Raspberry Pi on Adurhttps://adurrr.github.io/en/tags/raspberry-pi/Recent content in Raspberry Pi on AdurHugo -- gohugo.ioenThu, 21 Oct 2021 00:00:00 +0000Installing and Configuring Debian, Ubuntu, RaspberryPiOS, LibreElec or Arch on a Raspberry Pihttps://adurrr.github.io/en/p/installing-and-configuring-debian-ubuntu-raspberrypios-libreelec-or-arch-on-a-raspberry-pi/Thu, 21 Oct 2021 00:00:00 +0000https://adurrr.github.io/en/p/installing-and-configuring-debian-ubuntu-raspberrypios-libreelec-or-arch-on-a-raspberry-pi/<p>This post outlines the steps to install and configure a Raspberry Pi for deploying a series of services.</p> <h2 id="1--os-installation">1. OS Installation </h2><hr> <h3 id="11-ubuntu-raspberrypios-or-libreelec">1.1. Ubuntu, RaspberryPiOS or LibreElec </h3><p>Using the Raspberry Pi Imager tool, you can flash the image of Ubuntu, RaspberryPiOS, LibreElec, or whichever you prefer, onto any micro SD card or USB drive<cite> <sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup></cite>. For example, we will choose the Raspbian OS image with desktop and flash it onto a 64GB USB drive.</p> <p>Another way to flash an image onto an SD card or a USB drive is by using the following commands:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl"><span class="c1"># See the partitions</span> </span></span><span class="line"><span class="cl">lsblk </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Umount the USB partition</span> </span></span><span class="line"><span class="cl">umount /dev/sdc1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Format in vFAT</span> </span></span><span class="line"><span class="cl">mkfs.vfat -F <span class="m">32</span> /dev/sdc -I </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Flash the ISO into USB</span> </span></span><span class="line"><span class="cl">dd <span class="nv">status</span><span class="o">=</span>progress <span class="k">if</span><span class="o">=</span>NAME.iso <span class="nv">of</span><span class="o">=</span>/dev/sdc </span></span></code></pre></td></tr></table> </div> </div><h3 id="12-arch">1.2. Arch </h3><p>To install Arch, the steps from <a class="link" href="https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-4" target="_blank" rel="noopener" >the AArch64 version of the Arch installation</a><cite> <sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup></cite> were followed. We reproduced those steps for AArch64.</p> <ol> <li>Start fdisk to partition the SD card:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> fdisk /dev/sdX </span></span></code></pre></td></tr></table> </div> </div><p>At the fdisk prompt, delete old partitions and create a new one:</p> <ul> <li>Type o. This will clear out any partitions on the drive.</li> <li>Type p to list partitions. There should be no partitions left.</li> <li>Type n, then p for primary, 1 for the first partition on the drive, press ENTER to accept the default first sector, then type +200M for the last sector.</li> <li>Type t, then c to set the first partition to type W95 FAT32 (LBA).</li> <li>Type n, then p for primary, 2 for the second partition on the drive, and then press ENTER twice to accept the default first and last sector.</li> <li>Write the partition table and exit by typing w.</li> </ul> <ol start="2"> <li>Create and mount the FAT filesystem:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mkfs.vfat /dev/sdX1 </span></span><span class="line"><span class="cl">mkdir boot </span></span><span class="line"><span class="cl">mount /dev/sdX1 boot </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Create and mount the ext4 filesystem:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mkfs.ext4 /dev/sdX2 </span></span><span class="line"><span class="cl">mkdir root </span></span><span class="line"><span class="cl">mount /dev/sdX2 root </span></span></code></pre></td></tr></table> </div> </div><ol start="4"> <li>Download and extract the root filesystem (as root, not via sudo):</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-aarch64-latest.tar.gz </span></span><span class="line"><span class="cl">bsdtar -xpf ArchLinuxARM-rpi-aarch64-latest.tar.gz -C root </span></span><span class="line"><span class="cl">sync </span></span></code></pre></td></tr></table> </div> </div><ol start="5"> <li>Move boot files to the first partition:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mv root/boot/* boot </span></span></code></pre></td></tr></table> </div> </div><ol start="6"> <li>Before unmounting the partitions, update /etc/fstab for the different SD block device compared to the Raspberry Pi 3:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sed -i &#39;s/mmcblk0/mmcblk1/g&#39; root/etc/fstab </span></span></code></pre></td></tr></table> </div> </div><ol start="7"> <li>Unmount the two partitions:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">umount boot root </span></span></code></pre></td></tr></table> </div> </div><ol start="8"> <li> <p>Insert the SD card into the Raspberry Pi, connect ethernet, and apply 5V power.