Raspberry Pi

• Installer Raspberry Pi OS sur un Raspberry Pi
• Installation de Pi-Hole sur RpiZeroW
• CentOS 8 minimal installation on RPi 3+ 🇬🇧
• Self host your web meetings with Jitsi and Raspberry Pi

Installer Raspberry Pi OS sur un Raspberry Pi

Installion de Raspberry Pi Imager sur l'ordinateur

Se rendre sur le site officiel de Raspberry Pi www.raspberrypi.org à la page des programmes.
Télécharger le programme correspondant à la version de son système d'exploitation (ici Windows).

On lance le programme d'installation.

Utilisation de Raspberry Pi Imager

Raspberry Pi Imager se résume à trois actions / boutons :

1. Choisissez l'OS → choisir le système d'exploitation
2. Choisissez le stockage → choisir la carte µSD qui recevra le système d'exploitation
3. Écrire → écrit le système d'exploitation sur la carte µSD

Le but étant d'avoir une application simple de base.
Cependant, des options avancés sont « cachées », pour les faire apparâitre : ctrl+maj+x (⌘+⇧+x sous MacOS) depuis la page d'accueil.

Systèmes d'exploitation (OS)

Depuis la page d'accueil de l'application, le premier bouton permet de choisir l'OS à installer sur la carte µSD.

Le premier OS présenté est celui qui est recommandé. Il s'agit du portage de Debian sur le RPi en version 32-bit.
Cette version dispose d'un environnement de bureau complet (barre des tâches, fenêtres, etc.).

Bien que le RPi 3 B, RPi 3 B+, le RPi 4 B et le RPi 400 disposent d'un processeur 64-bit, Raspberry Pi OS n'est à ce jour disponible qu'en 32-bit.

La seconde ligne présente deux autres déclinaisons de Raspberry Pi OS.

• Raspberry Pi OS Lite est le portage de Debian sans environnement de bureau (tout se passe en ligne de commande), idéal pour un serveur. Il est également possible d'installer un autre environnement de bureau par la suite.
• Raspberry Pi OS Full est le portage de Debian avec environnement de bureau ainsi qu'une multitude d'applications recommandées (LibreOffice, Sratch, etc.).

Les lignes suivantes de systèmes d'exploitation représente différentes familles d'OS suivant des usages différents :

• Autres systèmes d'exploitations (Manjaro, Ubuntu, RISC OS PI) ;
• Lecteur multimédia ;
• Émulateur de jeux ;
• Etc.

Choix du stockage

Depuis la page d'accueil de l'application, le deuxième bouton permet de choisir l'emplacement de la carte µSD.
Pour ce faire, il faut q'une carte µSD soit insérée dans l'ordinateur (soit directement, soit dans un adaptateur µSD → SD, soit un lecteur USB, etc.).

Options avancées « cachées »

Rappel : Les options avancés sont « cachées », pour les faire apparâitre : ctrl+maj+x (⌘+⇧+x sous MacOS) depuis la page d'accueil.
Ces options peuvent être paramètrées autrement, que ça soit avant, pendant ou après le premier démarrage.

La premier option est une liste déroulante. Elle permet de choisir si les options que l'on va choisir sont uniquement pour cette session ou si elles doivent demeurer pour les installations futures.

• « Disable overscan » : dans une installation normale, lors du premier démarrage du RPi, l'OS va s'étendre sur toute la capacité de la carte µSD, cette option permet de désactiver cette action. Si cette option est cochée, une partie de la carte µSD ne sera pas exploitable.
• « Set hostname » : permet de nommer l'appareil lorsqu'il sera connecté au réseau local. Par défaut, il sera nommé raspberrypi.local.
• « Enable SSH » : permet d'activer le serveur SSH sur le RPi.
  • « Use password authentification » : utilise un mot de passe pour la connexion SSH ;
  • « Allow public-key authentication only » : utilise une clés PGP/GPG public pour la connexion SSH.

• « Configue wifi » : permet de paramètrer le wifi.
  • « SSID » : identiant du réseau wifi ;
  • « Password » : mot de passe associé au réseau wifi ;
  • « Wifi country » : pays dans lequel se situe ce réseau wifi.

• « Set locale settings » : permet de personnaliser les paramètres locaux.
  • « Time Zone » : permet de choisir le duo continent/ville du fuseau horaire ;
  • « Keyboard layout » : permet de choisir la disposition du clavier ;
  • « Skip first-run wizard » : permet de passer l'assistant de configuration des paramètres locaux lors du premier lancement.
• « Persistent settings » : paramètres persistants.
  • « Play sound when finished » : l'application jouera un son (notification) lorsque l'écriture sur la carte µSD sera terminée ;
  • « Eject media when finished » : l'explorateur de fichier éjectera la carte µSD lorsque l'écriture sera terminée ;
  • « Enable telemetry » : autorise l'application à envoyer des données aux mainteneurs du projet afin d'établir des statistiques.

Écrire l'OS sur la carte µSD

Depuis la page d'accueil de l'application, le troisième bouton permet de lancer l'écriture de l'OS sur la carte µSD.

Lorsque l'on clique sur le bouton « ÉCRIRE » une fenêtre demande la confirmation d'écraser les données de la carte µSD.

D'abord l'application écrit les données sur la carte µSD.

Ensuite l'application vérifie les données écrites sur la carte µSD.

Puis l'application invite à retirer la carte µSD du lecteur.

Raspberry Pi OS - Premier lancement

Chargement de Raspberry Pi OS

Lors du démmarrage du RPi, un carré multicolor s'affiche.

Une fenêtre de bienvenue s'affiche présentant la version installée.
Note : l'icône en forme d'éclair indique que l'alimentation est inférieure aux recommandations du modèle de RPi.

Réglages de configuration

L'environnement de bureau s'affiche avec une fenêtre ouvrant sur différents réglages de configuration.

Si le réglage n'a pas été effectué dans les options avancées « cachées », il est possible de régler les paramètres locaux.

