What?
I’ve had a Raspberry Pi B+ and Odroid-C1 lying around collecting dust for a while now, so I’ve decided to make use of them by migrating services from my virtualized environment.
Why?
Single-board computers (SBCs) like my Raspberry Pi and Odroid consume much less power than my Dell T5400, and they’re sufficiently powerful to handle the services that I’ll be running on them for now. This allows me more flexibility to play with my Proxmox box without having to worry about interrupting anything.
How:
Hardware:
- Raspberry Pi B+
- 4GB microSD
Software:
- Raspbian (Debian 9)
- DDClient
- CaddyServer
- Pi-Hole
- OpenVPN
Initial Setup
After downloading the minimal image of Raspbian, writing it to an SD card, enabling SSH, and determining the IP of my Raspberry Pi after its first boot, I went ahead and used KiTTY to connect with SSH.
Taking a look around:
pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
pi@raspberrypi:~ $ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.6G 1.1G 2.4G 30% /
devtmpfs 213M 0 213M 0% /dev
tmpfs 217M 0 217M 0% /dev/shm
tmpfs 217M 8.5M 209M 4% /run
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 217M 0 217M 0% /sys/fs/cgroup
/dev/mmcblk0p1 44M 23M 22M 51% /boot
tmpfs 44M 0 44M 0% /run/user/1000
Users/groups
Raspbian doesn’t ship with a root password, and suggests keeping it that way and using an administrative account with sudo privileges instead, for increased security.
You’ll notice when first logging in that Raspbian included this nice security notice:
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
Instead of changing the password for the default user ‘pi’, I feel like we could increase our security more by deleting the default account and creating a new one to work with. Whether it makes a difference or not, it makes me feel a bit better thinking about someone having to figure out my passwords and my user names.
To do that, I list all the groups that the default user ‘pi’ is part of:
pi@raspberrypi:~ $ groups
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
And append those groups to my new user (minus the ‘pi’ group):
sudo useradd -mG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi USERNAME
After a reboot and reconnecting SSH with my new user, we can delete the default user ‘pi’ and its empty group:
sudo deluser --remove-all-files pi && sudo delgroup pi
Updating The System
Let’s first go ahead and update the system time zone with sudo dpkg-reconfigure tzdata
Then update packages, perform a full upgrade, and download the newest Raspberry Pi kernel with one command:
sudo apt update && sudo apt full-upgrade -y && sudo rpi-update -y
Grab a cup of coffee while it runs…
From Debian Jessie and later: APT 1.0 allows the command apt instead of apt-get and apt-cache.
apt full-upgrade is the same as apt-get dist-upgrade, which will install and remove packages as necessary: https://askubuntu.com/a/500928
If rpi-update gives an error, try running this command:
sudo chmod +x /sbin/depmod
Dynamic DNS with DDClient
Setting up DDClient is a piece of cake on Debian. Just install it from the repository:
sudo apt install ddclient -y
Since it can change by distribution or version, locate the configuration file with:
sudo find / -name ddclient.conf
To make sure that DDClient starts on boot, set the run_daemon parameter to "true" (and set everything else to "false") in:
sudo nano /etc/default/ddclient
After the configuration file is written and the daemon settings are adjusted, finish up with:
sudo systemctl restart ddclient && sudo systemctl enable ddclient
Reverse Proxy with Caddy
Port forwarding has to be done first or certificates will fail.
Caddy is just as easy.
Download and install Caddy (including plugins) to the default location /usr/local/bin/caddy:
curl https://getcaddy.com | bash -s hook.service,http.ratelimit,http.realip,tls.dns.namecheap
With the hook.service plugin, install the service with:
caddy -service install -agree -email yourname@domain.com -conf /path/to/Caddyfile
Then start the service with:
caddy -service start
Network Wide Ad-Blocking with Pi-hole
The router must be configured to use the Pi-hole device as its DNS server; otherwise, specify it on individual devices. Pi-hole also has DHCP, but I still find it easier to use the router to dish out addresses.
Download and install Pi-hole:
curl -sSL https://install.pi-hole.net | bash
While the installer was running, I noticed that it asked to install lighttpd as the web server for the Pi-hole administration page. I opted to let it go ahead and complete the default installation with lighttpd, but it conflicted with Caddy as it tried to run on the default HTTP port 80.
All that was needed was changing server.port = 80 to something different in the lighttpd configuration file at /etc/lighttpd/lighttpd.conf.
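Both the Caddy and Pi-hole installs above pipe a downloaded script straight into bash. As an added example (not part of the original post, and not either project's own tooling), the sketch below downloads the installer to a file and runs it only if it matches a SHA-256 digest you recorded after reading the script; the function names and PINNED_DIGEST are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a digest
# recorded when the script was last read and approved.

# verify_installer FILE EXPECTED_SHA256 -> 0 if the file matches, 1 otherwise.
verify_installer() {
    file=$1 expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# fetch_and_run URL EXPECTED_SHA256 [ARGS...]: download to a temp file,
# verify it, then execute it with bash. Nothing runs if the check fails.
fetch_and_run() {
    url=$1 expected=$2; shift 2
    tmp=$(mktemp) || return 1
    if curl -fsSL "$url" -o "$tmp" && verify_installer "$tmp" "$expected"; then
        bash "$tmp" "$@"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage on the Pi (PINNED_DIGEST is a placeholder you record after review):
#   fetch_and_run https://install.pi-hole.net "$PINNED_DIGEST"
```

A mismatch after an upstream update is expected; it is the prompt to read the new script before recording a new digest.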
Trimming The Fat
After everything was up to date and running correctly I wanted to strip down the amount of space that the OS was taking on my little 4GB microSD card, so I ran a few commands to remove some unnecessary packages and files.
This line of code is very handy to locate large files:
sudo find / -type f -size +10000k -exec ls -lh {} \; | awk '{ print $NF ": " $5 }'
Running this code initially returned:
/var/lib/apt/lists/raspbian.raspberrypi.org_raspbian_dists_stretch_main_binary-armhf_Packages: 59M
/var/cache/apt/archives/raspberrypi-kernel_1.20190215-1_armhf.deb: 32M
/var/cache/apt/archives/libraspberrypi-doc_1.20190215-1_armhf.deb: 30M
/var/cache/apt/pkgcache.bin: 26M
/var/cache/apt/srcpkgcache.bin: 26M
/var/swap: 100M
/opt/vc/src/hello_pi/hello_video/test.h264: 30M
/usr/local/bin/caddy: 21M
/usr/lib/gcc/arm-linux-gnueabihf/6/cc1plus: 17M
/usr/lib/gcc/arm-linux-gnueabihf/6/lto1: 15M
/usr/lib/gcc/arm-linux-gnueabihf/6/cc1: 16M
/usr/lib/arm-linux-gnueabihf/libicudata.so.57.1: 25M
So let’s get rid of those sample files, which live under /opt/vc/src, with:
sudo rm -rf /opt/vc/src
Then take a look at the development packages that we won’t need anymore with:
sudo dpkg --get-selections | grep "\-dev"
To remove them just append the string to apt remove:
sudo apt remove `sudo dpkg --get-selections | grep "\-dev" | sed s/install//`
Remove things related to the system sound that we don’t need:
sudo apt remove `sudo dpkg --get-selections | grep -v "deinstall" | grep sound | sed s/install//`
Now cut out a few other random packages before cleaning up apt and its cache:
sudo apt remove ca-certificates libraspberrypi-doc xkb-data locales manpages
Then clean up apt with:
sudo apt autoremove && sudo apt-get clean
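The removals above hand apt a package list built by grep, and the explicit list includes ca-certificates, which provides the CA bundle that curl and Caddy use to verify TLS connections. As an added example (not from the original post), this sketch screens the output of an apt-get -s (simulate) run against a keep-list before anything is actually removed; the KEEP list, function names and sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: screen an apt removal plan before running it for real.
# KEEP is an assumed keep-list; adjust it to the services on your box.
KEEP="ca-certificates openssl openssh-server sudo"

# Read `apt-get -s remove ...` output on stdin and print every package
# the plan would remove ("Remv" lines) that is on the keep-list.
flag_protected_removals() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        $1 == "Remv" {
            pkg = $2
            sub(/:.*/, "", pkg)        # strip an architecture suffix such as :armhf
            if (pkg in want) print pkg
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of simulation output (not captured from a real system).
SAMPLE_PLAN='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  ca-certificates libraspberrypi-doc locales manpages xkb-data
Remv ca-certificates [20161130+nmu1+deb9u1]
Remv libraspberrypi-doc [1.20190215-1]
Remv locales [2.24-11+deb9u4]
Remv manpages [4.10-2]
Remv xkb-data [2.19-1+deb9u1]'

# Return 0 when the plan is safe, 1 (and list the hits) when it is not.
check_plan() {
    hits=$(flag_protected_removals)
    if [ -n "$hits" ]; then
        echo "refusing: plan removes protected packages: $hits" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; reports ca-certificates on stderr.
printf '%s\n' "$SAMPLE_PLAN" | check_plan || true

# Real use on the Pi:
#   apt-get -s remove locales manpages | check_plan && sudo apt remove locales manpages
```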
Woo! After going through all of that, running our large file finder returns a slightly shorter list:
/var/lib/apt/lists/raspbian.raspberrypi.org_raspbian_dists_stretch_main_binary-armhf_Packages: 59M
/var/swap: 100M
/usr/local/bin/caddy: 21M
/usr/lib/gcc/arm-linux-gnueabihf/6/cc1: 16M
/usr/lib/arm-linux-gnueabihf/libicudata.so.57.1: 25M
And checking the file system size shows that after everything is set up and working I’ve made practically no impact:
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.6G 1.1G 2.4G 31% /
devtmpfs 237M 0 237M 0% /dev
tmpfs 241M 272K 241M 1% /dev/shm
tmpfs 241M 3.4M 238M 2% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 241M 0 241M 0% /sys/fs/cgroup
/dev/mmcblk0p1 44M 22M 22M 51% /boot
tmpfs 49M 0 49M 0% /run/user/999
tmpfs 49M 0 49M 0% /run/user/1001
Wrapping up
For the moment I’m satisfied with my RaspberryPi setup! DDClient is flawlessly updating several domains and subdomains for me, Caddy is easily handling the reverse proxy tasks, and Pi-Hole seems to be doing a decent job at blocking most ads on the web. Pi-Hole doesn’t seem to be blocking ads on things like YouTube or mobile applications yet, but I’m sure there are more features to offer after I can put in some research and time tweaking things.
There are also 3 fewer services running on my Dell T5400 now, so I’m several steps closer to migrating everything off of it and being able to do whatever I want with the system again - like setting up a GNS3 environment to use during my CCNA program.