</p> </li> <li> <p>Use the serial console or SSH to the IP address given to the board by your router.</p> </li> </ol> <ul> <li>Login as the default user alarm with the password alarm.</li> <li>The default root password is root.</li> </ul> <ol start="10"> <li>Initialize the pacman keyring and populate the Arch Linux ARM package signing keys:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">pacman-key --init </span></span><span class="line"><span class="cl">pacman-key --populate archlinuxarm </span></span></code></pre></td></tr></table> </div> </div><h2 id="2-basic-configuration">2. Basic Configuration </h2><hr> <p>Once the operating system is installed, there are several options to configure the Raspberry Pi. The simplest approach is to run a network scan with <code>sudo nmap -f 192.168.1.0/24</code> to identify the IP address assigned to the Raspberry Pi by the router. Then connect via <code>ssh pi@192.168.10.250</code> (for Raspbian) or <code>ssh alarm@192.168.10.250</code> (for Arch). You can also set it up headlessly, without an extra monitor, keyboard, and mouse, as explained in a <a class="link" href="./content/post/2020-09-28_raspberryPi.es.md" >previous post</a>, or by using these three external peripherals. In this case, we will use an external monitor, keyboard, and mouse to simplify the walkthrough. Once the Raspberry Pi is powered on with the USB drive or SD card connected, a dialog will appear to configure the language, Wi-Fi, and a password (for example, use KeepassXC to generate a random password).</p> <h3 id="21-system-update">2.1 System Update </h3><p>Once we have a console with a non-root user, we will open a new console as the <code>root</code> user:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">su - </span></span></code></pre></td></tr></table> </div> </div><p>The default password is usually <code>root</code> or similar.</p> <ul> <li>Debian-based:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl"><span class="c1"># Update and upgrade packages system</span> </span></span><span class="line"><span class="cl">apt-get update -y <span class="o">&amp;&amp;</span> sudo apt-get upgrade -y </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Arch-based:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl"><span class="c1"># Update and upgrade packages system</span> </span></span><span class="line"><span class="cl">pacman -Syu </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-time-configuration">2.2 Time Configuration </h3><p>We follow this guide on <a class="link" href="https://gist.github.com/TheZoc/849a82d3eed219998cd82fb4040607ae" target="_blank" rel="noopener" >first steps after installing Arch</a><cite> <sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></cite> or any minimalist distribution such as HypriotOS. We set the timezone to the appropriate one:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">timedatectl set-timezone Europe/London </span></span></code></pre></td></tr></table> </div> </div><p>We synchronize the clock with the internet:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">timedatectl set-ntp <span class="nb">true</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="23-locale-configuration">2.3 Locale Configuration </h3><p>Uncomment the desired locale in the <code>locale.gen</code> file (for example: en_US.UTF-8):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">nano /etc/locale.gen </span></span></code></pre></td></tr></table> </div> </div><p>Run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">locale-gen </span></span></code></pre></td></tr></table> </div> </div><p>And run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">localectl set-locale <span class="nv">LANG</span><span class="o">=</span>en_US.UTF-8 </span></span></code></pre></td></tr></table> </div> </div><h3 id="24-hostname-change">2.4 Hostname Change </h3><p>Change the hostname with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">hostnamectl set-hostname &lt;name&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Add an alias for the hostname in the <code>/etc/hosts</code> file of the computer you are using for the configuration. Use <code>nano /etc/hosts</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">127.0.0.1 localhost.localdomain &lt;name&gt; localhost </span></span><span class="line"><span class="cl">::1 localhost.localdomain &lt;name&gt; localhost </span></span></code></pre></td></tr></table> </div> </div><h3 id="optional-enable-colored-output-in-pacman">(Optional) Enable colored output in pacman </h3><p>If using Arch, run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sed -i <span class="s1">&#39;s/#Color/Color/&#39;</span> /etc/pacman.conf </span></span></code></pre></td></tr></table> </div> </div><h3 id="optional-add-8gb-of-swap-memory">(Optional) Add 8GB of SWAP memory </h3><p>If using Arch, run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">fallocate -l 8192M /swapfile </span></span></code></pre></td></tr></table> </div> </div><h3 id="optional-new-user-with-sudo-permissions">(Optional) New user with sudo permissions </h3><p>If using Arch, we will now use the visudo utility to edit group permissions for running administrative commands with sudo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">pacman -S sudo </span></span><span class="line"><span class="cl">EDITOR=nano visudo </span></span></code></pre></td></tr></table> </div> </div><p>Uncomment the following line:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">## Uncomment to allow members of group sudo to execute any command </span></span><span class="line"><span class="cl">%sudo ALL=(ALL:ALL) ALL </span></span></code></pre></td></tr></table> </div> </div><p>Create a new sudo group with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo groupadd sudo </span></span></code></pre></td></tr></table> </div> </div><p>Create a new user with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">useradd -m -G sudo username </span></span></code></pre></td></tr></table> </div> </div><p>Set a password for the new user:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">passwd username </span></span></code></pre></td></tr></table> </div> </div><p>Once the new user is created, delete the <code>alarm</code> user.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">userdel alarm </span></span></code></pre></td></tr></table> </div> </div><p>On Debian or derivatives, modify the permissions of the user created during installation and add them to the sudo group with the following command:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">su - </span></span><span class="line"><span class="cl">usermod -aG sudo username </span></span></code></pre></td></tr></table> </div> </div><p>Reboot the system:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">reboot </span></span></code></pre></td></tr></table> </div> </div><h3 id="25-ssh">2.5 SSH </h3><p>The next step is to copy the public key to the <code>~/.ssh/authorized_keys</code> file on the Raspberry Pi. Use the following command:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ssh-copy-id -i &lt;identity.pub&gt; pi@&lt;raspberry ip or node-1&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Now it will prompt for the SSH key password, and we will connect to the Raspberry Pi via:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ssh pi@node-1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="optional-wi-fi-configuration">(Optional) Wi-Fi Configuration </h3><p>Reproduced from the guide: <a class="link" href="https://gist.github.com/TheZoc/849a82d3eed219998cd82fb4040607ae" target="_blank" rel="noopener" >first steps after installing Arch</a><cite> <sup id="fnref1:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></cite></p> <p><a class="link" href="https://archlinuxarm.org/forum/viewtopic.php?f=65&amp;t=14578" target="_blank" rel="noopener" >karog, on ArchLinux ARM forums</a> provided a simple way to connect to Wi-Fi. As <code>root</code>, do the following steps:</p> <ol> <li><code>nano /etc/systemd/network/wlan0.network</code> to configure the wlan0 interface:</li> <li>Add the following contents to the file:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[Match] </span></span><span class="line"><span class="cl">Name=wlan0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">[Network] </span></span><span class="line"><span class="cl">DHCP=yes </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li><code>wpa_passphrase &quot;&lt;SSID&gt;&quot; &quot;&lt;PASSWORD&gt;&quot; &gt; /etc/wpa_supplicant/wpa_supplicant-wlan0.conf</code>. Replace <SSID> and <PASSWORD> with your respective Wi-Fi network name and password.</li> <li><code>systemctl enable wpa_supplicant@wlan0</code> to enable the Wi-Fi when booting</li> <li><code>systemctl start wpa_supplicant@wlan0</code> to connect to Wi-Fi.</li> </ol> <p>You&rsquo;re good to go!