@simbo
Last active January 26, 2023 15:38
Setting up a Raspberry Pi (Model B Rev 2, armv6l) with a linux without desktop, controlled remotely via ssh, installed zsh, pure prompt, ufw, git, node.js, npm, yarn, nginx with ssl

Setting up a Raspberry Pi (Model B Rev 2, armv6l)

How to setup a pi with a linux without desktop, controlled remotely via ssh.

Installing: zsh, pure prompt, ufw, git, node.js, npm, yarn, nginx with ssl, pi-hole.

Prepare SD Card

Download the Raspberry Pi Imager, start it and follow the instructions to create an image using the Raspberry Pi OS Lite (32-bit) (a debian port without desktop environment).

First Login

  • User: pi
  • Password: raspberry

Using raspi-config

# Interactive, menu-driven configuration tool (run as root via sudo).
sudo raspi-config
  • set timezone
  • enable ssh server
  • whatever else fits your needs...

Afterwards, everything else can be done via ssh.

# <USERNAME> and <PI-IP> are placeholders for the login user and the Pi's address.
ssh <USERNAME>@<PI-IP>

Create Users

# Create the new account, then attach the supplementary groups listed here
# (-aG appends to the existing group membership instead of replacing it).
extra_groups=adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi
sudo adduser <USERNAME>
sudo usermod -aG "$extra_groups" <USERNAME>

Afterwards, you can remove the pi user and its home directory:

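# Stop every process still owned by "pi" first: removal fails while the
# account has running processes. The documented option is --remove-home
# (two dashes); the single-dash spelling in the original is not.
sudo pkill -u pi
sudo deluser --remove-home pi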

No Password for sudo

# visudo validates the sudoers syntax before saving, so a typo cannot lock sudo out.
sudo visudo

Edit the line for the sudoers group:

# Every member of the "sudo" group becomes root without a password prompt, so
# any process running under such an account (and anyone holding its SSH key)
# effectively has root. The SSH private key is what protects root from here on.
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL

SSH

Copy your ssh id from your local machine to the pi:

# Install the local public key into ~/.ssh/authorized_keys on the Pi.
ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" <USERNAME>@<PI-IP>

You can also add an entry to your local .ssh/config for convenient connect:

# Goes into ~/.ssh/config on the local machine; "ssh pi" then expands to the
# values below (same placeholders as in the ssh-copy-id step).
Host pi
  HostName <PI-IP>
  User <USERNAME>
  IdentityFile ~/.ssh/id_rsa

Afterwards, you can connect via ssh pi.

Update Packages

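# Refresh the package lists and only then upgrade. "&&" prevents the upgrade
# from running against stale lists when the update itself fails.
sudo apt-get update && sudo apt-get upgrade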

Custom MOTD

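sudo apt-get install toilet
# The redirection in "... > /etc/motd" is performed by the calling user's
# shell, not by sudo, so writing /etc/motd fails with "permission denied".
# Pipe the banner through "sudo tee" instead.
sudo cat /proc/device-tree/model \
  | toilet --termwidth --filter border --gay --font future -k \
  | sudo tee /etc/motd > /dev/null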

Git

# Version control client; also used below to clone the pure prompt.
sudo apt-get install git

ZSH

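sudo apt-get install zsh
# Set zsh as the login shell. "command -v" is the portable lookup ("which" is
# not guaranteed to exist), and the substitution is quoted so its result is
# always passed to chsh as a single argument.
chsh -s "$(command -v zsh)"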

Install pure prompt

# Fetch the pure prompt into ~/.zsh/pure (referenced from .zshrc via fpath).
pure_dir="$HOME/.zsh/pure"
mkdir -p "${pure_dir%/*}"
git clone https://github.com/sindresorhus/pure.git "$pure_dir"

.zshrc

# Aliases
alias ls='ls -h --color=auto'
alias ll='ls -l'
alias la='ls -la'
alias grep='grep --color=auto'

# edit .zshrc
alias ez="nano ~/.zshrc"
# reload .zshrc
alias sz="source ~/.zshrc && echo \"~/.zshrc reloaded.\""

# pure prompt (cloned to ~/.zsh/pure above; it must be on fpath before promptinit runs)
fpath+=$HOME/.zsh/pure
autoload -U promptinit
promptinit
prompt pure

# Emacs keybindings, regardless of $EDITOR. (-e selects emacs mode; the
# original comment said "vi", which would be "bindkey -v".)
bindkey -e

# Do not enter command lines into the history list if they are duplicates of the previous event
setopt histignorealldups

# Import new commands from the history file and append typed commands to the history file
setopt sharehistory

# Keep lines of history within the shell and save it to ~/.zsh_history:
HISTSIZE=5000
SAVEHIST=5000
HISTFILE=~/.zsh_history

# Use modern completion system
autoload -Uz compinit
compinit

Node.js

Sadly, official node.js builds for the armv6l architecture stop at v11.15.0, so it has to be installed manually:

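# Download to a file and check it against the release's SHASUMS256.txt before
# extracting as root. Piping curl straight into "sudo tar" extracts whatever
# the server returns with no integrity check, and the original "-xzf" had no
# archive operand ("-" for stdin) at all. -f makes curl fail on HTTP errors
# instead of handing an error page to tar. Release directories and tarballs
# on nodejs.org carry a leading "v" in the version.
node_ver=11.15.0
node_tgz="node-v${node_ver}-linux-armv6l.tar.gz"
node_url="https://nodejs.org/download/release/v${node_ver}"
tmpdir="$(mktemp -d)"
curl -fsSL "${node_url}/${node_tgz}" -o "${tmpdir}/${node_tgz}"
curl -fsSL "${node_url}/SHASUMS256.txt" -o "${tmpdir}/SHASUMS256.txt"
# --ignore-missing: only the one tarball present in $tmpdir is verified
(cd "$tmpdir" && sha256sum --ignore-missing -c SHASUMS256.txt)
sudo tar -C /usr/local --strip-components 1 -xzf "${tmpdir}/${node_tgz}"
rm -rf -- "${tmpdir:?}"
node --version
npm --version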

Yarn

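# apt-key is deprecated: a key added with it is trusted for every repository.
# Keep the Yarn key in its own keyring and bind it to this source with
# "signed-by", so it can only vouch for packages from dl.yarnpkg.com.
curl -fsS https://dl.yarnpkg.com/debian/pubkey.gpg \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/yarnkey.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian/ stable main" \
  | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update
sudo apt-get install yarn
yarn --version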

Nginx

# Web server; the configuration files shown below live under /etc/nginx.
sudo apt-get install nginx

After changing configuration:

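# Test the configuration and reload only when the test passes; the original
# two separate commands attempted the reload even after a failed test.
sudo nginx -t && sudo nginx -s reload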

PHP

We need php to run pi-hole (and maybe other apps in the future).

# php7.3 is the version shipped with Debian 10 (buster). On a newer release the
# package names carry a different version, and the fpm socket path referenced
# in the nginx site config (php7.3-fpm.sock) changes with it.
sudo apt-get install php7.3-fpm php7.3-cgi php7.3-xml php7.3-sqlite3 php7.3-intl apache2-utils

Download a Raspberry Pi Favicon

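# -f: fail on an HTTP error instead of saving the error page as the icon.
# The .png name is deliberate: the nginx site config rewrites /favicon.ico
# to /favicon.png.
sudo curl -fsSL https://www.raspberrypi.org/favicon.ico -o /var/www/html/favicon.png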

Create self-signed SSL Certificate

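# Self-signed certificate for the local hostname "pi" (the server_name used in
# the nginx site config). The subjectAltName extension (-addext, OpenSSL >= 1.1.1)
# is added because browsers match the SAN rather than the CN. -nodes leaves the
# key unencrypted so nginx can start unattended; tighten the key file so only
# root can read it.
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /etc/ssl/private/nginx-selfsigned.key \
  -out /etc/ssl/certs/nginx-selfsigned.crt \
  -addext "subjectAltName=DNS:pi"
sudo chmod 600 /etc/ssl/private/nginx-selfsigned.key
# Better run this command directly on the pi's console and not via ssh: it took
# the author's pi about 45 hours to complete. It is required because the
# ssl-params snippet enables DHE cipher suites.
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096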

/etc/nginx/nginx.conf

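user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # Do not advertise the nginx version in Server headers and error pages.
        server_tokens off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # TLS 1.0/1.1 are dropped here too so the http-level default agrees with
        # snippets/ssl-params.conf; a server block that forgets to include the
        # snippet no longer falls back to the older protocols.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}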

/etc/nginx/snippets/ssl-self-signed.conf

# Included by the default site; the paths match the "openssl req" command above.
# The key file should stay readable by root only — the nginx master process,
# which runs as root, is what reads it.
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

/etc/nginx/snippets/ssl-params.conf

# Included inside the server block, so these override the http-level
# ssl_protocols / ssl_prefer_server_ciphers from nginx.conf.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Required because the cipher list below contains DHE suites; the file is
# generated by the "openssl dhparam" step above.
ssl_dhparam /etc/nginx/dhparam.pem;
# NOTE(review): the two "*-GCM-SHA512" names do not correspond to any OpenSSL
# cipher suite and are silently skipped; "openssl ciphers -v '<list>'" shows
# what this string actually enables.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx => 1.3.7
# The resolver is only consulted for OCSP stapling, which is commented out
# above (and has no responder to talk to with a self-signed certificate). If
# stapling is ever enabled, point this at Pi-hole (127.0.0.1) rather than at
# Google's resolvers.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# add_header is inherited by a location only when that location sets no
# add_header of its own; a location adding one header must repeat all of these.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# NOTE(review): X-XSS-Protection is deprecated — the filter it controlled has
# been removed from current browsers; current guidance is "0" or dropping it.
add_header X-XSS-Protection "1; mode=block";

/etc/nginx/sites-available/default

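#upstream node_app {
#        server 127.0.0.1:3000;
#        keepalive 8;
#}

server {
        # Plain HTTP stays enabled next to HTTPS on purpose (self-signed cert,
        # LAN-only firewall rules); there is no redirect from 80 to 443.
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        include snippets/ssl-self-signed.conf;
        include snippets/ssl-params.conf;

        root /var/www/html;

        index index.php index.html index.htm;

        server_name pi;

        # Directory listings are on for the whole site: anything placed in
        # /var/www/html (or a user's ~/www) is browsable.
        autoindex on;
        autoindex_localtime on;
        autoindex_exact_size on;

        location / {
                try_files $uri $uri/ =404;
        }

        location = /favicon.ico {
                rewrite . /favicon.png;
        }

        # map /~<USERNAME> to ~/www for every user. The capture is limited to
        # login-name characters (no dot, no slash), so $1 can never be ".." and
        # the alias always stays below /home/<user>/www.
        location ~ ^/~([A-Za-z0-9_-]+)(/.*)?$ {
                alias /home/$1/www$2;
        }

        # php. The dot is escaped (".php$" also matched e.g. "/xphp"), and
        # try_files answers 404 for a script that does not exist on disk instead
        # of passing the path to php-fpm, where cgi.fix_pathinfo would otherwise
        # resolve "/some/file.jpg/x.php" to the neighbouring file.
        location ~ \.php$ {
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
                fastcgi_param FQDN true;
        }

        #location /app {
        #        proxy_set_header X-Real-IP $remote_addr;
        #        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #        proxy_set_header Host $http_host;
        #        proxy_set_header X-NginX-Proxy true;
        #        proxy_http_version 1.1;
        #        proxy_set_header Upgrade $http_upgrade;
        #        proxy_set_header Connection "upgrade";
        #        proxy_pass http://node_app/;
        #        proxy_redirect off;
        #}

}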

Pi-Hole

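# Download the installer to a file so it can be read before it runs: "curl | bash"
# executes whatever came down the wire with no chance to inspect it, and the
# account running it has passwordless sudo (see the visudo step). -f fails on
# HTTP errors instead of feeding an error page to bash.
installer="$(mktemp)"
curl -fsSL https://install.pi-hole.net -o "$installer"
less "$installer"
bash "$installer"
rm -f -- "$installer"
# add user www-data to pihole group
sudo usermod -a -G pihole www-data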

Firewall

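sudo apt-get install ufw
# deny all incoming traffic
sudo ufw default deny incoming
# ssh only from the local network, rate-limited. The original pair of rules
# ("allow from 192.168.0.0/24 ... OpenSSH" plus "limit ssh/tcp") undid the
# restriction: "limit" without a source is an allow-from-anywhere rule with
# rate limiting, so ssh was reachable from every address.
sudo ufw limit from 192.168.0.0/24 to any app OpenSSH
# allow http(s) from local network
sudo ufw allow from 192.168.0.0/24 to any app "NGINX HTTP"
sudo ufw allow from 192.168.0.0/24 to any app "NGINX HTTPS"
# dns for pi-hole, restricted to the local network so the Pi cannot become an
# open resolver if port 53 is ever forwarded from the router
sudo ufw allow from 192.168.0.0/24 to any port 53 proto tcp
sudo ufw allow from 192.168.0.0/24 to any port 53 proto udp
# dhcp (presumably for Pi-hole's optional DHCP server; drop if unused). DHCPv4
# discovery is sent from 0.0.0.0 and DHCPv6 from link-local addresses, so these
# cannot be limited to 192.168.0.0/24.
sudo ufw allow 67/tcp
sudo ufw allow 67/udp
sudo ufw allow 546:547/udp
# enable firewall (WARNING: misconfiguration may lock you out!)
sudo ufw enable
sudo ufw status verbose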

Cleanup

# Drop packages no longer needed and empty the local package cache.
for apt_step in autoremove clean autoclean; do
  sudo apt-get "$apt_step"
done