forest

forest is an Acer Aspire V5-123 netbook that I got for free from a great friend and turned into an Alpine Linux server. It is the successor of mountain and is intended to host just as many services as mountain, with twice the processing power and half the power usage and heat.

Specifications

  • Manufacturing date: 2014-04-02
  • Acquisition date: 2022-06-09T13:00Z
  • Model ID: 12102G50nkk
  • CPU: AMD E1-2100 APU at 1 GHz
  • RAM: 2GB DDR3, up to 4GB supported
  • GPU: ATI Radeon HD 8210
  • 11.6" 1366×768 LCD screen
  • 500GB SATA HDD
    • Original disk unknown.
    • Current disk: HGST Travelstar Z7K500 (HTS725050B7E630)
  • Sanyo AL12B32 4-cell Li-ion battery
    • Now using a random brand new unofficial battery
    • Original battery:
      • Design capacity: 2500 mAh
      • Design minimum voltage: 14.8V
      • Current capacity: 0 mAh
      • Current voltage: ~5V
  • Atheros AR8171 Gigabit Ethernet
  • Atheros AR9565 WLAN adapter (802.11b/g/n and Bluetooth 4.0)
  • 2 USB 2.0 ports, 1 USB 3.0 port
  • 1 HDMI port, 1 VGA port
  • Chicony Electronics Co. Ltd HD Webcam
  • Built-in microphone
  • SD card reader
  • Maximum power: 40W

Places it went to

It might be a server, but it still might go places for various reasons!

  • Grenoble
    • Place Victor Hugo
      • Tested it on one out of 10 power plugs that were left there, unlocked, available for everyone.
    • My desk
      • Set it up as my home server
    • On a shelf
      • Became my home server

Services

  • My French blog (to be moved from mountain)
  • LAN-only CUPS server for a Seiko RP-D10 thermal printer
  • LAN-only Samba server for my Windows ThinkPads, for network shares and network printing
  • Syncthing device which hosts all of my shares at once for Linux and Android devices
  • Wireguard server (to be set up)

Server setup

These are the notes I was supposed to write for mountain really, but never got around to actually doing.

Base setup

  • Run setup-alpine
  • Use fr-oss as the keyboard variant
  • Set forest as the hostname
  • Configure wlan0 and eth0 with DHCP
  • Use chrony as the NTP server
  • Create a non-root user
  • Use openssh as the SSH server
  • Use the sda disk as an lvm physical volume and install Alpine on it (select sys)
  • Use f to auto-detect the fastest mirror
  • Reboot once prompted, disconnect the USB key
  • Log in and enable the community repo (doas vi /etc/apk/repositories)
  • doas apk add --update vim figlet htop byobu pciutils zsh doas-sudo-shim curl linux-firmware-amd-ucode tree neofetch git
    sudo mkdir /home/lucidiot
    sudo chown lucidiot:lucidiot /home/lucidiot
    
  • Edit /etc/motd in vim and insert a banner with :r!figlet -f smslant forest
  • sudo sed -i '/^lucidiot:/s#/bin/ash$#/bin/zsh#' /etc/passwd  # switch the login shell to zsh (needs root, hence sudo)
    byobu-enable
    neofetch # btw i use alpine
    

SSH

  • Edit /etc/ssh/sshd_config
    • Disable PasswordAuthentication
    • Disable PermitRootLogin
    • Disable KbdInteractiveAuthentication
  • sudo rc-service sshd reload
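
As an added check (not part of the original notes), this POSIX sh snippet reads the effective global value of each of the three keywords above from an sshd_config and reports any that is not `no`; the two sample configs are constructed here, and `sshd_effective` and `check_sshd_hardening` are names chosen for this example. Match blocks can override these keywords per user or address and are deliberately not evaluated; `sshd -T -C user=...,addr=...` on the server shows the full picture.

```shell
# Added example: verify the three sshd_config settings from the notes above.
# sshd uses the FIRST occurrence of a keyword (later duplicates are ignored), and
# only the part before any "Match" block is global, so that is what we read.

# Print the global value of keyword $2 (case-insensitive) from config file $1.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
    tolower($1) == "match"      { exit }   # anything after Match is conditional
    tolower($1) == key          { print $2; exit }
  ' "$1"
}

# Return 0 if PasswordAuthentication, PermitRootLogin and
# KbdInteractiveAuthentication are all explicitly "no"; otherwise print the
# offenders and return 1. Unset counts as a failure: sshd's defaults are
# "yes", "prohibit-password" and "yes" respectively.
check_sshd_hardening() {
  rc=0
  for key in PasswordAuthentication PermitRootLogin KbdInteractiveAuthentication; do
    val=$(sshd_effective "$1" "$key")
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
      no) ;;
      *) echo "$key is '${val:-unset}' (want: no)"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample configs: one stock-looking, one hardened per the notes.
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat >"$weak_cfg" <<'EOF'
#PermitRootLogin prohibit-password
Port 22
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat >"$hard_cfg" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
Match Address 192.168.1.0/24
    AllowTcpForwarding yes
EOF

for cfg in "$weak_cfg" "$hard_cfg"; do
  if check_sshd_hardening "$cfg"; then echo "$cfg: hardened"; else echo "$cfg: NOT hardened"; fi
done
```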

Syncthing

  • sudo apk add syncthing
    sudo rc-service syncthing start
    sudo rc-update add syncthing
    sudo vim /var/lib/syncthing/.config/syncthing/config.xml
    
  • Set the <address> inside <gui> to the local IP of this machine, keeping the port (192.168.1.xxx:8384)

  • sudo rc-service syncthing restart

  • Open the Syncthing GUI at http://<ip address>:8384/

  • Open the GUI settings

  • Use the Set Folder Defaults and Set Device Defaults to set your defaults.
    Enable some file versioning to let the server do some sort of backups…

  • Under GUI, configure a username and password and enable HTTPS.

  • Save, load the https:// version of the site and login.

  • Remove the default share.

  • Open Syncthing on other devices, add forest to it, and share anything you want with it.

  • Accept all the devices and shares and get sync'd!

MariaDB

  • Install and start MariaDB:

    sudo apk add mariadb mariadb-client
    sudo rc-service mariadb setup
    sudo rc-service mariadb start
    
  • Run the setup wizard: sudo mariadb-secure-installation

  • Keep passwordless access for root (do not switch to unix_socket authentication) so you can do sudo mariadb

  • Disallow remote login

  • Remove anonymous users and the test database

  • Run INSTALL SONAME 'auth_ed25519'; on the database

  • Start on boot: sudo rc-update add mariadb default

PHP

  • Install PHP: sudo apk add php81-fpm

  • Edit /etc/php81/php-fpm.d/www.conf:

    group = nginx
    listen = /run/php-fpm81/php.sock
    listen.user = nobody
    listen.group = nginx
    
  • Start PHP: sudo rc-service php-fpm81 start

  • Start on boot: sudo rc-update add php-fpm81 default

Brainshit

  • sudo mkdir -p /var/www/brainshit.fr

  • Upload Brainshit source code to /var/www/brainshit.fr/

  • sudo chown -R root:nginx /var/www/brainshit.fr

  • Install dependencies: sudo apk add certbot-nginx php81-mbstring php81-mysqli php81-session

  • Edit nginx config: sudo vim /etc/nginx/http.d/default.conf

  • Carry over Let's Encrypt config and certs and DB dump from the previous server:

    ssh mountain
    sudo tar czf letsencrypt.tar.gz /etc/letsencrypt
    sudo mariadb-dump -p brainshit > brainshit.sql
    ^D
    
    scp mountain:letsencrypt.tar.gz mountain:brainshit.sql forest:
    
    ssh forest
    sudo mariadb -e 'CREATE DATABASE brainshit;'
    sudo mariadb -p brainshit < brainshit.sql
    sudo mariadb -e "CREATE USER brainshit@localhost IDENTIFIED BY '$PASSWORD';"
    sudo mariadb -e 'REVOKE ALL PRIVILEGES, GRANT OPTION FROM brainshit@localhost'
    sudo mariadb -e 'GRANT SELECT, INSERT, UPDATE, DELETE ON brainshit.* TO brainshit@localhost'
    cd /
    sudo tar xf ~/letsencrypt.tar.gz
    cd ~
    rm letsencrypt.tar.gz brainshit.sql
    
  • Edit /var/www/brainshit.fr/config.inc.php to set the database credentials

  • Start nginx: sudo rc-service nginx start

  • Start nginx on boot: sudo rc-update add nginx default

Caddy

Failed attempt at setting up Caddy instead of nginx:

  • sudo apk add caddy
    sudo mkdir -p /var/log/caddy
    sudo chown caddy:caddy /var/log/caddy
    sudo chown -R root:caddy /var/www/brainshit.fr
    
  • Edit /etc/php81/php-fpm.d/www.conf:

    group = caddy
    listen = /run/php-fpm81/php.sock
    listen.user = nobody
    listen.group = caddy
    
  • Edit /etc/caddy/Caddyfile

  • Start Caddy: sudo rc-service caddy start

  • Start Caddy on boot: sudo rc-update add caddy default

CUPS

A CUPS server to print on a SII RP-D10 thermal printer, also advertised over SMB.

  • sudo apk add build-base cups cups-filters cups-dev cups-filters-dev libjpeg libpng tiff ghostscript eudev
    wget https://www.seiko-instruments.de/fileadmin/user_upload/CUPSFilter_Ver.1.2.0.zip
    unzip CUPSFilter_Ver.1.2.0.zip
    cd CUPSFilter_Ver.1.2.0
    tar xf sii_mlt_cups-1.2.0.tar.gz
    cd sii_mlt_cups-1.2.0
    sudo mkdir -p /usr/lib/cups/filter
    ./configure # ignore the error on stamp-h1
    make
    sudo make install
    sudo apk del cups-dev cups-filters-dev build-base
    cd ../..
    rm -rf CUPSFilter_Ver.1.2.0
    
  • Edit /etc/cups/cupsd.conf:

    • Add Listen 192.168.1.xxx:631
    • Add Allow All on every location
    • Add AutoPurgeJobs yes
    • Add PreserveJobFiles no
  • sudo addgroup lucidiot lpadmin
    sudo rc-service cupsd start
    sudo rc-update add cupsd default
    
  • lsusb to find out which is the bus and device of the printer

  • udevadm info -p $(udevadm info -q path -n /dev/bus/usb/<bus>/<device>)

  • Look for the PRODUCT= line in the output:

  • echo 'SUBSYSTEM=usb;PRODUCT=619/127/106;.* root:lp 660 */lib/mdev/usbdev' | sudo tee -a /etc/mdev.conf

  • Plug in the printer, or unplug and replug it

  • lpinfo -v to find out the usb:// path

  • lpadmin -p thermal -E -v usb://SII/RP-D10 -P /usr/share/cups/model/sii_rpfg10_80.ppd
    lpadmin -p thermal -o PageSize=X72MMY1000MM -o CutTiming=Document -o BlankImage=nonfeed
    lpoptions -d thermal
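
An added helper (not from the original notes) that turns the PRODUCT= line of the udevadm output into the mdev.conf rule used above, and cross-checks it against the vendor:product ID that lsusb prints; the udevadm output is a constructed sample and the function names are this example's own.

```shell
# Added example: build the mdev.conf rule for the printer from udevadm output.
# udev reports PRODUCT=<vendor>/<product>/<bcdDevice> in hex without leading
# zeros, while lsusb shows "ID vvvv:pppp" zero-padded, so the two are
# reconciled before the rule is emitted. The rule hands the device node to
# root:lp with mode 660, so only root and members of group lp (not every
# local user) can open the printer, and still runs Alpine's stock usbdev hook.

# Constructed sample of `udevadm info -p ...` output for the SII RP-D10.
UDEV_SAMPLE='P: /devices/pci0000:00/0000:00:10.0/usb3/3-2
E: DEVNAME=/dev/bus/usb/003/005
E: PRODUCT=619/127/106
E: SUBSYSTEM=usb
E: TYPE=0/0/0'

# Print the PRODUCT value (vid/pid/bcd) from udevadm output read on stdin.
udev_product() {
  sed -n 's/^E: PRODUCT=//p' | head -n 1
}

# Left-pad a hex field with zeros to 4 digits (no arithmetic, so it behaves
# the same under busybox ash, dash and bash).
pad4() {
  v=$1
  while [ ${#v} -lt 4 ]; do v=0$v; done
  printf '%s' "$v"
}

# Convert "619/127/106" to the "0619:0127" form lsusb prints.
product_to_lsusb_id() {
  vid=${1%%/*}; rest=${1#*/}; pid=${rest%%/*}
  printf '%s:%s\n' "$(pad4 "$vid")" "$(pad4 "$pid")"
}

# Emit the mdev.conf line: USB subsystem, this PRODUCT, any node name,
# owner root:lp, mode 660, then the stock hook. "." in the value is a regex
# wildcard too, which is harmless here; "/" is not special in the regex.
mdev_rule() {
  printf 'SUBSYSTEM=usb;PRODUCT=%s;.* root:lp 660 */lib/mdev/usbdev\n' "$1"
}

product=$(printf '%s\n' "$UDEV_SAMPLE" | udev_product)
echo "lsusb should list this printer as ID $(product_to_lsusb_id "$product")"
echo "line to append with: sudo tee -a /etc/mdev.conf"
mdev_rule "$product"
```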
    

Samba

  • sudo apk add samba-server samba-common-tools acl
    
  • Edit /etc/samba/smb.conf:

    • Set global.workgroup to CYBRECLUSTER

    • Set global.server string to Forest Sector

    • Set global.hosts allow to 192.168.1. 127.

    • Set global.wins support to yes

    • Set global.use sendfile to yes

    • Set global.server min protocol to NT1

    • Set global.ntlm auth to yes

    • Set global.log file to /var/log/samba/log.%m

    • Disable the default [homes] share

    • Set the path for the printer share to /var/spool/samba

    • Add a new share:

      [stuff]
          comment = Local Stuff
          path = /var/lib/samba/stuff
          valid users = lucidiot
          public = no
          writable = yes
          printable = no
      
    sudo mkdir /var/lib/samba/stuff /var/spool/samba
    sudo setfacl -R -m u:lucidiot:rwx /var/lib/samba/stuff /var/spool/samba
    sudo smbpasswd -a lucidiot
    sudo rc-service samba start
    sudo rc-update add samba

Wireguard

TODO

sudo apk add wireguard-tools

iptables

TODO

https://lambdacreate.com/posts/37

msmtp

  • sudo apk add msmtp
  • Edit /etc/msmtprc:
    account default
    host <SMTP server hostname>
    port <SMTP port>
    tls on
    tls_starttls off
    auth on
    user <SMTP username>
    passwordeval <command to get password>
    # less safe alternative
    password <plaintext password>
    from <From address>
    allow_from_override off
    syslog on
    aliases /etc/msmtp_aliases
    
  • echo 'default: <destination address>' | sudo tee /etc/msmtp_aliases
    echo 'set sendmail="/usr/bin/msmtp"' | sudo tee /etc/mail.rc
    

"Monitoring"

  • Add the amazing alertwrapper script:

    mkdir -p ~/bin
    cat >~/bin/alertwrapper <<'EOF'
    #!/bin/sh -e
    # Usage: alertwrapper JOB_NAME 'shell command'
    # Runs the command and mails its output to lucidiot if it fails or prints anything.
    output="$(mktemp)"
    trap 'rm -f "$output"' EXIT
    
    notify () {
      { echo "Subject: $*"; echo; cat "$output"; } | msmtp lucidiot
      exit 1
    }
    
    job_name="$1"
    shift
    
    # Redirect stdout to the file first, then stderr into it, so both are captured
    sh -c "$@" >"$output" 2>&1 || notify "Job $job_name failed!"
    # Any non-whitespace output is worth a mail too
    if grep -q '[^[:space:]]' "$output"; then notify "Job $job_name returned some output"; fi
    EOF
    chmod +x ~/bin/alertwrapper
    
  • Set up your crontab with some checks:

    # temperature is reported in millidegrees; $(<file) is a bashism that ash does not support, so use cat
    */10 * * * * /home/lucidiot/bin/alertwrapper cpu_over_80C 'test $(cat /sys/class/thermal/thermal_zone0/temp) -le 80000'
    42 * * * * /home/lucidiot/bin/alertwrapper curl_brainshit 'curl -s --fail https://brainshit.fr | grep -qi rss'
    # any service line that is not "= started" is printed and therefore mailed
    40 * * * * /home/lucidiot/bin/alertwrapper openrc 'rc-status -f ini | grep -v -e '"'"'^\['"'"' -e '"'"'=[[:space:]]*started'"'"' || true'
    

SMART

sudo apk add smartmontools
sudo rc-service smartd start
sudo rc-update add smartd
sudo smartctl -a /dev/sda | less

TODO