</p> <p>If you ever want to remove Wi-Fi connection (e.g. when you want to make it connect only through ethernet):</p> <ol> <li><code>systemctl stop wpa_supplicant@wlan0</code></li> <li><code>systemctl disable wpa_supplicant@wlan0</code></li> <li><code>rm /etc/wpa_supplicant/wpa_supplicant-wlan0.conf</code></li> <li><code>rm /etc/systemd/network/wlan0.network</code></li> </ol> <h2 id="3-software-installation">3. Software Installation </h2><hr> <h3 id="31-basic-packages">3.1. Basic Packages </h3><ul> <li>Debian:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo apt install -y software-properties-common git wget </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Arch:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo pacman -S -y git wget </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-docker-and-docker-compose">3.2. Docker and Docker Compose </h3><p>It is recommended to install <a class="link" href="https://docs.docker.com/engine/security/rootless/" target="_blank" rel="noopener" >docker rootless</a>.</p> <h4 id="321-installation-on-debian">3.2.1. Installation on Debian </h4><p>Install Docker using the installation script:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">curl -fsSL https://get.docker.com -o get-docker.sh </span></span><span class="line"><span class="cl">sudo sh get-docker.sh </span></span></code></pre></td></tr></table> </div> </div><p>For docker-compose, install it through Python 3:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo apt-get install libffi-dev libssl-dev </span></span><span class="line"><span class="cl">sudo apt install python3-dev </span></span><span class="line"><span class="cl">sudo apt-get install -y python3 python3-pip </span></span><span class="line"><span class="cl">sudo pip3 install docker-compose </span></span></code></pre></td></tr></table> </div> </div><p>Add the user to the docker group:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo usermod -aG docker <span class="si">${</span><span class="nv">USER</span><span class="si">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="322-installation-on-arch">3.2.2. Installation on Arch </h4><p>Install Docker and docker-compose from the official repositories:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo pacman -Sy docker </span></span><span class="line"><span class="cl">sudo pacman -Sy docker-compose </span></span></code></pre></td></tr></table> </div> </div><p>Enable the service with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo systemctl start docker.service </span></span></code></pre></td></tr></table> </div> </div><p>Enable it on every reboot:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo systemctl start docker.service </span></span></code></pre></td></tr></table> </div> </div><p>Add the user to the docker group:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo usermod -aG docker <span class="si">${</span><span class="nv">USER</span><span class="si">}</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="323-docker-rootless">3.2.3 Docker Rootless </h4><ul> <li>Arch:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo pacman -S shadow </span></span><span class="line"><span class="cl">sudo pacman -S fuse-overlayfs </span></span></code></pre></td></tr></table> </div> </div><p>Add <code>kernel.unprivileged_userns_clone=1</code> in <code>/etc/sysctl.conf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo nano /etc/sysctl.conf </span></span><span class="line"><span class="cl">sudo sysctl --system </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Common:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">touch</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">subuid</span> <span class="o">&amp;&amp;</span> <span class="n">sudo</span> <span class="n">touch</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">subgid</span> </span></span><span class="line"><span class="cl"><span class="n">su</span> <span class="o">-</span> </span></span><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;pi:100000:65536&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">subgid</span> </span></span><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;pi:100000:65536&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">subuid</span> </span></span><span class="line"><span class="cl"><span class="n">exit</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">systemctl</span> <span class="n">disable</span> <span class="o">--</span><span class="n">now</span> <span class="n">docker</span><span class="o">.</span><span class="n">service</span> <span class="n">docker</span><span class="o">.</span><span class="n">socket</span> </span></span><span class="line"><span class="cl"><span class="n">curl</span> <span class="o">-</span><span class="n">fsSL</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">get</span><span class="o">.