La sélection du pays se fait depuis une liste déroulante, cette option permet principalement de gérer la disposition du clavier, mais aussi la langue du système.

L'option Timezone permet de régler le fuseau horaire, donc l'heure d'affichage du système.
Note : Le RPi a besoin d'une connexion Internet pour se mettre à l'heure, il ne dispose pas d'horloge interne.

Le système prend en compte les réglages de localisation.

Il est important de changer le mot de passe par défaut (« raspberry ») de l'utilisateur par défaut, à savoir « pi ».
Ne pas oublier le mot de passe, il ne sera pas possible de le récupérer.

L'affichage doit occuper tout l'écran, si ce n'est pas le cas, il est possible de le recalibrer.

RPi OS a découvert un réseau Wifi, il demande la confirmation de connexion. Le nom affiché représente le SSID.

Pour finaliser la connexion Wifi, il est nécessaire d'entrer le mot de passe.

Le RPi va vérifier la présence de mises à jour. Cet étape est importante, elles concernent souvent la sécurité de l'OS.
Il est donc préférable de cliquer sur le bouton « Next ».

L'OS recherche la présence de mises à jour et les installent dans la foulée si nécessaire.

Lorsque l'opération de mise à jour est terminée, il indique que le système est à jour.

Redémarrage

Après un redémarrage, le système est à jour et en français.

Divers sources

Making Society | Raspberry Pi tout savoir pour bien débuter.

Installation de Pi-Hole sur RpiZeroW

Procédure accélérée de l'installation de Pi-Hole sur un Raspberry-Pi Zero W.

Installation de Raspberry Pi OS Lite

Téléchargement de l'OS

Installer l'image Raspberry Pi OS Lite sur le RPi0W.
Lien des images sur le site.

Préparation accès SSH du RPi0W

Éditer ou créer le fichier BOOT/wpa_supplicant.conf (soit à la racine de la carte).

country=FR
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="<yourWiFiNetworkName>"
    psk="<yourWiFiPassword>"
}

Également à la racine, créer un fichier vide ssh :

touch ssh

Accès SSH & MàJ

Se connecter en ssh au Rpi (mot de passe par défaut raspberry):

ssh pi@raspberrypi.local
>[…]
>Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
>[…]

Mise à jour, c'est assez long…

sudo apt-get update && sudo apt-get upgrade -y

On change le mot de passe par défaut de pi avec la commande passwd.

J'en profite pour créer mon utilisateur, lui assigner un mot de passe et l'ajouter au groupe sudo :

sudo useradd -m <username> # -m pour créer le fichier home
sudo passwd <username>
>New password: 
>Retype new password: 
>passwd: password updated successfully
sudo usermod -aG sudo <username> # -a pour append, -G pour le groupe

Je change le nom de l'appareil sur le réseau :

sudo hostnamectl set-hostname pihole
sudo vim /etc/hosts # pour également changer le nom sur l'ip interne

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.1.1	pihole # ici

sudo reboot

J'envoie ma clé publique depuis mon hôte :

ssh-copy-id -i .ssh/id_rsa.pub pihole.local

Je peux me connecter directement :

ssh pihole.local

Automatique update du RPi

Source(s) 1.

sudo apt update
sudo apt install unattended-upgrades

Mettre en place la configuration des màj automatiques.

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

Décommenter les lignes 29 et 30, pour avoir ceci :

"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";

Rendre la màj automatique effective :

sudo dpkg-reconfigure --priority=low unattended-upgrades

Puis confirmer à l'écran.

Il est possible de vérifier que le service fonctionne bien :

sudo systemctl status unattended-upgrades.service

Pi-Hole

Sources d'installation & configuration 1 2.

Préparation

Il faut paramétrer la box pour attribuer une ip fixe au Rpi.

Installation du Pi-Hole

Liens :

• documentation ;
• GitHub.

curl -sSL https://install.pi-hole.net | bash

Et on répond aux questions.

Ne pas oublier de mettre le server DNS dans la Box Internet, ou de configurer le DHCP.
Voir en toute fin si 4G Box.

Configuration

Changer le mot de passe

pihole -a -p

Blocklist

Exemple de blocklist :

• Fuzz the Pi Guy
• The Firebob
• FireHOL le lien semble dans le github
• blocklists.info – Blocklists for Pihole and Adguard Home

Plusieurs urls peuvent être entrées dans les blocklist en étant séparées par des espaces. Si besoin, utiliser regular expressions 101 ( regex : \t\n pour la sélection) pour faire le tri dans les tabulations et retours de ligne.

Mise à jour de la list Gravity :

sudo pihole -g

Suivant la taille, ça peut mettre du temps.

Test

Sur le site de Fuzz the Pi Guy.

Si ça ne fonctionne pas, d'abord essayer de tout éteindre puis allumer :

1. Le Pi-Hole ;
2. La Box Internet.

Chronometer

Afin de voir un log en temps réel :

pihole -c

Vérifier les listes

Admettons que l'on souhaite charger les données de WhatsApp, on peut afficher les listes faisant barrière :

pihole -q -adlist -all "whatsapp.net"

On obtient un résultat plus ou moins long suivant les listes ajoutées, voire rien du tout.

