====== Raspberry Pi ======
Model B+\\
OS: [[https://www.raspberrypi.com/software/operating-systems/|Raspberry Pi OS]] until it was full of undebuggable crap, then [[https://archlinuxarm.org/platforms/armv6/raspberry-pi|ArchLinuxARM]] ... but the ArchARM guys removed the armhf architecture, very MS®© style (clap), so back to PiOS Lite\\
Installed with [[https://pi-hole.net/|Pi-Hole]] and unbound as [[https://docs.pi-hole.net/guides/dns/unbound/|recursive DNS on port 5335]]
Interface: http://192.168.1.10/admin pass in //bitwarden// \\
SSH keys on root\\
====== Archlinux ======
Start fdisk to partition the SD card:
fdisk /dev/mmcblk0 # thank you systemD for shit naming :!:
Delete old partitions and create a new one:\\
Type o to clear out any partitions\\
Type p to list & check partitions.\\
Type n for new, p for primary, 1 for the first partition, press ENTER to accept the default first sector, type **+200M** for the last sector.\\
Type t for type, type c to set the first partition to type W95 FAT32 (LBA).\\
Type n for new, p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector.\\
Write the partition table and exit by typing w.\\
cd /root
mkfs.vfat /dev/mmcblk0p1
mkdir boot
mount /dev/mmcblk0p1 boot
mkfs.ext4 /dev/mmcblk0p2
mkdir root
mount /dev/mmcblk0p2 root
curl -O http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-latest.tar.gz -C root
sync
mv root/boot/* boot
umount boot root
First boot:
ssh alarm@IP #passwd alarm
su # pass root
pacman-key --init
pacman-key --populate archlinuxarm
passwd
===== Update&new toys =====
pacman -Syu
pacman -S htop ccze dfc zsh vim base-devel git go #go for yay
===== Extra-config =====
==== hostname ====
hostnamectl set-hostname dns
==== fixed IP ====
vi /etc/systemd/network/20-wired.network
[Match]
Name=eth0
[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=192.168.1.11
==== VIM über älles ====
pacman -R vi
ln -s `which vim` /usr/bin/vi
==== AUR Helper ====
Let's install [[https://aur.archlinux.org/packages/yay/|yay]]
su - alarm
mkdir /tmp/yay
curl 'https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=yay' > /tmp/yay/PKGBUILD
cd /tmp/yay
makepkg
su
pacman -U yay*.xz
==== Pi-Hole ====
:!: as user **alarm** :!:
[alarm@dns2 ~]$ yay -S pi-hole-server
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo:10] libidn-1.38-1 bc-1.07.1-4 inetutils-2.2-1 logrotate-3.18.1-1 libmaxminddb-1.6.0-1 lmdb-0.9.29-1 python-3.9.9-1 python-ply-3.11-8 bind-9.16.23-1 lsof-4.94.0-1
[Repo Make:6] hicolor-icon-theme-0.17-2 jsoncpp-1.9.4-1 libnsl-2.0.0-1 libuv-1.42.0-1 rhash-1.4.2-1 cmake-3.22.1-1
[Aur:2] pi-hole-ftl-5.11-1 pi-hole-server-5.6-4
==> Remove make dependencies after install? [y/N]
2 pi-hole-ftl (Build Files Exist)
1 pi-hole-server (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> A
:: Deleting (1/2): /home/alarm/.cache/yay/pi-hole-ftl
:: Deleting (2/2): /home/alarm/.cache/yay/pi-hole-server
:: (1/2) Downloaded PKGBUILD: pi-hole-ftl
:: (2/2) Downloaded PKGBUILD: pi-hole-server
2 pi-hole-ftl (Build Files Exist)
1 pi-hole-server (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> N
coffee time LOL\\
the compilation used to break @ 33% \\
....
[ 31%] Built target api
[ 32%] Building C object src/database/CMakeFiles/sqlite3.dir/shell.c.o
[ 33%] Building C object src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c: In function 'dbpageUpdate':
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c:206560:31: warning: comparison of integer expressions of different signedness: 'Pgno' {aka 'unsigned int'} and 'int' [-Wsign-compare]
206560 | if( pgno<1 || pBt==0 || pgno>(int)sqlite3BtreeLastPage(pBt) ){
| ^
{standard input}: Assembler messages:
{standard input}:480061: Warning: end of file not at end of a line; newline inserted
{standard input}: Error: open CFI at the end of file; missing .cfi_endproc directive
cc: fatal error: Killed signal terminated program cc1
compilation terminated.
make[2]: *** [src/database/CMakeFiles/sqlite3.dir/build.make:90: src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:322: src/database/CMakeFiles/sqlite3.dir/all] Error 2
make: *** [Makefile:136: all] Error 2
==> ERROR: A failure occurred in build().
Looks like the issue is a lack of memory, so following https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/ I added 1 GB of swap on /mnt\\
fallocate -l 1G /mnt/1GB.swap
dd if=/dev/zero of=/mnt/1GB.swap bs=1024 count=1048576
chmod 600 /mnt/1GB.swap
echo "vm.swappiness=10" > /etc/sysctl.d/99-swappiness.conf # systemd-sysctl on Arch reads /etc/sysctl.d/*.conf, not /etc/sysctl.conf
mkswap /mnt/1GB.swap
swapon /mnt/1GB.swap
echo "/mnt/1GB.swap none swap sw 0 0" >>/etc/fstab
Once installed, start/enable the pihole-FTL service
systemctl enable --now pihole-FTL
It will fail silently thanks to SystemD and its systemd-resolved.service, whose stub listener already holds port 53, so turn the listener off...
vi /etc/systemd/resolved.conf
[Resolve]
DNSStubListener=no
Restart both...
systemctl restart systemd-resolved pihole-FTL
== Php ==
* Install yay -S php-sqlite
* /etc/php/php.ini
[...]
extension=pdo_sqlite
[...]
extension=sockets
[...]
extension=sqlite3
[...]
== Lighttpd ==
yay -S lighttpd php-cgi
cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf
systemctl enable --now lighttpd
== Hosts ==
vi /etc/hosts
127.0.0.1 localhost
192.168.1.10 pi.hole dns
=== Unbound ===
Let's install a real recursive DNS
== Install ==
yay -S unbound
== Config ==
-> https://docs.pi-hole.net/guides/dns/unbound/ \\
In /etc/unbound/unbound.conf
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
msg-cache-size: 32m
rrset-cache-size: 64m
serve-expired: yes
serve-expired-ttl: 3600
cache-max-ttl: 86400
cache-min-ttl: 300
minimal-responses: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 4m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
#private-address: 192.168.1.0/24
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
#private-address: fd00::/8
#private-address: fe80::/10
# Aliases
local-data: "srv0.fortier-family.com. IN CNAME kali2.fortier-family.com."
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
unbound-checkconf
systemctl enable --now unbound
Now just enter 127.0.0.1#5335 in Settings > DNS (upstream DNS), Custom 1, unchecking any upstream DNS previously set up.
== Admin pass ==
pihole -a -p
== Fix Network ==
vi /etc/systemd/network/20-wired.network
[Match]
Name=eth0
[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=192.168.1.10
====== PiOS Lite ======
Put an "SSH" file in the root/boot folder so SSH is available
sudo apt update && sudo apt dist-upgrade -y
sudo raspi-config # change/set timezone&locales
exit #reconnect
sudo apt install -y htop
curl -sSL https://install.pi-hole.net | bash
pihole -a -p # prompts for the password, which keeps it out of shell history and the process list
sudo apt install -y unbound
===== Unbound Config =====
-> https://docs.pi-hole.net/guides/dns/unbound/ \\
sudo mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.org
sudo vi /etc/unbound/unbound.conf
In /etc/unbound/unbound.conf
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
sudo systemctl enable --now unbound
Now just enter 127.0.0.1#5335 in Settings > DNS (upstream DNS), Custom 1, unchecking any upstream DNS previously set up.
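A static check for the two unbound.conf files above (Archlinux and PiOS Lite sections), added here as an example and not part of the original notes or of the Pi-hole/unbound projects: it verifies the loopback binding, the port Pi-hole is pointed at, the two hardening options and the private-address ranges. The function names audit_unbound_conf and sample_conf and the sample config are constructed for illustration.

```shell
# Added example: static audit of an unbound.conf; one "FAIL ..." line per finding, exit 1 if any.
audit_unbound_conf() {
    awk '
    { sub(/#.*/, "") }          # drop whole-line and trailing comments
    NF < 2 { next }             # skip blank lines and the "server:" header
    {
        key = $1; sub(/:$/, "", key)
        val = $2; gsub(/"/, "", val)
        if (key == "private-address") priv[val] = 1
        else if (key == "interface")  iface[val] = 1
        else opt[key] = val
    }
    function fail(msg) { print "FAIL " msg; bad = 1 }
    END {
        # Any non-loopback interface exposes the recursor to other hosts.
        for (i in iface)
            if (i != "127.0.0.1" && i != "::1") fail("interface " i " is not loopback")
        # Pi-hole is pointed at 127.0.0.1#5335, so the port has to match.
        if (opt["port"] != "5335") fail("port is not 5335")
        if (opt["harden-glue"] != "yes") fail("harden-glue is not yes")
        if (opt["harden-dnssec-stripped"] != "yes") fail("harden-dnssec-stripped is not yes")
        # private-address strips these ranges from public answers (DNS rebinding).
        # do-ip6: no only turns off IPv6 transport; AAAA answers still pass, so IPv6 ranges count.
        n = split("192.168.0.0/16 169.254.0.0/16 172.16.0.0/12 10.0.0.0/8 fd00::/8 fe80::/10", want, " ")
        for (j = 1; j <= n; j++)
            if (!(want[j] in priv)) fail("private-address " want[j] " missing")
        exit bad + 0
    }' "$@"
}

# Constructed sample: the security-relevant lines of the Archlinux section config,
# where the two IPv6 private-address lines are commented out.
sample_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    #private-address: fd00::/8
    #private-address: fe80::/10
EOF
}
sample_conf | audit_unbound_conf || echo "=> fix the findings above"
```

With the functions loaded, audit_unbound_conf /etc/unbound/unbound.conf checks the live file; the PiOS Lite config above passes, while the Archlinux one reports the two commented-out IPv6 ranges.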
===== Update pi-hole =====
pihole -v
pihole -up
====== Reference ======
* https://www.youtube.com/watch?v=FnFtWsZ8IP0
* https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/
* https://docs.pi-hole.net/guides/dns/unbound/
* https://wiki.archlinux.org/title/Pi-hole
* https://pi-hole.net/
* https://peppe8o.com/install-pi-hole-in-your-raspberry-pi-with-raspberry-pi-os-lite/