- Use security best practices
- Maximise ease of deployment, reliability and performance
- Sustainability
- Connect an NVMe SSD and NVMe USB adapter, or a MicroSD card
- Install Raspberry Pi Imager from https://www.raspberrypi.com/software/
- CHOOSE OS > Other general-purpose OS > Ubuntu > Ubuntu Server 24.04.2 LTS (64-bit)
# Install any pending Raspberry Pi bootloader/EEPROM update (-a = automatic mode, no prompt).
rpi-eeprom-update -a
# Network-stack tuning for a busy HTTP mirror, written as a sysctl.d drop-in:
#   default_qdisc=fq_codel            - fair queueing with CoDel AQM
#   tcp_congestion_control=bbr        - BBR congestion control
#   tcp_slow_start_after_idle=0       - keep the congestion window across idle
#                                       gaps on persistent connections
#   tcp_ecn=1                         - negotiate ECN on outgoing as well as
#                                       incoming connections
# printf with single-quoted lines: nothing here is meant to be expanded by
# the shell, and the file content is identical to the heredoc form.
printf '%s\n' \
  'net.core.default_qdisc=fq_codel' \
  'net.ipv4.tcp_congestion_control=bbr' \
  'net.ipv4.tcp_slow_start_after_idle=0' \
  'net.ipv4.tcp_ecn=1' \
  > /etc/sysctl.d/90-local.conf
Disable the wireless interfaces (security) and the GPU (performance) by adjusting /boot/firmware/config.txt:
# dtparam=audio=on
# dtoverlay=vc4-kms-v3d
dtoverlay=disable-bt-pi5
dtoverlay=disable-wifi-pi5
dtparam=pciex1_gen=3
dtparam=cooling_fan=on
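# Remove services and packages a headless mirror does not need: smaller attack
# surface, fewer packages to keep patched. Kept as an array so the list is easy
# to audit and edit; the duplicates from the original one-liner (rsyslog,
# modemmanager, wpasupplicant) are collapsed. The quoted "gnome*"/"fonts*"/
# "ttf*" entries are apt patterns, not shell globs.
# NOTE(review): fwupdmgr is the CLI binary shipped by the fwupd package, not a
# package name itself - confirm whether "fwupd" was meant.
purge_pkgs=(
  wpasupplicant triggerhappy modemmanager rtkit avahi-daemon cups
  pi-bluetooth pi-greeter "gnome*" rsyslog alsa-utils rng-tools udisks2
  policykit-1 lightdm xserver-xorg-core "fonts*" "ttf*" sosreport shellcheck
  open-vm-tools open-iscsi multipath-tools motd-news-config mdadm
  lxd-installer lxd-agent-loader lvm2 landscape-common git
  fonts-ubuntu-console cloud-initramfs-dyn-netconf cloud-initramfs-copymods
  pollinate rpi-imager snapd fwupdmgr
)
apt purge --auto-remove "${purge_pkgs[@]}"
# debsums: verify installed files against the package checksums (used by the
# "debsums -cx" check below); deborphan: find libraries nothing depends on.
apt install debsums deborphan
# xargs -r: if deborphan reports nothing, do not run "apt purge --auto-remove"
# with an empty argument list.
deborphan --guess-all --ignore-suggests --ignore-recommends | xargs -r apt purge --auto-remove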
Add to /etc/environment:
TM=1800
Add to /etc/systemd/system.conf:
RuntimeWatchdogSec=15
RebootWatchdogSec=2min
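# Unattended updates with a nightly reboot window.
# The heredoc delimiter is quoted: ${distro_id} and ${distro_codename} are
# placeholders that unattended-upgrades expands itself. With the unquoted
# "<<EOF" the shell expanded them first - to empty strings (or an error under
# set -u) - so every Allowed-Origins entry degraded to ":" / ":-security" and
# no origin matched, i.e. nothing was ever upgraded automatically.
cat > /etc/apt/apt.conf.d/90local <<'EOF'
# Acquire::http::Proxy "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
// -backports is not installed by default by apt; listing it here lets
// unattended-upgrades install newer package versions unprompted. Remove the
// line if only stable/security updates are wanted.
"${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::MinimalSteps "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Reboot automatically when an upgrade requires it, even with users logged in.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF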
# Second EEPROM update pass (same as above); a no-op if nothing is pending.
rpi-eeprom-update -a
Verify the configuration (watchdog active, no package checksum corruption):
# systemctl status apt-daily.timer apt-daily-upgrade.timer
# debsums -cx
# wdctl
Verify behaviour under load:
# stress-ng --verify --thermalstat 10 --timeout 48h --memthrash -1 --timestamp
Configure as an Ubuntu mirror server:
# apt install nvme-cli f2fs-tools nginx ubumirror
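# IPv4 host firewall for the mirror, in iptables-restore format.
# NOTE(review): /etc/iptables/rules.v4 is only loaded at boot by
# iptables-persistent / netfilter-persistent, which is not in the install line
# above - confirm it is installed, otherwise these rules never apply.
# NOTE(review): no rules.v6 is shown; if IPv6 is enabled on the host the
# ip6tables INPUT policy stays ACCEPT (SSH reachable from anywhere over v6).
# Add an equivalent ip6tables ruleset or disable IPv6.
# Changes from the original file:
#   - the "# UPDATE AS NEEDED" remark is on its own line: iptables-restore only
#     accepts comments at the start of a line, an inline one makes the whole
#     restore fail;
#   - "-i lo -j ACCEPT" moved to the top so loopback traffic is never counted
#     against the per-source rate limit or dropped by it;
#   - chain counters zeroed (they are copied from a running host and are
#     ignored by iptables-restore without -c anyway).
cat > /etc/iptables/rules.v4 <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# CS1 (DSCP 8): mark served mirror traffic as low-priority background.
# Only port 80 is marked; 443 is accepted below but not marked - use
# "-m multiport --sports 80,443" here if HTTPS is actually served.
-A OUTPUT -p tcp --sport 80 -j DSCP --set-dscp 8
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services must not be subject to the rate limit below
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# per-source limit on packets not yet part of an established flow:
# sustained 3/s with a burst of 40; idle entries expire after 30 s (30000 ms)
-A INPUT -m hashlimit --hashlimit-name ratelimit --hashlimit-mode srcip --hashlimit-above 3/second --hashlimit-burst 40 --hashlimit-htable-expire 30000 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# SSH only from the admin address; 1.2.3.4 is a placeholder - UPDATE AS NEEDED
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF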