forest is an Acer Aspire V5-123 netbook that I got for free from a great friend and turned into an Alpine server. It is the successor of mountain, and is intended to have just as many services as mountain, but with twice as much processing power, and half the power usage and heat.
Specifications
- Manufacturing date: 2014-04-02
- Acquisition date: 2022-06-09T13:00Z
- Model ID: 12102G50nkk
- CPU: AMD E1-2100 APU at 1 GHz
- RAM: 2GB DDR3, up to 4GB supported
- GPU: ATI Radeon HD 8210
- 11.6" 1366×768 LCD screen
- 500GB SATA HDD
  - Original disk unknown.
  - Current disk: HGST Travelstar Z7K500 (HTS725050B7E630)
- Sanyo AL12B32 4-cell Li-ion battery
  - Now using a random brand new unofficial battery
  - Original battery:
    - Design capacity: 2500 mAh
    - Design minimum voltage: 14.8V
    - Current capacity: 0 mAh
    - Current voltage: ~5V
- Atheros AR8171 Gigabit Ethernet
- Atheros AR9565 WLAN adapter (802.11b/g/n and Bluetooth 4.0)
- 2 USB 2.0 ports, 1 USB 3.0 port
- 1 HDMI port, 1 VGA port
- Chicony Electronics Co. Ltd HD Webcam
- Built-in microphone
- SD card reader
- Maximum power: 40W
Places it went to
It might be a server, but it still might go places for various reasons!
- Grenoble
- Place Victor Hugo
- Tested it on one out of 10 power plugs that were left there, unlocked, available for everyone.
- My desk
- Set it up as my home server
- On a shelf
- Became my home server
- Place Victor Hugo
Services
- My French blog (to be moved from mountain)
- LAN-only CUPS server for a Seiko RP-D10 thermal printer
- LAN-only Samba server for my Windows ThinkPads, for network shares and network printing
- Syncthing device which hosts all of my shares at once for Linux and Android devices
- Wireguard server (to be set up)
Server setup
Those are the notes I was supposed to make for mountain really, but never got around to actually doing.
Base setup
- Run setup-alpine
- Use fr-oss as the keyboard variant
- Set forest as the hostname
- Configure wlan0 and eth0 with DHCP
- Use chrony as the NTP server
- Create a non-root user
- Use openssh as the SSH server
- Use the sda disk as an lvm physical volume and install Alpine on it (select sys)
- Use f to auto-detect the fastest mirror
- Reboot once prompted, disconnect the USB key
- Log in and enable the community repo (doas vi /etc/apk/repositories)
-
doas apk add --update vim figlet htop byobu pciutils zsh doas-sudo-shim curl linux-firmware-amd-ucode tree neofetch git
sudo mkdir /home/lucidiot
sudo chown lucidiot:lucidiot /home/lucidiot
- Edit the /etc/motd with a :r!figlet -f smslant forest
-
# /etc/passwd is only writable by root, so sed needs sudo as well
sudo sed -i /lucidiot/s/ash/zsh/ /etc/passwd
byobu-enable
neofetch # btw i use alpine
SSH
- Edit /etc/ssh/sshd_config
  - Disable PasswordAuthentication
  - Disable PermitRootLogin
  - Disable KbdInteractiveAuthentication
-
sudo rc-service sshd reload
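A check for the three settings above, as an added example that is not part of the original notes: it reads an sshd_config file and reports any of the three directives that is not explicitly set to no. The function name audit_sshd_config and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three sshd_config directives the notes disable.
# Only the global section is read (parsing stops at the first Match block)
# and, as in sshd, the first occurrence of a keyword wins. Include files
# are not followed.

# audit_sshd_config FILE
# Prints one line per directive that is not explicitly "no".
# Returns 0 when all three are disabled, 1 otherwise.
audit_sshd_config() {
    awk '
        BEGIN {
            n = split("passwordauthentication permitrootlogin kbdinteractiveauthentication", want, " ")
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        tolower($1) == "match" { exit }      # conditional overrides start here
        {
            sub(/=/, " ")                    # accept "Keyword=value" as well
            key = tolower($1)
            if (!(key in value)) value[key] = tolower($2)   # first one wins
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in value)) {
                    print k ": not set, sshd default applies"; bad = 1
                } else if (value[k] != "no") {
                    print k ": " value[k]; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample input, not the real file from this server.
sample="$(mktemp)"
cat >"$sample" <<'EOF'
PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
Match User backup
    KbdInteractiveAuthentication no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the effective configuration, Include files included, and is the authoritative check after the reload.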
Syncthing
-
sudo apk add syncthing
sudo rc-service syncthing start
sudo rc-update add syncthing
sudo vim /var/lib/syncthing/.config/syncthing/config.xml
- Set the <address> in the <gui> to the local IP of this machine, 192.168.1.xxx
-
sudo rc-service syncthing restart
- Open the Syncthing GUI at http://<ip address>:8384/
- Open the GUI settings
- Use the Set Folder Defaults and Set Device Defaults to set your defaults. Enable some file versioning to let the server do some sort of backups…
- Under GUI, configure a username and password and enable HTTPS.
- Save, load the https:// version of the site and log in.
- Remove the default share.
- Open Syncthing on other devices, add forest to it, and share anything you want with it.
- Accept all the devices and shares and get sync'd!
MariaDB
- Install and start MariaDB:
sudo apk add mariadb mariadb-client
sudo rc-service mariadb setup
sudo rc-service mariadb start
- Run the setup wizard:
sudo mariadb-secure-installation
- Keep passwordless access for root without UNIX socket so you can do sudo mariadb
- Disallow remote login
- Remove anonymous users and the test database
- Run INSTALL SONAME 'auth_ed25519'; on the database
- Start on boot:
sudo rc-update add mariadb default
PHP
- Install PHP:
sudo apk add php81-fpm
- Edit /etc/php81/php-fpm.d/www.conf:
group = nginx
listen = /run/php-fpm81/php.sock
listen.user = nobody
listen.group = nginx
- Start PHP:
sudo rc-service php-fpm81 start
- Start on boot:
sudo rc-update add php-fpm81 default
Brainshit
-
sudo mkdir -p /var/www/brainshit.fr
- Upload Brainshit source code to /var/www/brainshit.fr/
-
sudo chown -R root:nginx /var/www/brainshit.fr
- Install dependencies:
sudo apk add certbot-nginx php81-mbstring php81-mysqli php81-session
- Edit nginx config:
sudo vim /etc/nginx/http.d/default.conf
- Carry over Let's Encrypt config and certs and DB dump from the previous server:
ssh mountain
sudo tar czf letsencrypt.tar.gz /etc/letsencrypt
sudo mariadb-dump -p brainshit > brainshit.sql
^D
scp mountain:letsencrypt.tar.gz mountain:brainshit.sql forest:
ssh forest
sudo mariadb -e 'CREATE DATABASE brainshit;'
sudo mariadb -p brainshit < brainshit.sql
sudo mariadb -e "CREATE USER brainshit@localhost IDENTIFIED BY '$PASSWORD';"
sudo mariadb -e 'REVOKE ALL PRIVILEGES, GRANT OPTION FROM brainshit@localhost'
sudo mariadb -e 'GRANT SELECT, INSERT, UPDATE, DELETE ON brainshit.* TO brainshit@localhost'
cd /
sudo tar xf ~/letsencrypt.tar.gz
cd ~
rm letsencrypt.tar.gz brainshit.sql
- Edit /var/www/brainshit.fr/config.inc.php to set the database credentials
- Start nginx:
sudo rc-service nginx start
- Start nginx on boot:
sudo rc-update add nginx default
Caddy
Failed attempt at setting up Caddy instead of nginx:
-
sudo apk add caddy
sudo mkdir -p /var/log/caddy
sudo chown caddy:caddy /var/log/caddy
sudo chown -R root:caddy /var/www/brainshit.fr
- Edit /etc/php81/php-fpm.d/www.conf:
group = caddy
listen = /run/php-fpm81/php.sock
listen.user = nobody
listen.group = caddy
- Edit /etc/caddy/Caddyfile
- Start Caddy:
sudo rc-service caddy start
- Start Caddy on boot:
sudo rc-update add caddy default
CUPS
A CUPS server to print on a SII RP-D10 thermal printer, also advertised over SMB.
-
sudo apk add build-base cups cups-filters cups-dev cups-filters-dev libjpeg libpng tiff ghostscript eudev
wget https://www.seiko-instruments.de/fileadmin/user_upload/CUPSFilter_Ver.1.2.0.zip
unzip CUPSFilter_Ver.1.2.0.zip
cd CUPSFilter_Ver.1.2.0
tar xf sii_mlt_cups-1.2.0.tar.gz
cd sii_mlt_cups-1.2.0
sudo mkdir /usr/lib/cups/filter
./configure # ignore the error on stamp-h1
make
sudo make install
sudo apk del cups-dev cups-filters-dev build-base
cd ../..
rm -rf CUPSFilter_Ver.1.2.0
- Edit /etc/cups/cupsd.conf:
  - Add Listen 192.168.1.xxx:631
  - Add Allow All on every location
  - Add AutoPurgeJobs yes
  - Add PreserveJobFiles no
-
sudo addgroup lucidiot lpadmin
sudo rc-service cupsd start
sudo rc-update add cupsd default
- lsusb to find out which is the bus and device of the printer
-
udevadm info -p $(udevadm info -q path -n /dev/bus/usb/<bus>/<device>)
- look for the PRODUCT:
-
echo 'SUBSYSTEM=usb;PRODUCT=619/127/106;.* root:lp 660 */lib/mdev/usbdev' | sudo tee -a /etc/mdev.conf
- plug or unplug+replug the printer
- lpinfo -v to find out the usb:// path
-
lpadmin -p thermal -E -v usb://SII/RP-D10 -P /usr/share/cups/model/sii_rpfg10_80.ppd
lpadmin -p thermal -o PageSize=X72MMY1000MM -o CutTiming=Document -o BlankImage=nonfeed
lpoptions -d thermal
Samba
-
sudo apk add samba-server samba-common-tools acl
- Edit /etc/samba/smb.conf:
  - Set global.workgroup to CYBRECLUSTER
  - Set global.server string to Forest Sector
  - Set global.hosts allow to 192.168.1. 127.
  - Set global.wins support to yes
  - Set global.use sendfile to yes
  - Set global.server min protocol to NT1
  - Set global.ntlm auth to yes
  - Set global.log file to /var/log/samba/log.%m
  - Disable the default [homes] share
  - Set the path for the printer share to /var/spool/samba
  - Add a new share:
[stuff]
comment = Local Stuff
path = /var/lib/samba/stuff
valid users = lucidiot
public = no
writable = yes
printable = no
-
sudo mkdir /var/lib/samba/stuff /var/spool/samba
sudo setfacl -R -m u:lucidiot:rwx /var/lib/samba/stuff /var/spool/samba
sudo smbpasswd -a lucidiot
sudo rc-service samba start
sudo rc-update add samba
Wireguard
TODO
sudo apk add wireguard-tools
iptables
TODO
https://lambdacreate.com/posts/37
msmtp
sudo apk add msmtp
- Edit /etc/msmtprc:
account default
host <SMTP server hostname>
port <SMTP port>
tls on
tls_starttls off
auth on
user <SMTP username>
passwordeval <command to get password>
# less safe alternative
password <plaintext password>
from <From address>
allow_from_override off
syslog on
aliases /etc/msmtp_aliases
-
# both files live in /etc, so write them through sudo tee
echo 'default: <destination address>' | sudo tee /etc/msmtp_aliases
echo 'set sendmail="/usr/bin/msmtp"' | sudo tee /etc/mail.rc
"Monitoring"
- Add the amazing alertwrapper script:
mkdir -p ~/bin
# the quoted 'EOF' keeps $output, $1, $@ and $(mktemp) literal in the script
cat >~/bin/alertwrapper <<'EOF'
#!/bin/sh -e
output="$(mktemp)"
# remove the temporary file on every exit path
trap 'rm -f "$output"' EXIT
# mail the captured output with the given subject, then stop
notify () {
    { echo "Subject: $*"; echo; cat "$output"; } | msmtp lucidiot
    exit 1
}
job_name="$1"
shift
# capture both stdout and stderr of the job in the temporary file
sh -c "$@" >"$output" 2>&1 || notify "Job $job_name failed!"
grep -q '[^[:space:]]' "$output" && notify "Job $job_name returned some output"
EOF
# cron runs the script directly, so it has to be executable
chmod +x ~/bin/alertwrapper
- Set up your crontab with some checks:
*/10 * * * * /home/lucidiot/bin/alertwrapper cpu_over_80C 'test $(</sys/class/thermal/thermal_zone0/temp) -le 80000'
42 * * * * /home/lucidiot/bin/alertwrapper curl_brainshit 'curl -s --fail https://brainshit.fr | grep -qi rss'
40 * * * * /home/lucidiot/bin/alertwrapper openrc 'rc-status -f ini | grep -v -e '"'"'^\['"'"' -e '"'"'=\s*started'"'"' || true'
SMART
sudo apk add smartmontools
sudo rc-service smartd start
sudo rc-update add smartd
sudo smartctl -a /dev/sda | less
TODO