Raspbian
This page documents my local Raspberry Pi config for a Raspberry Pi 3 running Raspbian. This config is based on Raspbian Buster Lite, released on 2020-02-13 by the Raspberry Pi Foundation, which can be found here.
Before first boot
By default Raspbian attempts to grow the root partition on first boot to fill the entire SD card. To disable this, make the following changes to the SD card image before first boot.
- Remove custom init script and quiet from /boot/cmdline.txt before first power on.
- Remove /etc/init.d/resize script.
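A scripted form of the two steps above, as an added example that is not part of the original page. It assumes the card image's boot and root partitions are mounted at paths you pass in (e.g. /mnt/boot and /mnt/root, both assumptions) and that the first-boot resize hook is the init=... kernel parameter in cmdline.txt (Raspbian passes init=/usr/lib/raspi-config/init_resize.sh; treated here as an assumption). The resize script path is the one the page names.

```shell
#!/bin/sh
# Added example (not from the original page). Applies the two "before first boot"
# steps to a card whose boot and root partitions are mounted at the paths passed
# as arguments (e.g. /mnt/boot and /mnt/root; paths are assumptions).
# Assumes the first-boot resize hook is the init=... kernel parameter in
# cmdline.txt (Raspbian uses init=/usr/lib/raspi-config/init_resize.sh).

# Read one cmdline.txt line on stdin; drop every init=... token, the word
# "quiet" and empty tokens; print the rest space-separated on one line.
strip_firstboot_cmdline() {
  tr ' ' '\n' | grep -v -e '^init=' -e '^quiet$' -e '^$' | paste -s -d ' ' -
}

# Apply both steps, keeping the original cmdline.txt as cmdline.txt.orig.
disable_firstboot_resize() {
  boot="$1"; root="$2"
  [ -f "$boot/cmdline.txt" ] || { echo "no cmdline.txt in $boot" >&2; return 1; }
  cp "$boot/cmdline.txt" "$boot/cmdline.txt.orig"
  strip_firstboot_cmdline < "$boot/cmdline.txt.orig" > "$boot/cmdline.txt"
  rm -f "$root/etc/init.d/resize"    # the resize script named on the page
}

# Succeed only if no init= hook or quiet flag remains and the resize script is
# gone; run it before unmounting the card.
verify_firstboot_resize_disabled() {
  boot="$1"; root="$2"
  if grep -q 'init=' "$boot/cmdline.txt"; then return 1; fi
  if grep -q -w 'quiet' "$boot/cmdline.txt"; then return 1; fi
  [ ! -e "$root/etc/init.d/resize" ]
}

# Typical use (constructed paths):
#   disable_firstboot_resize /mnt/boot /mnt/root && verify_firstboot_resize_disabled /mnt/boot /mnt/root
```

The verify step is worth running separately because a card that still carries the init= hook will silently resize on its first boot, which undoes any partition layout you planned for later (such as the manual parted/resize2fs step further down).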
After first boot
The following steps should be completed after first boot to configure the Pi for remote management.
Set vim as the default editor
apt install vim
update-alternatives --set editor /usr/bin/vim.basic
Disable IPv6
Add the following to /etc/sysctl.d/local.conf:
# disable IPv6
net.ipv6.conf.all.disable_ipv6=1
Configure static IP address
Edit /etc/dhcpcd.conf and add the following:
# Static eth0 configuration
interface eth0
static ip_address=10.77.3.6/24
static routers=10.77.3.1
static domain_name_servers=10.77.3.4 10.77.3.5
Add our local domain to the default search path configured by resolvconf.
echo "search in.quay.net" >> /etc/resolv.conf.tail
Configure OpenSSHD on boot
Set to run on boot.
systemctl enable ssh
systemctl start ssh
User configuration
The following user modifications are made.
local user
Add local user:
groupadd -g 1778 gabriel
useradd -u 1778 -c "Gabriel O'Brien" -g 1778 -m -G sudo gabriel
passwd gabriel
pi
Disable pi user:
usermod -s /usr/sbin/nologin -p '*' pi
root
Now set the root password.
ansible
Add ansible user:
groupadd -g 1111 ansible
useradd -u 1111 -c "Ansible control user" -g 1111 -m ansible
usermod -p '*' ansible
Configure the following sudo rule for ansible:
# Ansible control user
ansible ALL=(ALL) NOPASSWD:ALL
Copy SSH keys for Ansible user.
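A check for the account changes in this section, as an added example that is not part of the original page: it lists every account that still has both a login shell and a usable password, so that the disabled pi user, the key-only ansible user and the new local user end up in the state described above. The passwd/shadow paths are arguments so it can run against copies; the sample data and the placeholder hashes in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Audits the account changes above:
# lists every account that still has both a login shell and a usable password,
# reading passwd(5)/shadow(5)-format files given as arguments so it can run on
# copies (on a live system: audit_password_logins /etc/passwd /etc/shadow, as root).
# Accounts locked the way this page does it (shell /usr/sbin/nologin, password
# field '*' or '!...') are not reported; an empty password field is reported,
# because that account can log in with no password at all.
audit_password_logins() {
  passwd_file="$1"; shadow_file="$2"
  awk -F: '
    NR == FNR { shell[$1] = $7; next }     # first file: passwd, remember shells
    {
      user = $1; hash = $2; sh = shell[user]
      if (sh == "/usr/sbin/nologin" || sh == "/bin/false") next   # no interactive login
      if (hash == "") { print user ":" sh " (empty password)"; next }
      if (hash == "*" || substr(hash, 1, 1) == "!") next            # locked
      print user ":" sh
    }' "$passwd_file" "$shadow_file"
}

# Runs the audit on a constructed passwd/shadow pair that mirrors this page's
# users plus one deliberately misconfigured service account (constructed data,
# hashes are placeholders, not real hashes).
audit_sample() {
  dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/usr/sbin/nologin
gabriel:x:1778:1778:Gabriel O'Brien:/home/gabriel:/bin/bash
ansible:x:1111:1111:Ansible control user:/home/ansible:/bin/bash
svc:x:1200:1200:constructed service account:/var/lib/svc:/bin/sh
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$placeholdersalt$placeholderhash:18300:0:99999:7:::
pi:*:18300:0:99999:7:::
gabriel:$6$placeholdersalt$placeholderhash:18300:0:99999:7:::
ansible:*:18300:0:99999:7:::
svc::18300:0:99999:7:::
EOF
  audit_password_logins "$dir/passwd" "$dir/shadow"
  rm -rf "$dir"
}
```

On the constructed data only root, gabriel and the svc account are reported; pi (nologin shell, '*' password) and ansible ('*' password, key-only access) are silent. The ansible account is the interesting one: with NOPASSWD sudo it is effectively root, so the only thing standing between the network and root on this host is the SSH key copied for it.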
Sudoers config
Set timestamp_timeout=NN to a more useful timeout value.
Grow root partition
Use parted and resize2fs to manually set the root filesystem size.
# grow partition
parted
print
unit GiB
resizepart 2 42.25
# resize filesystem
resize2fs /dev/mmcblk0p2
raspi-config
Run the raspi-config tool and set the following options:
- 2 Network Options → Hostname → Set hostname
- 4 Localization Options
  - I1 Change Locale → en_CA.UTF-8 UTF-8 → disable en_GB.UTF-8 UTF-8 → Set default locale to C.UTF-8
  - I2 Timezone → America → Toronto
  - I3 Change Keyboard Layout → Generic 104-key PC → Other → English (US) → English (US) → The default for the keyboard layout → No compose key
  - I4 Change WLAN Country → CA Canada
- 7 Advanced Options
  - A3 Memory Split → 16
Additional hardware configuration via config.txt
These settings involve manual configuration of /boot/config.txt to disable certain drivers. See the boot overlays README for more information.
Disable unneeded networking
# disable WiFi
dtoverlay=disable-wifi
# disable Bluetooth
dtoverlay=disable-bt
Disable modem service per boot overlays doc:
systemctl disable hciuart
Disable audio driver
Comment out the audio driver:
# Enable audio (loads snd_bcm2835)
#dtparam=audio=on
Configure OpenSSH server
Disable all keys except ed25519.
# once any HostKey line is present, sshd uses only the listed keys
echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
cd /etc/ssh/
rm -f *key*
# regenerate the host keys
dpkg-reconfigure openssh-server
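A sanity check for the host-key state these commands leave behind, as an added example that is not part of the original page (it also covers the host-key step in the old Jessie instructions further down). It reports HostKey lines pointing at files that do not exist, key files that no HostKey line uses (after dpkg-reconfigure the rsa and ecdsa keys are regenerated on disk even though sshd no longer loads them), and a config with no HostKey line at all, which silently falls back to the default key set. The config and key-directory paths are arguments so it can run against copies; the sample layout is constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Checks the host-key setup that the
# commands above leave behind. Arguments: an sshd_config file and the key
# directory (given as paths so it can run against copies). Prints one line per
# finding and returns 1 if there were any:
#   NOHOSTKEY        no HostKey line, so sshd loads its default key set instead
#   MISSING <path>   a HostKey line names a file that does not exist
#   UNUSED <path>    a private key file in the directory no HostKey line uses
#                    (e.g. rsa/ecdsa keys regenerated by dpkg-reconfigure)
check_hostkeys() {
  conf="$1"; keydir="$2"; problems=0
  # HostKey directives: keyword is case-insensitive, comment lines do not match
  listed=$(awk 'tolower($1) == "hostkey" { print $2 }' "$conf" | tr '\n' ' ')
  if [ -z "$listed" ]; then
    echo "NOHOSTKEY"; problems=1
  fi
  for k in $listed; do
    [ -f "$k" ] || { echo "MISSING $k"; problems=1; }
  done
  for f in "$keydir"/ssh_host_*_key; do
    [ -f "$f" ] || continue                # glob matched nothing
    case " $listed" in
      *" $f "*) ;;                         # referenced by a HostKey line
      *) echo "UNUSED $f"; problems=1 ;;
    esac
  done
  return $problems
}

# Runs the check on a constructed layout that mimics the state after the page's
# commands: one HostKey line for ed25519, plus an rsa key that dpkg-reconfigure
# regenerated but nothing references (all files are empty placeholders).
check_hostkeys_sample() {
  dir=$(mktemp -d)
  printf 'Port 22\n#HostKey %s/ssh_host_rsa_key\nHostKey %s/ssh_host_ed25519_key\n' "$dir" "$dir" > "$dir/sshd_config"
  : > "$dir/ssh_host_ed25519_key"
  : > "$dir/ssh_host_rsa_key"
  check_hostkeys "$dir/sshd_config" "$dir" || true
  rm -rf "$dir"
}

# On a live host: check_hostkeys /etc/ssh/sshd_config /etc/ssh
```

An UNUSED finding is harmless for sshd itself but worth cleaning up, since the unused private keys still sit on disk; a MISSING finding means the appended HostKey line points at a key that was deleted and not regenerated, and sshd will refuse to start on the next restart.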
Packages
vim ntp isc-dhcp-server bind9 dnsutils whois fping git
Services
Service modification
systemctl disable apt-daily-upgrade.timer
systemctl disable apt-daily.timer
See also
This section contains old instructions for Raspbian 8 and will be deprecated in the future.
[Old] Raspbian Jessie Lite instructions
- Add OpenSSH authorized_keys for root user
- Remove all key types except rsa and ed25519 from sshd_config
- Remove all default keys and regenerate
rm *key*
ssh-keygen -q -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
service ssh restart
- Make vi the default editor: update-alternatives --set editor /usr/bin/vim.tiny
- Set static IP address for host by editing /etc/dhcpcd.conf:
# See dhcpcd.conf(5) for details.
interface eth0
static ip_address=$IP/$MASK
static routers=$ROUTER
- Set resolvconf for a static configuration by editing /etc/resolvconf.conf:
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details
resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
search_domains=in.quay.net
# BUG WORKAROUND: space separated lists of DNS servers are not currently working
name_servers=$NS1
name_servers_append=$NS2
# Mirror the Debian package defaults for the below resolvers
# so that resolvconf integrates seamlessly.
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
pdnsd_conf=/etc/pdnsd.conf
unbound_conf=/var/cache/unbound/resolvconf_resolvers.conf
- Remove pi default user
- Remove pi group
- Add new default user and group
- Add sudoers entry for user
- Set password
- Update ntp config; apt-get install ntpdate and sync time. NTP servers:
time.chu.nrc.ca
ntp1.torix.ca
tick.umanitoba.ca
time.nrc.ca
ntp2.torix.ca
tock.utoronto.ca
ntp3.torix.ca
tick.usask.ca
time.nist.gov
- Set timezone to Toronto:
sudo ln -fs /usr/share/zoneinfo/America/Toronto /etc/localtime
- Remove MOTD text
> /etc/motd
- Install git and needrestart
Raspbian appears to have issues with managing network dependencies during boot. This script ensures that BIND, dhcpd, and NTP start up correctly after the network interface is properly set up. It is run via /etc/rc.local as a background process and depends on fping.
#!/bin/bash
# wait until the network is reachable
until fping -qc 3 8.8.8.8 > /dev/null 2>&1; do
    echo "Waiting for network..."
done
# restart the daemons that came up before the interface was ready
for daemon in isc-dhcp-server bind9; do
    echo "Forcing restart of $daemon"
    service $daemon restart
done
echo "Forcing restart of ntp"
service ntp stop
ntpdate -s 0.ca.pool.ntp.org
service ntp start
Service management under systemd
- Add service to systemd init process:
systemctl enable $SERVICE
- List all services:
service --status-all
Disable WiFi completely
Blacklist the driver by creating a file in /etc/modprobe.d called wlan-blacklist.conf with the following contents:
blacklist brcmfmac
blacklist brcmutil