Closed scottmuc closed 2 years ago
@Konradfischer here are some interesting access logs that one sees when exposing a webserver to the public:
```text
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /php-my-admin/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /sql/webadmin/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /phpMyAdmin5.2/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /phpMyAdmin5.1/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /db/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /admin/sqladmin/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /administrator/pma/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /database/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /sql/phpmyadmin5/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
186.33.91.108 - - [24/Jun/2022:05:55:53 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
165.22.206.82 - - [24/Jun/2022:05:58:04 +0100] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
157.230.216.203 - - [24/Jun/2022:06:07:27 +0100] "GET /ab2g HTTP/1.1" 400 173 "-" "-"
157.230.216.203 - - [24/Jun/2022:06:07:27 +0100] "GET /ab2h HTTP/1.1" 400 173 "-" "-"
64.62.197.92 - - [24/Jun/2022:06:09:34 +0100] "GET / HTTP/1.1" 200 612 "-" "-"
185.7.214.104 - - [24/Jun/2022:06:26:15 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
157.245.210.128 - - [24/Jun/2022:06:29:04 +0100] "GET /cookieconv.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
192.241.206.15 - - [24/Jun/2022:06:34:04 +0100] "GET / HTTP/1.1" 400 271 "-" "Mozilla/5.0 zgrab/0.x"
root@raspberrypi:/var/log/nginx# tail /var/log/nginx/access.log
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /database/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /sql/phpmyadmin5/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
186.33.91.108 - - [24/Jun/2022:05:55:53 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
165.22.206.82 - - [24/Jun/2022:05:58:04 +0100] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
157.230.216.203 - - [24/Jun/2022:06:07:27 +0100] "GET /ab2g HTTP/1.1" 400 173 "-" "-"
157.230.216.203 - - [24/Jun/2022:06:07:27 +0100] "GET /ab2h HTTP/1.1" 400 173 "-" "-"
64.62.197.92 - - [24/Jun/2022:06:09:34 +0100] "GET / HTTP/1.1" 200 612 "-" "-"
185.7.214.104 - - [24/Jun/2022:06:26:15 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
157.245.210.128 - - [24/Jun/2022:06:29:04 +0100] "GET /cookieconv.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
192.241.206.15 - - [24/Jun/2022:06:34:04 +0100] "GET / HTTP/1.1" 400 271 "-" "Mozilla/5.0 zgrab/0.x"
```
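The traffic in that excerpt is the background noise every public web server attracts within minutes: directory-name guessing for phpMyAdmin from one address, a POST to the PHPUnit `eval-stdin.php` path that scanners use to find an exposed `vendor/` tree, and banner grabbers such as zgrab. As an added example that is not part of this thread or the repository, here is a small Python classifier for nginx combined-format access logs. The sample lines are copied from the excerpt above; the probe-path patterns, the scanner user-agent list, the burst threshold and the reason labels are my own assumptions.

```python
"""Flag scanner traffic in nginx combined-format access logs.

Added example for this issue thread; not code from the repository.
The sample lines are copied from the log excerpt in the thread. The
probe-path patterns, user-agent patterns, burst threshold and reason
labels are assumptions of this example, not anything the thread defines.
"""
import re
from collections import defaultdict

# nginx "combined" format:
#   ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths a personal web server never serves; only scanners ask for them (assumed list).
PROBE_PATH_RE = re.compile(
    r"php-?my-?admin|/pma/|sqladmin|webadmin|eval-stdin\.php", re.IGNORECASE
)
# User agents that announce themselves as scanning tools (assumed list).
SCANNER_UA_RE = re.compile(r"zgrab|masscan|nmap|nikto|sqlmap", re.IGNORECASE)

# Copied from the thread's excerpt (a subset, enough to exercise every rule).
SAMPLE_LINES = [
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /php-my-admin/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /phpMyAdmin5.2/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /db/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /admin/sqladmin/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /database/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '95.249.144.100 - - [24/Jun/2022:05:39:04 +0100] "GET /sql/phpmyadmin5/index.php?lang=en HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"',
    '186.33.91.108 - - [24/Jun/2022:05:55:53 +0100] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"',
    '157.230.216.203 - - [24/Jun/2022:06:07:27 +0100] "GET /ab2h HTTP/1.1" 400 173 "-" "-"',
    '64.62.197.92 - - [24/Jun/2022:06:09:34 +0100] "GET / HTTP/1.1" 200 612 "-" "-"',
    '185.7.214.104 - - [24/Jun/2022:06:26:15 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"',
    '192.241.206.15 - - [24/Jun/2022:06:34:04 +0100] "GET / HTTP/1.1" 400 271 "-" "Mozilla/5.0 zgrab/0.x"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the per-request reasons a record looks like scanning (empty if none)."""
    reasons = []
    if PROBE_PATH_RE.search(rec["path"]):
        reasons.append("probe-path")
    if rec["method"] == "POST" and rec["status"] == 404:
        reasons.append("post-to-missing")
    if SCANNER_UA_RE.search(rec["ua"]):
        reasons.append("scanner-ua")
    if rec["ua"] == "-" and rec["status"] == 400:
        reasons.append("no-ua-bad-request")
    return reasons


def summarize(lines, burst_threshold=5):
    """Aggregate per source IP; add '404-burst' when an IP misses burst_threshold+ times.

    Returns {ip: sorted list of reasons} for IPs with at least one reason.
    """
    per_ip = defaultdict(lambda: {"not_found": 0, "reasons": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate truncated or foreign lines, as in the thread's excerpt
        entry = per_ip[rec["ip"]]
        if rec["status"] == 404:
            entry["not_found"] += 1
        entry["reasons"].update(classify(rec))
    for entry in per_ip.values():
        if entry["not_found"] >= burst_threshold:
            entry["reasons"].add("404-burst")
    return {ip: sorted(e["reasons"]) for ip, e in per_ip.items() if e["reasons"]}


if __name__ == "__main__":
    for ip, reasons in summarize(SAMPLE_LINES).items():
        print(f"{ip:16} {', '.join(reasons)}")
```

Run over the real file with `summarize(open("/var/log/nginx/access.log"))` and the output is a per-IP list you can feed to a block list. The 404s themselves are harmless, since nothing was there to hit; the one line worth a second look is the `eval-stdin.php` POST, which only matters if a `vendor/` directory containing PHPUnit is ever served from the web root, so that is the thing to check rather than the source address.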
Turns out that `pi:raspberry` is no longer the default user and password (reference).
Here's the way to create a user by default: https://www.raspberrypi.com/documentation/computers/configuration.html#configuring-a-user
Main ansible execution is failing because it cannot delete the `pi` user. It complains that `pi` has processes running. Need to investigate what's going on.
Certificate task failed because my IP address had changed and I hadn't updated Gandi.net.
Looks like the imager tool has the capability to set up the boot volume.
@konradfischer there were some interesting issues with this repave because the base image has been updated in such a way that the user I assumed existed by default no longer exists: https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/
Not the problem with the repave I was expecting today :-)
Everything working fine for now.
Yay for Repaving!
As much as possible is documented inline in this issue template. In case of problems you may find help by viewing all the previous repave issues. Have fun!
## Things to do with the existing build

- [x] Disable DHCP on the PI

  Ensure that when we renew our DHCP lease, it comes from our router.

  ```
  sudo systemctl stop kea-dhcp4-server
  ```
- [x] Enable DHCP on the router and remove port mapping and release/renew IP address

  Windows: `ipconfig /release` and then `ipconfig /renew`
- [x] Shutdown PI

  Make sure the USB drive has spun down before doing any work.

  ```
  sudo shutdown -h now
  ```
- [x] Create SD card with the latest Raspberry Pi OS

  Using the SD card in the now powered down PI. installer download
- [x] Touch `ssh` on the boot volume of the SD Card

  See this handy post for details. This requires disconnecting the SD card and plugging it back in so it gets mounted in Windows.

## Post OS install steps on desktop

- [x] Ensure a working ansible environment

  Not much to say except use `virtualenv`. I don't have a consistent way to set this up because my macbook might be my controller, or my windows WSL host will be.
- [x] Turn on the PI and note the IP obtained from the Router
- [x] Transfer local public ssh key to PI

  In order to avoid the use of `sshpass`, copy the current session's public ssh key to `~/.ssh/authorized_keys` of the `pi` user on the PI. This user is only necessary to run the bootstrap playbook (which creates an admin `ansible` user) and will be subsequently cleaned up.

  ```
  ssh-copy-id pi@<pi ip>
  ```
- [x] Bootstrap with Ansible

  ```
  ./ansible.sh bootstrap -i <pi ip>
  ```
- [x] Add the PI port forwarding

  Needed for the `certbot` ACME challenge in the next step.
- [x] Complete full configuration

  ```
  ./ansible.sh apply -i <pi ip>
  ```
- [x] Reboot PI
- [x] Re-add port mapping to the static IP
- [x] Disable DHCP on the router
- [x] Deploy goodenoughmoney.com
- [x] Create `pi` Samba user

  Run the following on the PI:

  ```
  sudo smbpasswd -a pi
  ```
- [x] Deploy navidrome

  Run `navidrome.sh` as `root` on the PI.
- [x] Make this template slightly better

## How Do I Know I Am Done?

- [x] https://www.goodenoughmoney.com/ displays stuff
- [x] https://home.scottmuc.com/music/ loads navidrome and the music is playable
- [x] Z:\ on my Windows PC works
- [x] `ipconfig /release` and then `ipconfig /renew` works
- [x] `nslookup analytics.google.com` is refused