IoT Beaglebone black
Purpose: host the UniFi Controller and maybe other services (DNS 2)
This board ships with super ugly images full of BS™ software like Cloud9 that eats tons of MB and then makes you spend hours removing/reconfiguring it.
Hardware: good
OS image: catastrophic
The ISOs are full of node.js crap (websites) that needs extreme hacking before Pi-hole works!…
→ https://elinux.org/Beagleboard:BeagleBoneBlack_Debian
→ https://learn.adafruit.com/beaglebone-black-installing-operating-systems?view=all
→ https://beagleboard.org/latest-images/ - take the one that flashes eMMC
apt update
apt upgrade
reboot
systemctl stop cloud9.service
systemctl stop cloud9.socket
systemctl disable cloud9.service
systemctl disable cloud9.socket
apt remove --purge nginx*
apt remove --purge c9-core-installer nodejs* apache2*
rm -rf /usr/local/lib/node_modules/bonescript
apt autoremove
apt autoclean
rm -rf /opt/*
reboot

## static IP / remove connman
vi /etc/connman/main.conf
#NetworkinterfaceBlacklist=eth0,SoftAp0,usb0,usb1

vi /etc/network/interfaces
...
# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.11
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.10 192.168.1.11
...

systemctl disable connman
reboot
apt remove --purge connman
systemctl disable dnsmasq
apt remove --purge dnsmasq
rm -rf /etc/resolvconf /etc/dnsmasq.d
vi /etc/resolv.conf
nameserver 192.168.1.10
nameserver 192.168.1.11

## install pihole
curl -sSL https://install.pi-hole.net | bash
pihole -a -p NEWPASS
timedatectl set-timezone Europe/Zurich
timedatectl
vi /etc/systemd/timesyncd.conf
#[Time]
#NTP=ntp.fortier-family.com

timedatectl set-ntp true
timedatectl status
systemctl restart systemd-timesyncd

vi /etc/default/bb-wl18xx
USE_GENERATED_DNSMASQ=no
rm /var/lib/misc/dnsmasq.leases
touch /var/lib/misc/dnsmasq.leases
chown pihole:pihole /var/lib/misc/dnsmasq.leases
vi /etc/dnsmasq.d/SoftAp0
#cache-size=2048
#dhcp-leasefile=/var/run/dnsmasq.leases
reboot
## Setup dhcp/fixed IP
vi /etc/network/interfaces
# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.11
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.10 192.168.1.11

systemctl disable connman
systemctl enable --now networking

# Remove crap connman
apt remove --purge connman
reboot
systemctl disable dnsmasq
apt update && apt upgrade
cd /opt/scripts/tools/
git pull
./update_kernel.sh
reboot
curl -sSL https://install.pi-hole.net | bash
apt install unbound
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small
    # networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
In http://192.168.1.11/admin, Settings > DNS: uncheck Google's servers and add 127.0.0.1#5335 as Custom DNS 1.
systemctl stop cloud9.service
systemctl stop cloud9.socket
systemctl disable cloud9.service
systemctl disable cloud9.socket
Modify files like in https://services.haacksnetworking.org/2021/02/28/pihole-on-the-beagle-bone-black/
Also some references:
→ https://github.com/pi-hole/pi-hole/issues/1521
And:
→ https://discourse.pi-hole.net/t/new-install-dns-service-not-running/18644/11
And:
→ https://discourse.pi-hole.net/t/existing-dnsmasq-pi-hole/13533/6
In a nutshell:
vi /usr/bin/bb_dnsmasq_config.sh     # comment cache-size line
vi /opt/scripts/boot/am335x_evm.sh   # comment cache-size line too
vi /etc/default/bb-wl18xx            # USE_GENERATED_DNSMASQ=no
systemctl disable dnsmasq
apt remove dnsmasq
systemctl restart pihole-FTL

## in case of errors ...
systemctl disable wpa_supplicant
systemctl disable bonescript-autorun.service
systemctl stop pihole-FTL
rm /etc/dnsmasq.d/SoftAp0
touch /var/run/dnsmasq.leases
chown pihole /var/run/dnsmasq.leases
systemctl restart pihole-FTL
systemctl status pihole-FTL
→ https://www.ui.com/download/unifi/unifi-flex-hd
apt install apt-transport-https ca-certificates wget dirmngr gnupg gnupg2 software-properties-common multiarch-support
wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | apt-key add -
echo "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main" | tee /etc/apt/sources.list.d/mongodb-org-3.4.list
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u12_armhf.deb
dpkg -i libssl1.0.0_1.0.1t-1+deb8u12_armhf.deb
wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
apt update
apt install adoptopenjdk-8-hotspot
# the jvm directory name ends with the package architecture: check `ls /usr/lib/jvm` on the board (armhf here) and adjust the -amd64 suffix
echo "export JAVA_HOME=\"/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64\"" >>/etc/profile
source /etc/profile
echo $JAVA_HOME
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt update && apt install unifi
# or the .deb directly
wget https://dl.ui.com/unifi/6.5.54/unifi_sysvinit_all.deb
apt install ./unifi_sysvinit_all.deb
apt install zsh htop ccze xrdp
connmanctl services
*AO Wired    ethernet_1cba8ca24f0d_cable
connmanctl config ethernet_1cba8ca24f0d_cable --ipv4 manual 192.168.1.11 255.255.255.0 192.168.1.1 --nameservers 192.168.1.10
hostnamectl set-hostname dns2
curl -sSL https://install.pi-hole.net | bash
if any issue:
pihole -r
apt install unbound
Same unbound server: block as in the first Debian attempt above, then in http://192.168.1.11/admin, Settings > DNS: uncheck Google's servers and add 127.0.0.1#5335 as Custom DNS 1.
Config
systemctl enable --now xrdp
adduser xrdp ssl-cert
systemctl restart xrdp
You need an SD card and a card reader on an already working Linux machine.
dd if=/dev/zero of=/dev/mmcblk0 bs=1M count=8
partition the SD card:
fdisk /dev/mmcblk0
Type o. This will clear out any partitions on the drive.
Type n, then p for primary, 1 for the first partition on the drive, 2048 for the first sector, and then press ENTER to accept the default last sector.
Type w to write the partition table and exit
Format in ext4 filesystem:
mkfs.ext4 /dev/mmcblk0p1
Mount the card
cd /
mount /dev/mmcblk0p1 mnt
wget http://os.archlinuxarm.org/os/ArchLinuxARM-am33x-latest.tar.gz
bsdtar -xpvf ArchLinuxARM-am33x-latest.tar.gz -C mnt && sync
# both bootloader stages go to the SD card (mmcblk0 on the host machine)
dd if=mnt/boot/MLO of=/dev/mmcblk0 count=1 seek=1 conv=notrunc bs=128k
dd if=mnt/boot/u-boot.img of=/dev/mmcblk0 count=2 seek=1 conv=notrunc bs=384k
umount mnt
sync
Insert the card in the BBB, connect the network cable, then, while holding the "user" button, insert the power plug. When all the LEDs are lit, release the "user" button.
ssh alarm@IP # pass: alarm
pacman-key --init
pacman-key --populate archlinuxarm
The BBB now works fully, but from the SD card.
Same steps as above, but with /dev/mmcblk1 (the eMMC):
dd if=/dev/zero of=/dev/mmcblk1 bs=1M count=8
fdisk /dev/mmcblk1
mkfs.ext4 /dev/mmcblk1p1
cd /
mount /dev/mmcblk1p1 mnt
wget http://os.archlinuxarm.org/os/ArchLinuxARM-am33x-latest.tar.gz
bsdtar -xpvf ArchLinuxARM-am33x-latest.tar.gz -C mnt && sync
dd if=mnt/boot/MLO of=/dev/mmcblk1 count=1 seek=1 conv=notrunc bs=128k
dd if=mnt/boot/u-boot.img of=/dev/mmcblk1 count=2 seek=1 conv=notrunc bs=384k
umount mnt
sync
shutdown now
ssh alarm@IP    # pass: alarm; root password: root (su)
pacman-key --init
pacman-key --populate archlinuxarm
pacman -Syu
pacman -S htop ccze dfc zsh vim base-devel git go   # go is for yay
hostnamectl set-hostname dns2
vi /etc/systemd/network/20-wired.network
[Match]
Name=eth0

[Network]
Address=192.168.1.11/24
Gateway=192.168.1.1
DNS=192.168.1.10
pacman -R vi
ln -s `which vim` /usr/bin/vi
Let's install yay
su - alarm
mkdir /tmp/yay
# quote the URL so the shell does not treat the '?' as a glob
curl 'https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=yay' > /tmp/yay/PKGBUILD
cd /tmp/yay
makepkg
su
pacman -U yay*.xz
as user alarm
[alarm@dns2 ~]$ yay -S pi-hole-server
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo:10]  libidn-1.38-1  bc-1.07.1-4  inetutils-2.2-1  logrotate-3.18.1-1  libmaxminddb-1.6.0-1  lmdb-0.9.29-1  python-3.9.9-1  python-ply-3.11-8  bind-9.16.23-1  lsof-4.94.0-1
[Repo Make:6]  hicolor-icon-theme-0.17-2  jsoncpp-1.9.4-1  libnsl-2.0.0-1  libuv-1.42.0-1  rhash-1.4.2-1  cmake-3.22.1-1
[Aur:2]  pi-hole-ftl-5.11-1  pi-hole-server-5.6-4
==> Remove make dependencies after install? [y/N]
2  pi-hole-ftl   (Build Files Exist)
1  pi-hole-server   (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> A
:: Deleting (1/2): /home/alarm/.cache/yay/pi-hole-ftl
:: Deleting (2/2): /home/alarm/.cache/yay/pi-hole-server
:: (1/2) Downloaded PKGBUILD: pi-hole-ftl
:: (2/2) Downloaded PKGBUILD: pi-hole-server
2  pi-hole-ftl   (Build Files Exist)
1  pi-hole-server   (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> N
coffee time
The compilation used to break at 33%:
[ 31%] Built target api
[ 32%] Building C object src/database/CMakeFiles/sqlite3.dir/shell.c.o
[ 33%] Building C object src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c: In function 'dbpageUpdate':
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c:206560:31: warning: comparison of integer expressions of different signedness: 'Pgno' {aka 'unsigned int'} and 'int' [-Wsign-compare]
206560 |   if( pgno<1 || pBt==0 || pgno>(int)sqlite3BtreeLastPage(pBt) ){
       |                               ^
{standard input}: Assembler messages:
{standard input}: Error: open CFI at the end of file; missing .cfi_endproc directive
...
Looks like the issue is a lack of memory, so following https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/ I added one GB of swap on /dev/mmcblk0p1.
Once installed, start/enable the pihole-FTL service:
systemctl start pihole-FTL
It will fail silently, thanks to systemd and its systemd-resolved.service, whose stub listener already holds port 53 (on 127.0.0.53) so pihole-FTL cannot bind it…
vi /etc/systemd/resolved.conf
[Resolve]
DNSStubListener=no
Restart both…
systemctl restart systemd-resolved pihole-FTL
yay -S php-sqlite
then enable the extensions in php.ini:
[...]
extension=pdo_sqlite
[...]
extension=sockets
[...]
extension=sqlite3
[...]

yay -S lighttpd php-cgi
cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf
systemctl enable --now lighttpd
vi /etc/hosts
127.0.0.1     localhost
192.168.1.11  pi.hole dns2
Let's install a real recursive DNS
yay -S unbound
→ https://docs.pi-hole.net/guides/dns/unbound/
In /etc/unbound/unbound.conf.d/pi-hole.conf
put the same server: block as in the unbound config of the Debian section above (interface 127.0.0.1, port 5335, harden-glue, harden-dnssec-stripped, private-address ranges).
systemctl enable unbound
Now just enter 127.0.0.1#5335 in Settings > DNS (upstream DNS) as Custom 1, unchecking any upstream DNS previously set up.
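As an added check script (not part of the original notes), this POSIX shell snippet parses `ss` listener output for the two things that went wrong on this page: dnsmasq or the systemd-resolved stub still holding port 53 so pihole-FTL cannot bind, and unbound being reachable anywhere other than 127.0.0.1:5335. The function names and the `ss` sample lines are constructed here; on a real box feed it `ss -Hlntup` instead.

```shell
#!/bin/sh
# Added check script (not from the original notes). Both functions read `ss`
# socket listings on stdin, e.g.:   ss -Hlntup | port53_intruders

# Print the names of processes bound to port 53 that are not pihole-FTL, one per
# line, deduplicated. No output means port 53 is free for FTL.
port53_intruders() {
    awk '
        # field 5 is Local Address:Port, e.g. 0.0.0.0:53 or 127.0.0.53%lo:53
        $5 ~ /:53$/ && match($0, /users:\(\("[^"]+"/) {
            name = substr($0, RSTART + 9, RLENGTH - 10)   # users:(("dnsmasq" -> dnsmasq
            if (name != "pihole-FTL" && !(name in seen)) { seen[name] = 1; print name }
        }'
}

# Exit 0 when every unbound socket is bound to 127.0.0.1:5335 (the interface/port
# from the unbound.conf above); exit 1 if unbound also listens elsewhere, i.e. it
# would be an open resolver for the LAN instead of a Pi-hole-only upstream.
unbound_loopback_only() {
    awk '/"unbound"/ && $5 != "127.0.0.1:5335" { bad = 1 }
         END { if (bad) exit 1; exit 0 }'
}

# Constructed sample: a box where dnsmasq and the resolved stub are still up.
SAMPLE_SS='udp   UNCONN 0 0       0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=612,fd=4))
udp   UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=301,fd=12))
udp   UNCONN 0 0       0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=900,fd=5))
tcp   LISTEN 0 32      0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=612,fd=5))
udp   UNCONN 0 0   127.0.0.1:5335 0.0.0.0:* users:(("unbound",pid=777,fd=3))'

# Constructed sample: unbound wrongly bound to all interfaces.
SAMPLE_SS_EXPOSED='udp   UNCONN 0 0     0.0.0.0:5335 0.0.0.0:* users:(("unbound",pid=777,fd=3))'

echo "port 53 intruders:"
printf '%s\n' "$SAMPLE_SS" | port53_intruders
if printf '%s\n' "$SAMPLE_SS" | unbound_loopback_only; then
    echo "unbound: loopback only"
else
    echo "unbound: exposed beyond 127.0.0.1:5335"
fi
```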