Install Whoami

What is Whoami?

Whoami is a web application that simply outputs the request headers that it receives (reflecting them back to the requesting client):

Run this later after you install it:
curl https://whoami.pi.example.com
(stdout)
Name: default
Hostname: 38704012c4b3
IP: 127.0.0.1
IP: ::1
IP: 172.19.0.2
RemoteAddr: 172.19.0.1:34610
GET / HTTP/1.1
Host: whoami.example.com
User-Agent: curl/7.88.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 198.51.100.1
X-Forwarded-Host: whoami.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: docker
X-Real-Ip: 198.51.100.1

This output is useful for end-to-end testing: it verifies that the application can serve requests and that the configuration is correct. Traefik middlewares may also add headers to incoming requests, so whoami is a nice way to verify that those are working too. Finally, the connection test confirms whether the TLS certificate is installed correctly.

Install

Create a new config:

Run this on the Raspberry Pi
pi make whoami config

The first question the config asks is for WHOAMI_TRAEFIK_HOST, which should be the fully qualified domain name that the whoami app will use for its URL:

(stdout)
WHOAMI_TRAEFIK_HOST: Enter the whoami domain name (e.g., whoami.example.com)
: whoami.pi.example.com

Optional authentication can be configured:

(stdout)
? Do you want to enable sentry authorization in front of this app (effectively making the entire site private)?
> No
  Yes, with HTTP Basic Authentication
  Yes, with Oauth2
  Yes, with Mutual TLS (mTLS)

For now, choose No, to disable authentication.

Install whoami:

Run this on the Raspberry Pi
pi make whoami install

Set up temporary DNS override

The whoami service is not public yet; it is currently only accessible from the same local network (LAN). For testing purposes, you need to set a temporary local DNS override in the Raspberry Pi’s /etc/hosts file:

Run this on the Raspberry Pi
echo "127.0.1.1       whoami.pi.example.com" | sudo tee -a /etc/hosts
Tip

Replace whoami.pi.example.com with the same domain name you set for WHOAMI_TRAEFIK_HOST.

Testing whoami

Run this on the Raspberry Pi
pi make whoami open
Tip

The open target uses the xdg-open tool to automatically open your preferred web browser to the given application’s URL. Since you are connected to the Raspberry Pi’s text console over SSH, you are limited to text-mode browsers. w3m will be used in this instance to display the page.

(stdout)
Name: default
Hostname: c3ce89b0fceb
IP: 127.0.0.1
IP: ::1
IP: 172.19.0.2
RemoteAddr: 172.19.0.1:50156
GET / HTTP/1.1
Host: whoami.pi.example.com
User-Agent: w3m/0.5.3+git20230121
Accept: text/html, text/*;q=0.5, image/*, application/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: whoami.pi.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: pi5
X-Real-Ip: 127.0.0.1

≪ ↑ ↓ Viewing[SSL] <>

If you see output like that printed above, you have confirmed that Whoami and Traefik are functioning correctly. The status bar of w3m shows Viewing[SSL], which confirms that TLS is working.

To quit w3m, press q, then y.

Alternatively, test it with curl:

Run this on the Raspberry Pi
curl https://whoami.pi.example.com

If the TLS certificate has not been issued yet, you will get this error from curl (and a similar error in w3m):

(stdout)
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Simply wait a bit longer for the TLS certificate to be issued, or check the logs for errors (d make traefik logs service=traefik). You can also tell curl to ignore the error (-k):

Run this on the Raspberry Pi
## This is insecure, but fine for testing:
curl -k https://whoami.pi.example.com

You can further verify the TLS certificate is issued correctly:

Run this on the Raspberry Pi
pi script tls_debug whoami.pi.example.com
(stdout)
...
issuer=C = US, O = Let's Encrypt, CN = R10
...
  • If the issuer is Let's Encrypt, then the certificate is valid ✅.
  • If the issuer is TRAEFIK DEFAULT CERT, then there is some kind of problem 💥, and you will need to inspect the traefik logs (see next section).
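
The checks in this section can be scripted. The following is an added example, not part of the original page or its tooling: it validates a whoami response and classifies an issuer line such as the one printed above. The function names and sample input are constructed, the port 443 expectation is an assumption taken from the sample output, and the (STAGING) case goes beyond the page to cover the Let's Encrypt staging CA.

```sh
#!/bin/sh
# Added example: offline checks on whoami output and a certificate issuer line.
# Live use (hostname is the page's example):
#   curl -s https://whoami.pi.example.com | check_whoami whoami.pi.example.com

# header_value NAME: print the value of the first "NAME: value" line on stdin.
header_value() {
  awk -v n="$1" 'BEGIN { n = tolower(n) ":" }
    tolower($1) == n { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }'
}

# check_whoami EXPECTED_HOST: read a whoami response on stdin; return 0 only if
# the request reached the app for that host via HTTPS on port 443 (assumed
# Traefik entrypoint, as in the page's sample output).
check_whoami() {
  w_body="$(cat)"; w_rc=0
  w_host="$(printf '%s\n' "$w_body" | header_value Host)"
  w_proto="$(printf '%s\n' "$w_body" | header_value X-Forwarded-Proto)"
  w_port="$(printf '%s\n' "$w_body" | header_value X-Forwarded-Port)"
  [ "$w_host" = "$1" ]     || { echo "FAIL Host: '$w_host' (expected $1)"; w_rc=1; }
  [ "$w_proto" = "https" ] || { echo "FAIL X-Forwarded-Proto: '$w_proto'"; w_rc=1; }
  [ "$w_port" = "443" ]    || { echo "FAIL X-Forwarded-Port: '$w_port'"; w_rc=1; }
  return "$w_rc"
}

# classify_issuer: read an "issuer=..." line on stdin and print a verdict.
classify_issuer() {
  case "$(cat)" in
    *"TRAEFIK DEFAULT CERT"*) echo traefik-default ;;     # no certificate issued
    *"(STAGING)"*)            echo letsencrypt-staging ;; # not publicly trusted
    *"Let's Encrypt"*)        echo letsencrypt ;;
    *)                        echo other ;;
  esac
}

# Constructed sample input, abbreviated from the w3m output shown above.
SAMPLE_OK='Hostname: c3ce89b0fceb
GET / HTTP/1.1
Host: whoami.pi.example.com
X-Forwarded-For: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Proto: https'

if printf '%s\n' "$SAMPLE_OK" | check_whoami whoami.pi.example.com; then
  echo "whoami: OK"
fi
printf '%s\n' "issuer=C = US, O = Let's Encrypt, CN = R10" | classify_issuer
```

A non-zero exit from check_whoami means the request did not arrive through the expected HTTPS route, which is worth checking before enabling any authentication in front of the app.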

View the logs

It may be necessary to inspect the application logs, which you can do as follows:

Run this on the Raspberry Pi
pi make whoami logs

To check the Traefik logs, run a similar command:

Run this on the Raspberry Pi
pi make traefik logs service=traefik

Next steps

  • Set up the sentry Droplet.
  • Configure WireGuard VPN.
  • Set up public SSH.
  • Install core services.
  • Install apps.