 Match found in https://raw.githubusercontent.com/hectorm/hmirror/master/data/easyprivacy/list.txt:
   g.whatsapp.net.iberostar.com 
 Match found in https://raw.githubusercontent.com/hectorm/hmirror/master/data/spam404.com/list.txt:
   espiawhatsapp.net 
   newwhatsapp.net 
 Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts:
   privatestats.whatsapp.net 
 Match found in https://raw.githubusercontent.com/mhhakim/pihole-blocklist/master/list.txt:
   cdn.whatsapp.net.domain.name 
   crashlogs.whatsapp.net 
   dit.whatsapp.net 
   dit.whatsapp.net.domain.name 
   e1.whatsapp.net 
   e10.whatsapp.net 
   e11.whatsapp.net 
[…]
   media-arn2-1.cdn.whatsapp.net 
   media-ber1-1.cdn.whatsapp.net 
   media-bru2-1.cdn.whatsapp.net 
   media-cdt1-1.cdn.whatsapp.net 
   media-dfw5-1.cdn.whatsapp.net 
   media-frt3-1.cdn.whatsapp.net 
   media-frt3-2.cdn.whatsapp.net 
[…]

Pour avoir les médias, on peut ajouter le regexp suivant :

pihole --white-regex --comment "WhatsApp media" 'media-[a-z0-9\-]*\.cdn\.whatsapp\.net$'

Bonus : Choisir DNS Server sur 4G Box

Par défaut, on ne peut pas voir les paramètres de changement de DNS. Pour afficher l'option, se rendre dans DHCP, puis taper dans la console :

$('#dhcp_dns').css('display', 'block');

Et enfin, entrer l'adresse ip du Pi-Hole.

Installation de DNS Unbound

Installation basée sur la documentation de Pi-hole de unbound, cela permet de mettre en cache les demandes DNS.

Préparatifs

Tout d’abord, on fait une mise à jour :

sudo apt update && sudo apt upgrade -y

Installation de unbound

On vérifie les informations du paquet :

apt show unbound

Il ne s’agit pas de la dernière version, cependant le site officiel conseille de passer par le gestionnaire de paquets plutôt que de le compiler.

Package: unbound
Version: 1.9.0-2+deb10u2
Priority: optional
Section: net
Maintainer: unbound packagers <unbound@packages.debian.org>
Installed-Size: 3,637 kB
Depends: adduser, dns-root-data, lsb-base (>= 3.0-6), openssl, unbound-anchor, libc6 (>= 2.28), libevent-2.1-6 (>= 2.1.8-stable), libfstrm0 (>= 0.2.0), libprotobuf-c1 (>= 1.0.1), libpython3.7 (>= 3.7.0), libssl1.1 (>= 1.1.1), libsystemd0
Suggests: apparmor
Enhances: munin-node
Homepage: https://www.unbound.net/
Download-Size: 671 kB
APT-Sources: http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
Description: validating, recursive, caching DNS resolver
 Unbound is a recursive-only caching DNS server which can perform DNSSEC
 validation of results. It implements only a minimal amount of authoritative
 service to prevent leakage to the root nameservers: forward lookups for
 localhost, reverse for 127.0.0.1 and ::1, and NXDOMAIN for zones served by
 AS112. Stub and forward zones are supported.
 .
 This package contains the unbound daemon.

sudo apt install unbound

Configurer unbound

On crée le fichier /etc/unbound/unbound.conf.d/pi-hole.conf :

sudo vim /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    log-time-ascii: yes

    interface: 127.0.0.1
    port: 5335

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    do-ip4: yes
    do-udp: yes

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Set number of threads to use
    num-threads: 1

    # Hide DNS Server info
    hide-identity: yes
    hide-version: yes

    # Limit DNS Fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes

    # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
    unwanted-reply-threshold: 10000000

    # Minimum lifetime of cache entries in seconds
    cache-min-ttl: 300

    # Maximum lifetime of cached entries
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes

    # Optimisations
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # increase memory size of the cache
    rrset-cache-size: 256m
    msg-cache-size: 128m

    # increase buffer size so that no messages are lost in traffic spikes
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Si on force la liste des serveurs de noms de racine (root name server) il faut penser à modifier le fichier de config en conséquence :

wget https://www.internic.net/domain/named.root -qO- | sudo tee /usr/share/dns/root.hints

On redémarre le service :

sudo service unbound restart

Test de la mise en cache du DNS

dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19530
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; ANSWER SECTION:
pi-hole.net.		300	IN	A	3.18.136.52

;; Query time: 856 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sun Nov 07 15:06:44 CET 2021
;; MSG SIZE  rcvd: 56

Si on recommence la précédente commande :

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; ANSWER SECTION:
pi-hole.net.		283	IN	A	3.18.136.52

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sun Nov 07 15:07:01 CET 2021
;; MSG SIZE  rcvd: 56

On peut surtout remarquer la durée du Query time, on passe de 856 ms à 0 ms.

Test du DNSSEC

Pour se faire, on fait un appel qui doit renvoyer un erreur et un autre qui doit marcher.

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 1166 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sun Nov 07 15:11:42 CET 2021
;; MSG SIZE  rcvd: 57

Le status doit être à SERVFAIL et ne pas fournir d'adresse IP.

dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51837
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60	IN	A	134.91.78.139

;; Query time: 89 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sun Nov 07 15:12:15 CET 2021
;; MSG SIZE  rcvd: 71

Le status doit être à NOERRORet fournir une adresse IP.

Configuration du Pi-hole

À la page d’administration du Pi-hole, dans la partie Settings, on désactive tous les serveurs DNS précédemment entrés puis on inscrit l’adresse du localhost suivi du port de unbound (séparé par un #), à savoir 127.0.0.1#5335.

Cloudflared (DoH)

À voir ici.

VPN : WireGuard

La doc est ici.

CentOS 8 minimal installation on RPi 3+ 🇬🇧

Installation

CentOS tuto for installation on RaspberryPi ¹ ².

Just for memory: Fedora link for arm architecture.

SSH

To know ip on local network:

arp -a

Hosts

On the client machine add the server ip address in /etc/hosts.

Add to known hosts

ssh-keyscan mycentos8 >> ~/.ssh/known_hosts

After, edit the file to keep the ecdsa line.

Repo

Install EPEL Repo

dnf info epel-release
dnf install epel-release

Adduser

Adduser

adduser <username>
passwd <username>

Adding user to group wheel:

gpasswd -a <username> wheel

Manage users and groups.

