Initial Setup (Arch Linux)
If at any point it is impossible to access your Raspberry Pi, then connect the micro SD card (containing your operating system) back to your main computer and edit any files necessary to get it to work again.
We can now insert the SD card into the Raspberry Pi, and connect the power (there is no on/off switch).
We should set up SSH on our main computer so that we can connect to the piserver simply with
ssh piserver. On our main computer we edit
Host piserver HostName <PISERVER IP ADDRESS>
Substituting in the IP address of the Raspberry Pi. We could:
- Try lots of random IP addresses until we find the right one (they're usually
192.168.1.x, and we can
pingto narrow down the list),
- Use the MAC address on the Raspberry Pi obtained from
ip link listand look at the list of devices on our DHCP server (i.e. our router),
- Set a static IP address on the Raspberry Pi,
- Set a static IP address for the Raspberry Pi on our DHCP server,
- Set up Service Discovery (Avahi) so that we can set
HostName piserver.localwhich works no matter what IP address the router has.
Users and Sudo
The system comes with two users:
root(the super-user), and
This is insecure, so we will remove access to both accounts.
We need to SSH into the piserver and switch to the root account.
# On your computer ssh alarm@piserver # Now on the Raspberry Pi su - root
We install some basic tools:
sudois used for security, allowing us to execute root commands without logging in as root.
pacmaticis a simple wrapper around
pacmanwhich can give warnings when doing system upgrades.
vimis the one true text editor.
pacman -Syu --needed sudo pacmatic vim
We create our adminstrative user, substiting
<YOU> for the username we like the most
useradd --groups wheel --create-home <YOU>
We give the adminstrative group
wheel sudo privileges by properly using
visudo -f /etc/sudoers.d/wheel
%wheel ALL=(ALL) NOPASSWD:ALL
We add our SSH key
Now we should logout, and SSH in as our new user to test everything is working.
Then we proced to remove the default
alarm user and lock
sudo userdel --remove alarm sudo passwd --lock root
The only way to login as root is to switch to it with
sudo su - root.
Hostname, Locale, Timezone
We set a hostname, and our locale. We may also set a non-UTC timezone if we like that kind of thing for our servers.
vim /etc/locale.gen locale-gen localectl set-locale <LOCALE> hostnamectl set-hostname piserver timedatectl set-timezone $(tzselect)
- [ ] https://wiki.archlinux.org/index.php/Installation_guide#Localization
- [ ] Font & Keymap
- [ ] Does /etc/hosts need to be updated, or does hostnamectl do it?
- [ ] Move into the appendix and expand out.
~/.pam_environment for cross-shell environment variables.
This is a little more annoying than just using
.bashrc, but it does let us switch between shells more easily.
Install the fish shell :)
Change port to 22, forbid root, etc. etc.
We enable time synchronisation because it is important for many different services. The built-in systemd-timesyncd service is easy to use.
sudo systemctl enable systemd-timesyncd.service sudo timedatectl set-ntp true
Pacman will build up an infinite collection of cached system packages in
/etc/cache/pacman/pkg. This is not useful, and it is likely we have limited disk space on the PiServer. We can remove old cached packages using a pacman hook that runs after we execute certain pacman commands.
Keeping some old versions is useful for the (very) rare occasion that you want to downgrade.
To remove all versions of an uninstalled package, we
[Trigger] Operation = Remove Type = Package Target = * [Action] Description = Removing package cache for uninstalled packages... When = PostTransaction Exec = /usr/bin/paccache -ruk0
To keep the last 3 versions of each package we still have installed, we
[Trigger] Operation = Upgrade Type = Package Target = * [Action] Description = Removing old cached packages... When = PostTransaction Exec = /usr/bin/paccache -rk3
Trim Flash Drives
Flash-based systems should be "trimmed" regularly to ensure optimal performance. This process physically clears the flash blocks for deleted files, which allows writes to those blocks to happen faster in the future.
SD cards and SSD drives normally support trim, while USB flash drives normally do not. The output of
mkfs.f2fs reveals whether trim is supported.
- [ ] In installation? What is the output?
It is possible trim when the file is deleted, but this is normally unnecessary. Therefore, we will enable
/usr/lib/systemd/system/fstrim.timer which trims all supported filesystems in
sudo systemctl enable --now fstrim.timer
On encrypted file systems, this will leak which areas of the drive are empty.
SD Card Longevity
Figure out writes with:
Flash NAND storage has limited write durability. Note: even a tiny 1 byte write can cause an entire erase-block (maybe 2MB) to be re-written.
mount with = noatime, lazytime
Don't do this: Because /var/tmp is across reboots: Mount tmp in 50MB RAM:
tmpfs /var/tmp tmpfs nodev,nosuid,size=50M 0 0
Keep swap off.
Consider tmpfs for
Consider mount option
Leave plenty of free space for wear-levelling.
TODO: Systemd write-batching, and log file size limit.
- [ ] Fix network issues reported by netdata:
sudo sysctl -a | grep netdev sudo sysctl net.core.netdev_budget=3000 sudo sysctl net.core.netdev_budget_usecs=4000
Simple Outbound Mail
- [ ] Migrate from blog. Move to "Things we can do".
There are further steps that we can take, however they offer increasingly diminishing returns. We do not consider MAC/ACLs/SELinux because they are, apparently, a PITA.
- [ ] Delay after login attempts (user accounts).
- [ ] Limit number of processes a user may have.
- [ ] Limit users which may login as root: https://wiki.archlinux.org/index.php/Security#Allow_only_certain_users
- [ ] Kernel hardening: https://wiki.archlinux.org/index.php/Security#Kernel_hardening
Firewall - UFW
https://wiki.archlinux.org/index.php/Umask#Set_the_mask_value. However, it might be really inconvenient.
Since it's headless we don't need those ports.
TBD: What does this protect against exactly?
We cannot just disable the USB controller because that would also disable the ethernet.
A few tips for
# Misc options Color TotalDownload