
ufw allow 1900/udp

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp
}}}
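A rule list like the one above drifts as services come and go, so the check worth running after any change is a cross-reference of ufw rules against what is actually listening. The script below is an added example, not part of these notes: it reads ss -Hlntu and ufw status output and reports, in one mode, non-loopback listeners that no ALLOW rule covers (unreachable, or exposed if ufw is ever disabled) and, in the other, ALLOW rules that nothing listens on (stale holes to delete). Both inputs embedded in it are constructed samples, including the two leftover UniFi rules; on a real box feed it "$(ss -Hlntu)" and "$(ufw status)".

```shell
#!/bin/sh
# Constructed `ss -Hlntu` output (no header); local address is field 5.
SAMPLE_SS='udp   UNCONN 0  0        0.0.0.0:53      0.0.0.0:*
udp   UNCONN 0  0        0.0.0.0:67      0.0.0.0:*
udp   UNCONN 0  0           [::]:53         [::]:*
tcp   LISTEN 0  128      0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0  32       0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0  128      0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0  128      0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0  128      0.0.0.0:8080    0.0.0.0:*
tcp   LISTEN 0  128    127.0.0.1:4711    0.0.0.0:*'

# Constructed `ufw status` output, with two rules left over from the UniFi controller.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere
67/udp                     ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
3478/udp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# audit MODE SS_OUTPUT UFW_OUTPUT
#   MODE=unreachable : prints "proto port" for non-loopback listeners with no ALLOW rule
#   MODE=stale       : prints the ALLOW rules (IPv4 lines) that no listener matches
# Rule specs may be "53" (any proto), "67/udp" or a range like "546:547/udp".
# The "(v6)" lines ufw prints are duplicates of the IPv4 rules and are skipped.
audit() {
  {
    printf '%s\n' "$3" | awk '$2 == "ALLOW" { print "RULE", $1 }'
    printf '%s\n' "$2" | awk 'NF >= 5 { print "SOCK", $1, $5 }'
  } | awk -v mode="$1" '
    $1 == "RULE" {
      spec = $2; proto = "any"; p = spec
      if (p ~ /\//) { split(p, a, "/"); p = a[1]; proto = a[2] }
      if (p ~ /:/) { split(p, r, ":"); lo = r[1] + 0; hi = r[2] + 0 } else { lo = p + 0; hi = lo }
      n++; rspec[n] = spec; rproto[n] = proto; rlo[n] = lo; rhi[n] = hi; rused[n] = 0
      next
    }
    $1 == "SOCK" {
      proto = $2; local = $3
      # Loopback-only listeners never cross the firewall; ignore them.
      if (local ~ /^127\./ || local ~ /^\[::1\]/) next
      k = split(local, f, ":"); port = f[k] + 0   # port is after the last colon, v4 or v6
      hit = 0
      for (i = 1; i <= n; i++) if ((rproto[i] == "any" || rproto[i] == proto) && port >= rlo[i] && port <= rhi[i]) { hit = 1; rused[i] = 1 }
      if (mode == "unreachable" && !hit && !seen[proto " " port]++) print proto, port
    }
    END {
      if (mode == "stale") for (i = 1; i <= n; i++) if (!rused[i]) print rspec[i]
    }'
}

# Stand-alone run against the constructed samples.
echo "listening with no ufw rule:"
audit unreachable "$SAMPLE_SS" "$SAMPLE_UFW"
echo "ufw rules with nothing listening:"
audit stale "$SAMPLE_SS" "$SAMPLE_UFW"
```

On the samples this reports tcp 8080 as listening without a rule and 8443/tcp plus 3478/udp as rules with no listener. Rules are loaded before sockets are compared, which is why the ufw text is piped in first; the pihole-FTL API on 127.0.0.1:4711 is deliberately ignored because ufw only filters traffic arriving on real interfaces.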
Disable wifi and bluetooth on RPi
I'm using vector as a network appliance, so I don't need the radios.
https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/
Edit your /boot/config.txt and add:
{{{
dtoverlay=disable-wifi
dtoverlay=disable-bt
}}}
- The linked page above uses pi3-disable-foo, which are deprecated names
systemd-timesyncd config
RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.
Configure it in /etc/systemd/timesyncd.conf
{{{
[Time]
NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org
}}}
Leave the rest, just restart the daemon with systemctl restart systemd-timesyncd.service