Change shell for zsh

usermod --shell /bin/zsh <username> 

Oh-my-zsh

Install Oh-my-zsh:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

Copy theme 'amuse' to the same folder for '01amuse'

vim ~/.zshrc

ZSH_THEME='01amuse'

Add information to the ligne PROMPT= without delete previous options (more tips here):

vim ~/.oh-my-zsh/themes/01amuse.zsh-theme 

PROMPT='[...keep prev...]%{$fg[magenta]%}%n%{$reset_color%} at %{$fg[yellow]%}%m%{$reset_color%}'

Use plugins:

plugins=(git dnf history tmux)

• dnf

  Alias	Command	Description
  dnfl	dnf list	List packages
  dnfli	dnf list installed	List installed packages
  dnfgl	dnf grouplist	List package groups
  dnfmc	dnf makecache	Generate metadata cache
  dnfp	dnf info	Show package information
  dnfs	dnf search	Search package
  dnfu	sudo dnf upgrade	Upgrade package
  dnfi	sudo dnf install	Install package
  dnfgi	sudo dnf groupinstall	Install package group
  dnfr	sudo dnf remove	Remove package
  dnfgr	sudo dnf groupremove	Remove package group
  dnfc	sudo dnf clean all	Clean cache

• git
• history

  Alias	Command	Description
  h	history	Prints your command history
  hs	history | grep	Use grep to search your command history
  hsi	history | grep -i	Use grep to do a case-insensitive search of your command history

• vscode
• npm
• tmux

  Alias	Command	Description
  ta	tmux attach -t	Attach new tmux session to already running named session
  tad	tmux attach -d -t	Detach named tmux session
  ts	tmux new-session -s	Create a new named tmux session
  tl	tmux list-sessions	Displays a list of running tmux sessions
  tksv	tmux kill-server	Terminate all running tmux sessions
  tkss	tmux kill-session -t	Terminate named running tmux session
  tmux	_zsh_tmux_plugin_run	Start a new tmux session

• nmap

  Alias	Description
  nmap_open_ports	scan for open ports on target
  nmap_list_interfaces	list all network interfaces on host where the command runs
  nmap_slow	slow scan that avoids to spam the targets logs
  nmap_fin	scan to see if hosts are up with TCP FIN scan
  nmap_full	aggressive full scan that scans all ports, tries to determine OS and service versions
  nmap_check_for_firewall	TCP ACK scan to check for firewall existence
  nmap_ping_through_firewall	host discovery with SYN and ACK probes instead of just pings to avoid firewall restrictions
  nmap_fast	fast scan of the top 300 popular ports
  nmap_detect_versions	detects versions of services and OS, runs on all ports
  nmap_check_for_vulns	uses vulscan script to check target services for vulnerabilities
  nmap_full_udp	same as full but via UDP
  nmap_traceroute	try to traceroute using the most common ports
  nmap_full_with_scripts	same as nmap_full but also runs all the scripts
  nmap_web_safe_osscan	little "safer" scan for OS version as connecting to only HTTP and HTTPS ports doesn't look so attacking
  nmap_ping_scan	ICMP scan for active hosts

Note : elements in zsh arrays are separated by spaces.
Do not use commas.

Execute sudo without Password

Link here.
You can configure sudo to never ask for your password.

Open a Terminal window and type:

sudo visudo

In the bottom of the file, add the following line:

$USER ALL=(ALL) NOPASSWD: ALL

Where $USER is your username on your system.

Or, in my case, uncomment :

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

SSH keys

First create a ssh rsa key on computer:

ssh-keygen -t rsa

Then :

ssh myuser@server.com mkdir .sshscp ~/.ssh/id_rsa.pub myuser@server.com:.ssh/authorized_keys

GitHub

Use SSH keys

First, check if existing SSH keys are present:

ls -al ~/.ssh

Generate key pair:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Start the SSH agent in background:

eval "$(ssh-agent -s)"

Add the SSH private key to the ssh-agent:

ssh-add ~/.ssh/id_rsa

Copy the public key to the clipboard and paste it in Github.

To test the connection:

ssh -T git@github.com

Personnalize motd

Edit motd file:

vim /etc/motd

For ASCII check this site.

Or, much better, create motd.sh in /etc/profile.d/ with:

#!/bin/sh
#

printf "\n"
printf "    ┌┬┐┬ ┬╔═╗┌─┐┌┐┌┌┬┐╔═╗╔═╗\n"
printf "    │││└┬┘║  ├┤ │││ │ ║ ║╚═╗\n"
printf "    ┴ ┴ ┴ ╚═╝└─┘┘└┘ ┴ ╚═╝╚═╝\n"
printf "       ╔╦╗┬┌─┐┬┌─┌─┐┌─┐┬\n"
printf "       ║║║││  ├┴┐├─┤├┤ │\n"
printf "       ╩ ╩┴└─┘┴ ┴┴ ┴└─┘┴─┘\n"

printf "\n"
printf "\t- %s\n\t- Kernel %s\n" "$(cat /etc/redhat-release)" "$(uname -r)"
printf "\n"



date=`date`
load=`cat /proc/loadavg | awk '{print $1}'`
root_usage=`df -h / | awk '/\// {print $(NF-1)}'`
memory_usage=`free -m | awk '/Mem:/ { total=$2 } /buffers\/cache/ { used=$3 } END { printf("%3.1f%%", used/total*100)}'`
swap_usage=`free -m | awk '/Swap/ { printf("%3.1f%%", "exit !$2;$3/$2*100") }'`
users=`users | wc -w`
time=`uptime | grep -ohe 'up .*' | sed 's/,/\ hours/g' | awk '{ printf $2" "$3 }'`
processes=`ps aux | wc -l`
ethup=$(ip -4 ad | grep 'state UP' | awk -F ":" '!/^[0-9]*: ?lo/ {print $2}')
ip=$(ip ad show dev $ethup |grep -v inet6 | grep inet|awk '{print $2}')

echo "System information as of: $date"
echo
printf "System load:\t%s\tIP Address:\t%s\n" $load $ip
printf "Memory usage:\t%s\tSystem uptime:\t%s\n" $memory_usage "$time"
printf "Usage on /:\t%s\tSwap usage:\t%s\n" $root_usage $swap_usage
printf "Local Users:\t%s\tProcesses:\t%s\n" $users $processes
echo

[ -f /etc/motd.tail ] && cat /etc/motd.tail || true

(Idea from here.)

