In my home network, I have a Raspberry Pi4 which provides DNS (pi-hole) and NTP (chrony). Its a device that I don’t touch often and is a ‘production’ type service — in my lab I don’t mind blowing up \/ breaking things… but this device needs to be stable. If DNS goes offline the family can’t stream shows and it’s a real production down sort of situation. Systems in my lab consume NTP from this device, and regular devices in my home network rely on it providing DNS (for ad blocking as well as conditional forwarding of lab domains to DNS servers in the lab). A few days ago, I noticed that this system was down — it wasn’t answering DNS requests and SSH\/VNC wasn’t working. After power cycling the system, I was also no longer able to ping the device. After a bit of troubleshooting, I realized that the SD card used as boot media had failed. The system had been running 24×7 for ~5 years, logging DNS requests and such, probably more write IO than anyone should expect from a consumer SD card.<\/p>\n\n\n\n
To resolve the issue I ordered a new SD card… but I realized that this system had about 5 years of various configurations. I’m going to attempt to document the configuration (at least what I remember about it) below.<\/p>\n\n\n\n
The previous Raspberry Pi used the Raspbian OS with a GUI. However, I never really used the GUI and primarily access this system remotely. Since most other systems I manage use Ubuntu (specifically 24.04), I decided to install that OS using the server instructions from here: https:\/\/ubuntu.com\/tutorials\/how-to-install-ubuntu-on-your-raspberry-pi#1-overview<\/a>.<\/p>\n\n\n\n I used the Raspberry Pi Imager for Windows, which allowed me to customize the username\/password, hostname, etc of the OS so that it booted up and I could connect via ssh.<\/p>\n\n\n\n Once I was logged into the system, the first thing I did was make sure it was up to date using In rare cases, I’ll access something from my lab from the Raspberry Pi. To make this work without certificate warnings, I installed the lab CA certificate. This is just two commands, one to copy the file and another to update the certs.<\/p>\n\n\n\n I had a handful of extra packages that I installed. I’ll discuss each of these later, but for now we’ll install them all in one pass.<\/p>\n\n\n\n For some occasional testing, I’ll use a proxy server in my lab. This was running in a dedicated VM, but while I’m revisiting things, I decided to co-locate it on this appliance.<\/p>\n\n\n\n I prefer having NTP servers running on physical devices. Since I don’t have many of those in the lab, I use the Raspberry Pi as a locally accessible NTP server. I’m using the The reason I first purchased this Raspberry Pi was to block ads on my home network using pi-hole. <\/p>\n\n\n\n Most Ubuntu boxes in my lab are joined to Active Directory for common logins. I configured the same for the Raspberry Pi, although it is not really required.<\/p>\n\n\n\n Once everything was configured\/ready, I decided to put the device in service by changing the IP from the DHCP address originally obtained to the static IP address I have configured on most devices.<\/p>\n\n\n\n To make the new network settings active, we must apply those file changes with The Raspberry Pi Imager utility used The Raspberry Pi in my lab has been running for about 5 years with little to no maintenance. Other than this one failed SD card things have been very reliable. The steps here are mostly notes for future reference if I need to rebuild the device again. Hopefully you’ll find the notes helpful. <\/p>\n","protected":false},"excerpt":{"rendered":" In my home network, I have a Raspberry Pi4 which provides DNS (pi-hole) and NTP (chrony). Its a device that I don’t touch often and is a ‘production’ type service — in my lab I don’t mind blowing up \/ … Continue reading sudo apt update && sudo apt upgrade<\/code>. This installed a bunch of updates, so I rebooted for good measure.<\/p>\n\n\n\nLab Certificate<\/h2>\n\n\n\n
