(just keeping track of) Changes to pi:
- added authorized_keys
- Improve SSH security
- added pi-hole (https://github.com/pi-hole/pi-hole)
  Edit the lighttpd config with sudo vi /etc/lighttpd/external.conf and add:
  server.port := 8093
  then restart the lighttpd service with sudo /etc/init.d/lighttpd restart
  (so the pi-hole admin interface will run on port 8093 now)
- sudo apt-get install vim
  (see https://askubuntu.com/questions/293407/ubuntu-terminal-is-not-working-properly-in-vi-editor)
- Added https://wiki.debian.org/UnattendedUpgrades
- configured default
- install K3s
- (optional, if FritzBox) I made these changes to my FritzBox
- configure 'private' matters (API keys etc.)
Add/Uncomment in /etc/ssh/sshd_config:

```
Protocol 2                         # only SSH protocol version 2 (current OpenSSH speaks nothing else and ignores this line)
Port XXX                           # change to a different port to reduce noise
PasswordAuthentication no          # force use of keys instead of passwords
PermitEmptyPasswords no            # no empty passwords allowed
X11Forwarding no                   # no GUI display
PermitRootLogin prohibit-password  # root can't log in with a password (also needs to use keys)
```

Then restart the SSH daemon: sudo systemctl restart sshd
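As an added example (not part of the pi-pimps repo), a small POSIX shell audit that checks an sshd_config text for the directives listed above. The function names and the sample config are constructed; sshd takes the first uncommented occurrence of a keyword, which is what the check reads.

```sh
#!/bin/sh
# Added example, not from the pi-pimps repo: audit an sshd_config text for the
# hardening directives listed above. Function names and sample config are constructed.

# Constructed sample standing in for /etc/ssh/sshd_config: one directive is still wrong.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 2222
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
PermitRootLogin prohibit-password
'

# check_directive <config-text> <Keyword> <expected-value>
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what is read.
# Exit status: 0 ok, 1 wrong value, 2 not set (sshd then uses its built-in default).
check_directive() {
    _want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    _got=$(printf '%s\n' "$1" | grep -iE "^[[:space:]]*$2[[:space:]]+" | head -n 1 \
           | awk '{print tolower($2)}')
    if [ -z "$_got" ]; then
        echo "MISSING $2 (not set, sshd default applies)"
        return 2
    elif [ "$_got" = "$_want" ]; then
        echo "ok      $2 $_got"
        return 0
    else
        echo "FAIL    $2 is '$_got', expected '$3'"
        return 1
    fi
}

# audit_sshd_config <config-text>: one line per directive, exit status = number of findings
audit_sshd_config() {
    _fails=0
    check_directive "$1" PasswordAuthentication no                || _fails=$((_fails + 1))
    check_directive "$1" PermitEmptyPasswords   no                || _fails=$((_fails + 1))
    check_directive "$1" X11Forwarding          no                || _fails=$((_fails + 1))
    check_directive "$1" PermitRootLogin        prohibit-password || _fails=$((_fails + 1))
    # Port: the value is the owner's choice; the finding is only "still on the default 22"
    _port=$(printf '%s\n' "$1" | grep -iE '^[[:space:]]*Port[[:space:]]+' | head -n 1 | awk '{print $2}')
    if [ -z "$_port" ] || [ "$_port" = "22" ]; then
        echo "WARN    Port is the default 22"
        _fails=$((_fails + 1))
    else
        echo "ok      Port $_port"
    fi
    return "$_fails"
}

# On the Pi, audit the real file:  audit_sshd_config "$(sudo cat /etc/ssh/sshd_config)"
audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "$? directive(s) need attention"
```

The script does not understand Match blocks; for the configuration sshd actually applies, compare against sudo sshd -T, and run sudo sshd -t before restarting the daemon so a typo in the file (such as a misspelled keyword) does not lock you out.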
K3S networking features require iptables and do not work with nftables. Raspberry Pi OS (formerly Raspbian) defaults to nftables instead of iptables. Follow the steps below to configure Buster to use legacy iptables (note that iptables -F flushes all current filter rules):

```
sudo iptables -F
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo reboot
```
Standard Raspberry Pi OS installations do not start with cgroups enabled. K3S needs cgroups to start the systemd service. cgroups can be enabled by appending

cgroup_memory=1 cgroup_enable=memory

to the single line in /boot/cmdline.txt, followed by

sudo reboot
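As an added example (not from the pi-pimps repo), a POSIX shell function that appends the two cgroup parameters to a cmdline.txt line. /boot/cmdline.txt must stay a single line, so appending with echo >> (which adds a newline) is exactly what this avoids; the function is also idempotent, so running it twice never duplicates the parameters. The function name and the sample line are constructed.

```sh
#!/bin/sh
# Added example, not from the pi-pimps repo: add the cgroup parameters to a
# cmdline.txt line, keeping the file a single line and never duplicating params.
CGROUP_PARAMS="cgroup_memory=1 cgroup_enable=memory"

# add_cgroup_params <current cmdline.txt contents>  ->  prints the new single line
add_cgroup_params() {
    # fold any stray newline into a space and drop trailing whitespace
    _line=$(printf '%s' "$1" | tr '\n' ' ' | sed 's/[[:space:]]*$//')
    for _p in $CGROUP_PARAMS; do
        case " $_line " in
            *" $_p "*) ;;                        # already present, keep as is
            *) _line="$_line $_p" ;;
        esac
    done
    printf '%s\n' "$_line"
}

# Constructed sample of a stock Raspberry Pi OS cmdline.txt (the PARTUUID is made up).
SAMPLE_CMDLINE='console=serial0,115200 console=tty1 root=PARTUUID=00000000-02 rootfstype=ext4 fsck.repair=yes rootwait'

# On the Pi, keep a backup and rewrite the file in place:
#   sudo cp /boot/cmdline.txt /boot/cmdline.txt.bak
#   add_cgroup_params "$(cat /boot/cmdline.txt)" | sudo tee /boot/cmdline.txt
add_cgroup_params "$SAMPLE_CMDLINE"
```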
Fetch this repo and put the K3S config in place:

```
git clone https://github.com/H3rby7/pi-pimps.git
sudo mkdir -p /etc/rancher/k3s
sudo cp ./pi-pimps/etc/rancher/k3s/config.yaml /etc/rancher/k3s/config.yaml
sudo chmod 644 /etc/rancher/k3s/config.yaml
```

Copy the custom manifests to the K3S auto-deploy directory. The cp -rf command can be repeated on changes to reflect them in that auto-deploy directory (for example after pulling an update from this repo).

```
sudo mkdir -p /var/lib/rancher/k3s/server/manifests/custom
sudo cp -rf ./pi-pimps/var/lib/rancher/k3s/server/manifests/custom/* /var/lib/rancher/k3s/server/manifests/custom/
```

Set the cluster token (the value below is a placeholder, not a real token) and install:

```
export K3S_TOKEN=XXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXX-XXXXXXXXXXXXXX
curl -sfL https://get.k3s.io | sh -
```

After installation check with sudo kubectl version.
Running DynDNS on the Pi itself, to get IPv6 working properly. I chose DuckDNS.
Created an own shell script at ~/duckdns/duck.sh to run with crontab (it needs to be executable: chmod 700 ~/duckdns/duck.sh).
Started with the DuckDNS sample and added IPv6 support.

```sh
#!/bin/sh
# ~/duckdns/duck.sh: DuckDNS sample script with IPv6 added.
# Fetch this host's public IPv6 address from no-ip's IPv6 echo service.
ipv6=$(curl http://ip1.dynupdate6.no-ip.com/)
# Update DuckDNS. An empty ip= lets DuckDNS take the IPv4 address the request comes from.
# -K - reads the URL from stdin so the token does not show up in the process list.
# -k (from the DuckDNS sample) disables TLS certificate verification; it is not needed and can be dropped.
echo url="https://www.duckdns.org/update?domains=mydomain&token=your-token-from-duck-dns&ipv6=${ipv6}&ip=" | curl -k -o ~/duckdns/duck.log -K -
```

My crontab runs every 10 minutes (not 5), to not get banned by the IPv6 service. Edit it with crontab -e and add:

```
*/10 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
```
Copy the templates:

cp -r templates/* private/

and fill in your own data/keys/etc.

Create the necessary secrets:

kubectl -n cert-manager create secret generic issuer-account-key --from-literal=tls.key=YOURTLSKEY
Description | Port | Protect from Internet Traffic? |
---|---|---|
HTTP to HTTPS redirect | 30080 | no |
Traefik Ingress Routing | 30443 | no |
Traefik Dashboard | 30900 | Definitely YES! |
Useful commands to interact with K3S

Command | Purpose |
---|---|
k3s-killall.sh | Provided by the K3S binaries; stops the K3S service and the K3S Kubernetes cluster |
k3s-uninstall.sh | Provided by the K3S binaries; completely uninstalls K3S from the system (also clears all */rancher/k3s/* directories, so make sure to have backups of those files if necessary) |
curl -sfL https://get.k3s.io \| INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_FORCE_RESTART=true sh - | force K3S (service) restart |