---
tags:
  - raspberry pi
  - setup
categories:
  - informational
comments: true
date: 2021-12-25 00:00:00
---

## DESCRIPTION

Configuration changes to make on new Raspberry Pi (Raspbian) systems.

## ERRORS

Ensure the rfkill check in `/etc/profile.d/wifi-check.sh` is disabled by making the script exit immediately:

```
vi /etc/profile.d/wifi-check.sh
```

```
exit 0
```

## VERIFICATION

## COMMANDS

## System changes

Disable the Bluetooth services:

```
systemctl disable hciuart.service
systemctl disable bluealsa.service
systemctl disable bluetooth.service
```

The device tree overlays for disabling Bluetooth and Wi-Fi, as listed in `/boot/overlays/README`:

```
grep disable-bt /boot/overlays/README
Name:   disable-bt
Load:   dtoverlay=disable-bt
Name:   pi3-disable-bt
Info:   This overlay has been renamed disable-bt, keeping pi3-disable-bt as an
grep disable-wifi /boot/overlays/README
Name:   disable-wifi
Load:   dtoverlay=disable-wifi
Name:   pi3-disable-wifi
Info:   This overlay has been renamed disable-wifi, keeping pi3-disable-wifi as
```

Disable mDNS (avahi):

```
systemctl disable avahi-daemon.service
systemctl stop avahi-daemon.service
```

FIXME:

Disable wpa_supplicant and its dhcpcd hook:

```
systemctl disable wpa_supplicant
mv /lib/dhcpcd/dhcpcd-hooks/10-wpa_supplicant /root
```

apt configuration (no recommended or suggested packages, keep existing config files on upgrade):

```
APT::Install-Recommends "0";
APT::Install-Suggests "0";
Dpkg::Options {
    "--force-confdef";
    "--force-confold";
}
```

```
apt update
apt dist-upgrade
```

sysctl settings:

```
# Strict overcommit accounting: allocations beyond the ratio fail up front
# instead of leaving the OOM killer to pick a victim later
vm.overcommit_memory=2
vm.overcommit_ratio=90
# -1: Allow use of (almost) all events by all users
# >=0: Disallow raw tracepoint access by users without CAP_SYS_ADMIN
# >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
# >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
# >=3: Disallow all event access by users without CAP_SYS_ADMIN
#
# https://lwn.net/Articles/696216/
#
kernel.perf_event_paranoid=3
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
```

```
mkdir /var/core
```

Shell profile:

```
export EDITOR=vi
set -o vi
export TMOUT=900
readonly TMOUT
```

`/etc/hosts`:

```
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.0.1       nsa02
```

vim:

```
apt install vim-nox
```

vimrc:

```
syntax on
```

Unattended upgrades:

```
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
```

In the unattended-upgrades configuration, uncomment

```
      "origin=Debian,codename=${distro_codename}-updates";
```

and set

```
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Automatic-Reboot "true";
```

```
systemctl status unattended-upgrades
systemctl enable unattended-upgrades
```

## User management

Remove the default `pi` user:

```
userdel pi
rm -rf /home/pi
```

sudoers:

```
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
```

```
passwd root
```

* Remove passwords from users

```
passwd -d ubuntu
```


* Disable the DSA host key in sshd and remove the DSA keys

Comment out in `/etc/ssh/sshd_config`:

```
# HostKey /etc/ssh/ssh_host_dsa_key
```

```
rm /etc/ssh/ssh_host_dsa_key*
```

* Disable deprecated setting and disable forwarding

Add/change in `/etc/ssh/sshd_config`:

```
# UsePrivilegeSeparation yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
```

Note that as written only `GatewayPorts` is off; the three forwarding options are still `yes` and need to be set to `no` if forwarding is meant to be disabled.

* Check sshd configuration

```
/usr/sbin/sshd -t
```
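The VERIFICATION section above is empty, so here is an offline checker for the sysctl and sshd settings from these notes, as an added example that is not part of the original notes. It reads the files it is given (the assumed targets are `/etc/sysctl.conf` and `/etc/ssh/sshd_config`, or copies pulled off the SD card) and reports every value that differs from what the notes set.

```shell
#!/bin/sh
# Offline checker for the settings these notes apply (added example, not part
# of the original notes). Each function takes a file path, so it can be run
# against a Pi's /etc/sysctl.conf and /etc/ssh/sshd_config or against copies
# pulled off the SD card; the wanted values are the ones from the notes.

# check_sysctl FILE: each expected key must have the wanted value as its last
# uncommented assignment (later lines win, as with sysctl --system).
check_sysctl() {
    file=$1; rc=0
    for kv in vm.overcommit_memory=2 vm.overcommit_ratio=90 kernel.perf_event_paranoid=3; do
        key=${kv%%=*}; want=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots literal in the regex
        have=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$file" |
               sed 's/[[:space:]]*$//' | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "sysctl: $key is '${have:-unset}', want $want"; rc=1
        fi
    done
    return $rc
}

# check_sshd FILE: the DSA HostKey line must be commented out, and GatewayPorts
# must not be explicitly "yes" (sshd's default is no).
check_sshd() {
    file=$1; rc=0
    if grep -Eq '^[[:space:]]*HostKey[[:space:]]+[^#]*ssh_host_dsa_key' "$file"; then
        echo "sshd: DSA HostKey is still active"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+yes' "$file"; then
        echo "sshd: GatewayPorts is yes"; rc=1
    fi
    return $rc
}

# main SYSCTL_CONF SSHD_CONFIG: run both checks; status 1 if anything is off.
main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 /etc/sysctl.conf /etc/ssh/sshd_config" >&2; return 0
    fi
    status=0
    check_sysctl "$1" || status=1
    check_sshd "$2" || status=1
    [ $status -eq 0 ] && echo "all checks passed"
    return $status
}
main "$@"
```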


## Network primary - /etc/network/interfaces.d/eth0

* /etc/network/interfaces.d/eth0

```
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
gateway x.x.x.x
```

* disable dhcpcd client

```
systemctl disable dhcpcd.service
```

* ntp

Set in `/etc/systemd/timesyncd.conf`:

```
NTP=x.x.x.x y.y.y.y
```

```
systemctl status systemd-timesyncd.service
```

* rng

```
systemctl status rng-tools.service
```

## Monitoring (not done)

install and enable logcheck? logwatch?

* /etc/motd

```
apt install tcpdump lsof
```

## System: Move heavy writes to USB drive (to save the SD card)

Identify and format the USB drive:

```
blkid
fdisk /dev/sda
mkfs.ext4 /dev/sda1
```

`/etc/fstab` entry:

```
PARTUUID=7e60cada-01 /data      ext4    defaults,noatime,errors=remount-ro  0       2
```

Move the write-heavy directories onto the drive and symlink them back:

```
mkdir /data
mkdir -p /data/var/cache /data/var/spool
mv /var/log /data/var
ln -sf /data/var/log /var/log
mv /var/cache/apt /data/var/cache/
ln -s /data/var/cache/apt /var/cache/
mv /var/spool/postfix /data/var/spool/
ln -s /data/var/spool/postfix /var/spool/
reboot
```

Keep the journal in memory only:

```
grep Storage /etc/systemd/journald.conf
Storage=volatile
```

```
systemctl restart systemd-journald.service
```