Differences

This shows you the differences between two versions of the page.

devices:raspberrypi [2022/03/05 16:31] – [Pi-Hole] warnaud
devices:raspberrypi [2025/03/06 10:38] (current) – new conf warnaud
Line 1: Line 1:
 +====== Raspberry Pi ======
 +Model B+\\
 +OS: [[https://www.raspberrypi.com/software/operating-systems/|RaspberryPi OS]] until it was full of crap undebugable - then [[https://archlinuxarm.org/platforms/armv6/raspberry-pi| ArclinuxARM]] ... but ArchARM guys removed armhf architecture, very MS®© style (clap) so back to PiOS Lite\\
 +Installed with [[https://pi-hole.net/|Pi-Hole]] and unbound as [[https://docs.pi-hole.net/guides/dns/unbound/|recursive DNS on port 5335]]
 +Interface: http://192.168.1.10/admin pass in //bitwarden// \\
 +SSHKeys on root\\
 +
 +====== Archlinux ======
 +Start fdisk to partition the SD card:
 +<code bash>fdisk /dev/mmcb1k0 </code> thank you systemD for shit naming :!:
 +Delete old partitions and create a new one:\\
 +Type o. to clear out any partitions\\
 +Type p to list & check partitions. \\
 +Type n for new, p for primary, 1 for the first partition , press ENTER to accept the default first sector, type **+200M** for the last sector.\\
 +Type t for type, type c to set the first partition to type W95 FAT32 (LBA).\\
 +Type n for new, p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector.\\
 +Write the partition table and exit by typing w.\\
 +<code bash>
 +cd /root
 +mkfs.vfat /dev/mmcb1k0p1
 +mkdir boot
 +mount /dev/mmcb1k0p1 boot
 +
 +mkfs.ext4 /dev/mmcb1k0p2
 +mkdir root
 +mount /dev/mmcb1k0p2 root
 +
 +curl -O http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz
 +bsdtar -xpf ArchLinuxARM-rpi-latest.tar.gz -C root
 +sync
 +
 +mv root/boot/* boot
 +
 +umount boot root
 +</code>
 +First boot:
 +<code bash>
 +ssh alarm@IP #passwd alarm
 +su # pass root
 +pacman-key --init
 +pacman-key --populate archlinuxarm
 +passwd
 +</code>
 +===== Update&new toys =====
 +<code bash>
 +pacman -Syu
 +pacman -S htop ccze dfc zsh vim base-devel git go #go for yay</code>
 +===== Extra-config =====
 +==== hostname ====
 +<code bash>hostnamectl set-hostname dns</code>
 +==== fixed IP ====
 +<code bash>
 +vi /etc/systemd/network/20-wired.network</code>
 +<code perl>
 +[Match]
 +Name=eth0
 +
 +[Network]
 +Address=192.168.1.10/24
 +Gateway=192.168.1.1
 +DNS=192.168.1.11
 +</code>
 +==== VIM über älles====
 +<code bash> pacman -R vi
 +ln -s `which vim` /usr/bin/vi</code>
 +==== AUR Helper ====
 +Let's install [[https://aur.archlinux.org/packages/yay/|yay]]
 +<code bash>
 +su - alarm
 +mkdir /tmp/yay
 +curl https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=yay > /tmp/yay/PKGBUILD
 +cd /tmp/yay
 +makepkg
 +su
 +pacman -U yay*.xz</code>
 +==== Pi-Hole ====
 +:!: as user **alarm** :!:
 +<code bash>
 +alarm@dns2 ~]$ yay -S pi-hole-server
 +:: Checking for conflicts...
 +:: Checking for inner conflicts...
 +[Repo:10]  libidn-1.38-1  bc-1.07.1-4  inetutils-2.2-1  logrotate-3.18.1-1  libmaxminddb-1.6.0-1  lmdb-0.9.29-1  python-3.9.9-1  python-ply-3.11-8  bind-9.16.23-1  lsof-4.94.0-1
 +[Repo Make:6]  hicolor-icon-theme-0.17-2  jsoncpp-1.9.4-1  libnsl-2.0.0-1  libuv-1.42.0-1  rhash-1.4.2-1  cmake-3.22.1-1
 +[Aur:2]  pi-hole-ftl-5.11-1  pi-hole-server-5.6-4
 +
 +==> Remove make dependencies after install? [y/N]
 +  2 pi-hole-ftl                              (Build Files Exist)
 +  1 pi-hole-server                           (Build Files Exist)
 +==> Packages to cleanBuild?
 +==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
 +==> A
 +:: Deleting (1/2): /home/alarm/.cache/yay/pi-hole-ftl
 +:: Deleting (2/2): /home/alarm/.cache/yay/pi-hole-server
 +:: (1/2) Downloaded PKGBUILD: pi-hole-ftl
 +:: (2/2) Downloaded PKGBUILD: pi-hole-server
 +  2 pi-hole-ftl                              (Build Files Exist)
 +  1 pi-hole-server                           (Build Files Exist)
 +==> Diffs to show?
 +==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
 +==> N
 +</code>
 +coffee time LOL\\
 +the compilation used to break @ 33% \\ <code>
 +....
 +[ 31%] Built target api
 +[ 32%] Building C object src/database/CMakeFiles/sqlite3.dir/shell.c.o
 +[ 33%] Building C object src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o
 +/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c: In function 'dbpageUpdate':
 +/home/alarm/.cache/yay/pi-hole-ftl/src/FTL-5.11/src/database/sqlite3.c:206560:31: warning: comparison of integer expressions of different signedness: 'Pgno' {aka 'unsigned int'} and 'int' [-Wsign-compare]
 +206560 |   if( pgno<1 || pBt==0 || pgno>(int)sqlite3BtreeLastPage(pBt) ){
 +                                     ^
 +^[[{standard input}: Assembler messages:{standard input}:480061: Warning: end of file not at end of a line; newline inserted{standard input}: Error: open CFI at the end of file; missing .cfi_endproc directive
 +cc: fatal error: Killed signal terminated program cc1
 +compilation terminated.make[2]: *** [src/database/CMakeFiles/sqlite3.dir/build.make:90: src/database/CMakeFiles/sqlite3.dir/sqlite3.c.o] Error 1make[1]: *** [CMakeFiles/Makefile2:322: src/database/CMakeFiles/sqlite3.dir/all] Error 2make: *** [Makefile:136: all] Error 2==> ERROR: A failure occurred in build().
 +
 +</code>
 +Looks like the issue is the lack of memory to using https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/ I added one GB of swap on /mnt\\
 +<code bash>
 +fallocate -l 1G /mnt/1GB.swap
 +dd if=/dev/zero of=/mnt/1GB.swap bs=1024 count=1048576
 +chmod 600 /mnt/1GB.swap
 +echo "vm.swappiness=10" > /etc/sysctl.conf
 +mkswap /mnt/1GB.swap
 +swapon /mnt/1GB.swap
 +
 +echo "/mnt/1GB.swap  none  swap  sw 0  0" >>/etc/fstab
 +</code>
 +Once installed, start/enable pihole-FTL service
 +<code bash>systemctl start pihole-FTL</code>
 +It will fail silently thanks to SystemD and its systemd-resolved.service...
 +<code bash> vi /etc/systemd/resolved.conf</code>
 +<code perl>
 +[Resolve]
 +DNSStubListener=no
 +</code>
 +Restart both...
 +<code bash> systemctl restart systemd-resolved pihole-FTL</code>
 +== Php ==
 +  * Install <code bash> yay -S php-sqlite</code>
 +  * /etc/php/php.ini<code perl>
 +[...]
 +extension=pdo_sqlite
 +[...]
 +extension=sockets
 +[...]
 +extension=sqlite3
 +[...]</code>
 +== Lighttpd ==
 +<code bash> yay -S lighttpd php-cgi
 +cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf
 +systemctl enable --now lighttpd
 +</code>
 +== Hosts ==
 +<code> vi /etc/hosts</code>
 +<code perl>
 +127.0.0.1              localhost
 +192.168.1.10   pi.hole dns
 +</code>
 +=== Unbound ===
 +Let's install a real recursive DNS
 +== Install ==
 +<code bash>yay -S unbound</code>
 +== Config ==
 +-> https://docs.pi-hole.net/guides/dns/unbound/ \\
 +In /etc/unbound/unbound.conf
 +<code perl>
 +server:
 +    # If no logfile is specified, syslog is used
 +    # logfile: "/var/log/unbound/unbound.log"
 +    verbosity: 0
 +
 +    interface: 127.0.0.1
 +    port: 5335
 +    do-ip4: yes
 +    do-udp: yes
 +    do-tcp: yes
 +
 +    # May be set to yes if you have IPv6 connectivity
 +    do-ip6: no
 +
 +    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
 +    # Terredo tunnels your web browser should favor IPv4 for the same reasons
 +    prefer-ip6: no
 +
 +    # Use this only when you downloaded the list of primary root servers!
 +    # If you use the default dns-root-data package, unbound will find it automatically
 +    root-hints: "/var/lib/unbound/root.hints"
 +
 +    # Trust glue only if it is within the server's authority
 +    harden-glue: yes
 +
 +    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
 +    harden-dnssec-stripped: yes
 +
 +    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
 +    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
 +    use-caps-for-id: no
 +
 +    # Reduce EDNS reassembly buffer size.
 +    # Suggested by the unbound man page to reduce fragmentation reassembly problems
 +    edns-buffer-size: 1472
 +
 +    # Perform prefetching of close to expired message cache entries
 +    # This only applies to domains that have been frequently queried
 +    prefetch: yes
 +    msg-cache-size: 32m
 +    rrset-cache-size: 64m
 +    serve-expired: yes
 +    serve-expired-ttl: 3600
 +    cache-max-ttl: 86400
 +    cache-min-ttl: 300
 +    minimal-responses: yes
 +
 +    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
 +    num-threads: 1
 +
 +    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
 +    so-rcvbuf: 4m
 +
 +    # Ensure privacy of local IP ranges
 +    private-address: 192.168.0.0/16
 +    #private-address: 192.168.1.0/24
 +    private-address: 169.254.0.0/16
 +    private-address: 172.16.0.0/12
 +    private-address: 10.0.0.0/8
 +    #private-address: fd00::/8
 +    #private-address: fe80::/10
 +    
 +    # Aliases
 +    local-data: "srv0.fortier-family.com. IN CNAME kali2.fortier-family.com."
 +</code>
 +<code bash>
 +curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
 +unbound-checkconf
 +systemctl enable unbound</code>
 +
 +Now just enter 127.0.0.1#5335 in Settings>DNS (upstream DNS) Custom 1, unchecking any upstream DNS previously setup.
 +== Admin pass ==
 +<code bash> pihole -a -p</code>
 +== Fix Network ==
 +<code bash>vi /etc/systemd/network/20-wired.network</code>
 +<code perl>
 +[Match]
 +Name=eth0
 + 
 +[Network]
 +Address=192.168.1.10/24
 +Gateway=192.168.1.1
 +DNS=192.168.1.10
 +</code>
 +====== PiOS Lite ======
 +Put "SSH" file in root/boot folder so SSH is available
 +<code bash>sudo apt update && apt dist-upgrade -y
 +sudo raspi-config # change/set timezone&locales
 +exit #reconnect
 +sudo apt install -y htop
 +sudo curl -sSL https://install.pi-hole.net | bash
 +pihole -a -p MyP4sw0rdIsFabul0us
 +rm ~/.bash_history
 +sudo apt install -y unbound
 +</code>
 +===== Unbound Config =====
 +-> https://docs.pi-hole.net/guides/dns/unbound/ \\
 +<code bash> sudo mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.org
 +sudo vi /etc/unbound/unbound.conf</code>
 +In /etc/unbound/unbound.conf
 +<code perl>
 +server:
 +    # If no logfile is specified, syslog is used
 +    # logfile: "/var/log/unbound/unbound.log"
 +    verbosity: 0
 +
 +    interface: 127.0.0.1
 +    port: 5335
 +    do-ip4: yes
 +    do-udp: yes
 +    do-tcp: yes
 +
 +    # May be set to yes if you have IPv6 connectivity
 +    do-ip6: no
 +
 +    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
 +    # Terredo tunnels your web browser should favor IPv4 for the same reasons
 +    prefer-ip6: no
 +
 +    # Use this only when you downloaded the list of primary root servers!
 +    # If you use the default dns-root-data package, unbound will find it automatically
 +    #root-hints: "/var/lib/unbound/root.hints"
 +
 +    # Trust glue only if it is within the server's authority
 +    harden-glue: yes
 +
 +    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
 +    harden-dnssec-stripped: yes
 +
 +    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
 +    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
 +    use-caps-for-id: no
 +
 +    # Reduce EDNS reassembly buffer size.
 +    # Suggested by the unbound man page to reduce fragmentation reassembly problems
 +    edns-buffer-size: 1472
 +
 +    # Perform prefetching of close to expired message cache entries
 +    # This only applies to domains that have been frequently queried
 +    prefetch: yes
 +
 +    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
 +    num-threads: 1
 +
 +    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
 +    so-rcvbuf: 1m
 +
 +    # Ensure privacy of local IP ranges
 +    private-address: 192.168.0.0/16
 +    private-address: 169.254.0.0/16
 +    private-address: 172.16.0.0/12
 +    private-address: 10.0.0.0/8
 +    private-address: fd00::/8
 +    private-address: fe80::/10
 +</code>
 +<code bash>sudo systemctl enable --now unbound</code>
 +
 +Now just enter 127.0.0.1#5335 in Settings>DNS (upstream DNS) Custom 1, unchecking any upstream DNS previously setup.
 +===== Update pi-hole =====
 +<code bash>
 +pihole -v
 +pihole -up
 +</code>
 +====== Reference ======
 +
 +  * https://www.youtube.com/watch?v=FnFtWsZ8IP0
 +  * https://docs.rackspace.com/support/how-to/create-a-linux-swap-file/
 +  * https://docs.pi-hole.net/guides/dns/unbound/
 +  * https://wiki.archlinux.org/title/Pi-hole
 +  * https://pi-hole.net/
 +  * https://peppe8o.com/install-pi-hole-in-your-raspberry-pi-with-raspberry-pi-os-lite/
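
Review bot: the PiOS Lite block sets the admin password as a literal argument, `pihole -a -p MyP4sw0rdIsFabul0us`, which publishes it on this wiki page and exposes it in the process list while the command runs. The following `rm ~/.bash_history` does not undo that, because the running shell writes its history again on exit. Use the prompting form `pihole -a -p` that the Arch "Admin pass" section already shows, and keep the value in bitwarden as the header says. In the same block, `sudo curl -sSL https://install.pi-hole.net | bash` applies sudo to curl only, not to the piped bash, and `apt dist-upgrade -y` after `&&` has no sudo. In the swap block, `echo "vm.swappiness=10" > /etc/sysctl.conf` truncates the file, so `>>` or a drop-in file would be safer. Lastly, the Arch image is fetched with `curl -O http://os.archlinuxarm.org/...` and unpacked with no signature or checksum step, so it is worth adding one before `bsdtar`.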
 +
 +