</span><span class="n">docker</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">rootless</span> <span class="o">|</span> <span class="n">sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">systemctl</span> <span class="o">--</span><span class="n">user</span> <span class="n">start</span> <span class="n">docker</span> </span></span><span class="line"><span class="cl"><span class="n">systemctl</span> <span class="o">--</span><span class="n">user</span> <span class="n">enable</span> <span class="n">docker</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">loginctl</span> <span class="n">enable</span><span class="o">-</span><span class="n">linger</span> <span class="o">$</span><span class="p">(</span><span class="n">whoami</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">export</span> <span class="n">DOCKER_HOST</span><span class="o">=</span><span class="n">unix</span><span class="p">:</span><span class="o">//$</span><span class="n">XDG_RUNTIME_DIR</span><span class="o">/</span><span class="n">docker</span><span class="o">.</span><span class="n">sock</span> </span></span></code></pre></td></tr></table> </div> </div><p>Test it with <code>docker run -d -p 8080:80 nginx</code>.</p> <p>If you want it to start at boot, run the following commands:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl"> sudo systemctl <span class="nb">enable</span> docker.service </span></span><span class="line"><span class="cl"> sudo systemctl <span class="nb">enable</span> containerd.service </span></span></code></pre></td></tr></table> </div> </div><h3 id="33-ansible">3.3. Ansible </h3><ul> <li>Debian</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo apt install -y ansible </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Arch:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo pacman -Sy ansible </span></span></code></pre></td></tr></table> </div> </div><h4 id="331-ssh-hardening-with-ansible">3.3.1 SSH Hardening with Ansible </h4><p>Using the Ansible collections <a class="link" href="https://github.com/dev-sec/ansible-collection-hardening" target="_blank" rel="noopener" >devsec.hardening</a>, we apply security mechanisms and verify them with the following commands.</p> <ul> <li>Installation:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ansible-galaxy install dev-sec.ssh-hardening </span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p>Create a playbook for each Ansible role called <code>ansible-ssh-hardening.yaml</code>.</p> </li> <li> <p>Run these playbooks with the following commands:</p> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ansible-playbook ansible-ssh-hardening.yaml --ask-become-pass </span></span></code></pre></td></tr></table> </div> </div><p>You can also create an Ansible playbook with any modules you wish to include.</p> <ul> <li>Add your SSH key to an ssh-agent using zsh (or bash):</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ssh-agent zsh </span></span><span class="line"><span class="cl">ssh-add ~/.ssh/id_ed25519 </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Run the Ansible playbook with the required sudo password for the commands:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ansible-playbook playbook.yaml --ask-become-pass </span></span></code></pre></td></tr></table> </div> </div><h3 id="34-installing-zsh-and-oh-my-zsh">3.4. Installing zsh and Oh My Zsh </h3><ul> <li>Debian<sup id="fnref:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">apt</span> <span class="n">install</span> <span class="n">zsh</span> </span></span><span class="line"><span class="cl"><span class="n">sh</span> <span class="o">-</span><span class="n">c</span> <span class="s2">&#34;$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Arch:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">pacman</span> <span class="o">-</span><span class="n">Sy</span> <span class="n">zsh</span> <span class="n">zsh</span><span class="o">-</span><span class="n">completions</span> </span></span><span class="line"><span class="cl"><span class="n">sh</span> <span class="o">-</span><span class="n">c</span> <span class="s2">&#34;$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="341-installing-powerlevel10k">3.4.1. Installing Powerlevel10k </h3><p>Download and place the 4 <a class="link" href="https://github.com/romkatv/powerlevel10k#meslo-nerd-font-patched-for-powerlevel10k" target="_blank" rel="noopener" >Meslo Nerd</a> .ttf fonts in <code>/usr/local/share/fonts</code>. They must have permissions 644 (-rw-r&ndash;r&ndash;).