path: root/articles/rss.xml
blob: e280062e4498bcefaf18427e2fa246eaddf789a3 (plain)
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">

<channel>
<title>Jacob McDonnell</title>
<description>Articles from Jacob McDonnell.</description>
<language>en-us</language>
<link>https://jacobmcdonnell.com/rss.xml</link>
<atom:link href="https://jacobmcdonnell.com/rss.xml" rel="self" type="application/rss+xml" />
<image>
<title>Jacob McDonnell</title>
<url>https://jacobmcdonnell.com/favicon.ico</url>
<link>https://jacobmcdonnell.com/rss.xml</link>
</image>

<!-- LB -->







<item>
<title>Hosting a Website on the Raspberry Pi with Rocky Linux</title>
<guid>https://jacobmcdonnell.com/articles/RpiRockyLinuxServer/</guid>
<link>https://jacobmcdonnell.com/articles/RpiRockyLinuxServer/</link>
<pubDate>Sun, 19 Feb 2022 15:00:00 -0500</pubDate>
<description><![CDATA[
			<p>First, download Rocky Linux for the Raspberry Pi 3 &amp; 4 from <a href='https://rockylinux.org/alternative-images'>their website</a>.</p>
			<center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.15.13 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.15.13 PM"></center>
			<p>Next, burn this image to the SD card that you are going to use. Then start up the Raspberry Pi and log in as the default user <code>rocky</code> with the password <code>rockylinux</code>.</p>
			<p>To make the image take up the whole drive, run:</p>
			<pre><code class='language-shell' lang='shell'>sudo rootfs-expand
			</code></pre>
			<p>Now, you should create a new user:</p>
			<pre><code class='language-shell' lang='shell'>sudo useradd -m -g users -G wheel userName
sudo passwd userName
			</code></pre>
			<p>Next, delete the default user. Log out, log in as your new user, and run:</p>
			<pre><code class='language-shell' lang='shell'>sudo userdel rocky
			</code></pre>
			<p>&nbsp;</p>
			<hr />
			<h2 id='setting-a-static-ip-address'>Setting a static IP address </h2>
			<p>The easiest way is to run:</p>
			<pre><code class='language-shell' lang='shell'>sudo nmtui
			</code></pre>
			<center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.18.39 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.18.39 PM"></center>
			<p>Select <strong>Edit a connection</strong> and select your network interface.</p>
			<center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.23.20 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.23.20 PM"></center>
			<p>Select <strong>Show</strong> for <strong>IPv4 CONFIGURATION</strong> and enter the IP you want to set. Then select <strong>OK</strong> at the bottom, and quit the program.</p>
			<h2 id='securing-the-pi'>Securing the Pi</h2>
			<h3 id='ssh-key-authorization'>SSH Key Authorization</h3>
			<p>The best way to secure the Pi is to use an SSH key to log in instead of a password. First, generate an SSH key by running the following on your computer:</p>
			<pre><code class='language-shell' lang='shell'>ssh-keygen -t rsa -f ~/.ssh/mykey
			</code></pre>
			<p>Next, to copy your SSH key to your server, run:</p>
			<pre><code class='language-shell' lang='shell'>ssh-copy-id -i ~/.ssh/mykey user@host
			</code></pre>
			<p>To test that it works, run:</p>
			<pre><code class='language-shell' lang='shell'>ssh -i ~/.ssh/mykey user@host
			</code></pre>
			<p>If it worked, you should be able to connect without needing a password.</p>
			<p>To require an SSH key for login, edit <code>/etc/ssh/sshd_config</code> using nano or vim.</p>
			<p>Change <code>PermitRootLogin yes</code> to <code>PermitRootLogin no</code> and <code>PasswordAuthentication yes</code> to <code>PasswordAuthentication no</code>. The changes take effect once the sshd service is restarted.</p>
			<h3 id='setting-up-fail2ban'>Setting up fail2ban</h3>
			<p>First start and enable firewalld to run at boot:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl start firewalld
sudo systemctl enable firewalld
			</code></pre>
			<p>Now, enable the EPEL repository for Rocky Linux and install fail2ban:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf install epel-release -y
sudo dnf install fail2ban fail2ban-firewalld -y
			</code></pre>
			<p>Start and enable fail2ban to run at boot:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl start fail2ban
sudo systemctl enable fail2ban
			</code></pre>
			<p>Now, to make fail2ban work with firewalld, run:</p>
			<pre><code class='language-shell' lang='shell'>sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
sudo systemctl restart fail2ban
			</code></pre>
			<p>To create an SSH jail, create the jail config file with vim or nano:</p>
			<pre><code class='language-shell' lang='shell'>sudo nano /etc/fail2ban/jail.d/sshd.local
			</code></pre>
			<p>Paste the following into the file and change the values as you see fit:</p>
			<pre><code>[sshd]
enabled = true
bantime = 1d
maxretry = 3
			</code></pre>
			<p>Save and close the file and restart fail2ban:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl restart fail2ban
			</code></pre>
			<h2 id='setting-up-dynamic-dns-with-google-domains'>Setting up Dynamic DNS with Google Domains</h2>
			<h3 id='configuring-google-domains'>Configuring Google Domains</h3>
