Condo Raspberry Pi

From Tim's Wiki

Basic Info

# to connect remotely:
ssh -p 222
# to connect locally:

External Hard Drives

There are 2 encrypted 2TB external hard drives attached to the RPi. One hard drive (/dev/disk/by-id/wwn-0x5000c5007cdd970a-part1) is always mounted and is the primary data storage drive. The 2nd hard drive (/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1) is marked with a yellow sticker as "Backup" and is a mirror of the first drive.

# to decrypt and mount primary drive:
sudo /usr/local/sbin/mount-external
<enter passphrase>
# to unmount and lock (close the LUKS mapping of) primary drive:
sudo /usr/local/sbin/umount-external

Or the steps can be run manually:

# to decrypt primary drive:
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1 external
<enter passphrase>
# to mount:
sudo mount /dev/mapper/external /external
# to unmount:
sudo umount /external
# to lock the drive again (close the LUKS mapping):
sudo cryptsetup close external


Backups of the local /etc/, /home/, and /usr/local/ directories are made daily by rsnapshot to /external/rsnapshot. The backup schedule is in /etc/cron.d/rsnapshot.

The 2nd hard drive (/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1) is mounted weekly by a cron job, updated with rsync as a mirror of the first drive, and then unmounted. The idea is that the drive will last longer because it only spins once a week. The backup script is located on the RPi at /usr/local/sbin/backup-external, and the cron job schedule is in /etc/cron.d/backup-external.
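The weekly mirror described above, sketched as an added example; this is not the wiki's /usr/local/sbin/backup-external, which is not shown on the page. The /backup mount point, the `--run` switch, the function names and the rsync options are assumptions; the device, mapping name and key file are the ones used in the setup commands further down.

```sh
#!/bin/sh
# Added example, not the wiki's /usr/local/sbin/backup-external.
# Assumed: the /backup mount point and the "--run" switch.
set -u
SRC=/external
KEY=/external/backup.key
DEV=/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1
NAME=backup
MNT=/backup
DRY_RUN=1   # 1: only record the commands in PLAN; 0: execute them
PLAN=""

# Record every privileged command, and execute it unless in dry-run mode.
run() {
    PLAN="${PLAN}$*
"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# The key file lives on the primary drive, and rsync --delete from an empty
# /external mount point would wipe the mirror, so both must be present.
src_ready() {
    mountpoint -q "$SRC" && [ -r "$KEY" ]
}

backup_external() {
    PLAN=""
    if ! src_ready; then
        echo "refusing to run: $SRC not mounted or $KEY unreadable" >&2
        return 1
    fi
    run cryptsetup luksOpen --key-file "$KEY" "$DEV" "$NAME" || return 1
    if ! run mount "/dev/mapper/$NAME" "$MNT"; then
        run cryptsetup close "$NAME"
        return 1
    fi
    # -H keeps rsnapshot's hard links; -x stays on the one filesystem.
    rc=0
    run rsync -aHx --delete "$SRC/" "$MNT/" || rc=$?
    # Unmount and lock the backup drive even if rsync failed.
    run umount "$MNT" || rc=$?
    run cryptsetup close "$NAME" || rc=$?
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    DRY_RUN=0
    backup_external
fi
```

Called without `--run` the script only defines the functions; calling `backup_external` in that state builds the command list in `PLAN` without touching any device.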

Setup Info

Basic setup

sudo raspi-config

  • Expand filesystem
  • Change user password
  • Hostname: set to "condo"
  • Memory split: set to 16

Set FQDN by adding to /etc/hosts: condo

Set timezone to America/Los_Angeles:

sudo dpkg-reconfigure tzdata

Install VIM

sudo apt-get install vim

Edit /etc/vim/vimrc to your liking. I added this:

syntax on
colorscheme torte
set background=dark

And uncommented this:

" Uncomment the following to have Vim jump to the last position when
" reopening a file
if has("autocmd")
  au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
endif

" Uncomment the following to have Vim load indentation rules and plugins
" according to the detected filetype.
if has("autocmd")
  filetype plugin indent on
endif

Set default editor:

sudo update-alternatives --config editor

Fix Locale

Fixes this warning on login:

-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

Edit /etc/locale.gen, and uncomment en_US.UTF-8

sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8

Set up users

For each new user:

sudo adduser <username>
sudo adduser <username> sudo
sudo adduser <username> users
sudo adduser <username> adm

Disable login from "pi" user:

sudo passwd -l pi # lock the password (-d would only delete it, leaving the account with an empty password)
sudo visudo # comment out "pi ALL=(ALL) NOPASSWD: ALL"

Make user change password on next login:

sudo chage -d 0 <username>

Set up email delivery

Info from here.

sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config
mail configuration: mail sent by smarthost; received via SMTP or fetchmail
System mail name:
Incoming SMTP connections: (don't include "::1")
Other destinations: none
Relay servers: none
Outgoing smarthost:
Hide local mail name: No
Minimal DNS: No
Delivery method: mbox format in /var/mail
Split configuration files: No

Add username/password to /etc/exim4/passwd.client

Set up DDNS

  • Generate ssh keys with ssh-keygen.
  • Add public key to bitbucket account
  • git clone
  • Install Amazon aws utilities:
sudo apt-get install dnsutils
sudo apt-get install python-virtualenv
virtualenv ~/.venvs/aws
source ~/.venvs/aws/bin/activate
pip install awscli
pip install cli53
  • Add to ~/.boto:
aws_access_key_id = <access_key>
aws_secret_access_key = <secret_key>
  • Add to local user crontab:
*/5 * * * * /home/tim/ddns/

Configure firewall

sudo apt-get install ufw
sudo ufw allow 22
# multicast packets from router will clutter up the logs unless explicitly blocked
sudo ufw deny from to
sudo ufw enable
sudo ufw status

External hard drives

The external hard drives were set up with these commands:

# create the LUKS containers (prompts for a passphrase for each drive)
sudo cryptsetup luksFormat /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1
sudo cryptsetup luksFormat /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1
# unlock both drives
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1 external
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1 backup
# create the filesystems, with no blocks reserved for root
sudo mkfs.ext4 /dev/mapper/external
sudo tune2fs -m 0 /dev/mapper/external
sudo mkfs.ext4 /dev/mapper/backup
sudo tune2fs -m 0 /dev/mapper/backup
# mount the primary drive (only possible once its filesystem exists)
sudo mount /dev/mapper/external /external/
sudo cryptsetup luksClose backup
# generate a 2048-byte key file on the encrypted primary drive and add it
# as an additional key for the backup drive
dd bs=512 count=4 if=/dev/urandom of=/external/backup.key iflag=fullblock
sudo chown root:root /external/backup.key
sudo chmod 400 /external/backup.key
sudo cryptsetup luksAddKey /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1 /external/backup.key


Copy backup scripts to /usr/local/sbin.

sudo apt-get install rsnapshot
sudo mkdir /external/rsnapshot

Edit /etc/rsnapshot.conf:

< snapshot_root	/var/cache/rsnapshot/
> snapshot_root	/external/rsnapshot
< #no_create_root	1
> no_create_root	1
< retain		hourly	6
> #retain		hourly	6
< #retain	monthly	3
> retain		monthly	6
< #logfile	/var/log/rsnapshot.log
> logfile		/var/log/rsnapshot.log
< #one_fs		0
> one_fs		1
< #sync_first	0
> sync_first	1

Add to /etc/cron.d/rsnapshot:

30 2 * * *		root	/usr/bin/rsnapshot sync && /usr/bin/rsnapshot daily
0  2 * * 1		root	/usr/bin/rsnapshot weekly
30 1 1 * *		root	/usr/bin/rsnapshot monthly

Add to /etc/cron.d/backup-external:

# Mirror /external to backup hard drive every Tuesday at 3pm

0 15 * * 2		root	/usr/local/sbin/backup-external


To email root when rebooted, add this to /etc/cron.d/reboot:

@reboot	root	/bin/echo "Rebooted at: $(date)"


sudo apt-get install nginx ssl-cert
sudo mkdir -p /var/www/html
sudo bash -c "echo condo > /var/www/html/index.html"
sudo ufw allow 443
sudo ufw allow 80

Copy to /etc/nginx/sites-available/condo:

server {
	listen 80 default_server;

	# SSL configuration
	listen 443 ssl default_server;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	location /munin/static/ {
		alias /etc/munin/static/;
		expires modified +1w;
	}

	location ^~ /munin-cgi/munin-cgi-graph/ {
		access_log off;
		fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
		include fastcgi_params;
	}

	location /munin/ {
		fastcgi_split_path_info ^(/munin)(.*);
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_pass unix:/var/run/munin/fcgi-html.sock;
		include fastcgi_params;
	}
}

sudo unlink /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/condo  /etc/nginx/sites-enabled/condo
sudo update-rc.d nginx defaults
sudo service nginx start


sudo apt-get install munin spawn-fcgi

Edit /etc/munin/munin.conf:

< graph_strategy cgi
> #graph_strategy cron
< html_strategy cgi
> #html_strategy cron
< max_processes 4
> #max_processes 16
< []
> [localhost.localdomain]
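
Review bot: the `<` and `>` sides in this munin.conf diff look swapped relative to the rsnapshot.conf diff earlier on the page, where `<` is the stock line and `>` the edited one. The nginx site above hands /munin/ and /munin-cgi/munin-cgi-graph/ to FastCGI sockets, so the values to end up with are `graph_strategy cgi` and `html_strategy cgi`; read the same way as the rsnapshot diff, these lines say to comment them out. Suggest flipping the markers so the direction is consistent, and filling in the host section name, which is empty in `< []`.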

sudo curl -o /etc/init.d/spawn-fcgi-munin-graph
sudo curl -o /etc/init.d/spawn-fcgi-munin-html
sudo chmod +x /etc/init.d/spawn-fcgi-munin-graph /etc/init.d/spawn-fcgi-munin-html

Change $SOCK_FILE in /etc/init.d/spawn-fcgi-munin-graph and /etc/init.d/spawn-fcgi-munin-html to /var/run/munin/{fcgi-graph,fcgi-html}.sock.

sudo mkdir -p /usr/local/share/munin/plugins
sudo curl -o /usr/local/share/munin/plugins/packetloss_
sudo sed -i 's/\r//' /usr/local/share/munin/plugins/packetloss_
sudo chmod +x /usr/local/share/munin/plugins/packetloss_
sudo ln -s /usr/local/share/munin/plugins/packetloss_ /etc/munin/plugins/
sudo curl -o /usr/local/share/munin/plugins/pisense_
sudo chmod +x /usr/local/share/munin/plugins/pisense_
sudo ln -s /usr/local/share/munin/plugins/pisense_ /etc/munin/plugins/pisense_volt
sudo ln -s /usr/local/share/munin/plugins/pisense_ /etc/munin/plugins/pisense_temp

# fix for irqstats error in /var/log/munin/munin-node.log
curl -o /tmp/patch
sudo patch /usr/share/munin/plugins/irqstats -p0 < /tmp/patch
rm /tmp/patch

for f in /etc/munin/plugins/nfs*; do sudo unlink "$f"; done
for f in /etc/munin/plugins/ntp_*; do sudo unlink "$f"; done

Add /etc/munin/plugin-conf.d/packetloss:

timeout 60
user root

Add /etc/munin/plugin-conf.d/multiping:


Add /etc/munin/plugin-conf.d/pisense:

user root

sudo update-rc.d spawn-fcgi-munin-graph defaults
sudo update-rc.d spawn-fcgi-munin-html defaults
sudo update-rc.d munin-node defaults
sudo service spawn-fcgi-munin-graph start
sudo service spawn-fcgi-munin-html start
sudo service munin-node restart


Add the message of the day to /etc/motd