troyfontaine

Installing cloud-init on a fresh Raspbian Lite image

This is a work in Progress!

Purpose

This mainly demonstrates my goal of preparing a Raspberry Pi to be provisioned prior to its first boot. To do this I have chosen to use the same cloud-init that is the standard for provisioning servers at Amazon EC2, Microsoft Azure, OpenStack, etc.

I found this to be quite challenging because there is little information available for using cloud-init without a cloud. So, this project also servers as a demonstration for anyone on any version of Linux who may want to install from source, and/or use without a cloud. If you fall into that later group, you probably just want to read the code. It's bash so everything I do, you could also do at the command line. (Even the for loop.)

troyfontaine

Based on the work by wjordan in this comment

The solution is to force the update of RubyGems to side step the issue.

gem update --force --system 2.6.11

Then the error does not occur.

troyfontaine

Overview

You must connect to your Cisco device from another machine using an earlier version of OpenSSH as the reason for this error is:

1. The new version of OpenSSH does not support RSA Host Keys less than 1024 bits in length
2. The switch by default has an RSA Host Key of less than 1024 bits

The solution is as follows:

Step 1. Connect from another device

You can actually get away with (for now) using Bitvise SSH on Windows and enabling the disabled Algorithms, etc. to allow you to connect to the Cisco device.

troyfontaine

Configuring the Unifi Guest Network Secure Hotspot Portal to use SSL

Requirements:

• Unifi Controller v5 running on a Unifi CloudKey (UCK)
• A Unifi USG
• A Unifi Access Point such as the UAP-AC-LR, UAP-AC-Lite, UAP-AC-Pro (UAP)
• Your own valid purchased Domain Name (in order to purchase an SSL Certificate)
• Your own DNS Provider (This can be through your domain registrar or through a third party such as CloudFlare or Hurricane Electric)
• The ability to purchase SSL Certificates (or use Let's Encrypt with DNS Validation)

This document is written for Unifi Controller Software v5. Configuring the Unifi Controller Guest Network, the Hotspot Portal and SSL is actually fairly involved and requires modifying the configuration in several locations-as well as adding the SSL certificate via SSH. So this will consist of several discrete procedures to achieve the end goal.

troyfontaine

Customizing the Unifi Controller v5.6+ Hot Spot Portal

Overview

This document provides some basic guidance on how to customize the Unifi Controller v5.6+ Hot Spot Portal feature. Existing documentation seems to be scarce in this technician's opinion.

This readme is the culmination of some exploration in customizing the portal for business use. Please note, all examples use the installed location of the Unifi v5 Controller software on the Unifi CloudKey.

Unifi Controller v5.10+

Some issues have been encountered after upgrading the Unifi Controller to newer releases specifically with the Hot Spot Portal customizations on Unifi Controller versions greater than 5.10 relating to the use of these instructions. You may not have a choice but to upgrade your included default template to the latest version and re-modify your portal files.

troyfontaine

How to Manually Generate a Certificate using ACMESharp and CloudFlare DNS Integration

Install ACMESharp as per here.

Follow the installation steps from the getting started guide before using the instructions below.

Install Cloudflare Module

Run the following command to install the module:

Install-Module ACMESharp.Providers.CloudFlare

troyfontaine

Ubiquiti USG Advanced Configuration

Overview

Integrated DNS Overview

When using a USG with Ubiquiti's Unifi Controller software (version 5.6 and earlier), the functionality of integrating the hostnames of clients (when they request a DHCP lease) into local DNS does not appear to work as you would find with Consumer grade routers. To work around this limitation, we can add static host mappings to a configuration file that will be provisioned to the USG when either a configuration change is made or we force provisioning to the USG itself.

Non-GUI Supported Dynamic DNS Providers

I've added in the necessary syntax for adding Cloudflare DDNS to the USG for VPN/Services setup courtesy of this post by britannic on the Ubiquiti Forums.

Configuration File

troyfontaine

Cloudflare

DNSSEC with Route 53

"257-KSK" as a "Flag" and "13 - ECDSA Curve P-256 with SHA-256" as an algorithm.

AWS ELBs

troyfontaine

    # Sampling of security headers
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header Referrer-Policy no-referrer-when-downgrade

troyfontaine

How to add an image to a gist

1. Create a gist if you haven't already.
2. Clone your gist:

   # make sure to replace `<hash>` with your gist's hash
   git clone https://gist.github.com/<hash>.git # with https
   git clone git@gist.github.com:<hash>.git     # or with ssh