Meidokon Wiki
Revision 1 as of 2021-04-20 17:47:04

vector

  • RPi OS Lite on RPi Model 4
  • Based on Debian buster (10) x32
  • Located at home

Contents

  1. vector
    1. Build notes
    2. Unifi controller
    3. network
    4. IPv6
    5. services
    6. Pihole
    7. Disable wifi and bluetooth on RPi
    8. systemd-timesyncd config

Build notes

  • Flash the image
  • touch ssh on boot partition

  • Fire it up
  • Login as pi//raspberry, set new passwd
  • ssh-copy-id
  • sudo to root and copy authorized_keys to root's
  • Login directly as root
  • hostnamectl set-hostname vector.thighhighs.top
  • Packages

    apt update
    apt install vim screen locales bash-completion
    dpkg-reconfigure locales
    apt full-upgrade
    reboot
  • Disable IPv6 privacy addresses

    # Already disabled in sysctl
    sysctl -a | grep tempaddr
    # Fix it in the DHCP client config: add this line to /etc/dhcpcd.conf
    slaac hwaddr
  • Set editor

    echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
  • Set timezone

    timedatectl set-timezone Australia/Sydney
  • Disable HashKnownHosts in /etc/ssh/ssh_config

  • More packages

    apt install wget curl net-tools ack jq make mlocate elinks nmap whois
    updatedb
    reboot
  • Configure screen: curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc

  • Configure top yourself
  • Set static IPv4 config in /etc/dhcpcd.conf because this will be a network services box

    option ntp_servers
    interface eth0
    static ip_address=192.168.1.20/24
    static routers=192.168.1.1
    static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

Now take an image of the system after shrinking the filesystem

e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | gzip --fast > 2021-04-20_vector_img_pre_unifi.img.gz

Unifi controller

Notes and script from here: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776

  • wget https://get.glennr.nl/unifi/install/unifi-6.2.17.sh

  • Grow partition with cfdisk, then FS with resize2fs
  • bash unifi-6.2.17.sh
  • Setup new empty site, create local admin account
  • Import site from old controller
  • Update DNS to point unifi to vector

This SSL cert thing doesn't work, yet it should be exactly the perfect method. -_-

java -jar /usr/lib/unifi/lib/ace.jar import_key_cert STAR_thighhighs_top.key.stripped STAR_thighhighs_top.crt

Instead I used this thing, it's stashed in /root/unifi-import-cert.sh

# Backup previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)

# Convert cert to PKCS12 format
openssl pkcs12 -export \
        -inkey /etc/ssl/STAR_thighhighs_top.key \
        -in /etc/ssl/STAR_thighhighs_top.crt \
        -out /etc/ssl/STAR_thighhighs_top.p12 \
        -name unifi -password pass:unifi

# Install certificate
keytool -importkeystore \
        -deststorepass aircontrolenterprise \
        -destkeypass aircontrolenterprise \
        -destkeystore /var/lib/unifi/keystore \
        -srckeystore /etc/ssl/STAR_thighhighs_top.p12 \
        -srcstoretype PKCS12 \
        -srcstorepass unifi \
        -alias unifi \
        -noprompt

# Restart UniFi controller
systemctl restart unifi
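
A pre-flight and post-import check for the certificate steps above, added here as an example (not part of the original notes or of UniFi's tooling): it confirms the key and certificate belong together before they are bundled, and that the keystore alias ends up holding the same certificate. Function names are hypothetical; file paths and the keystore password are passed in as arguments.

```shell
#!/bin/sh
# Added example: checks around a UniFi keystore import. Function names are
# hypothetical; paths and the keystore password are parameters.

# 0 when the private key and the certificate carry the same public key.
key_matches_cert() {   # $1 = PEM key, $2 = PEM cert
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {   # $1 = PEM cert, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 when the key file grants nothing to group or other.
key_is_private() {   # $1 = key file
    [ -f "$1" ] || return 2
    case $(ls -lL "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 when alias "unifi" in the keystore holds exactly this certificate.
keystore_serves_cert() {   # $1 = keystore, $2 = PEM cert, $3 = store password
    want=$(cert_fingerprint < "$2")
    have=$(keytool -exportcert -rfc -alias unifi -keystore "$1" \
               -storepass "$3" 2>/dev/null | cert_fingerprint)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Run before the pkcs12/keytool steps; stops at the first failed check.
preflight() {   # $1 = PEM key, $2 = PEM cert
    key_is_private "$1"         || { echo "key readable by group/other: $1" >&2; return 1; }
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$2" 14 || { echo "certificate expires within 14 days" >&2; return 1; }
    echo "ok: $2"
}
```

With the files on this page that is `preflight /etc/ssl/STAR_thighhighs_top.key /etc/ssl/STAR_thighhighs_top.crt` before the import and `keystore_serves_cert /var/lib/unifi/keystore /etc/ssl/STAR_thighhighs_top.crt aircontrolenterprise` after it.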

network

Static IPv4 address via /etc/dhcpcd.conf. IPv6 stuff works by SLAAC as usual.

slaac hwaddr

option ntp_servers

interface eth0
static ip_address=192.168.1.20/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 1.1.1.1 8.8.4.4

IPv6

Autoconfigured, slaac hwaddr, not externally accessible

services

  • Unifi controller
  • Pihole DNS and DHCP server

Pihole

Straightforward basic install, no conflict with other installed services.

  • Pi-hole DNS (IPv4): 192.168.1.20
  • Pi-hole DNS (IPv6): 2404:e80:42e3:0:e65f:1ff:fe1c:c6ea

Admin UI at https://pihole.thighhighs.top/admin/

TLS works \o/ https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/17

Disable wifi and bluetooth on RPi

I'm using vector as a network appliance, so I don't need the radios.

https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/

Edit your /boot/config.txt and add:

dtoverlay=disable-wifi
dtoverlay=disable-bt
  • The linked page above uses pi3-disable-foo, which are deprecated names

systemd-timesyncd config

RPi OS ships with systemd-timesyncd enabled by default, for SNTP functionality.

Configure it in /etc/systemd/timesyncd.conf

[Time]
NTP=ntp.on.net 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org

Leave the rest, just restart the daemon with systemctl restart systemd-timesyncd.service