sudo wget http:\/\/www.example.com\/build\/rootca-example-com.crt -P \/usr\/local\/share\/ca-certificates\nsudo update-ca-certificates<\/code><\/pre>\n\n\n\nInstall extra packages<\/h2>\n\n\n\n
sudo apt install sssd-ad sssd-tools realmd adcli chrony tinyproxy<\/code><\/pre>\n\n\n\nProxy Server<\/h2>\n\n\n\n
# configure proxy\nsudo nano \/etc\/tinyproxy\/tinyproxy.conf\n\n# change LogLevel from Info to Warning\n# Allow 192.168.0.0\/16 by removing comment\n\nsudo systemctl reload tinyproxy<\/code><\/pre>\n\n\n\nNTP (chrony)<\/h2>\n\n\n\n
chrony<\/code> service to do this and allow anything in the lab to query this device for time. <\/p>\n\n\n\n# configure NTP\nsudo nano \/etc\/chrony\/chrony.conf\n# append the following comment \/ allow lines to the file\n# Define the subnets that can use this host as an NTP server\nallow 192.168.0.0\/16\n\nsudo systemctl restart chrony.service<\/code><\/pre>\n\n\n\nPi-Hole<\/h2>\n\n\n\n
curl -sSL https:\/\/install.pi-hole.net | bash\n\n# create a custom config file for various forward\/reverse domain forwarding:\nsudo nano \/etc\/dnsmasq.d\/05-custom.conf\n\n# contents of above new file\nserver=\/lab.enterpriseadmins.org\/192.168.127.30\nserver=\/lab.enterpriseadmins.org\/192.168.32.30\nserver=\/example.com\/192.168.127.30\nserver=\/example.com\/192.168.32.30\nserver=\/168.192.in-addr.arpa\/192.168.127.30\nserver=\/168.192.in-addr.arpa\/192.168.32.30\n\n# from web UI, restart resolver.\n# Update pihole settings > DNS, change from recommended allow only local requests to 'permit all origins' so that all lab subnets can resolve names.\n\n# enable php for non-pihole \/admin locations\nsudo lighttpd-enable-mod fastcgi fastcgi-php\nsudo service lighttpd reload\n\n# Create redirect page for \/ to \/admin\necho '<head> <meta http-equiv=\"Refresh\" content=\"0; URL=\/admin\" \/> <\/head>' | sudo tee \/var\/www\/html\/index.html\n\n# Create 'get-hostname.php' file in \/var\/www\/html as well, this is for Aria Ops management pack. The contents of the file should be:\n<?php echo '{\"hostname\":\"' . gethostname() . '\"}'; ?><\/code><\/pre>\n\n\n\nActive Directory Join<\/h2>\n\n\n\n
# configure AD\necho '%lab\\ linux\\ sudoers ALL=(ALL) NOPASSWD:ALL' | sudo tee -a \/etc\/sudoers\nsudo \/usr\/sbin\/pam-auth-update --enable mkhomedir\n\nsudo \/usr\/sbin\/realm join lab.enterpriseadmins.org -U svc-windowsjoin --computer-ou \"ou=services,ou=lab servers,dc=lab,dc=enterpriseadmins,dc=org\"\nsudo sed -i -e 's\/^#\\?use_fully_qualified_names.*\/use_fully_qualified_names = False\/g' \/etc\/sssd\/sssd.conf\nsudo systemctl restart sssd.service<\/code><\/pre>\n\n\n\nStatic IP<\/h2>\n\n\n\n
network:\n version: 2\n ethernets:\n eth0:\n match:\n macaddress: \"dc:a6:32:aa:aa:aa\"\n dhcp4: no\n addresses: [192.168.127.53\/24]\n routes:\n - to: default\n via: 192.168.127.254\n nameservers:\n addresses: [192.168.127.53,192.168.32.53]<\/code><\/pre>\n\n\n\nsudo netplan apply<\/code>.<\/p>\n\n\n\nCleanup<\/h2>\n\n\n\n
cloud-init<\/code> to do some customizations. This was running at each startup and left a few messages on the system console. Since we no longer need cloud-init<\/code> after the system is online, we’ll just remove the package with:<\/p>\n\n\n\nsudo apt purge cloud-init<\/code><\/pre>\n\n\n\nConclusion<\/h2>\n\n\n\n