<sup id="fnref:5"><a href="#fn:5" class="footnote-ref" role="doc-noteref">5</a></sup></p> <ul> <li><a class="link" href="https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Regular.ttf" target="_blank" rel="noopener" >MesloLGS NF Regular.ttf</a></li> <li><a class="link" href="https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold.ttf" target="_blank" rel="noopener" >MesloLGS NF Bold.ttf</a></li> <li><a class="link" href="https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Italic.ttf" target="_blank" rel="noopener" >MesloLGS NF Italic.ttf</a></li> <li><a class="link" href="https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold%20Italic.ttf" target="_blank" rel="noopener" >MesloLGS NF Bold Italic.ttf</a> Create the <code>/usr/local/share/fonts</code> directory:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo mkdir /usr/local/share/fonts </span></span><span class="line"><span class="cl">cd /usr/local/share/fonts </span></span></code></pre></td></tr></table> </div> </div><p>Download the fonts:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo wget https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Regular.ttf https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold.ttf https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Italic.ttf https://github.com/romkatv/powerlevel10k-media/raw/master/MesloLGS%20NF%20Bold%20Italic.ttf </span></span></code></pre></td></tr></table> </div> </div><p>Clone the <a class="link" href="https://github.com/romkatv/powerlevel10k/blob/master/README.md" target="_blank" rel="noopener" >powerlevel10k</a> project:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone --depth<span class="o">=</span><span class="m">1</span> https://github.com/romkatv/powerlevel10k.git ~/powerlevel10k </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;source ~/powerlevel10k/powerlevel10k.zsh-theme&#39;</span> &gt;&gt;~/.zshrc </span></span><span class="line"><span class="cl"><span class="nb">exec</span> zsh </span></span></code></pre></td></tr></table> </div> </div><p>Replace the following value in <code>~/.zshrc</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ZSH_THEME=&#34;powerlevel10k/powerlevel10k&#34; </span></span></code></pre></td></tr></table> </div> </div><h3 id="342-installing-zsh-plugins">3.4.2. Installing zsh Plugins </h3><p>To add a series of useful plugins, edit the <code>~/.zshrc</code> file with <code>nano ~/.zshrc</code> and modify the following:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">#plugins=(git) </span></span><span class="line"><span class="cl">plugins=(git git-extras history ansible zsh-autosuggestions zsh-syntax-highlighting docker-helpers docker docker-compose kubectl kubectx colorize nmap pip ssh-agent sudo pipenv fzf fzf-docker) </span></span></code></pre></td></tr></table> </div> </div><p>We need to install the <code>zsh-autosuggestions</code>, <code>zsh-syntax-highlighting</code>, <code>docker-helpers</code>, <code>fzf</code>, and <code>fzf-docker</code> plugins.</p> <p>To install <code>zsh-autosuggestions</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">git clone https://github.com/zsh-users/zsh-autosuggestions ~/.oh-my-zsh/plugins/zsh-autosuggestions </span></span></code></pre></td></tr></table> </div> </div><p>To install <code>zsh-syntax-highlighting</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ~/.oh-my-zsh/plugins/zsh-syntax-highlighting </span></span></code></pre></td></tr></table> </div> </div><p>To install <code>fzf</code> use the official repositories:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo pacman -Sy fzf </span></span></code></pre></td></tr></table> </div> </div><p>To install <code>fzf-docker</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">git clone https://github.com/pierpo/fzf-docker ~/.oh-my-zsh/plugins/fzf-docker </span></span></code></pre></td></tr></table> </div> </div><p>To install <code>docker-helpers</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">git clone https://github.com/unixorn/docker-helpers.zshplugin ~/.oh-my-zsh/plugins/docker-helpers </span></span></code></pre></td></tr></table> </div> </div><p>Customize to your liking and reload the <code>~/.zshrc</code> file:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">source ~/.zshrc </span></span></code></pre></td></tr></table> </div> </div><h3 id="snapd">Snapd </h3><h4 id="installation">Installation </h4><p>Install the <code>snapd</code> and <code>core</code> packages:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo apt install -y snapd core </span></span></code></pre></td></tr></table> </div> </div><h4 id="add-the-snap-executables-path-to-bash-and-zsh-path">Add the Snap Executables Path to bash and Zsh PATH </h4><p>Add the snap executables path to PATH:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;export PATH=$PATH:/snap/bin&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">~/.</span><span class="n">bashrc</span> </span></span><span class="line"><span class="cl"><span class="n">source</span> <span class="o">~/.