The OS is installed on Raspberry Pi 3 B featuring a High Endurance Micro-SDHC card 32 GB 100 MB/s UHS Class 3 by SANDISK.

Get model information

cat /sys/firmware/devicetree/base/model

Set time

In case the Raspberry Pi has no internet connection, we need to adjust the time manually. A correct clock is important for InfluxDB, collectd and Grafana.

sudo date --set '2020-06-19 11:31:00'

Standard configuration

sudo su
apt remove unattended-upgrades

apt-get install keyboard-configuration

cat << EOF > /etc/default/keyboard
# KEYBOARD CONFIGURATION FILE

# Consult the keyboard(5) manual page.

XKBMODEL="pc105"
XKBLAYOUT="de"
XKBVARIANT=""
XKBOPTIONS=""

BACKSPACE="guess"
EOF
sudo dpkg-reconfigure -f noninteractive keyboard-configuration

sudo ln -fs /usr/share/zoneinfo/Europe/Berlin /etc/localtime
sudo dpkg-reconfigure -f noninteractive tzdata

#Change password
passwd

#Enable ssh
dpkg-reconfigure openssh-server
sudo systemctl enable ssh
systemctl start ssh

Install languages + set default

sudo su
vim /etc/locale.gen
locale-gen de_DE.UTF-8
locale-gen en_GB.UTF-8
locale-gen en_US.UTF-8
update-locale LANG=en_US.UTF-8
cat /etc/default/locale

Configure hostname

#Change the hostname and adjust it in all relevant places
hostname -b hangdevice
cat /etc/hostname

sudo vim /etc/hosts
127.0.0.1	localhost.ffcmesh localhost #fritz.box or speedport.ip or ffcmesh (Freifunk)
127.0.1.1	hangdevice.fablabchemnitz.de hangdevice.ffcmesh hangdevice
YourIP		hangdevice.fablabchemnitz.de hangdevice.ffcmesh hangdevice

Additional Packages

sudo su
apt-get install cifs-utils collectd console-data console-setup curl deborphan gcc git grc htop iftop jq make dos2unix dnsutils fail2ban molly-guard lsof mailutils mosh mtr ncdu net-tools postfix python-pip rkhunter ruby ruby-dev screen sysstat tcpdump telnet traceroute vim

sudo update-alternatives --set editor /usr/bin/vim.basic

#fail2ban config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl restart fail2ban.service

gem install colorls

pip install --upgrade pip

#logout and login again before running the speedtest-cli installation:
pip install speedtest-cli

Make ping accessible to users other than root

setcap cap_net_raw+ep /bin/ping

Postfix Mail Server

cd /etc/postfix
vim sasl_passwd
smtp.fablabchemnitz.de  the@address.server:thePassword
chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd

Troubleshooting: System mails are not sent

Problem description

(delivery temporarily suspended: Host or domain name not found. Name service error for name=smtp.fablabchemnitz.de type=MX: Host not found, try again

Solution

  • check Freifunk connection (maybe restart the router and the meshing "mother" router also. Restarting the mesh points helped)
  • restart postfix service
  • adjust postfix config (not sure if this really changes anything)
vim /etc/postfix/
disable_dns_lookups = yes

Permissions: The admin user hangprintermanage

Adjust bashrc
sudo su
rm /etc/sudoers.d/010_pi-nopasswd
echo "hangprintermanage ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/010_hangprintermanage-nopasswd

#make hangprintermanage a sudo user - if not already done by renaming the "pi" user to "hangprintermanage"; in that case hangprintermanage is already a sudoer
sudo usermod -aG sudo hangprintermanage 
sudo -iu hangprintermanage 
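
A validated way to create the sudoers drop-in from the step above, as an added example that is not part of the original notes: the rule is written to a temporary file, syntax-checked with visudo -cf, and only then installed with mode 0440. The function name write_sudoers_dropin and the VISUDO override variable are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example (not from the original notes): create the NOPASSWD drop-in
# only after its syntax has been checked, and install it read-only.
# write_sudoers_dropin and the VISUDO override are names introduced here.

# write_sudoers_dropin USER DEST_FILE
write_sudoers_dropin() {
    wsd_user=$1
    wsd_dest=$2
    wsd_tmp=$(mktemp) || return 1

    # Same rule as on this page, but the file is replaced rather than
    # appended to, so re-running the step cannot add a duplicate line.
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$wsd_user" > "$wsd_tmp"

    # visudo -c = check only, -f = file to check. A broken drop-in can make
    # sudo refuse to run, so nothing is installed when the check fails.
    if ! "${VISUDO:-visudo}" -cf "$wsd_tmp" >/dev/null; then
        rm -f "$wsd_tmp"
        echo "syntax check failed, $wsd_dest left untouched" >&2
        return 1
    fi

    # 0440 is the mode sudo expects for sudoers files.
    install -m 0440 "$wsd_tmp" "$wsd_dest"
    wsd_rc=$?
    rm -f "$wsd_tmp"
    return "$wsd_rc"
}

# Usage as root on the Pi:
#   write_sudoers_dropin hangprintermanage /etc/sudoers.d/010_hangprintermanage-nopasswd
```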

SSH Key hangprintermanage

cd /home/hangprintermanage
chown -R hangprintermanage:hangprintermanage .ssh/
chmod 700 /home/hangprintermanage/.ssh
chmod 600 /home/hangprintermanage/.ssh/authorized_keys

SSH User for remote rsync backups

sudo su
adduser --gecos "" --shell /bin/bash --home /home/hangprinterbackup hangprinterbackup
mkdir -p /home/hangprinterbackup/.ssh/
chmod 700 /home/hangprinterbackup/.ssh/
touch /home/hangprinterbackup/.ssh/authorized_keys
echo "ssh-ed25519 THEPUBLICKEY ssh backup hangprinter" >> /home/hangprinterbackup/.ssh/authorized_keys
chmod 600 /home/hangprinterbackup/.ssh/authorized_keys
chown -R hangprinterbackup:hangprinterbackup /home/hangprinterbackup/
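
The modes and owners set for both accounts above (hangprintermanage and hangprinterbackup) can be verified afterwards; sshd with StrictModes (the default) refuses key files that other users can write to. The audit below is an added example, not part of the original notes; check_path and audit_ssh_home are hypothetical helper names, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the modes and owners
# that the SSH steps on this page set. Helper names are introduced here.

# check_path PATH MAX_MODE OWNER
#   Passes when PATH exists, is owned by OWNER and has no permission bits
#   beyond MAX_MODE (octal, e.g. 700 or 600).
check_path() {
    chk_path=$1
    chk_max=$2
    chk_owner=$3
    if [ ! -e "$chk_path" ]; then
        echo "MISSING $chk_path"
        return 1
    fi
    # GNU stat: %a = octal mode, %U = owner name
    chk_mode=$(stat -c '%a' "$chk_path")
    chk_own=$(stat -c '%U' "$chk_path")
    if [ "$chk_own" != "$chk_owner" ]; then
        echo "OWNER   $chk_path is owned by $chk_own, want $chk_owner"
        return 1
    fi
    # The leading 0 makes the shell read both values as octal.
    if [ $(( 0$chk_mode & ~0$chk_max )) -ne 0 ]; then
        echo "MODE    $chk_path is $chk_mode, want at most $chk_max"
        return 1
    fi
    echo "OK      $chk_path ($chk_mode, $chk_own)"
}

# audit_ssh_home HOME_DIR USER
#   Checks the two paths this page locks down: .ssh (700) and
#   .ssh/authorized_keys (600). Reports every finding, not only the first.
audit_ssh_home() {
    ash_rc=0
    check_path "$1/.ssh" 700 "$2" || ash_rc=1
    check_path "$1/.ssh/authorized_keys" 600 "$2" || ash_rc=1
    return "$ash_rc"
}

# Usage on the Pi:
#   audit_ssh_home /home/hangprintermanage hangprintermanage
#   audit_ssh_home /home/hangprinterbackup hangprinterbackup
```

check_path also fits the Postfix credentials file from earlier on this page: check_path /etc/postfix/sasl_passwd 600 root.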

How to setup systemd-networkd/systemd-resolved + remove legacy (ifupdown, networking & networkManager services)

This makes some nasty old stuff unavailable, such as ifup, ifdown, service networking, service networkManager and resolvconf.

systemctl stop networking.service
systemctl stop NetworkManager.service

systemctl disable networking.service
systemctl disable NetworkManager.service

#PLEASE DO NOT REMOVE "openresolv" - this is required for Wireguard Service!
apt-get remove ifupdown resolvconf
cd /etc
rm -rf network netplan.io
systemctl enable systemd-networkd.service
systemctl enable systemd-resolved.service

rm /etc/resolv.conf
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

service systemd-networkd restart
service systemd-networkd status
service systemd-resolved restart
service systemd-resolved status

networkctl #print general info
networkctl status eth0 #print detail info for eth0
systemd-resolve --status

cat /etc/resolv.conf

traceroute -i eth0 google.de
traceroute -i ewg0 google.de

systemd adjustments

Omit "a stop job is running for " warnings

vim /etc/systemd/system.conf
DefaultTimeoutStopSec=30s 

Removed snoopy again

Snoopy was removed again because it makes /var/log/auth.log grow very large (up to 4 GB after some days).

apt remove snoopy

Disable rsyslog

This prevents large files in /var/log (kern.log, daemon.log, syslog). They added up to about 4 GB after a few weeks because, for example, monitoring services write to InfluxDB.

systemctl disable rsyslog.service