Closed scottmuc closed 2 years ago
Main playbook failed at installer kea. Thank you @diefida for finding that kea-dhcp-server isn't in bullseye debian's package repository: https://packages.debian.org/sid/kea-dhcp4-server
ansible@raspberrypi:/etc/apt $ uname -a
Linux raspberrypi 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux
ansible@raspberrypi:/etc/apt $ more sources.list
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
# Uncomment deb-src lines below then 'apt-get update' to enable 'apt-get source'
#deb-src http://deb.debian.org/debian bullseye main contrib non-free
#deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free
#deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free
We've chosen (adding @lx4r) to comment out the kea install and move forward with the playbook and fix later.
ISC recommends using their package repositories because they are often more up-to-date than the OS repositories: https://kb.isc.org/docs/isc-kea-packages
Second run of the main playbook succeeded. I made a typo in re-adding port forwarding (incorrect TLS port), but once that was changed, nginx was reachable.
For some reason, the samba share isn't working, and I need to fix the DHCP server installation.
The new ansible tasks worked as well as the resolver role that was created.
Lastly, the gum enabled script worked like a charm.
Now that the playbook is getting a bit large, I want to skip most of the playbook while iterating on a certain task. For the next repave, I'm going to look into using ansible tags and integrate this bit of code into the ansible runner script.
Reviewing the key management in the playbook, I saw the apt_key might be going soon. Or at least its implementation will be changing drastically.
Something to possibly alter before the next repave.
Attempting to use the Cloudsmith repositories doesn't look promising. There doesn't appear to exist a package for the PI cpu architecture: https://cloudsmith.io/~isc/repos/kea-2-2/packages/detail/deb/isc-kea-dhcp6-server/2.2.0-isc20220726061131/a=amd64;d=debian%252Fbullseye;t=binary/ (I can only find amd64).
So having a running dhcpd-server is blocked because the OS repositories don't have the package, and the "supported" Cloudsmith repositories don't have the package with the correct architecture.
The following output feels like it would be valuable to add to each repave issue after completion:
ansible@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
ansible@raspberrypi:~ $ uname -a
Linux raspberrypi 5.15.61-v8+ #1579 SMP PREEMPT Fri Aug 26 11:16:44 BST 2022 aarch64 GNU/Linux
@diefida, @lx4r, thanks for following along with this repave! Looks like the KEA package thing is going to be a pain. For now I'm sticking with my router for DHCPD until the next repave. Something I could possibly do is repave with an older base image, but that defeats the purpose of doing this to keep things up-to-date.
Another alternative is to bypass apt and install the .deb directly. Not sure what ramifications that would have.
Calling this repave done. The main consequence of not having the dhcpd stuff sorted out is that my network won't be using the blocking DNS resolver (unless set manually). It's an ok compromise for now.
Using the sid repository might be an extreme and dangerous option: https://chromeunboxed.com/how-to-add-the-sid-testing-repository-and-get-the-latest-linux-apps-on-your-chromebook/
Yay for Repaving!
As much as possible is documented inline in this issue template. In case of problems you may find help by viewing all the previous repave issues. Have fun!
Things to do with the existing build
[x] Disable DHCP on the PI
Ensure that when we renew our DHCP lease, it comes from our router.
sudo systemctl stop kea-dhcp4-server
[x] Enable DHCP on the router and remove port mapping and release/renew IP address
Windows: ipconfig /release and then ipconfig /renew
[x] Shutdown PI
Make sure the USB drive has spun down before doing any work.
sudo shutdown -h now
[x] Create SD card with the latest Raspberry Pi OS
Using the SD card in the now powered down PI.
The new installer has options to enable SSH and create a user.
installer download
Post OS install steps on desktop
[x] Ensure a working ansible environment
Not much to say except use virtualenv. I don't have a consistent way to set this up because my macbook might be my controller, or my windows WSL host will be.
[x] Turn on the PI and note the IP obtained from the Router
[x] Transfer local public ssh key to PI
In order to avoid the use of sshpass, copy the current session's public ssh key to ./ssh/authorized_keys of the pi user on the PI. This user is only necessary to run the bootstrap playbook (which creates an admin ansible user) and will be subsequently cleaned up.
ssh-copy-id pi@<pi ip>
[x] Bootstrap with Ansible
./ansible.sh bootstrap -i <pi ip>
[x] Add the PI port forwardi
Needed for the certbot ACME challenge in the next step.
[x] Complete full configuration
./ansible.sh apply -i <pi ip>
[x] Reboot PI
[x] Re-add port mapping to the static IP
[x] ~Disable DHCP on the router~
[x] Deploy goodenoughmoney.com
[x] Create pi Samba user
Run the following on the PI
sudo smbpasswd -a smbrw
[x] Deploy navidrome
run navidrome.sh as root on the PI
[x] Make this template slightly better
How Do I Know I Am Done?
[x] https://www.goodenoughmoney.com/ displays stuff
[x] https://home.scottmuc.com/music/ loads navidrome and the music is playable
[x] Z:\ on my Windows PC works
[x] ipconfig /release and then ipconfig /renew works
[x] nslookup analytics.google.com is refused