{"id":19453634,"url":"https://github.com/erikslevin/raspberry-install","last_synced_at":"2025-07-05T21:35:40.531Z","repository":{"id":65434042,"uuid":"592281779","full_name":"ErikSlevin/raspberry-install","owner":"ErikSlevin","description":"Raspberry Pi installation and configuration with Raspbian and Docker.","archived":false,"fork":false,"pushed_at":"2023-09-10T19:26:03.000Z","size":42,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-08T00:35:38.205Z","etag":null,"topics":["linux","raspberry-pi","raspberry-pi-3","raspberry-pi-4","raspberrypi","raspbian"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ErikSlevin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2023-01-23T11:46:55.000Z","updated_at":"2023-09-09T18:50:45.000Z","dependencies_parsed_at":"2023-02-12T22:46:09.363Z","dependency_job_id":null,"html_url":"https://github.com/ErikSlevin/raspberry-install","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ErikSlevin%2Fraspberry-install","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ErikSlevin%2Fraspberry-install/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ErikSlevin%2Fraspberry-install/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ErikSlevin%2Fraspberry-install/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ErikSlevin","download_url":
"https://codeload.github.com/ErikSlevin/raspberry-install/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240645623,"owners_count":19834451,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","raspberry-pi","raspberry-pi-3","raspberry-pi-4","raspberrypi","raspbian"],"created_at":"2024-11-10T17:05:14.141Z","updated_at":"2025-02-25T10:20:09.682Z","avatar_url":"https://github.com/ErikSlevin.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Raspberry Installation\n\n| Datum | Beschreibung |\n|:----------:|--------------|\n| 13.01.2023 | Anleitung erstellt |\n| 09.09.2023 | Komplette Überarbeitung der Anleitung |\n\n## Vorbereitungen\n1. Raspberry Pi Imager runterladen \u0026 installieren\n   - Download: https://www.raspberrypi.com/software/\n\n2. Windows Terminal herrunterladen\n   - Download: [https://apps.microsoft.com/store/detail/windows-terminal/](https://apps.microsoft.com/store/detail/windows-terminal/9N0DX20HK701?hl=de-de\u0026gl=de)\n\n3. Raspberry Pi OS auf Medium schreiben\n   - Raspberry Pi OS (other)\n   - Raspberry Pi OS Lite (64-bit) (with no desktop enviroment)\n   - SD-Karte: Externes Medium auswählen\n   - Einstellungen:\n       - SSH aktivieren\n       - Passwort und Benutzername setzen\n       - Spracheinstellungen festlegen\n   - schreiben\n\n4. 
Establish the SSH connection\n    - Open Windows Terminal\n    - `ssh username@[DYNAMIC IP of the Raspberry]`\n\n## Basic configuration\n``` shell\n# Update package sources and upgrade packages\nsudo apt update \u0026\u0026 sudo apt upgrade -y \u0026\u0026 sudo apt autoremove -y \u0026\u0026 sudo apt autoclean -y\n\n# Change the Raspberry hardware configuration\n# Among other things, this disables WLAN, BT, audio and the HDMI interface\nsudo nano /boot/config.txt\n\n# Configure a static IP address\nsudo nano /etc/dhcpcd.conf\n\n# Disable IPv6\nsudo nano /etc/sysctl.conf\n\n# Apply the sysctl configuration\nsudo sysctl -p\n\n# Restart the DHCP service and check its status\nsudo systemctl restart dhcpcd.service\nsudo service dhcpcd status\n\n# Change the hostname\nsudo nano /etc/hostname\n\n# Change hosts\nsudo nano /etc/hosts\n\n# Set the locale\nsudo raspi-config nonint do_change_locale de_DE.UTF-8 UTF-8\nsudo raspi-config nonint do_change_locale de_DE.UTF-8\n\n# Set the timezone\nsudo raspi-config nonint do_change_timezone Europe/Berlin\n\n# Reboot\nsudo reboot\n```\n\u003e [`config.txt`](files/Grundkonfiguration/config.txt)\n\u003e [`dhcpcd.conf`](files/Grundkonfiguration/dhcpcd.conf)\n\u003e [`sysctl.conf`](files/Grundkonfiguration/sysctl.conf)\n\u003e [`hostname`](files/Grundkonfiguration/hostname)\n\u003e [`hosts`](files/Grundkonfiguration/hosts)\n\n## Set up automatic updates\n``` shell\n# Install and configure unattended-upgrades\nsudo apt install unattended-upgrades -y\nsudo dpkg-reconfigure --priority=low unattended-upgrades\n\n# Adjust the configuration files incl. 