</span><span class="n">bashrc</span> </span></span><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;export PATH=$PATH:/snap/bin&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">~/.</span><span class="n">zshrc</span> </span></span><span class="line"><span class="cl"><span class="n">source</span> <span class="o">~/.</span><span class="n">zshrc</span> </span></span></code></pre></td></tr></table> </div> </div><p>Verify the path was added correctly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo $PATH </span></span></code></pre></td></tr></table> </div> </div><h4 id="add-launchers-to-the-applications-menu">Add Launchers to the Applications Menu </h4><p>Create a symbolic link from the directory that stores snap launchers (<code>/var/lib/snapd/desktop/applications</code>) to the system applications directory (<code>usr/share/applications/</code>):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">ln</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">snapd</span><span class="o">/</span><span class="n">desktop</span><span class="o">/</span><span class="n">applications</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">applications</span><span class="o">/</span><span class="n">snapd</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="flatpak">Flatpak </h3><h4 id="installation-1">Installation </h4><p>From the <a class="link" href="https://flatpak.org/setup/Debian/" target="_blank" rel="noopener" >official Flatpak documentation</a>, follow these steps:</p> <ol> <li>Install Flatpak</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo apt install flatpak -y </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Add the Flatpak repository</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Reboot the system to apply the changes.</li> </ol> <h4 id="add-launchers-to-the-menu">Add Launchers to the Menu </h4><p>Create a symbolic link from the directory that stores flatpak launchers (<code>/var/lib/flatpak/exports/share/applications/</code>) to the system applications directory (<code>usr/share/applications/</code>):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">ln</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">flatpak</span><span class="o">/</span><span class="n">exports</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">applications</span><span class="o">/</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">applications</span><span class="o">/</span><span class="n">flatpak</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="keepassxc">KeePassXC </h3><p>Note: installed via Snap because the official repositories have an outdated version.</p> <ol> <li>Install via Snap:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo snap install keepassxc </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li> <p>Download the browser extension.</p> </li> <li> <p>Configure the browser extension using an <a class="link" href="https://raw.githubusercontent.com/keepassxreboot/keepassxc/master/utils/keepassxc-snap-helper.sh" target="_blank" rel="noopener" >official KeePassXC script</a>. Save the script and run it:</p> </li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">wget https://raw.githubusercontent.com/keepassxreboot/keepassxc/master/utils/keepassxc-snap-helper.sh </span></span><span class="line"><span class="cl">zsh keepassxc-snap-helper.sh </span></span></code></pre></td></tr></table> </div> </div><p>If you get the error <code>Could not find keepassxc.proxy! Ensure the keepassxc snap is installed properly.</code>, this is because the snap executables path is missing from PATH. Add it with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;export PATH=$PATH:/snap/bin&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">~/.</span><span class="n">zshrc</span> </span></span><span class="line"><span class="cl"><span class="n">source</span> <span class="o">~/.</span><span class="n">zshrc</span> </span></span><span class="line"><span class="cl"><span class="n">echo</span> <span class="s2">&#34;export PATH=$PATH:/snap/bin&#34;</span> <span class="o">&gt;&gt;</span> <span class="o">~/.</span><span class="n">bashrc</span> </span></span><span class="line"><span class="cl"><span class="n">source</span> <span class="o">~/.