Raspberry pi server notes
Alex Hanson edited this page Apr 8, 2021 · 21 revisions
- Flash Raspbian lite on minimum 16 GB uSD card and install on Pi 3+.
- Enable ssh by adding a file named 'ssh' (no extension) to the root directory of the boot partition of the uSD card.
- Insert uSD card into Pi, and power on with Ethernet plugged in.
If using the wifi adapter instead of Ethernet, figure out how to modify boot files on uSD card and update this documentation.
- Connect to server using ssh.
- username: pi
- password: raspberry
- Change password to strong password using `passwd` and following prompt. Store in KeePass.
- Install and setup ddclient
- `sudo apt-get install ddclient`
- follow or skip prompt
- let install finish (may take a few minutes)
- edit ddclient config file

```
sudo nano /etc/ddclient.conf
#
ssl = yes
protocol=googledomains
use=web, web=ipinfo.io/ip
login=XXXXXXXXX
password='XXXXXXXXXX'
sub.domain.com
```

- `sudo service ddclient restart`
- `sudo service ddclient status`
- check google domains for update status
- Modify server's /etc/ssh/sshd_config
- Make backup first
- Need to edit using sudo.
- Disable login of root. Make sure the line `PermitRootLogin yes` does not appear, and that the following line does: `PermitRootLogin prohibit-password`
- Disconnect idle sessions with lines:

```
ClientAliveInterval 300
ClientAliveCountMax 4
```

- Whitelist users with the line `AllowUsers pi`
- Un-comment the following line: `AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`
- Test config file: `sudo sshd -t`
- Reload configuration file: `sudo systemctl reload ssh`
- Disconnect from server.
- Follow this link to create private / public key, transfer to server, and test connecting with keys.
- Connect to
- Disable password authentication on server
- Continue modifying server's /etc/ssh/sshd_config
- Change `PasswordAuthentication yes` to `PasswordAuthentication no`.
- Change `X11Forwarding yes` to `X11Forwarding no`.
- Change
- Test config file: `sudo sshd -t`
- Reload configuration file: `sudo systemctl reload ssh`
- Other items not yet implemented, such as Fail2Ban, multi-factor authentication, custom banner, message of the day, SSH audit, and regenerate moduli, can be found here
Note: pi password was used to protect key
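
A check for the sshd_config settings in the steps above, as an added example that is not part of the original notes: it reads a config file and applies sshd's first-value-wins rule to the global section. The function names and the sample input are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```sh
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file against
# the settings listed in the steps above. sshd keeps the FIRST value it reads
# for a keyword, so a corrected line placed after an old one has no effect.
# Note: "PermitRootLogin prohibit-password" still lets root log in with a key.

# effective_value FILE KEYWORD: first value of KEYWORD in the global section
effective_value() {
  awk -v want="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      key = line; sub(/[ \t=].*$/, "", key)  # keyword ends at space or "="
      val = substr(line, length(key) + 1)
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (tolower(key) == "match") exit      # Match blocks are conditional
      if (tolower(key) == tolower(want)) { print val; exit }
    }' "$1"
}

# audit_sshd_config FILE: one line per check; exit status = number of failures
audit_sshd_config() {
  fails=0
  while read -r key want; do
    got=$(effective_value "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "ok    $key $got"
    else
      echo "FAIL  $key: want '$want', effective '${got:-unset}'"
      fails=$((fails + 1))
    fi
  done <<'EOF'
PermitRootLogin prohibit-password
ClientAliveInterval 300
ClientAliveCountMax 4
AllowUsers pi
PasswordAuthentication no
X11Forwarding no
EOF
  return "$fails"
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
  'AllowUsers pi' 'PasswordAuthentication no' >"$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the effective configuration, including defaults.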
- Install

```
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install mosquitto mosquitto-clients
```

- check status: `sudo service mosquitto status`
- setup ssl
Couldn't get this working, so it has been skipped.
```
# create dir to store certs
mkdir mqtt_certs
cd mqtt_certs/

# create a key pair for the CA
openssl genrsa -des3 -out ca.key 2048

# Create a certificate for the CA using the CA key
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

# Create a server key pair to be used by the broker
openssl genrsa -out server.key 2048

# Create a certificate request .csr.
# we don't send this request as we are the CA
openssl req -new -out server.csr -key server.key

# Use the CA key to verify and sign the server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

# Copy necessary files to mosquitto directory
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp server.crt /etc/mosquitto/certs/
sudo cp server.key /etc/mosquitto/certs/

# Create config file
sudo gunzip -k /usr/share/doc/mosquitto/examples/mosquitto.conf.gz
sudo cp /usr/share/doc/mosquitto/examples/mosquitto.conf /etc/mosquitto/conf.d/

# Edit config file
sudo nano /etc/mosquitto/conf.d/mosquitto.conf

# =================================================================
# Default listener
# =================================================================
port 8883

# =================================================================
# Certificate based SSL/TLS support
# =================================================================
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
# file name must match the certificate copied above (server.crt)
certfile /etc/mosquitto/certs/server.crt
# TLS 1.0 (tlsv1) is deprecated; require TLS 1.2
tls_version tlsv1.2
#
```
Note: pi password was used to protect key
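
One way to check the result of the TLS steps above before restarting the broker, as an added example that is not from the original notes: it confirms that the files named in the listener config exist, that `tls_version` is not a deprecated protocol, that the server certificate verifies against the CA, and that the key matches the certificate. `check_mosquitto_tls` and the sample paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check the TLS settings in
# a mosquitto config file. Paths containing spaces are not handled.

# check_mosquitto_tls CONF: prints findings; exit status = number of problems
check_mosquitto_tls() {
  problems=0
  for opt in cafile certfile keyfile; do
    path=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$1")
    eval "$opt=\$path"                       # sets $cafile, $certfile, $keyfile
    if [ -z "$path" ] || [ ! -r "$path" ]; then
      echo "FAIL  $opt: '${path:-unset}' is missing or unreadable"
      problems=$((problems + 1))
    fi
  done
  ver=$(awk '$1 == "tls_version" { print $2; exit }' "$1")
  case $ver in
    tlsv1|tlsv1.1)
      echo "FAIL  tls_version $ver is deprecated"; problems=$((problems + 1))
      ;;
  esac
  [ "$problems" -eq 0 ] || return "$problems"
  # The remaining checks need all three files to be present.
  openssl verify -CAfile "$cafile" "$certfile" >/dev/null 2>&1 ||
    { echo "FAIL  certfile does not verify against cafile"; problems=$((problems + 1)); }
  cert_pub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL  keyfile does not match certfile"; problems=$((problems + 1)); }
  return "$problems"
}

# Constructed sample: the config names server.cert but only server.crt exists.
dir=$(mktemp -d)
touch "$dir/ca.crt" "$dir/server.crt" "$dir/server.key"
printf '%s\n' 'port 8883' "cafile $dir/ca.crt" "keyfile $dir/server.key" \
  "certfile $dir/server.cert" 'tls_version tlsv1' >"$dir/mosquitto.conf"
check_mosquitto_tls "$dir/mosquitto.conf" || echo "$? problem(s) found"
rm -rf "$dir"
```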
On server:
- Add apt-get stuff

```
sudo apt-get update && sudo apt-get install apt-transport-https

# Add the InfluxData key
curl -sL https://repos.influxdata.com/influxdb.key | sudo apt-key add -
source /etc/os-release
# VERSION_ID is quoted so the test does not error out if it is empty
test "$VERSION_ID" = "7" && echo "deb https://repos.influxdata.com/debian wheezy stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
test "$VERSION_ID" = "8" && echo "deb https://repos.influxdata.com/debian jessie stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
test "$VERSION_ID" = "9" && echo "deb https://repos.influxdata.com/debian stretch stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
```

- Install

```
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install telegraf
sudo apt-get install influxdb
sudo apt-get install chronograf
sudo apt-get install kapacitor
```

- Check and start (if necessary) services

```
sudo service telegraf start
sudo service telegraf status
sudo service influxd start
sudo service influxd status
sudo service chronograf start
sudo service chronograf status
sudo service kapacitor start
sudo service kapacitor status
```

- Modify retention policy on telegraf db, and create DAH db

```
influx
alter retention policy autogen on telegraf duration 7d shard duration 1d
create database DAH with duration 7d
exit
```

- Copy over telegraf.conf to /etc/telegraf/telegraf.conf

  write instructions, and say what has been modified

- Use browser to go to ip_address:8888
  - Add influxdb and system dashboards and continue
  - modify /etc/telegraf/telegraf.conf to make sure influxd and system dashboards are completely operational
- Modify retention policies to 7 days w/ shard of one day
- Start telegraf service: `sudo systemctl start telegraf`
- Edit configuration file: `sudo nano /etc/telegraf/telegraf.conf`