push notification via Gotify\n# The Gotify notification container is set up later\nsudo nano /etc/apt/apt.conf.d/20auto-upgrades\nsudo nano /etc/apt/apt.conf.d/50unattended-upgrades\n\n# Push notification when automatic updates have been installed\nsudo mkdir ~/skripte -v\nsudo nano /home/erik/skripte/unattended-upgrades-notify.sh\nsudo chmod +x /home/erik/skripte/unattended-upgrades-notify.sh\n\n# Reboot (mandatory because of the SSH configuration)\nsudo reboot\n```\n\u003e [`20auto-upgrades`](files/unattended-upgrades/20auto-upgrades)\n\u003e [`50unattended-upgrades`](files/unattended-upgrades/50unattended-upgrades)\n\u003e [`unattended-upgrades-notify.sh`](files/unattended-upgrades/unattended-upgrades-notify.sh)\n\n## Set up SSH\n\n``` shell\n# Back up the SSH configuration\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak -v\n\n# Switch to the root user\nsudo su\n\n# Delete the SSH host keys and regenerate them\nrm /etc/ssh/ssh_host_*\nssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N \"\"\nssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N \"\"\n\n# Remove small Diffie-Hellman moduli\nawk '$5 \u003e= 3071' /etc/ssh/moduli \u003e /etc/ssh/moduli.safe\nmv /etc/ssh/moduli.safe /etc/ssh/moduli\n\n# Restrict the key exchange, cipher and MAC algorithms.\nnano /etc/ssh/sshd_config.d/ssh-audit_hardening.conf\n\n# Switch back to the normal user.\nexit\n\n# Generate a secure SSH key (ed25519) - confirm with y.\nsudo ssh-keygen -o -a 100 -t ed25519 -N \"\" -f /etc/ssh/ssh_host_ed25519_key -C \"$(date '+%Y%m%d')-$(hostname -s)-ed25519_key\"\n\n# Create the .ssh folder and authorized_keys\nmkdir ~/.ssh\ntouch ~/.ssh/{authorized_keys,config}\n\n# Append ssh_host_ed25519_key.pub to authorized_keys.\nsudo cat /etc/ssh/ssh_host_ed25519_key.pub \u003e\u003e ~/.ssh/authorized_keys\n\n# Revoke read permission on the .ssh directory for other users and groups.\nchmod 700 
~/.ssh\n\n# Make the SSH key pair read-only.\nsudo chmod 400 /etc/ssh/ssh_host_ed25519_key*\n\n# Set the local user as owner of the public key.\nchown $USER:$USER ~/.ssh/authorized_keys\n\n# Create placeholders for future server-to-server connections etc.\nsudo nano ~/.ssh/config\n\n# Write the ssh_host_ed25519_key to a dated file.\nsudo cat /etc/ssh/ssh_host_ed25519_key \u003e\u003e $(date '+%Y%m%d')-$(hostname -s)-ed25519_key\n   # --\u003e Windows -\u003e save to a file OR scp pi-docker-1:~/*key C:\\Users\\erikw\\.ssh\\\n   # --\u003e !! CAUTION: LINE ENDING SEQUENCE LF, NOT CRLF !!!\n   # --\u003e Best opened and saved in VSC\n   # --\u003e File name: echo $(hostname)-$(date -I)\n\n# Restart the SSH service\nsudo service ssh restart\n\n# Apply sshd_config\nsudo nano /etc/ssh/sshd_config\n\n# Adjust issue.net\nsudo nano /etc/issue.net\n\n# Delete the MOTD\nsudo rm /etc/motd\nsudo rm /etc/update-motd.d/10-uname\n\n# Gotify notification via SSH\nsudo nano /opt/shell-login.sh\nsudo chmod 755 /opt/shell-login.sh\necho \"/opt/shell-login.sh \u003e /dev/null 2\u003e\u00261\" | sudo tee -a /etc/profile\n\n```\n\u003e [`ssh-audit_hardening.conf`](files/ssh/ssh-audit_hardening.conf)\n\u003e [`config`](files/ssh/config)\n\u003e [`sshd_config`](files/ssh/sshd_config)\n\u003e [`issue.net`](files/ssh/issue.net)\n\u003e [`motd`](files/ssh/motd)\n\u003e [`shell-login.sh`](files/ssh/shell-login.sh)\n\n## Set up the firewall and Fail2ban\n``` shell\n# Install UFW\nsudo apt install ufw -y \u0026\u0026 sudo apt autoclean -y \u0026\u0026 sudo apt autoremove -y\n\n# Incoming connections are denied and outgoing connections are allowed.\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\n\n# Allow SSH connections\n# CAUTION: adjust the SSH port number\nsudo ufw allow 62253 comment \"ssh\"\n\n# Enable UFW - confirm with y\nsudo ufw enable\n\n# Install the latest Fail2ban 
