Raspberry Pi
Model B+
OS: Raspberry Pi OS until it became full of undebuggable crap, then ArchLinuxARM … but the ArchARM guys dropped ARMv6 (armv6h, which is what the B+ runs), very MS®© style (clap), so back to PiOS Lite.
Installed with Pi-Hole and unbound as recursive DNS on port 5335
Interface: http://192.168.1.10/admin pass in bitwarden
SSH key auth for root
Archlinux
Start fdisk to partition the SD card:
fdisk /dev/mmcblk0
(thank you for that name; it is the kernel's MMC block driver, not systemd, but it is ugly all the same)
Delete old partitions and create a new one:
Type o to clear out any partitions.
Type p to list & check partitions.
Type n for new, p for primary, 1 for the first partition , press ENTER to accept the default first sector, type +200M for the last sector.
Type t for type, type c to set the first partition to type W95 FAT32 (LBA).
Type n for new, p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector.
Write the partition table and exit by typing w.
cd /root
mkfs.vfat /dev/mmcblk0p1
mkdir boot
mount /dev/mmcblk0p1 boot
mkfs.ext4 /dev/mmcblk0p2
mkdir root
mount /dev/mmcblk0p2 root
curl -O http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-latest.tar.gz -C root
sync
mv root/boot/* boot
umount boot root
The tarball arrives over plain http with no signature, only the .md5 published next to it, which catches a corrupt download but not a tampered one; package signatures only come into play after pacman-key --populate on first boot.
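The same layout as the fdisk walkthrough above, written as an sfdisk script so it can be read before it is applied and replayed on the next card. This is an added example, not something from these notes or from Arch; the target device is an assumption and is passed as an argument, and a plain disk image file works as a dry run.

```shell
#!/bin/sh
# Added example: reproducible SD layout for the Pi B+ (MBR label, 200 MiB FAT32-LBA
# boot partition, Linux root on the rest), matching the interactive fdisk steps.
# The target ($1) is an assumption: /dev/mmcblk0 on the real box, or an image file.
# sfdisk overwrites the partition table of whatever it is given: check the device twice.
set -eu

# The layout as an sfdisk script. type=c is "W95 FAT32 (LBA)", type=83 is Linux;
# a partition line without size takes the remaining space.
sd_layout() {
  cat <<'EOF'
label: dos
size=200MiB, type=c, bootable
type=83
EOF
}

# Apply the layout to a block device or image file, wiping old signatures first.
partition_sd() {
  target=$1
  if [ ! -e "$target" ]; then
    echo "no such target: $target" >&2
    return 1
  fi
  sd_layout | sfdisk --wipe always "$target"
}

# Review first:   sh sd-layout.sh show
# Dry run:        truncate -s 512M test.img && sh sd-layout.sh apply test.img && sfdisk -d test.img
# Real card:      sh sd-layout.sh apply /dev/mmcblk0
case "${1:-}" in
  show)  sd_layout ;;
  apply) partition_sd "$2" ;;
esac
```

After `apply`, `sfdisk -d` on the target prints the resulting table; the first line must show `type=c, bootable` before mkfs.vfat is pointed at partition 1.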
First boot:
ssh alarm@IP                       # default password: alarm
su                                 # default root password: root
pacman-key --init
pacman-key --populate archlinuxarm
passwd                             # change root's password right away
Update&new toys
pacman -Syu
pacman -S htop ccze dfc zsh vim base-devel git go   # go is for building yay
Extra-config
hostname
hostnamectl set-hostname dns
fixed IP
vi /etc/systemd/network/20-wired.network
[Match]
Name=eth0

[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=192.168.1.11
VIM über älles
pacman -R vi
ln -s `which vim` /usr/bin/vi
AUR Helper
Let's install yay. makepkg refuses to run as root, so build as alarm and only switch to root for the pacman -U. Read the PKGBUILD before building it: this is a script pulled from the AUR that runs with your user's rights, and the AUR has no review process.
su - alarm
mkdir /tmp/yay
curl https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=yay > /tmp/yay/PKGBUILD
less /tmp/yay/PKGBUILD   # check source URLs and checksums before running it
cd /tmp/yay
makepkg
su
pacman -U yay*.pkg.tar.*   # the extension depends on makepkg's compression setting (.xz or .zst)
Pi-Hole
as user alarm (answering A to "Diffs to show?" and reading the two PKGBUILDs before they build is the only review step the AUR gives you; N skips it)
[alarm@dns2 ~]$ yay -S pi-hole-server
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo:10]  libidn-1.38-1  bc-1.07.1-4  inetutils-2.2-1  logrotate-3.18.1-1  libmaxminddb-1.6.0-1  lmdb-0.9.29-1  python-3.9.9-1  python-ply-3.11-8  bind-9.16.23-1  lsof-4.94.0-1
[Repo Make:6]  hicolor-icon-theme-0.17-2  jsoncpp-1.9.4-1  libnsl-2.0.0-1  libuv-1.42.0-1  rhash-1.4.2-1  cmake-3.22.1-1
[Aur:2]  pi-hole-ftl-5.11-1  pi-hole-server-5.6-4
==> Remove make dependencies after install? [y/N]
2  pi-hole-ftl       (Build Files Exist)
1  pi-hole-server    (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> A
:: Deleting (1/2): /home/alarm/.cache/yay/pi-hole-ftl
:: Deleting (2/2): /home/alarm/.cache/yay/pi-hole-server
:: (1/2) Downloaded PKGBUILD: pi-hole-ftl
:: (2/2) Downloaded PKGBUILD: pi-hole-server
2  pi-hole-ftl       (Build Files Exist)
1  pi-hole-server    (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> N
coffee time
the compilation used to break at 33%
....
[ 31%] Built target api
[ 32%] Building C object src/database/CMakeFiles/sqlite3.dir/shell.c.o
[ 33%] Building C object src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c: In function 'dbpageUpdate':
/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c:206560:31: warning: comparison of integer expressions of different signedness: 'Pgno' {aka 'unsigned int'} and 'int' [-Wsign-compare]
206560 |   if( pgno<1 || pBt==0 || pgno>(int)sqlite3BtreeLastPage(pBt) ){
       |                               ^
{standard input}: Assembler messages:
{standard input}:480061: Warning: end of file not at end of a line; newline inserted
{standard input}: Error: open CFI at the end of file; missing .cfi_endproc directive
cc: fatal error: Killed signal terminated program cc1
compilation terminated.
make[2]: *** [src/database/CMakeFiles/sqlite3.dir/build.make:90: src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:322: src/database/CMakeFiles/sqlite3.dir/all] Error 2
make: *** [Makefile:136: all] Error 2
==> ERROR: A failure occurred in build().
"Killed signal terminated program cc1" is the OOM killer: compiling the amalgamated sqlite3.c needs more RAM than the B+ has. Following https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/ I added 1 GB of swap on /mnt. Two things differ from that page: fallocate and dd both create the file, so use one of them, not both; and on Arch /etc/sysctl.conf is not read at all (systemd-sysctl only loads /etc/sysctl.d/*.conf), and writing it with ">" would have clobbered whatever was there anyway.
fallocate -l 1G /mnt/1GB.swap          # or, if fallocate is unavailable: dd if=/dev/zero of=/mnt/1GB.swap bs=1M count=1024
chmod 600 /mnt/1GB.swap                # mkswap warns about a world-readable swap file, and it would leak memory contents
mkswap /mnt/1GB.swap
swapon /mnt/1GB.swap
echo "/mnt/1GB.swap none swap defaults 0 0" >> /etc/fstab
echo "vm.swappiness=10" > /etc/sysctl.d/99-swappiness.conf
sysctl --system
Then re-run yay -S pi-hole-server; free -m should show the swap before the build starts.
Once installed, enable and start the pihole-FTL service
systemctl enable --now pihole-FTL
On Arch it fails on the first try, and not silently: systemd-resolved's stub listener already sits on 127.0.0.53:53, so pihole-FTL cannot bind port 53. systemctl status pihole-FTL and journalctl -u pihole-FTL show the bind error, and ss -lntup | grep ':53 ' shows who holds the port. Turn the stub listener off:
vi /etc/systemd/resolved.conf
[Resolve]
DNSStubListener=no
Restart both…
systemctl restart systemd-resolved pihole-FTL
If /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf it still names 127.0.0.53, which nothing listens on now; point it at /run/systemd/resolve/resolv.conf (or a static file naming this host) so local lookups keep working.
Php
- Install
yay -S php-sqlite
- /etc/php/php.ini
[...]
extension=pdo_sqlite
[...]
extension=sockets
[...]
extension=sqlite3
[...]
Lighttpd
yay -S lighttpd php-cgi
cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf
systemctl enable --now lighttpd
Hosts
vi /etc/hosts
127.0.0.1 localhost
192.168.1.10 pi.hole dns
Unbound
Let's install a real recursive resolver, so Pi-hole walks the tree from the root servers itself instead of forwarding to somebody's public DNS.
Install
yay -S unbound
Config
→ https://docs.pi-hole.net/guides/dns/unbound/
In /etc/unbound/unbound.conf. One thing the guide's block does not contain is a trust anchor, and Arch's unbound ships none: without it harden-dnssec-stripped has nothing to enforce and unbound resolves but does not validate. Install dnssec-anchors and add trust-anchor-file: "/etc/trusted-key.key" to the server block.
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    # (the Pi-hole guide has since moved to 1232, the DNS flag day 2020 value)
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
systemctl enable --now unbound
Check it before pointing Pi-hole at it: dig pi-hole.net @127.0.0.1 -p 5335 must answer NOERROR, and with the trust anchor in place dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 must come back SERVFAIL while sigok.verteiltesysteme.net answers NOERROR (the checks from the guide).
Now just enter 127.0.0.1#5335 in Settings > DNS (Upstream DNS Servers), Custom 1 (IPv4), untick every upstream previously selected, and Save.
Admin pass
pihole -a -p
Fix Network
Now that Pi-hole answers on 192.168.1.10, point the host's own resolver at itself (it was 192.168.1.11 during the install so pacman could fetch packages), then restart systemd-networkd.
vi /etc/systemd/network/20-wired.network
[Match]
Name=eth0

[Network]
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=192.168.1.10
PiOS Lite
Create an empty file named ssh in the boot partition (the FAT one the imager writes) so sshd is up on first boot.
sudo apt update && sudo apt dist-upgrade -y
sudo raspi-config                  # set timezone & locales
exit                               # reconnect
sudo apt install -y htop
curl -sSL https://install.pi-hole.net -o basic-install.sh
less basic-install.sh              # it is a root-run script fetched from the internet: look at it first
sudo bash basic-install.sh
pihole -a -p                       # prompts for the password
sudo apt install -y unbound
Run pihole -a -p without the password on the command line: it prompts, so the password never lands in ~/.bash_history or in ps output and there is nothing to rm afterwards. Downloading the installer and reading it before running it is the second install method in Pi-hole's own docs and beats piping curl into bash (sudo on the curl side does nothing useful anyway; the installer needs the privileges, not the download).
Unbound Config
→ https://docs.pi-hole.net/guides/dns/unbound/
On PiOS/Debian leave /etc/unbound/unbound.conf alone: all it does is include /etc/unbound/unbound.conf.d/*.conf, and that directory already ships root-auto-trust-anchor-file.conf, which gives unbound its root trust anchor. Moving unbound.conf aside drops that include, the trust anchor with it, and unbound silently stops validating DNSSEC. Put the server block where the guide puts it:
sudo vi /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    # (the Pi-hole guide has since moved to 1232, the DNS flag day 2020 value)
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
sudo systemctl enable --now unbound
Check it before pointing Pi-hole at it: dig pi-hole.net @127.0.0.1 -p 5335 must answer NOERROR, dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 must come back SERVFAIL and sigok.verteiltesysteme.net must answer NOERROR (the checks from the guide). If sigfail resolves, the trust anchor is missing.
Now just enter 127.0.0.1#5335 in Settings > DNS (Upstream DNS Servers), Custom 1 (IPv4), untick every upstream previously selected, and Save.
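The "does it actually validate?" check for both Unbound sections (the Archlinux one and this PiOS Lite one), as an added example that is not from these notes, from Pi-hole or from unbound: it runs the two probe names the Pi-hole guide uses, reads the rcode and the AD flag out of dig's output and turns them into one verdict, so a resolver that merely forwards is not mistaken for one that validates. The resolver address and port are taken from this page and are overridable; dig must be installed (bind-tools on Arch, dnsutils on PiOS).

```shell
#!/bin/sh
# Added example: verify that unbound on 127.0.0.1#5335 validates DNSSEC.
# Probe names come from the Pi-hole unbound guide; RESOLVER/PORT are assumed from this page.
RESOLVER=${RESOLVER:-127.0.0.1}
PORT=${PORT:-5335}

# Pull the rcode (NOERROR, SERVFAIL, ...) out of dig output read from stdin.
dig_status() {
  sed -n 's/.*;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the dig output on stdin carries the AD (authenticated data) flag,
# i.e. the resolver itself validated the answer.
dig_has_ad() {
  grep '^;; flags:' | sed 's/^;; flags:\([^;]*\);.*/\1/' | tr ' ' '\n' | grep -qx ad
}

# Verdict from the two probes:
#   sigok NOERROR with AD and sigfail SERVFAIL -> the resolver validates
#   both NOERROR                               -> it resolves but does NOT validate
#                                                 (typically no trust anchor configured)
#   anything else                              -> unreachable or misconfigured
dnssec_verdict() {
  ok_status=$1
  ok_ad=$2
  fail_status=$3
  if [ "$ok_status" = NOERROR ] && [ "$ok_ad" = yes ] && [ "$fail_status" = SERVFAIL ]; then
    echo validating
  elif [ "$ok_status" = NOERROR ] && [ "$fail_status" = NOERROR ]; then
    echo not-validating
  else
    echo broken
  fi
}

# Run both probes against the live resolver and print the verdict.
check_resolver() {
  ok_out=$(dig +time=3 +tries=1 sigok.verteiltesysteme.net @"$RESOLVER" -p "$PORT" 2>/dev/null) || ok_out=""
  fail_out=$(dig +time=3 +tries=1 sigfail.verteiltesysteme.net @"$RESOLVER" -p "$PORT" 2>/dev/null) || fail_out=""
  ok_status=$(printf '%s\n' "$ok_out" | dig_status)
  if printf '%s\n' "$ok_out" | dig_has_ad; then ok_ad=yes; else ok_ad=no; fi
  fail_status=$(printf '%s\n' "$fail_out" | dig_status)
  dnssec_verdict "$ok_status" "$ok_ad" "$fail_status"
}

# Usage: sh dnssec-check.sh check
if [ "${1:-}" = check ]; then
  check_resolver
fi
```

Run it once right after `systemctl enable --now unbound` and again after any edit to the unbound config; "not-validating" is exactly what a config without a trust anchor produces, and it looks perfectly healthy from the Pi-hole dashboard.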
Update pi-hole
pihole -v
pihole -up