vector

• RPi OS Lite on RPi Model 4
• Based on Debian buster (10) x32
• Located at home

Build notes

• Flash the image

• touch ssh on boot partition

• Fire it up
• Login as pi//raspberry, set new passwd
• ssh-copy-id
• sudo to root and copy authorized_keys to root's
• Login directly as root
• hostnamectl set-hostname vector.thighhighs.top

• Packages

  apt update
  apt install vim screen locales bash-completion
  dpkg-reconfigure locales
  apt full-upgrade
  reboot

• Disable IPv6 privacy addresses

  # Already disabled in sysctl
  sysctl -a | grep tempaddr
  # Fix it in dhcp client config, /etc/dhcpcd.conf
  slaac hwaddr

• Set editor

  echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh

• Set timezone

  timedatectl set-timezone Australia/Sydney

• Disable HashKnownHosts in /etc/ssh/ssh_config

• More packages

  apt install wget curl net-tools ack jq make mlocate elinks nmap whois
  updatedb
  reboot

• Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc

• Configure top yourself

• Set static IPv4 config in /etc/dhcpcd.conf because this will be a network services box

  option ntp_servers
  interface eth0
  static ip_address=192.168.1.20/24
  static routers=192.168.1.1
  static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

Now take an image of the system after shrinking the filesystem

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz

network

Static IPv4 address via /etc/dhcpcd.conf IPv6 stuff works by SLAAC as usual.

slaac hwaddr

option ntp_servers

interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

IPv6

Autoconfigured, slaac hwaddr, not externally accessible

services

• Pihole DNS and DHCP server

Pihole

Straightforward basic install, no conflict with other installed services.

• Pi-hole DNS (IPv4): 192.168.1.20
• Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea

Admin UI at https://pihole.thighhighs.top/admin/

TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Firewall

As per https://docs.pi-hole.net/main/prerequisites/ I've installed ufw and locked things down.

Limit and fail2ban would be good to do as well: https://www.raspberrypi.org/documentation/configuration/security.md

apt install ufw
ufw allow ssh
ufw enable

# Unifi stuff - https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
ufw allow 8443/tcp
ufw allow 8080/tcp
ufw allow 3478/udp
ufw allow 5515/udp
ufw allow 5514/udp
ufw allow 8843/tcp
ufw allow 6789/tcp
ufw allow 8880/tcp
ufw allow 10001/udp
ufw allow 1900/udp

# Pihole stuff - https://docs.pi-hole.net/main/prerequisites/#ufw
ufw allow http
ufw allow https
ufw allow domain
ufw allow 67/udp
ufw allow 67/tcp
ufw allow 546:547/udp

Disable wifi and bluetooth on RPi

I'm using vector as a network appliance, so I don't need the radios.

https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/

Edit your /boot/config.txt and add:

dtoverlay=disable-wifi
dtoverlay=disable-bt

• The linked page above uses pi3-disable-foo, which are deprecated names

systemd-timesyncd config

RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.

Configure it in /etc/systemd/timesyncd.conf

[Time]
NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org

Leave the rest, just restart the daemon with systemctl restart systemd-timesyncd.service