Vim

Config

File .vimrc:

# choose theme color
colo desert

# enable syntax highlighting
syntax on

# set mouse
set mouse=a

# you can show line numbers
set number

# show the editing mode on the last line
set showmode

# tell vim to keep a backup file
set backup

# tell vim where to put its backup files but the file must be created
set backupdir=~/.vim_backup/

# tell vim where to put swap files
# set dir=/private/tmp

# i don't use autoindent, but here's how to configure it:
# set autoindent

# highlight matching search strings
# set hlsearch

# make searches case insensitive
# set ignorecase

Plugins

Vim-powerline

sudo dnf install vim-powerline

Tmux

Installation

Tmux is a Terminal Multiplexer. It enables a number of terminals to be created, accessed and controlled from a single screen.

Install with dnfi tmux -y to get version 1.8, but there isn't plugins available... so, see next!

Build Tmux

Source here.

First, install C compiler:

sudo dnf install -y gcc

Build Libevent

Libevent source releases.

wget https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/libevent-2.1.8-stable.tar.gz
tar zxvf libevent-*.tar.gz
cd libevent-2.1.8-stable
mkdir -p $HOME/.local
./configure --prefix="$HOME/.local"
make -j && make install

Build Ncurses

Ncurses source releases.

wget http://ftp.gnu.org/pub/gnu/ncurses/ncurses-6.1.tar.gz
tar zxvf ncurses-6.1.tar.gz
cd ncurses-6.1
./configure --prefix="$HOME/.local"
make -j && make install

Build Tmux

Tmux source releases.

wget https://github.com/tmux/tmux/releases/download/2.8/tmux-2.8.tar.gz
tar zxvf tmux-2.8.tar.gz
cd tmux-2.8
./configure --prefix=$HOME/.local \
 > CPPFLAGS="-I$HOME/.local/include -I$HOME/.local/include/ncurses" \
 > LDFLAGS="-L$HOME/.local/lib"
make -j && make install
export PATH=$HOME/.local/bin:$PATH
export LD_LIBRARY_PATH=/home/mickael/.local/lib 

To make folders persistent:

echo 'export PATH=$HOME/.local/bin:$PATH' >> ~/.zshrc
echo 'export LD_LIBRARY_PATH=$HOME/.local/lib' >> ~/.zshrc

Chech with :

$PATH
env | grep '^LD_LIBRARY_PATH'

Configuration

First param

Edit an other configuration file:

vim ~/.tmux.conf

Here an example of config's file.

And write:

# C-b is not acceptable -- Vim uses it
set-option -g prefix C-a
bind C-a last-window

# windows starts at 1
set -g base-index 1
set -g pane-base-index 1

# display messages for a second
set -g display-time 2500

# List of plugins
#set -g @plugin 'tmux-plugins/tpm'
#set -g @plugin 'tmux-plugins/tmux-sensible'

# Mouse support - set to on if you want to use the mouse
set -g mode-mouse on

# Toggle mouse mode to allow mouse copy/paste
# set mouse on with prefix m
bind m \
set -g mouse on \; \
	display-message "Mouse: ON"
# set mouse off with prefix M
bind M \
set -g mouse off \; \
	display-message "Mouse: OFF"

# bind reload
bind r source-file ~/.tmux.conf

# Use Vi mode
set -g mode-keys vi

# Other examples:
# set -g @plugin 'github_username/plugin_name'
# set -g @plugin 'git@github.com/user/plugin'
# set -g @plugin 'git@bitbucket.com/user/plugin'

# Initialize TMUX plugin manager (keep this line at the very bottom of tmux.conf)
#run -b '~/.tmux/plugins/tpm/tpm'

It gives access to vim keys:

Function	vi		Function	vi
Back to indentation	^		Half page up	C-u
Clear selection	Escape		Next page	C-f
Copy selection	Enter		Next word	w
Cursor down	j		Paste buffer	p
Cursor left	h		Previous page	C-b
Cursor right	l		Previous word	b
Cursor to bottom line	L		Quit mode	q
Cursor to middle line	M		Scroll down	C-Down or J
Cursor to top line	H		Scroll up	C-Up or K
Cursor up	k		Search again	n
Delete entire line	d		Search backward	?
Delete to end of line	D		Search forward	/
End of line	$		Start of line	0
Goto line	:		Start selection	Space
Half page down	C-d

Second param

Edit the tmux.plugin.zsh.

vim ~/.oh-my-zsh/plugins/tmux/tmux.plugin.zsh

Set autostart:

# Automatically start tmux
: ${ZSH_TMUX_AUTOSTART:=true}

Full:

if ! (( $+commands[tmux] )); then
  print "zsh tmux plugin: tmux not found. Please install tmux before using this plugin." >&2
  return 1
fi

# ALIASES

alias ta='tmux attach -t'
alias tad='tmux attach -d -t'
alias ts='tmux new-session -s'
alias tl='tmux list-sessions'
alias tksv='tmux kill-server'
alias tkss='tmux kill-session -t'

