From 2ac26e9a3438b826c18564d3cd422bb861b4f65c Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Tue, 4 Aug 2020 01:20:33 +0000
Subject: [PATCH] Resolve "Raspberry Pi OS bugs"

---
 README.md | 16 +++++++++-------
 scripts/install.sh | 6 +++---
 scripts/subinstallers/cockpit.sh | 5 +----
 scripts/subinstallers/docker_manual.sh | 8 ++++----
 scripts/subinstallers/wireguard.sh | 5 +++--
 5 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index 6676760..50ffc3d 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,9 @@ Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
 - Ubuntu 18.04 LTS
 - Debian 10 (Buster)
-- Raspbian Buster
+- Raspberry Pi OS (formerly Raspbian) Buster
+
+**Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
 
 Tested Browsers:
 - Firefox
@@ -59,8 +61,8 @@ The Mistborn docker images exist for these architectures:
 
 | Mistborn Docker Images (hub.docker.com) | Architectures |
 |------------------------------------------------|---------------------|
-| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, armv7 |
-| dnscrypt-proxy | amd64, arm64, armv7 |
+| mistborn (django, celery{worker,beat}, flower) | amd64, arm64, arm/v7 |
+| dnscrypt-proxy | amd64, arm64, arm/v7 |
 
 Recommended System Specifications:
 
@@ -132,8 +134,8 @@ Running `install.sh` will do the following:
 - install Docker
 - install OpenSSH
 - install Wireguard
-- install Cockpit
-- create a `cockpit` system user
+- install Cockpit (optional)
+- create a `cockpit` system user (if Cockpit is installed)
 - configure unattended-upgrades
 - generate a self-signed TLS certificate/key (WebRTC functionality requires TLS)
 - create and populate traefik.toml
@@ -317,7 +319,7 @@ But wait, there's more! You can:
 | Rocket.Chat | [Rocket.Chat](https://play.google.com/store/apps/details?id=chat.rocket.android) | [Rocket.Chat](https://apps.apple.com/us/app/rocket-chat/id1148741252) |
 
 ## TLS Certificate
-Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings.
+Some apps require TLS (HTTPS). All traffic to Mistborn domains already occurs over Wireguard but to keep apps running, a TLS certificate exists for Mistborn and can be imported into your device's trusted credentials in the security settings. This certificate is checked every day and will be re-generated when expiration is less than 30 days away.
 
 The TLS certificate can be found here:
 ```
@@ -446,7 +448,7 @@ These are some notes regarding the technical design and implementations of Mistb
 ## Additonal Notes
 - Interface names are not hardcoded anywhere in Mistborn. Two commands that are used in different circumstances to determine the default network interface and the interface that would route a public IP address are: `ip -o -4 route show to default` and `ip -o -4 route get 1.1.1.1`.
 - The "Update" button will pull updated Docker images for mistborn, postgresql, redis, pihole, and dnscrypt. Those services will then be restarted.
-- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 10 years. The nanny at Apple has decided to restrict the kinds of certificates iOS users may choose to manually trust and so you may have issues with TLS on an Apple device for now.
+- The generated TLS certificate has an RSA modulus of 4096 bits, is signed with SHA-256, and is good for 397 days. The certificate is checked daily and will regenerate when expiration is within 30 days.
 - Outbound UDP on port 53 is blocked. All DNS requests should be handled by the dnscrypt_proxy service and if any client, service, etc. tries to circumvent that it is blocked.
 - Unattended upgrades are set to automatically install operating system security updates.
 
diff --git a/scripts/install.sh b/scripts/install.sh
index 2a5c4ce..a904d7c 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -69,9 +69,9 @@ fi
 
 # Install Cockpit?
 if [ -z "${MISTBORN_INSTALL_COCKPIT}" ]; then
-  read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface)? [Y/n]: " MISTBORN_INSTALL_COCKPIT
+  read -p "Install Cockpit (a somewhat resource-heavy system management graphical user interface -- NOT RECOMMENDED on Raspberry Pi)? [y/N]: " MISTBORN_INSTALL_COCKPIT
   echo
-  MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-Y}
+  MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}
 fi
 
 # SSH keys
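Review bot: The rewritten `read -p "Install Cockpit (...)? [y/N]: " MISTBORN_INSTALL_COCKPIT` line still lacks `-r`, so a backslash typed at the prompt is interpreted instead of stored; `read -r -p "..." MISTBORN_INSTALL_COCKPIT` keeps the rest of the line unchanged. Switching the fallback to `MISTBORN_INSTALL_COCKPIT=${MISTBORN_INSTALL_COCKPIT:-N}` also flips the outcome for anyone who just presses Enter, and the script itself does not say why; a comment above the prompt such as `# Default is N: Cockpit is resource-heavy on Raspberry Pi; set MISTBORN_INSTALL_COCKPIT=Y to opt in` would record the reasoning next to the code. How the answer is later compared (for example case-sensitively against `Y`) is outside this hunk, so confirm that `n`/`N` and `y`/`Y` are both handled now that the default has changed case.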
@@ -132,7 +132,7 @@ sudo -E apt-get install -y dnsutils fail2ban
 
 # Install kernel headers
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
   sudo -E apt install -y linux-headers-$(uname -r)
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
   sudo -E apt install -y raspberrypi-kernel-headers
 fi
diff --git a/scripts/subinstallers/cockpit.sh b/scripts/subinstallers/cockpit.sh
index 445ea69..fbdb141 100755
--- a/scripts/subinstallers/cockpit.sh
+++ b/scripts/subinstallers/cockpit.sh
@@ -10,11 +10,8 @@ elif [ "$DISTRO" == "debian" ]; then
     && echo "buster-backports already in sources" \
     || echo 'deb http://deb.debian.org/debian buster-backports main' | sudo tee -a /etc/apt/sources.list.d/backports.list
 
-
-elif [ "$DISTRO" == "raspbian" ]; then
-
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     echo "Raspbian repos contain cockpit"
-
 fi
 
 sudo -E apt-get install -y cockpit
diff --git a/scripts/subinstallers/docker_manual.sh b/scripts/subinstallers/docker_manual.sh
index 5fca1c9..2cbb329 100755
--- a/scripts/subinstallers/docker_manual.sh
+++ b/scripts/subinstallers/docker_manual.sh
@@ -15,7 +15,7 @@ if [ "$DISTRO" == "ubuntu" ]; then
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 elif [ "$DISTRO" == "debian" ]; then
     curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | sudo apt-key add -
 fi
 
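Review bot: The message `echo "Raspbian repos contain cockpit"` is now also printed when `$DISTRO` is `raspios`, which the new branch condition `elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then` was added for; `echo "Raspberry Pi OS / Raspbian repos contain cockpit"` keeps the output accurate for both values. The `if` chain starts before this hunk, and `sudo -E apt-get install -y cockpit` runs after the `fi` regardless of which branch matched, so a short comment there stating that the install is expected to succeed from the default repos on every supported distro would make that intent explicit.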
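Review bot: The new `raspios` branch at `elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then` still builds the key URL on the next line from `$(. /etc/os-release; echo "$ID")`, so if `$DISTRO` is derived from that same `ID` the branch only works while `ID` is still `raspbian`; a value of `raspios` would presumably produce `https://download.docker.com/linux/raspios/gpg`, a path I do not believe Docker publishes, and `curl -fsSL` would then fail silently into `apt-key add -`. Since both values of `$DISTRO` are meant to use the Raspbian repository, hard-coding it is simpler and removes the dependence, e.g. `curl -fsSL https://download.docker.com/linux/raspbian/gpg | sudo apt-key add -`, with the matching change on the `echo "deb [arch=armhf] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \` line in the @@ -31 hunk; the @@ -43 hunk repeats the same branch condition. The `[arch=armhf]` pin in that @@ -31 hunk is also fixed regardless of what a 64-bit Raspberry Pi OS userland reports, so confirm against `dpkg --print-architecture` on that platform. Where `DISTRO` is assigned is outside this patch.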
@@ -31,7 +31,7 @@ elif [ "$DISTRO" == "debian" ]; then
     "deb https://download.docker.com/linux/debian \
     $(lsb_release -cs) \
     stable"
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     echo "deb [arch=armhf] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
     $(lsb_release -cs) stable" | \
     sudo tee /etc/apt/sources.list.d/docker.list
@@ -43,7 +43,7 @@ sudo apt-get update
 
 if [ "$DISTRO" == "ubuntu" ] || [ "$DISTRO" == "debian" ]; then
     sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io
-elif [ "$DISTRO" == "raspbian" ]; then
+elif [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
     sudo -E apt install -y --no-install-recommends \
         docker-ce \
         cgroupfs-mount
@@ -59,7 +59,7 @@ echo "Installing Docker Compose"
 # sudo chmod +x /usr/local/bin/docker-compose
 #elif [ "$DISTRO" == "raspbian" ]; then
     # Install required packages
-sudo -E apt install -y python-backports.ssl-match-hostname
+#sudo -E apt install -y python-backports.ssl-match-hostname
 
     # Install Docker Compose from pip
     # This might take a while
diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh
index a544591..1b7b339 100755
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
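Review bot: Commenting out `sudo -E apt install -y python-backports.ssl-match-hostname` in the @@ -59 hunk leaves a dead line next to the already commented `#elif [ "$DISTRO" == "raspbian" ]; then`, with no record of why the package is no longer installed or on which release that became safe. Either delete the line or replace it with a comment that states the reason, e.g. `# python-backports.ssl-match-hostname no longer required: <reason>` with the actual motivation filled in. The commented-out `#elif` suggests the surrounding distro handling for Docker Compose was removed earlier; the block it belonged to starts before this hunk, so confirm the pip install that follows still gets the right prerequisites on Raspberry Pi OS.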
@@ -9,18 +9,19 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
     echo "Adding Wireguard PPAs"
 
     # Wireguard
-    if [ "$DISTRO" == "raspbian" ]; then
+    if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
         echo "Adding Wireguard repo keys"
         sudo -E apt-get install -y dirmngr
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
+        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
     fi
 
     if [ "$DISTRO" == "ubuntu" ]; then
         # Ubuntu
         sudo add-apt-repository -y ppa:wireguard/wireguard
-    elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ]; then
+    elif [ "$DISTRO" == "debian" ] || [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
         # Debian
         sudo bash -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list'
         sudo bash -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable"
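Review bot: The added `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138`, like the three lines above it, fetches a key by its 64-bit ID over the default HKP transport and places it in apt's global trusted keyring, where it is accepted for every configured repository rather than only the Debian unstable source added further down. Prefer `hkps://keyserver.ubuntu.com`, the full 40-hex fingerprint in place of the short ID, and importing into a dedicated keyring under `/usr/share/keyrings/` that the `deb ... unstable main` line references with `[signed-by=...]`; `apt-key` itself is deprecated in current apt releases. A one-line comment above the key list naming which package or repository each key ID signs would let the next maintainer verify them instead of trusting four opaque IDs. The enclosing `if ! $(sudo apt-cache show wireguard ...)` block continues past the end of this hunk.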