This is the code used on my personal secrets manager. As it was basically the platform where I started learning concepts about Raspberry Pis (and friends), it has had several iterations. Nowadays it runs VaultWarden, a lighter-weight BitWarden implementation, so it can be used with the many BitWarden clients/frontends.
Previously, it was based on pass. It had a minimal web interface (mainly for use with Windows devices) and an API (which powered a small Linux application). To see more about this older version, check out the `pass` git tag/release.
It runs VaultWarden. The device offers both wired (USB ethernet) and wireless (access point) connections to the web interface. A connection is automatically established when PizHid is plugged into another device and an IP is leased. On Linux, the IP of PizHid is 10.77.77.77, on Windows it is 10.77.78.77, and on the Access Point it is 10.77.79.77. If the client OS supports AVAHI (mDNS), PizHid can be reached at pizhid.local.
There are 2 physical buttons present on the device. One powers the device on/off, and the other toggles the access point.
- Set hostname to `pizhid`;
- Enable SSH;
- Enable SSH public-key authentication;
- Change default user to `pizhid`;
- Enable network;
- Set locale to `Europe/Lisbon`/`pt`;
- Skip first-run wizard.
The web server is available on 3 interfaces: `usb0` (Linux wired), `usb1` (Windows wired) and `uap0` (Wireless). IPs are automatically assigned to clients via a DHCP server.
- `usb0` - pizhid resides at 10.77.77.77/24 and serves IPs in the range [10.77.77.80, 10.77.77.99];
- `usb1` - pizhid resides at 10.77.78.77/24 and serves IPs in the range [10.77.78.80, 10.77.78.99];
- `uap0` - pizhid resides at 10.77.79.77/24 and serves IPs in the range [10.77.79.80, 10.77.79.99].
Note: pizhid is also available as pizhid.local with AVAHI.
The Access Point uses hostapd. The device only has 1 wlan interface, so it creates a virtual interface for the Access Point on top of the `wlan0` physical device (see RasAP Docs AP-STA mode). These 2 are bridged, so clients connected to the Access Point can access the Internet through IPv4 forwarding by PizHid. Internet access through PizHid is only provided to Access Point clients: devices can usually only be connected to 1 wireless network at a time, whereas a wired client keeps its own connectivity, so forwarding would be unnecessary (or even detrimental) for wired connections.
- Swap is disabled for faster boot times and SD card preservation. It brought no benefit, since the device's memory usage is extremely low.
- Logging to the SD card causes useless wear:
  - Log2Ram is used to reduce this wear;
  - Install it, then copy the config file to `/etc/log2ram.conf`.
- An entry in fstab was added for `/tmp` to be a tmpfs (40MB).
Just read this post (it is great): How to Squeeze 50% More Memory Out of Your Raspberry Pi with zram.
The server runs nginx to serve the SSL certificate and reverse proxy to VaultWarden. The certificate resides in the `/etc/ssl/certs` directory and the key in the `/etc/ssl/private` directory. Set these according to your needs.
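An nginx site for this setup, written here as an added example (it is not the configuration shipped in the PizHid repository). It assumes the VaultWarden container is published on loopback only (127.0.0.1:8080, so clients can only reach it through nginx), that the certificate and key file names are placeholders to replace with your own, and that PizHid is administered over the wired Linux interface.

```nginx
# Added example, not from the PizHid repo. Assumes VaultWarden is published
# on loopback only (127.0.0.1:8080) and that the cert/key names are placeholders.

# Forward a WebSocket upgrade only when the client asked for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects; BitWarden clients refuse to talk to HTTP anyway.
server {
    listen 80;
    server_name pizhid.local 10.77.77.77 10.77.78.77 10.77.79.77;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name pizhid.local 10.77.77.77 10.77.78.77 10.77.79.77;

    ssl_certificate     /etc/ssl/certs/pizhid.crt;    # placeholder file name
    ssl_certificate_key /etc/ssl/private/pizhid.key;  # placeholder file name
    ssl_protocols       TLSv1.2 TLSv1.3;              # drop legacy TLS versions

    client_max_body_size 128M;  # vault imports and attachments can be large

    # Admin panel: ADMIN_TOKEN still applies, but additionally only the wired
    # Linux subnet may reach it (assumption: PizHid is administered over usb0).
    location /admin {
        allow 10.77.77.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading; with a self-signed certificate the clients still need the certificate (or its CA) installed before they will accept the connection.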
- There is an Ansible playbook, but it shouldn't be used:
  - I didn't test it
  - I didn't build it in a way that could be used more than once on the same device (idempotency)
  - It is just a way for me to organize the steps
- BitWarden clients need HTTPS, so you need SSL certificates:
  - These can be self-signed, but they are harder to use in some clients
- The hostapd config contains the Access Point's password in plaintext:
  - Just set a password for your device
- The `boot/cmdline.txt` file contains a partition UUID, and things like that need to be changed when applied to other devices
- There are probably better/lighter-weight alternatives to nginx for this use case
- VaultWarden needs an admin token:
  - Generate it using `openssl rand -base64 48`
  - Don't forget to pass it when starting the docker container
- VaultWarden data is stored using a bind-mount at `/bw-data`
Software that made this possible.
- Log2Ram - `/var/log` in a tmpfs
- Zram-swap config
- DHCPCD5
- ISC DHCP
- hostapd
- Nginx
- VaultWarden
- Composite USB Gadgets on the Raspberry Pi Zero
- Arch wiki tmpfs
- Linux USB gadget configured through configfs
- Dynamic MOTD on Debian/Ubuntu
- Raspberry Pi Docs
- Building a WiFi Enabled USB Rubber Ducky with a Raspberry Pi 0 w
- Extend The Lifespan of Your Raspberry Pi's SD Card with log2ram
- How to Squeeze 50% More Memory Out of Your Raspberry Pi with zram
- Libcomposite USB gadget example
- Post-Config of a RaspberryPi Zero W as an OTG-USB Gadget for off-device computing
- RasAP Docs AP-STA mode
- Creating Wireless Router using Raspberry Pi Zero W
- Hostapd config file
- BYOPM – Bring Your Own Password Manager
I don't know. I don't care. I'm not responsible for anything.