# flashing os to sd card unzip -p .img | dd of=/dev/mmcblk0 bs=4M conv=fsync status=progress # enable sshd and wifi on first boot mount /dev/mmcblk0#p1 /mnt/pi touch /mnt/pi/boot cp ./files/boot/wpa_supplicant.conf /mnt/pi ## edit /mnt/pi/config.txt disable_overscan=1 over_voltage=6 arm_freq=2147 gpu_freq=750 # secure ssh ## copy ssh key ssh-copy-id -i .ssh/id_rsa.pub pi@ ## edit /etc/ssh/sshd_config PermitRootLogin no PasswordAuthentication no ## restart ssh service service sshd restart # disable bluetooth rfkill block bluetooth # clear password for all users ## edit /etc/shadow # update system apt update apt upgrade apt autoremove rpi-eeprom-update # install tools sudo apt install tmux neovim ranger neofetch # install required tools for gitea sudo apt install git sqlite3 # git user useradd --create-home git # gitea wget https://dl.gitea.io/gitea/1.15.10/gitea-1.15.10-linux-arm64 chmod +x gitea-1.15.10-linux-arm64 # install pihole & pivpn curl -L https://install.pivpn.io | bash curl -sSL https://install.pi-hole.net | bash #change pihole password pihole -a -p # pivpn pivpn -d # 80 -> 8080 lighttp sed -i "s/80/8080/" /etc/lighttpd/lighttpd.conf service lighttpd restart # nginx & certbot sudo apt install nginx certbot python3-certbot-nginx # move default index page to /var/www/html/default mkdir /var/www/html/default mv /var/www/html/index* /var/www/html/default sed -i "s/w\/html/w\/html\/default/" /etc/nginx/sites-available/default service nginx restart # configure nginx to prevent spam limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_req zone=one; # ufw & fail2ban sudo apt install ufw fail2ban sudo nvim /etc/default/ufw "disable ipv6" sudo ufw allow from 192.168.0.0/24 sudo ufw allow from 10.8.0.0/24 sudo ufw allow to any app "SSH" sudo ufw allow to any app "WWW Full" sudo ufw allow to any app "XMPP" sudo ufw enable # certbot certbot -d gajba.cf -d chat.gajba.cf -d git.gajba.cf --nginx # ovpn pivpn add -n aleksa # prosody sudo apt install prosody coturn admins = { "aleksa@gajba.cf" } VirtualHost "gajba.cf" service prosody restart sudo prosodyctl --root cert import /etc/letsencrypt/live/ sudo prosodyctl adduser aleksa@gajba.cf # mail server # in progress # that's it reboot