# CONFIGURATION VARIABLES
# Automatically start tmux
: ${ZSH_TMUX_AUTOSTART:=true}
# Only autostart once. If set to false, tmux will attempt to
# autostart every time your zsh configs are reloaded.
: ${ZSH_TMUX_AUTOSTART_ONCE:=true}
# Automatically connect to a previous session if it exists
: ${ZSH_TMUX_AUTOCONNECT:=true}
# Automatically close the terminal when tmux exits
#: ${ZSH_TMUX_AUTOQUIT:=$ZSH_TMUX_AUTOSTART}
: ${ZSH_TMUX_AUTOQUIT:=false}
# Set term to screen or screen-256color based on current terminal support
: ${ZSH_TMUX_FIXTERM:=true}
# Set '-CC' option for iTerm2 tmux integration
: ${ZSH_TMUX_ITERM2:=false}
# The TERM to use for non-256 color terminals.
# Tmux states this should be screen, but you may need to change it on
# systems without the proper terminfo
: ${ZSH_TMUX_FIXTERM_WITHOUT_256COLOR:=screen}
# The TERM to use for 256 color terminals.
# Tmux states this should be screen-256color, but you may need to change it on
# systems without the proper terminfo
: ${ZSH_TMUX_FIXTERM_WITH_256COLOR:=screen-256color}
# Set the configuration path
: ${ZSH_TMUX_CONFIG:=$HOME/.tmux.conf}
# Set -u option to support unicode
: ${ZSH_TMUX_UNICODE:=false}

# Determine if the terminal supports 256 colors
if [[ $terminfo[colors] == 256 ]]; then
  export ZSH_TMUX_TERM=$ZSH_TMUX_FIXTERM_WITH_256COLOR
else
  export ZSH_TMUX_TERM=$ZSH_TMUX_FIXTERM_WITHOUT_256COLOR
fi

# Set the correct local config file to use.
if [[ "$ZSH_TMUX_ITERM2" == "false" && -e "$ZSH_TMUX_CONFIG" ]]; then
  export ZSH_TMUX_CONFIG
  export _ZSH_TMUX_FIXED_CONFIG="${0:h:a}/tmux.extra.conf"
else
  export _ZSH_TMUX_FIXED_CONFIG="${0:h:a}/tmux.only.conf"
fi

# Wrapper function for tmux.
function _zsh_tmux_plugin_run() {
  if [[ -n "$@" ]]; then
    command tmux "$@"
    return $?
  fi

  local -a tmux_cmd
  tmux_cmd=(command tmux)
  [[ "$ZSH_TMUX_ITERM2" == "true" ]] && tmux_cmd+=(-CC)
  [[ "$ZSH_TMUX_UNICODE" == "true" ]] && tmux_cmd+=(-u)

  # Try to connect to an existing session.
  [[ "$ZSH_TMUX_AUTOCONNECT" == "true" ]] && $tmux_cmd attach

  # If failed, just run tmux, fixing the TERM variable if requested.
  if [[ $? -ne 0 ]]; then
    if [[ "$ZSH_TMUX_FIXTERM" == "true" ]]; then
      tmux_cmd+=(-f "$_ZSH_TMUX_FIXED_CONFIG")
    elif [[ -e "$ZSH_TMUX_CONFIG" ]]; then
      tmux_cmd+=(-f "$ZSH_TMUX_CONFIG")
    fi
    $tmux_cmd new-session
  fi

  if [[ "$ZSH_TMUX_AUTOQUIT" == "true" ]]; then
    exit
  fi
}

# Use the completions for tmux for our function
compdef _tmux _zsh_tmux_plugin_run
# Alias tmux to our wrapper function.
alias tmux=_zsh_tmux_plugin_run

# Autostart if not already in tmux and enabled.
if [[ -z "$TMUX" && "$ZSH_TMUX_AUTOSTART" == "true" && -z "$INSIDE_EMACS" && -z "$EMACS" && -z "$VIM" ]]; then
  # Actually don't autostart if we already did and multiple autostarts are disabled.
  if [[ "$ZSH_TMUX_AUTOSTART_ONCE" == "false" || "$ZSH_TMUX_AUTOSTARTED" != "true" ]]; then
    export ZSH_TMUX_AUTOSTARTED=true
    _zsh_tmux_plugin_run
  fi
fi

Plugins

• Tpm is a plugin manager:
  • prefix + I to install new plugin.
  • prefix + U to update plugins.
  • prefix + alt u to remove/uninstall plugins not on the plugin list.
• Tmux-resurrect to save & restore session after reboot:
  • prefix + Ctrl s to save.
  • prefix + Ctrl r to restore.
• Tmux-yank to copy to system clipboard (need configuration steps).
• Tmux-copycat enable regex search with prefix + /:
  • prefix + ctrl f : simple file search.
  • prefix + ctrl g : jumping over git status files (best used after git status command).
  • prefix + alt h : jumping over SHA-1/SHA-256 hashes (best used after git log command).
  • prefix + ctrl u : url search (http, ftp and git urls).
  • prefix + ctrl d : number search (mnemonic d, as digit).
  • prefix + alt i : ip address search.
• Themes pack.
  • To unable theme packs like powerline, you need to install powerline fonts on ssh machine as well (here) and change font for a powerline font in the terminal preferencies.

Various app

• Links : Web browser running in both graphics and text mode sudo dnf install -y links.
• Tree : Tree structure for folders sudo dnf install -y tree (tips).

Security

SSH Key authentication

From Nicolas Kovacs from microlinux.fr.

From host machin (it takes a while):

ssh-keygen -t rsa -b 16384
> Generating public/private rsa key pair.
> Enter file in which to save the key (/Users/mickael/.ssh/id_rsa): 
> Enter passphrase (empty for no passphrase): 
> Enter same passphrase again: 
> Your identification has been saved in /Users/mickael/.ssh/id_rsa.
> Your public key has been saved in /Users/mickael/.ssh/id_rsa.pub.
> The key fingerprint is: [...]

Send public key to the distant server:

ssh-copy-id -i .ssh/id_rsa.pub mycentos               
> /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
> /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
> /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
> <username>@mycentos's password: 

> Number of key(s) added:        1

> Now try logging into the machine, with: "ssh 'mycentos'" and check to make sure that only the key(s) you wanted were added.

Connect and check:

ssh mycentos 
> Last login: Tue Apr 28 14:01:03 2020 from 192.168.1.198

cat ~/.ssh/authorized_keys

GPG Keys

Check gpg keys:

gpg --list-keys

Create:

gpg --gen-key

Re-check.

