Condo Raspberry Pi

From Tim's Wiki

Basic Info

# to connect remotely:
ssh -p 222 condo.timmontague.com
# to connect locally:
ssh 192.168.0.5

External Hard Drives

There are 2 encrypted 2TB external hard drives attached to the RPi. One hard drive (/dev/disk/by-id/wwn-0x5000c5007cdd970a-part1) is always mounted and is the primary data storage drive. The 2nd hard drive (/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1) is marked with a yellow sticker as "Backup" and is a mirror of the first drive.

# to decrypt and mount primary drive:
sudo /usr/local/sbin/mount-external
<enter passphrase>
# to encrypt and unmount primary drive:
sudo /usr/local/sbin/umount-external

Or the steps can be run manually:

# to decrypt primary drive:
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1 external
<enter passphrase>
# to mount:
sudo mount /dev/mapper/external /external
# to unmount:
sudo umount /external
# to encrypt:
sudo cryptsetup close external

Backups

Backups of the local /etc/, /home/, and /usr/local/ directories are made daily by rsnapshot to /external/rsnapshot. The backup schedule is in /etc/cron.d/rsnapshot.

The 2nd hard drive (/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1) is mounted weekly by a cron job, synced from the first drive with rsync, and then unmounted. The idea behind this is that the drive will last longer because it is only spinning once a week. The backup script is located on the RPi here: /usr/local/sbin/backup-external. The cron job schedule is here: /etc/cron.d/backup-external.

Setup Info

Basic setup

sudo raspi-config

  • Expand filesystem
  • Change user password
  • Hostname: set to "condo"
  • Memory split: set to 16

Set FQDN by adding to /etc/hosts:

127.0.0.1 condo.timmontague.com condo

Set timezone to America/Los_Angeles:

sudo dpkg-reconfigure tzdata

Install VIM

sudo apt-get install vim

Edit /etc/vim/vimrc to your liking. I added this:

syntax on
colorscheme torte
set background=dark

And uncommented this:

" Uncomment the following to have Vim jump to the last position when
" reopening a file
if has("autocmd")
  au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
endif

" Uncomment the following to have Vim load indentation rules and plugins
" according to the detected filetype.
if has("autocmd")
  filetype plugin indent on
endif

Set default editor:

sudo update-alternatives --config editor

Fix Locale

Fixes this warning on login:

-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

Edit /etc/locale.gen, and uncomment en_US.UTF-8

sudo locale-gen en_US.UTF-8
sudo update-locale LANG=en_US.UTF-8

Set up users

For each new user:

sudo adduser <username>
sudo adduser <username> sudo
sudo adduser <username> users
sudo adduser <username> adm

Disable login from "pi" user:

sudo passwd pi -d
sudo visudo # comment out "pi ALL=(ALL) NOPASSWD: ALL"

Make user change password on next login:

sudo chage -d 0 <username>

Set up email delivery

Info from here.

sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config
mail configuration: mail sent by smarthost; received via SMTP or fetchmail
System mail name: condo.timmontague.com
Incoming SMTP connections: 127.0.0.1 (don't include "::1")
Other destinations: none
Relay servers: none
Outgoing smarthost: email-smtp.us-east-1.amazonaws.com::587
Hide local mail name: No
Minimal DNS: No
Delivery method: mbox format in /var/mail
Split configuration files: No

Add username/password to /etc/exim4/passwd.client

Set up DDNS

  • Generate ssh keys with ssh-keygen.
  • Add public key to bitbucket account
  • git clone git@bitbucket.org:timmontague/ddns.git
  • Install Amazon aws utilities:
sudo apt-get install dnsutils
sudo apt-get install python-virtualenv
virtualenv ~/.venvs/aws
source ~/.venvs/aws/bin/activate
pip install awscli
pip install cli53
deactivate
  • Add to ~/.boto:
[Credentials]
aws_access_key_id = <access_key>
aws_secret_access_key = <secret_key>
  • Add to local user crontab:
*/5 * * * * /home/tim/ddns/update.sh

Configure firewall

sudo apt-get install ufw
sudo ufw allow 22
# multicast packets from router will clutter up the logs unless explicitly blocked
sudo ufw deny from 192.168.0.1 to 224.0.0.1
sudo ufw enable
sudo ufw status

External hard drives

The external hard drives were set up with these commands:

sudo cryptsetup luksFormat /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1
sudo cryptsetup luksFormat /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cdd970a-part1 external
sudo cryptsetup luksOpen /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1 backup
sudo mount /dev/mapper/external /external/
sudo mkfs.ext4 /dev/mapper/external
sudo tune2fs -m 0 /dev/mapper/external
sudo mkfs.ext4 /dev/mapper/backup
sudo tune2fs -m 0 /dev/mapper/backup
sudo mount /dev/mapper/external /external/
sudo cryptsetup luksClose backup
dd bs=512 count=4 if=/dev/urandom of=/external/backup.key iflag=fullblock
sudo chown root:root /external/backup.key
sudo chmod 400 /external/backup.key
sudo cryptsetup luksAddKey /dev/disk/by-id/wwn-0x5000c5007cea02b6-part1 /external/backup.key
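As an added example (not the backup-external script installed on the RPi, whose contents this page does not show): one way the weekly job described under Backups could be written, using the backup.key just added above to open the backup drive unattended and re-locking it afterwards. The mountpoint /mnt/backup is an assumption.

```shell
#!/bin/sh
# backup-external: mirror the always-mounted primary drive (/external) onto
# the "Backup" drive, then lock it again so it only spins during this job.
# Example reconstruction for this page, not the script installed on the RPi.
# Assumed: /external/backup.key (created at setup) is a LUKS key for the
# backup drive, and /mnt/backup is where it gets mounted.
set -eu

BACKUP_DEV=/dev/disk/by-id/wwn-0x5000c5007cea02b6-part1
KEYFILE=/external/backup.key
MAPPER=backup
MNT=/mnt/backup

# rsync mirror: archive mode plus hard links, delete what no longer exists
# on the source, and never copy the keyfile or lost+found onto the mirror.
mirror_tree() {
    rsync -aH --delete --delete-excluded \
        --exclude 'backup.key' --exclude 'lost+found' \
        "$1/" "$2/"
}

# True when the given path is a mountpoint. Checked before rsync: if the
# primary drive were not mounted, --delete would wipe the mirror.
is_mounted() {
    grep -qs " $1 " /proc/mounts
}

cleanup() {
    # Always unmount and re-lock the backup drive, even if rsync failed.
    umount "$MNT" 2>/dev/null || true
    cryptsetup close "$MAPPER" 2>/dev/null || true
}

main() {
    is_mounted /external || { echo "/external is not mounted" >&2; exit 1; }
    [ -r "$KEYFILE" ] || { echo "cannot read $KEYFILE" >&2; exit 1; }
    trap cleanup EXIT
    cryptsetup open --key-file "$KEYFILE" "$BACKUP_DEV" "$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
    mirror_tree /external "$MNT"
    echo "Mirror finished at $(date)"   # cron mails this to root via exim4
}

# Only act when invoked under the installed name, so the functions above can
# be sourced or tested without touching any drive.
case "${0##*/}" in backup-external) main ;; esac
```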

Backups

Copy backup scripts to /usr/local/sbin.

sudo apt-get install rsnapshot
sudo mkdir /external/rsnapshot

Edit /etc/rsnapshot.conf:

27c27
< snapshot_root	/var/cache/rsnapshot/
---
> snapshot_root	/external/rsnapshot
33c33
< #no_create_root	1
---
> no_create_root	1
97c97
< retain		hourly	6
---
> #retain		hourly	6
100c100
< #retain	monthly	3
---
> retain		monthly	6
124c124
< #logfile	/var/log/rsnapshot.log
---
> logfile		/var/log/rsnapshot.log
158c158
< #one_fs		0
---
> one_fs		1
190c190
< #sync_first	0
---
> sync_first	1
232a233
> 

Add to /etc/cron.d/rsnapshot:

30 2 * * *		root	/usr/bin/rsnapshot sync && /usr/bin/rsnapshot daily
0  2 * * 1		root	/usr/bin/rsnapshot weekly
30 1 1 * *		root	/usr/bin/rsnapshot monthly

Add to /etc/cron.d/backup-external:

# Mirror /external to backup hard drive every Tuesday at 3pm

0 15 * * 2		root	/usr/local/sbin/backup-external

Monitoring

To email root when rebooted, add this to /etc/cron.d/reboot:

@reboot	root	/bin/echo "Rebooted at: $(date)"

nginx

sudo apt-get install nginx ssl-cert
sudo mkdir -p /var/www/html
sudo bash -c "echo condo > /var/www/html/index.html"
sudo ufw allow 443
sudo ufw allow 80

Copy to /etc/nginx/sites-available/condo:

server {
	listen 80 default_server;

	# SSL configuration
	listen 443 ssl default_server;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
	location /munin/static/ {
		alias /etc/munin/static/;
		expires modified +1w;
	}
	location ^~ /munin-cgi/munin-cgi-graph/ {
		access_log off;
		fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_pass unix:/var/run/munin/fcgi-graph.sock;
		include fastcgi_params;
	}
	location /munin/ {
		fastcgi_split_path_info ^(/munin)(.*);
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_pass unix:/var/run/munin/fcgi-html.sock;
		include fastcgi_params;
	}
}
sudo unlink /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/condo  /etc/nginx/sites-enabled/condo
sudo update-rc.d nginx defaults
sudo service nginx start

Munin

sudo apt-get install munin spawn-fcgi

Edit /etc/munin/munin.conf:

40c40
< graph_strategy cgi
---
> #graph_strategy cron
69c69
< html_strategy cgi
---
> #html_strategy cron
80c80
< max_processes 4
---
> #max_processes 16
98c98
< [condo.timmontague.com]
---
> [localhost.localdomain]
sudo curl http://files.julienschmidt.com/public/cfg/munin/spawn-fcgi-munin-graph -o /etc/init.d/spawn-fcgi-munin-graph
sudo curl http://files.julienschmidt.com/public/cfg/munin/spawn-fcgi-munin-html -o /etc/init.d/spawn-fcgi-munin-html
sudo chmod +x /etc/init.d/spawn-fcgi-munin-graph /etc/init.d/spawn-fcgi-munin-html

Change $SOCK_FILE in /etc/init.d/spawn-fcgi-munin-graph and /etc/init.d/spawn-fcgi-munin-html to /var/run/munin/{fcgi-graph,fcgi-html}.sock.

sudo mkdir -p /usr/local/share/munin/plugins
sudo curl http://munin-monitoring.org/export/ddc595889f8d61a865df2d7f5486ecb5e14a098f/munin-contrib/plugins/network/packetloss -o /usr/local/share/munin/plugins/packetloss_
sudo sed -i 's/\r//' /usr/local/share/munin/plugins/packetloss_
sudo chmod +x /usr/local/share/munin/plugins/packetloss_
sudo ln -s /usr/local/share/munin/plugins/packetloss_ /etc/munin/plugins/packetloss_google.com
sudo curl https://raw.githubusercontent.com/perception101/pisense/master/pisense_ -o /usr/local/share/munin/plugins/pisense_
sudo chmod +x /usr/local/share/munin/plugins/pisense_
sudo ln -s /usr/local/share/munin/plugins/pisense_ /etc/munin/plugins/pisense_volt
sudo ln -s /usr/local/share/munin/plugins/pisense_ /etc/munin/plugins/pisense_temp

# fix for irqstats error in /var/log/munin/munin-node.log
curl http://munin-monitoring.org/raw-attachment/ticket/1462/munin-v2.0.6-raspberry_pi-irqstats-usb_fiq.patch -o /tmp/patch
sudo patch /usr/share/munin/plugins/irqstats -p0 < /tmp/patch
rm /tmp/patch

for f in /etc/munin/plugins/nfs*; do sudo unlink $f; done
for f in /etc/munin/plugins/ntp_*; do sudo unlink $f; done

Add /etc/munin/plugin-conf.d/packetloss:

[packetloss_*]
timeout 60
user root

Add /etc/munin/plugin-conf.d/multiping:

[multiping]
env.host google.com timmontague.com vanerp.org

Add /etc/munin/plugin-conf.d/pisense:

[pisense_*]
user root

sudo update-rc.d spawn-fcgi-munin-graph defaults
sudo update-rc.d spawn-fcgi-munin-html defaults
sudo update-rc.d munin-node defaults
sudo service spawn-fcgi-munin-graph start
sudo service spawn-fcgi-munin-html start
sudo service munin-node restart

motd

Add the message of the day to /etc/motd