# Raspberry Pi deployment from scratch

Naflashovanie SD karty s Raspberry Pi OS
```bash
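# Write the Raspberry Pi OS image to the SD card (the card is /dev/mmcblk0 here).
# The image carries its own partition table and filesystems, so writing it to the
# whole device replaces anything a prior fdisk / mkfs.vfat run created — those two
# steps were redundant and have been dropped.
# conv=fsync makes dd flush everything to the card before it exits, so the card
# is safe to remove as soon as the command returns.
dd if=2021-01-11-raspios-buster-armhf-lite.img of=/dev/mmcblk0 status=progress conv=fsync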
```

Inštalácia nástrojov na hlavný uzol
```bash
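# Refresh the package index and bring the base system up to date first.
apt update && apt upgrade

# Everything the main node needs: an editor, the two load balancers (nginx, haproxy),
# the web tier (apache2 + php + mod_security2), the failover daemon (keepalived),
# the DHCP and DNS servers for the isolated LAN, and a traffic monitor (vnstat).
# -y answers apt's confirmation prompt.
# NOTE: the continuation backslash must be the very last character on its line;
# the original had a trailing space after it, which ended the command early and
# left the packages on the following lines uninstalled.
apt install -y vim nginx haproxy \
    php apache2 libapache2-mod-php libapache2-mod-security2 \
    keepalived isc-dhcp-server bind9 vnstat

# Nothing is configured yet, so keep every service off (now and at boot) until
# its configuration file from the sections below is in place.
systemctl disable nginx apache2 haproxy keepalived bind9 isc-dhcp-server
systemctl stop nginx apache2 haproxy keepalived bind9 isc-dhcp-server

# Apache: make sure the prefork MPM is the active one (mod_php runs under it)
# and enable mod_ssl for the *:443 virtual host defined later.
a2enmod mpm_prefork
a2enmod ssl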
```

# Zapojenie siete

<img src="images/topology.png" width="600"/> <img src="images/net.JPG" width="600"/>

# Konfigurácia izolovanej siete s DHCPD

##### /etc/default/isc-dhcp-server
```text
# Serve DHCPv4 on the isolated LAN interface only. No INTERFACESv6 is set, so
# only the IPv4 daemon is expected to start — confirm against the init script.
INTERFACESv4="eth0"

# Locations of the dhcpd configuration and PID file used by the init script.
DHCPDv4_CONF="/etc/dhcp/dhcpd.conf"
DHCPDv4_PID="/var/run/dhcpd.pid"
```

##### /etc/dhcp/dhcpd.conf
```text
# Global lease policy for the isolated LAN.
authoritative;           # this server is the authority for the segment
ddns-update-style none;  # no dynamic DNS updates towards BIND
default-lease-time 600;
max-lease-time 7200;

# Dynamic pool for any client not reserved below. Clients are pointed at the
# BIND9 resolver running on the main node (192.168.0.2).
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.6 192.168.0.20;
    option domain-name-servers 192.168.0.2;
}

# Reservations keyed on MAC address so the web nodes and the laptop always get
# the addresses referenced by the BIND zone and the load-balancer configs.
host RPi3     { hardware ethernet b8:27:eb:56:d1:97; fixed-address 192.168.0.3; }
host RPi2     { hardware ethernet b8:27:eb:cc:95:28; fixed-address 192.168.0.4; }
host ThinkPad { hardware ethernet e8:6a:64:3c:da:8a; fixed-address 192.168.0.5; }
```

#####  /etc/dhcpcd.conf (snippet)
```text
# Main node: fixed address on the isolated LAN, since this node is the DHCP
# server itself. No router or DNS entries are set here, which matches the
# link-only route shown in the `ip route` output further down.
interface eth0
static ip_address=192.168.0.2/24
```

### Pripojenie na zariadenie
```bash
# From the laptop: log in to the main node with the dedicated key pair.
miroslav@ThinkPad: ~ $ ssh -i ~/.ssh/raspberrypi pi@192.168.0.2
```

### Logické zapojenie zariadení - smerovacia tabuľka
```bash
pi@malina:~ $ ip route
    192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.2 metric 202 
pi@raspberrypi:~ $ ip route
    192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.3 metric 202 
pi@RPi2B:~ $ ip route
    192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.4 metric 202 
miroslav@ThinkPad: ~ $ ip route
    192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.5 metric 100 
```

# DNS server BIND9 (na testovanie load balancingu)

##### /etc/bind/named.conf.default-zones
```text
// Authoritative test zone "home" used for the load-balancing comparison;
// its records live in db.home (next listing).
zone "home" { type master; file "/etc/bind/db.home"; };
```

##### /etc/bind/db.home
```text
; Test zone "home": one name server and a multi-address "website" record so
; that DNS round-robin can be compared with the HAProxy / NGINX balancers.
$TTL    86400
; Serial is 1; bump it on every edit (only matters for zone transfers, and
; none are configured here).
@           IN      SOA     ns.home. root.home. ( 1 604800 86400 2419200 86400 )
@           IN      NS      ns.home.
ns          IN      A       192.168.0.2
; "website" resolves to all three web nodes; the order in which the set is
; handed back depends on BIND's rrset-order setting (left at its default).
website     IN      A       192.168.0.2
            IN      A       192.168.0.3
            IN      A       192.168.0.4
```

# Apache - webový server

##### /etc/apache2/apache2.conf
```apacheconf
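# Main Apache configuration for the web nodes.
# NOTE(review): the Debian stock file also contains `Include ports.conf` and
# `IncludeOptional mods-enabled/*.load` / `mods-enabled/*.conf`. If this listing
# is the complete file, no Listen directive exists and the modules enabled with
# a2enmod (ssl, mpm_prefork, security2) are never loaded — confirm against the
# deployed file.
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}

# Connection handling: keep-alive lets the balancers reuse connections; the
# short KeepAliveTimeout frees idle workers quickly.
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# No reverse DNS lookup per request; client addresses are logged as IPs.
HostnameLookups Off

# Announce only "Apache" in the Server header, whatever modules are loaded.
# (Overridden inside the security2 block below when mod_security is present.)
ServerTokens Prod

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

# Filesystem access policy: deny everything by default, then open only the
# document root and /usr/share (Debian default). .htaccess files are ignored
# everywhere (AllowOverride None).
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	# "Indexes" removed: a directory without an index file now answers 403
	# instead of listing its contents to anonymous clients.
	Options FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

# Log format referenced by sites-enabled/000-default.conf: vhost:port, client,
# timestamp with milliseconds and zone, request duration in microseconds (%D),
# request line, status, bytes in/out (%I/%O need mod_logio), referer, UA.
LogFormat "%v:%p %h %l %u %{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t %D \"%r\" %>s  %I %O \"%{Referer}i\" \"%{User-Agent}i\"" extended

ServerName website.home

# mod_status page for local inspection only; not reachable from the LAN.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1
</Location>

<IfModule security2_module>
    SecRuleEngine on
    # SecServerSignature only replaces the banner when ServerTokens is Full;
    # with Min/Prod (as in the original) the custom string was silently
    # ignored. Full is safe here because mod_security overwrites the whole
    # Server header with the string below, so no version is exposed.
    ServerTokens Full
    SecServerSignature "PIB FIIT STU"
</IfModule>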

```

##### /etc/apache2/sites-enabled/000-default.conf
```apacheconf
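# Plain-HTTP site: this is the port the HAProxy / NGINX backends and the DNS
# round-robin test hit. Logs use the "extended" format from apache2.conf.
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log extended
</VirtualHost>

# TLS site for direct access. It now logs to the same files as the :80 site
# (the original vhost had no log directives, so its requests were missing
# from access.log and its errors went to whatever the main server defines).
# The private key must be readable by root only (e.g. chmod 600 key.pem);
# placing it under /etc/apache2 does not protect it by itself.
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log extended
    SSLEngine on
    SSLCertificateFile /etc/apache2/cert.pem
    SSLCertificateKeyFile /etc/apache2/key.pem
</VirtualHost>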
```

# HAProxy load balancer

##### /etc/haproxy/haproxy.cfg
```text
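global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Statistics page. It binds on every interface (*:8404), so it must not ship
# with the stock admin:admin pair — set a real password (placeholder below) or
# narrow the bind address. The iptables rules in this guide do not open 8404,
# so the page is only reachable while those rules are not loaded.
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats hide-version
    stats auth admin:CHANGE_ME_STATS_PASSWORD

# Client entry point. forwardfor adds X-Forwarded-For with the real client
# address; note the Apache LogFormat above logs %h (the proxy's address), so
# it would need %{X-Forwarded-For}i or mod_remoteip to make use of it.
frontend web
    bind *:8080
    option forwardfor
    default_backend webservers

# Round-robin (HAProxy's default balance algorithm) over the three web nodes.
# Every server carries "check" so a node whose Apache is down leaves the
# rotation; the original had no check on server A, so its failure would still
# have received a third of the traffic.
backend webservers
    server A 192.168.0.2:80 check
    server B 192.168.0.3:80 check
    server C 192.168.0.4:80 check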
```

# NGINX load balancer

##### /etc/nginx/nginx.conf
```text
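user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 512;
}

http {
    # Do not advertise the nginx version in Server headers and error pages
    # (same intent as ServerTokens in the Apache config).
    server_tokens off;

    # Per-request upstream metrics: which backend served it, bytes in/out,
    # queue/connect/header/response times and the upstream ETag.
    log_format upstream_format '$remote_addr $time_local "$request" $status '
    '"$upstream_addr" $upstream_bytes_received $upstream_bytes_sent $upstream_queue_time '
    '$upstream_connect_time $upstream_header_time $upstream_response_time $upstream_http_etag';

    access_log /var/log/nginx/upstream.log upstream_format;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    # Talk HTTP/1.1 to the backends instead of the 1.0 default.
    proxy_http_version 1.1;

    # The three web nodes. With no balancing directive nginx uses weighted
    # round-robin; a node that fails once (max_fails default 1) is skipped for
    # fail_timeout (default 10s).
    upstream website {
        server 192.168.0.2:80;
        server 192.168.0.3:80;
        server 192.168.0.4:80;
    }

    server {
        listen 80;
        server_name _;

        location / {
            proxy_pass "http://website/";
            # Pass the original Host and client address on, matching what
            # HAProxy's "option forwardfor" does; without these Apache only
            # ever sees the balancer as the client.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Connection counters for local monitoring only.
        location = /basic_status {
            stub_status;
            allow 127.0.0.1;
            deny all;
        }
    }
}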
```

# Firewall pravidlá

```bash
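# Show list of current rules
iptables -L
iptables -S

# --- Lock the main node down ------------------------------------------------
# Order matters: the ACCEPT rules are appended first so that switching the INPUT
# policy to DROP at the end never cuts off the SSH session used to apply them.
# These rules live only in the kernel and are gone after a reboot unless saved
# (e.g. iptables-save to a file that is restored at boot).

# Loopback: Apache server-status and nginx stub_status are limited to 127.0.0.1
# and would be unreachable without this.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this node opened itself (apt, ssh to the other RPis,
# HAProxy/nginx health checks to the backends). Without this, INPUT DROP
# silently breaks every outbound connection.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Services this node offers on the isolated LAN.
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT     # ssh
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT     # apache http
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT    # apache https
iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT   # haproxy frontend
iptables -A INPUT -i eth0 -p udp --dport 67 -j ACCEPT     # isc-dhcp-server
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT     # bind9
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT     # bind9 (TCP fallback)
# Not opened here: HAProxy stats (tcp/8404) — add a rule if the stats page must
# be reachable from the LAN — and keepalived, which will need VRRP (IP protocol
# 112) allowed once it is configured.

# Default policies: drop everything not accepted above, never forward,
# allow all outbound traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# --- Put back defaults ------------------------------------------------------
# Running this part undoes everything above (open policies, empty chains);
# keep it for experiments, do not run it as part of the same script.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD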
```