version\nsudo apt install fail2ban -y \u0026\u0026 sudo apt autoclean -y \u0026\u0026 sudo apt autoremove -y\n\n# Create a copy of the configuration file.\nsudo cp /etc/fail2ban/jail.{conf,local} -v\n\n# Switch to the root user\nsudo su\n\n# Configure the [sshd] jail\n# Store the line number of the sshd jail in a variable\ni=$(grep -n '\\[sshd\\]' /etc/fail2ban/jail.local | awk 'NR==2 {print}' | cut -d ':' -f 1 | awk '{print $1 + 1}')\n\n# Remove the jail's default settings\nsudo sed -i \"${i},$((i+7))d\" /etc/fail2ban/jail.local\n\n# Add new settings for the jail\n# The following settings are added with the echo command:\n# If changes are wanted (e.g. SSH port), adjust the echo command,\n# not the comment lines below!\n# enabled = true\t\tport = 62253\tlogpath = %(sshd_log)s\tbantime = 2h\t\n# backend = %(sshd_backend)s\tmaxretry = 3\tignoreip = 127.0.0.1/8\tfindtime = 1d\necho -e \"enabled = true\\nport = 62253\\nlogpath = %(sshd_log)s\\nbackend = %(sshd_backend)s\" \\\n\t\"\\nmaxretry = 3\\nfindtime = 1d\\nbantime = 2h\\nignoreip = 127.0.0.1/8\" | \\\n\t sed -i \"${i}r /dev/stdin\" /etc/fail2ban/jail.local\n\n# Switch back to the normal user.\nexit\n\n# Restart Fail2ban.\nsudo service fail2ban restart\n\n# Start Fail2ban automatically after a reboot\nsudo systemctl enable fail2ban\n```\n\u003e [`20auto-upgrades`](files/unattended-upgrades/20auto-upgrades)\n\u003e [`50unattended-upgrades`](files/unattended-upgrades/50unattended-upgrades)\n\u003e [`unattended-upgrades-notify.sh`](files/unattended-upgrades/unattended-upgrades-notify.sh)\n\n## Docker and Portainer\n``` shell\n# Install Docker\nsudo mkdir ~/docker_files -v\nsudo curl -fsSL https://get.docker.com -o get-docker.sh \u0026\u0026  sudo sh get-docker.sh \nsudo rm get-docker.sh\nsudo groupadd docker\nsudo usermod -aG docker $USER\n\n# A reboot is mandatory!\nsudo reboot\n\n# Create the Docker networks\ndocker network create 
--subnet=10.0.10.0/24 --gateway=10.0.10.1 intern\ndocker network create --subnet=10.0.20.0/24 --gateway=10.0.20.1 extern\n\n# Deploy Portainer\ndocker run -d -p 9000:9443 --name portainer \\\n\t--restart=always \\\n\t-v /var/run/docker.sock:/var/run/docker.sock \\\n\t-v portainer:/data \\\n\t--label \"com.centurylinklabs.watchtower.enable=true\" \\\n\t--network intern \\\n\tportainer/portainer-ce:latest\n\n###################### OPTIONAL ###########################\n###    Add further Docker hosts via Portainer Agent     ###\n\ndocker run -d \\\n  -p 9001:9001 \\\n  --name portainer_agent \\\n  --restart=always \\\n  -v /var/run/docker.sock:/var/run/docker.sock \\\n  -v /var/lib/docker/volumes:/var/lib/docker/volumes \\\n  --label \"com.centurylinklabs.watchtower.enable=true\" \\\n  --network intern \\\n  portainer/agent:latest\n\n```\n\n## Optional: exchange server key pairs\n\n```console\n# 1. Share the key of server 1 (pi-docker-1) with server 2 (pi-docker-2)\nscp C:\\Users\\erik/.ssh/20230910-pi-docker-1-ed25519_key pi-docker-1:~/.ssh/20230910-pi-docker-2-ed25519_key\n\n# 2. On server 2, give the key file the correct permissions\nsudo chmod 600 ~/.ssh/20230910-pi-docker-2-ed25519_key\n\n# 3. Start the SSH agent\neval \"$(ssh-agent -s)\"\n\n# 4. Add the key via ssh-add\nssh-add 20230910-pi-docker-1-ed25519_key\n\n# Output: Identity added: 20230910-pi-docker-1-ed25519_key (20230910-pi-docker-1-ed25519_key)\n\n# 5. 
Adjust the SSH profile\nsudo nano ~/.ssh/config\n\n# From now on you can connect via ssh pi-docker-1 or send files via scp pi-docker-1\n\n```\n\n\u003e [`config`](files/ssh/config)\n\n## Sources\n- [*How to Configure Static IP Address on Raspberry Pi*](https://sleeplessbeastie.eu/2022/05/23/how-to-configure-static-ip-address-on-raspberry-pi/)\n- [*Raspberry Pi: Internes WLAN und Bluetooth deaktivieren*](https://www.xgadget.de/anleitung/raspberry-pi-internes-wlan-und-bluetooth-deaktivieren/)\n- [*YouTube: How to protect Linux from Hackers // My server security strategy!*](https://www.youtube.com/watch?v=Bx_HkLVBz9M\u0026t=393s)\n- [*How To Harden OpenSSH on Ubuntu 18.04*](https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-18-04-de)\n- [*OpenSSH Server härten und absichern unter Linux*](https://sakis.tech/openssh-server-abhaerten-und-absichern-unter-linux/)\n- [*SSH Audit Hardening Guides*](https://www.sshaudit.com/hardening_guides.html)\n- [*Absicherung eines Debian Servers*](https://www.thomas-krenn.com/de/wiki/Absicherung_eines_Debian_Servers)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferikslevin%2Fraspberry-install","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferikslevin%2Fraspberry-install","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferikslevin%2Fraspberry-install/lists"}