Echanging key:

# For export
gpg --output <name>.gpg --export <UID>

# For ASCII format
gpg --armor --export <UID>

Edit ~/.zshrc and add:

# Fix gpg passphrase
export GPG_TTY=$(tty)

To test:

echo "test" | gpg2 --clearsign

Packages

Packages search for Linux & Unix.

Nmap

Nmap is one of the most popular tools for network mapping. You can discover active hosts within a network, and a wide range of other detection features. Nmap has functions for host discovery, port scanning, OS detection, app versions, and other scripting interactions.

sudo dnf install -y nmap

Others

• Kismet Wireless
• John the Ripper
• THC Hydra
• Metasploit Framework
• OpenVAS

Configuration

• FirewallD sur un serveur LAN by MicroLinux 🇫🇷.
• FirewallD sur un serveur dédié by MicroLinux 🇫🇷.
• Bloquer les attaques par force brute avec Fail2ban sous CentOS 7 by MicroLinux 🇫🇷.

Check

For check open ports and write it in a file:

mkdir tmp
nmap -p 0-65535 portquiz.net > tmp/nmaptest
grep filtered tmp/nmaptest

Git

Config

Git tools - signing your work

git config --global user.email <user@exemple.com>
git config --global user.name <Username>
git config --global user.signingkey = <UID>
git config --global color.ui = always
git config --global color.branch = always
git config --global color.diff = always
git config --global color.interactive = always
git config --global color.status = always
git config --global push.default = simple
git config --global gpg.program = gpg2
git config --global commit.gpgSign = true

To get in .gitconfig:

[user]
        email = <user@exemple.com>
        name = <Username>
        signingkey = <signingkey>
[color]
        ui = always
        branch = always
        diff = always
        interactive = always
        status = always
[push]
        default = simple
[gpg]
        program = gpg2
[commit]
        gpgSign = true

Tips

Zsh

• Official site.
• Find all files in path that contain text : sudo grep -Rnil 'text' path.
• 75 dnf commands, tips & plugins.
• Fonction used for ignore tmux.plugin.zsh:

var="$HOME/.oh-my-zsh" ; find "$var" | while read -r line; do echo "$var/$line"; done >> ~/.gitignore

• Add timestamp to a file:

h >> "~/list-$(date '+%s').txt"

• Test script with ShellCheck.
• Make dir and cd it:

mkdir "<folder>" && cd "$_"

• Or paste following lines in .zshrc and refresh after:

mkcdir ()
{
    mkdir -p -- "$1" &&
	cd -P -- "$1"
}

Dnf

• Dnf doc.
• 25 useful dnf command examples.
• How to install and remove packages with DNF in Fedora.
• Dnf, le gestionnaire de paquets de Fedora 🇫🇷.

Tmux

• Shortcuts & cheatsheet.
• Cheat sheet 1.
• Cheat sheet 2.
• Cheat sheet 3.
• Manual.
• Help : Ctrl b + ? (or Ctrl a + ? in my case).

Git

• Git tutorial.
• Git tutorial from Bitbucket.
• Devenez un expert de git.
• List files not add and not in .ignore file : git ls-files -o --exclude-standard | cut -d/ -f1 | uniq.
• Add user sign key: git config --global user.signingkey <gpg-key-id>.
• Sign a commit : git commit -a -S -m 'commit signé'.

Vim

• Vim The editor original tips.
• Cheat sheet.
• Save sudo without root permission: :w! sudo tee %.
• Delete tips.
• Comment lines 66 to 70: :66,70s/^/#
• To yank all the lines and copy to the clipboard : :% y + or :g g " + y G.
• Clear the last search: :let @/ = "" or noh.
• Search & Replace.
• Vim Tips form Alvin Alexander.

pip

• Upgrade pip: pip install --upgrade pip

Various

• Check if a package if present rpm -qa | grep -i packageName.
• Use history.
• Interactive search : Ctrl r.
• How to install an RPM package into a different directory in CentOS/RHEL/Fedora.
• Special-use IPv4 addresses.
• To know its ip address: host myip.opendns.com resolver1.opendns.com.
• Remove user and every trace.
• Tar command with examples.
• Bash reference manual.
• Command not found.

Various

Sources

• MicroLinux 🇫🇷.
• It-Connect.fr 🇫🇷.
• Pwet/man/linux 🇫🇷.
• IP addresses tools.
• Linux help.
• PhoenixNAP.
• GPG with LinuxPedia.

Go further

• How to set up your own private Git server on Linux.
• RaspberryPi OwnCloud.
• RaspberryPi projetcs.
• Installer un serveur de réseau local & Make a samba server on RHEL 7.
• How to cross-compile

Todo

• Find cross-compiling for nodeJS : 1 2 3.
• To try to install Joplin.
• Find to install on hdd or ssd.

Self host your web meetings with Jitsi and Raspberry Pi

Source: https://peppe8o.com/self-host-your-web-meetings-with-jitsi-and-raspberry-pi/
Author: peppe8o

Self host your web meetings with Jitsi and Raspberry PI

Excerpt

Even if already used with smartphones, video meetings overwhelmingly raised with Covid pandemic. Between solutions discovered in this context, a great open sour

---

Even if already used with smartphones, video meetings overwhelmingly raised with Covid pandemic. Between solutions discovered in this context, a great open source and web application to host your video meetings, Jitsi, can run on Raspberry PI

In this tutorial I’m going to show you how to install a Jitsi meet server in your Raspberry PI computer board.

Beside having an online free service, Jitsi can transform your RPI into a web meeting server able to connect you with your parents and friends both from a web browser as from client applications available from quite all app stores.

Jitsi is a set of open source projects that allows you to easily build and deploy secure video conferencing solutions. At the heart of Jitsi are Jitsi Videobridge and Jitsi Meet, which let you have conferences on the internet, while other projects in the community enable other features such as audio, dial-in, recording, and simulcasting.

