Raspberry Pi install checklist

Posted on February 28, 2017 in DIY • 2 min read

UPDATE (13/07/2017): Removed RPi-Monitor and replaced it with Monitorix.

This is a memo for myself, to use as a checklist whenever I set up a new Raspberry Pi that is meant to run continuously (typically as a web server).

First, I start from the lite version of Raspbian.

After install:

  1. sudo apt-get update && sudo apt-get upgrade

  2. sudo raspi-config and tweak according to my needs.

  3. Install some useful tools:

    sudo apt-get install ack-grep fail2ban git heirloom-mailx htop libxml2-dev libxslt1-dev libyaml-dev moreutils msmtp-mta python-dev python-pip python3 python3-dev python3-pip screen vim zlib1g-dev
    

  4. Install Monitorix:

    # Install dependencies
    $ sudo apt-get install rrdtool perl libwww-perl libmailtools-perl libmime-lite-perl librrds-perl \
    libdbi-perl libxml-simple-perl libhttp-server-simple-perl libconfig-general-perl \
    libio-socket-ssl-perl
    # Install nginx and fcgiwrap
    $ sudo apt-get install nginx fcgiwrap
    
    Then, download the latest Monitorix Debian package from here.
    # Install the package
    $ sudo dpkg -i monitorix_3.9.0-izzy1_all.deb
    
    Then, configure it in /etc/monitorix/monitorix.conf and enable the graphs you want (graph_enable).

  5. Some useful bash config: echo 'export PATH=$HOME/.local/bin:$PATH' >> $HOME/.bashrc; echo 'export EDITOR=vim' >> $HOME/.bashrc.

  6. Use NTP to keep the system in sync with current time: sudo timedatectl set-ntp true.

  7. Load ip_conntrack_ftp module: echo "ip_conntrack_ftp" | sudo tee -a /etc/modules-load.d/modules.conf.

  8. Set up an iptables systemd service à la Arch Linux. See this unit. Put iptables config in /etc/iptables/ip{6,}tables.rules.

  9. Remove the file in /etc/sudoers.d which lets the pi user run sudo without typing its password.

  10. Configure msmtp to be able to send emails using the mailserver on my main server.

  11. Harden SSH configuration as you would do for a server.

  12. sudo rm /etc/profile.d/sshpasswd.sh to remove a useless profile script that raises security alerts when connecting through SSH as a user whose sudo is not passwordless.

  13. Set a MAILTO address in crontab and edit aliases.
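
To check steps 7, 8, 9 and 12 after the fact, here is a small audit script. It is an added example, not part of the original checklist; the audit_pi and make_sample_tree names, the optional root-prefix argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit checklist steps 7, 8, 9 and 12. Run as root on the Pi.
# The optional ROOT argument is a hypothetical prefix for checking a test tree.
audit_pi() {
    root="${1:-}"
    failures=0
    fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

    # Step 7: the conntrack FTP helper is listed for loading at boot.
    grep -qx 'ip_conntrack_ftp' "$root/etc/modules-load.d/modules.conf" \
        2>/dev/null || fail "ip_conntrack_ftp not in modules.conf"

    # Step 8: both rule files exist and are non-empty.
    for f in iptables.rules ip6tables.rules; do
        [ -s "$root/etc/iptables/$f" ] || fail "/etc/iptables/$f missing or empty"
    done

    # Step 9: no sudoers drop-in still grants passwordless sudo.
    for f in "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        [ -r "$f" ] || { fail "cannot read ${f##*/} (run as root)"; continue; }
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'NOPASSWD'; then
            fail "NOPASSWD rule in /etc/sudoers.d/${f##*/}"
        fi
    done

    # Step 12: the profile script has been removed.
    [ ! -e "$root/etc/profile.d/sshpasswd.sh" ] \
        || fail "/etc/profile.d/sshpasswd.sh still present"

    echo "$failures check(s) failed"
    return "$failures"
}

# Constructed sample tree resembling an untouched install (not real data).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/sudoers.d" "$t/etc/profile.d" "$t/etc/modules-load.d"
    echo 'pi ALL=(ALL) NOPASSWD: ALL' > "$t/etc/sudoers.d/example-nopasswd"
    : > "$t/etc/profile.d/sshpasswd.sh"
    : > "$t/etc/modules-load.d/modules.conf"
    echo "$t"
}

sample=$(make_sample_tree)
audit_pi "$sample" || true   # expected: 5 failures on the untouched tree
rm -rf "$sample"
```

On the Pi itself, call audit_pi with no argument; the return status is the number of failed checks, so it can be used from cron together with the MAILTO address from step 13.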