			<p>First, on <a href='https://domains.google.com/'>Domains.google.com</a> go to the DNS page for your domain. Scroll down and click on <strong>Show advanced settings</strong>, click <strong>Manage dynamic DNS</strong>, and then click <strong>Create new record</strong>. Enter your subdomain or leave it blank for the domain itself. Finally, click <strong>Save</strong>.</p>
			<h3 id='installing-ddclient'>Installing ddclient</h3>
			<p>To install ddclient, you need to enable the PowerTools repo for the Perl dependency.</p>
			<p>First, install <code>dnf-plugins-core</code>:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf -y install dnf-plugins-core
sudo dnf upgrade
			</code></pre>
			<p>Next, enable PowerTools:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf config-manager --set-enabled powertools
			</code></pre>
			<p>Then, you can install ddclient:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf install ddclient
			</code></pre>
			<p>Now, we want to edit the config file for ddclient:</p>
			<pre><code class='language-shell' lang='shell'>sudo nano /etc/ddclient.conf
			</code></pre>
			<p>You&#39;ll want to look for where it says <code>protocol=dyndns2</code>, and enter your information:</p>
			<pre><code>##
## nsupdate.info IPV4(https://www.nsupdate.info)
##
protocol=dyndns2
use=web, web=http://ipv4.nsupdate.info/myip
server=domains.google.com
login=username
password=password
domain.tld
			</code></pre>
			<p>Wait about 5 minutes and on the Google Domains website, under Dynamic DNS you should see your IP address under <strong>Data</strong>.</p>
			<h2 id='setting-up-nginx-and-lets-encrypt'>Setting up NGINX and Let&#39;s Encrypt</h2>
			<h3 id='installing-nginx'>Installing NGINX</h3>
			<p>First, install the nginx web server:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf install nginx
			</code></pre>
			<p>Next, start and enable nginx to run at boot:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl start nginx
sudo systemctl enable nginx
			</code></pre>
			<p>Then, check the status to see if it is running:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl status nginx
			</code></pre>
			<center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.56.21 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.56.21 PM"></center>
			<p>Now, we have to allow HTTP and HTTPS traffic through the firewall:</p>
			<pre><code class='language-shell' lang='shell'>sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
			</code></pre>
			<p>In a web browser, go to the local IP of the server and you should see the nginx welcome page.</p>
			<center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.58.29 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.58.29 PM"></center>
			<h3 id='configuring-nginx'>Configuring NGINX</h3>
			<p>First, make the folder where your website will live:</p>
			<pre><code class='language-shell' lang='shell'>sudo mkdir -p /var/www/websiteName
			</code></pre>
			<p>Next, we need to set the proper permissions to make sure everything works:</p>
			<pre><code class='language-shell' lang='shell'>sudo chown -R nginx /var/www/websiteName
sudo chmod -R 755 /var/www/websiteName
			</code></pre>
			<p>Now, we will create the config file for the website:</p>
			<pre><code class='language-shell' lang='shell'>sudo nano /etc/nginx/conf.d/websiteName.conf
			</code></pre>
			<p>and paste the following into the file:</p>
			<pre><code>server {
	listen 80;
	server_name domain.tld www.domain.tld;
	root /var/www/websiteName;
	index index.php index.html index.htm;
	access_log /var/log/nginx/websiteName.access.log;
	error_log /var/log/nginx/websiteName.error.log;
}
			</code></pre>
			<p>Now, confirm that the nginx configuration is ok:</p>
			<pre><code class='language-shell' lang='shell'>sudo nginx -t
			</code></pre>
			<p>Restart nginx:</p>
			<pre><code class='language-shell' lang='shell'>sudo systemctl restart nginx
sudo systemctl status nginx
			</code></pre>
			<p>Next, set SELinux to permissive mode, in which policy violations are logged but no longer blocked:</p>
			<pre><code class='language-shell' lang='shell'>sudo setenforce permissive
sudo getenforce
			</code></pre>
			<p>To keep SELinux in permissive mode after a reboot, run:</p>
			<pre><code class='language-shell' lang='shell'>sudo sed -i --follow-symlinks &#39;s/SELINUX=enforcing/SELINUX=permissive/g&#39; /etc/sysconfig/selinux
			</code></pre>
			<h3 id='installing-and-running-certbot'>Installing and Running Certbot</h3>
			<p>To install Certbot run:</p>
			<pre><code class='language-shell' lang='shell'>sudo dnf install certbot python3-certbot-nginx
			</code></pre>
			<p>To get SSL certificates for your websites run:</p>
			<pre><code class='language-shell' lang='shell'>sudo certbot --nginx
			</code></pre>
			<p>Answer the prompts that show up on screen as you wish.</p>
			<p>To configure automatic renewal of the SSL certificate, edit root's crontab:</p>
			<pre><code class='language-shell' lang='shell'>sudo crontab -e
			</code></pre>
			<p>and add the following line:</p>
			<pre><code>0 12 * * * /usr/bin/certbot renew --quiet
			</code></pre>
			<p>This will check every day at noon whether the certificate will expire in the next month; if so, it will renew the certificate.</p>
			<p>Now your website should be operational.</p><br>
]]></description>
</item>



</channel>

</rss>