Ref.: Jitsi official website, About page

What is interesting in Jitsi is its ease setup of a meeting: you just type the meeting name and share its URL, having your friends directly accessing to your conference.

I have to admit that it took to me a few days to setup a Jitsi server. This because you can install also from a 32-bit system with no errors, but you will get a frustrating and repeating “Unfortunately something went wrong. We are trying to fix this. Reconnecting in xx seconds” error with no apparent reason. The solution was installing a 64-bit OS (also available from Raspberry PI Foundation.

If you want to use your meeting server over the internet, you will need a public IP address. More info can be found in my How to configure No-IP DUC service in your Raspberry PI tutorial. Here you can also learn how to get a free domain to use instead of a simple IP address (in this tutorial I will use “myhomepi.webhop.me” example domain). If you can’t get a public IP, your meeting server will only work inside your local network, using IP address instead of domain name for setup.

Following port forwarding rules will be also required in your router:

• 80/tcp
• 443/tcp
• 10000/udp
• 3478/udp
• 5349/tcp

Raspberry PI OS doesn’t come with an internal firewall, so you don’t need to create ufw access rules. Jitsi docs also list 22/tcp port, but this is for your ssh access and you shouldn’t forward this port to internet.

Final note, Jitsi uses a lot of RAM. Raspberry PI 3 boards hardly will be able to run jitsi, but from Raspberry PI 4 computer models you can get a 4GB RAM (or more) versions able to support your web conferences.

For this tutorial I’m going to use a Raspberry PI 4 Model B (4GB RAM version).

Step-by-Step Procedure

Prepare Operating System

As Jitsi requires computing resources, I suggest to use the Lite version of Raspberry PI OS. This allows a headless and performing OS.

Get your 64-bit RaspiOS image, dowloading it from https://downloads.raspberrypi.org/raspios_lite_arm64/images/ official repository. You can download latest version in “zip” file, as common flashing software can manage these compressed files.

Flash this OS to your SD card with my tutorial to install Raspberry PI OS Lite.

Make your OS up to date. From terminal, use following command:

sudo apt update -y && sudo apt upgrade -y

Create Port Forwarding Rules in your Router

At this stage, you have your Raspberry PI’s local IP address. It’s time to configure port forwarding rules in your router. Ports used are the following:

• 80/tcp
• 443/tcp
• 10000/udp
• 3478/udp
• 5349/tcp

This procedure changes depending on your router brand and model. For example, in my ASUS router I set them into “WAN” -> “Virtual Server / Port Forwarding” menù, adding the following list (where 192.168.1.133 is my local Raspberry PI’s IP address):

Install Jitsi

Install required packages. From terminal:

sudo apt install gnupg2 nginx
 apt-transport-https

We’ll use an internet domain (myhomepi.webhop.me), so we have to make our RPI aware of its external name (If you are going to use a direct IP address, you can skip this part). Remeber to use your domain instead of mine:

sudo hostnamectl set-hostname myhomepi.webhop.me

Also add your domain resolution in your hosts file:

sudo nano /etc/hosts

append a row with your public IP address and domain name, like in following picture (I’ve covered with yellow my public IP):

Add the jitsi repository to your apt sources. This makes Jitsi Meet packages available directly from apt. Please note that following commands will be blaced each one into a single terminal line:

curl https://download.jitsi.org/jitsi-key.gpg.key | sudo sh -c 'gpg --dearmor > /usr/share/keyrings/jitsi-keyring.gpg'

echo 'deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/' | sudo tee /etc/apt/sources.list.d/jitsi-stable.list > /dev/null

Update apt:

sudo apt update

And finally run jitsi installation:

sudo apt install jitsi-meet

This setup will download all software needed and will require only 2 confirmations.

First dialog screen requests hostname where Jitsi will listen. Use your internet domain or your Raspberry PI’s IP address (if you are going to install without a domain name):

The second dialog screen will require if you already own a certificate to expose jitsi from https instead of an insecure http. Use first option, as we’ll install a certbot certificate in very next step:

When installation is finished, use following command to get your https certificate. Remember to answer with a valid email address (when requested) to make it working:

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

Use Jitsi Meet

You are now ready to connect from a client browser (maybe a smartphone or a computer) to your personal Jitsi meet server by using your domain address:

From here you can fill a name for your meeting in text box and click “start meeting button”. This will redirect to a meeting room that you can share with your friends by sending them the resulting room url.

Please note that in Jitsi community there is reported a known issue with Firefox browsers not having remote video/audio. Jitsi staff suggest to use Chrome browser instead.

Enjoy!

Common Issues/Errors

Last section of this tutorial regards some problems I had to fight in these days with Jitsi. Please note that these errors where all solved by using a 64-bit distribution instead of default 32-bit one.

Getting Certificates Failed

With 32-bit OS the install-letsencrypt-cert.sh script will fail with following error:

nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/sites-enabled/myhomepi.webhop.me.conf:1
Cleaning up challenges
nginx restart failed:

This failure can be passed by commenting “server_names_hash_bucket_size 64” in “/etc/nginx/sites-enabled/myhomepi.webhop.me.conf” (change myhomepi.webhop.me with your own domain name) and using classic let’s encrypt installation procedure for Nginx:

sudo apt install certbot python-certbot-nginx
sudo certbot --nginx

“Unfortunately something went wrong” Browser Error

Again, this is caused by 32-bit OS and moving to 64-bit distribution will solve. Some users with older Jitsi versions solved with following steps.

Check that 10000/UDP and 443/TCP port are correctly forwarded in your router.

Edit “sip-communicator.properties” file:

sudo nano /etc/jitsi/videobridge/sip-communicator.properties

Appending following:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=put here your local ip address
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=put here your public ip address

Restart Jitsi services:

sudo systemctl restart prosody.service jicofo.service jitsi-videobridge2.service