I've had a Raspberry Pi mainly sitting in a drawer for a while now. Every now and then I'd dust off the SD card, set up the box with dynamic DNS and play with it as a personal server. It always went back to the drawer when I broke the OS with some crazy experiment.
As an SRE, I spend most of my time thinking about which workflows are the most burdensome for the team and how to automate them to free up time for other important work. But with my RPi it was different: I never versioned the scripts I ran and never thought about creating proper automation for the box.
To avoid giving up on the Pi again, I started my journey differently this time. Every piece of configuration running on the Pi must be replayable, so that I can rebuild it just by burning a fresh OS onto the SD card and running the automation to set it up. This is what I have so far.
Provisioning Raspbian
I started with the Raspbian Buster Lite image and burned it onto the SD card. Make sure you're pointing at the correct disk before running the commands below!
unzip -p 2020-02-13-raspbian-buster-lite.zip | sudo dd of=/dev/disk2 bs=4m
touch /Volumes/boot/ssh # to enable ssh
Ansible automation
Ansible is an excellent tool for automating system configuration. This setup starts with the default user and password.
Initialize
The initialize playbook adds my user and public keys to the RPi and disables password SSH logins.
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook initialize.yaml -i inventories/thspinto
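A playbook of the kind described above, as an added example and not the author's own initialize.yaml from the raspberry-config repo; the admin_user and admin_pubkey_file values and the all host group are assumptions to replace with your own.

```yaml
# Added example, not the post's initialize.yaml. Assumes the inventory lists the Pi under "all".
- name: Bootstrap a freshly burned Raspbian image
  hosts: all
  become: true
  vars:
    admin_user: thspinto                        # assumption: your own login name
    admin_pubkey_file: ~/.ssh/id_ed25519.pub    # assumption: your public key on the control host
  tasks:
    - name: Create the personal admin user
      user:
        name: "{{ admin_user }}"
        groups: sudo
        append: true
        shell: /bin/bash
    - name: Allow that user to sudo without a password (later playbooks rely on become)
      copy:
        dest: "/etc/sudoers.d/010_{{ admin_user }}-nopasswd"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD: ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
    - name: Install only the listed public key for that user (drops any other keys)
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', admin_pubkey_file) }}"
        exclusive: true
    - name: Turn off password and root logins in sshd (config is validated before it is written)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
      notify: Restart sshd
    - name: Lock the default pi account's password so the well-known credentials stop working
      user:
        name: pi
        password_lock: true
  handlers:
    - name: Restart sshd
      service:
        name: ssh
        state: restarted
```

Run it once against the fresh image with the default pi credentials, as the post does; the key is installed and sudo is granted before password logins are switched off, so a failed key step does not lock you out.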
Notice that inventories/thspinto/all.yaml is unreadable. That's because it's encrypted with Ansible Vault. I don't recommend versioning secrets in public repositories for most use cases, even if they are encrypted. In my case, I versioned it because I'll certainly lose the file otherwise. Also, the only sensitive information I have is a token to alter my DNS records. Since there is virtually no traffic to my domain, it's no big deal.
Basic setup
In the second phase, I did a little hardening and added Docker. This is done by the setup playbook:
ansible-galaxy install -r requirements.yml
ansible-playbook --vault-password-file /path/to/my/vault-password-file setup.yaml -i inventories/thspinto
Services
The last playbook spins up the services I want to run using docker-compose. I separated it from the rest because it is changed and deployed frequently.
ansible-playbook --vault-password-file /path/to/my/vault-password-file services.yaml -i inventories/thspinto
Currently I run:
- Cloudflare DDNS to register the Pi's IP under my domain
- Traefik 2.1 as a proxy with Docker service discovery
- ForwardAuth to get OpenID Connect login using Auth0
My Pi
Everything runs fine on a Model B with one 700MHz core and 512MB of RAM. Check out the raspberry-config repo for more details and updates. However, I can't really do much with this hardware, which is why, as a next step, I'm considering buying more RPis and setting up a clustered environment with k3s.