</span><span class="n">bashrc</span> </span></span></code></pre></td></tr></table> </div> </div><p>Run the script again:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">bash keepassxc-snap-helper.sh </span></span></code></pre></td></tr></table> </div> </div><h3 id="vscodium">VSCodium <sup id="fnref1:4"><a href="#fn:4" class="footnote-ref" role="doc-noteref">4</a></sup> </h3><ol> <li>Add the repository GPG key:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg | gpg --dearmor | sudo dd of=/etc/apt/trusted.gpg.d/vscodium.gpg </span></span></code></pre></td></tr></table> </div> </div><ol start="2"> <li>Add the repository:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">echo &#39;deb </span></span><span class="line"><span class="cl"> [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] </span></span><span class="line"><span class="cl">https://paulcarroty.gitlab.io/vscodium-deb-rpm-repo/debs vscodium main&#39; </span></span><span class="line"><span class="cl"> | sudo tee /etc/apt/sources.list.d/vscodium.list </span></span></code></pre></td></tr></table> </div> </div><ol start="3"> <li>Update repositories and install VSCodium:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo apt update &amp;&amp; sudo apt install codium </span></span></code></pre></td></tr></table> </div> </div><div class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1"> <p><a class="link" href="https://www.atareao.es/podcast/ubuntu-en-la-raspberry/" target="_blank" rel="noopener" >Installing Ubuntu on the Raspberry - Atareao</a>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2"> <p><a class="link" href="https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-4" target="_blank" rel="noopener" >ArchLinux, Arch</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3"> <p><a class="link" href="https://gist.github.com/TheZoc/849a82d3eed219998cd82fb4040607ae" target="_blank" rel="noopener" >sTheZoc, Raspberry Pi Setup Guide</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:4"> <p><a class="link" href="https://wiki.debian.org/Fonts" target="_blank" rel="noopener" >Debian Documentation, Fonts</a>&#160;<a href="#fnref:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a>&#160;<a href="#fnref1:4" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:5"> <p><a class="link" href="https://vscodium.com/" target="_blank" rel="noopener" >VSCodium Documentation, Installation</a>&#160;<a href="#fnref:5" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </div>OS and SSH Hardeninghttps://adurrr.github.io/en/p/os-and-ssh-hardening/Thu, 21 Oct 2021 00:00:00 +0000https://adurrr.github.io/en/p/os-and-ssh-hardening/<p>This post outlines the steps to harden the OS and SSH on a Raspberry Pi, so you can later deploy a set of secured services.</p> <h3 id="1-ssh-configuration">1. SSH Configuration </h3><p>The next step requires copying your public key to the <code>~/.ssh/authorized_keys</code> file on the Raspberry Pi. Use the following command:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ssh-copy-id -i &lt;identity.pub&gt; pi@&lt;raspberry ip or node-1&gt; </span></span></code></pre></td></tr></table> </div> </div><p>It will prompt for your SSH key password. Then connect to the Raspberry Pi with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ssh pi@node-1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="2-installing-ansible">2. Installing Ansible </h3><ul> <li>Debian</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo apt install -y ansible </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Arch:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">sudo pacman -Sy ansible </span></span></code></pre></td></tr></table> </div> </div><h3 id="3-os-and-ssh-configuration-using-ansible">3. OS and SSH Configuration Using Ansible </h3><h4 id="31-using-a-collection">3.1. Using a collection </h4><ul> <li>Installation:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ansible-galaxy install dev-sec.os-hardening </span></span><span class="line"><span class="cl">ansible-galaxy install dev-sec.ssh-hardening </span></span></code></pre></td></tr></table> </div> </div><ul> <li> <p>Create a playbook for each Ansible role named <code>ansible-os-hardening.yaml</code> and <code>ansible-ssh-hardening.yaml</code>.</p> </li> <li> <p>Run these playbooks with the following commands:</p> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-zsh" data-lang="zsh"><span class="line"><span class="cl">ansible-playbook ansible-os-hardening.yaml --ask-become-pass </span></span><span class="line"><span class="cl">ansible-playbook ansible-ssh-hardening.yaml --ask-become-pass </span></span></code></pre></td></tr></table> </div> </div><h4 id="32-using-a-basic-playbook">3.2. Using a basic playbook </h4><ul> <li>Add your SSH key to an ssh-agent using zsh (or bash):</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ssh-agent zsh </span></span><span class="line"><span class="cl">ssh-add ~/.ssh/id_ed25519 </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Run the Ansible playbook with the sudo password required for the commands:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ansible-playbook playbook.yaml --ask-become-pass </span></span></code></pre></td></tr></table> </div> </div>