
Merge branch 'misc_updates' of kemonine/docs into master

This commit is contained in:
KemoNine 2019-04-11 23:49:33 +00:00 committed by Gitea
commit 639936c45a
9 changed files with 409 additions and 70 deletions

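--- a/advanced/firejail.md
+++ b/advanced/firejail.md
@@ -0,0 +1,24 @@
+# firejail
+Isolation of commands / services
+## Install
+``` bash
+mkdir /opt/firejail
+cd /opt/firejail
+apt install git build-essential jq
+git clone https://github.com/netblue30/firejail.git .
+git checkout 0.9.58.2
+./configure && make && make install-strip
+```
+## Run
+``` bash
+/usr/local/bin/firejail --noprofile --netns=protected-%i bash
+```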
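Review bot: The `--netns=protected-%i` argument on the last line of the Run section uses a systemd instance specifier in a command meant to be typed into an interactive shell, where `%i` is literal, so firejail would look for a namespace named `protected-%i` rather than the one the openvpn instance unit creates. Substituting the instance name, e.g. `/usr/local/bin/firejail --noprofile --netns=protected-toronto bash`, or writing `--netns=protected-<instance>` with a sentence explaining the substitution, would make the example runnable. It is also worth stating in the Run section that `--noprofile` skips the profile-based restrictions, so as written the only confinement is the network namespace; readers who want more than traffic isolation should drop the flag or pass a profile explicitly.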


@ -0,0 +1,89 @@
# namespaced-openvpn setup
Network namespace isolated VPN
## Install
``` bash
cd /opt
git clone https://github.com/slingamn/namespaced-openvpn.git
cd namespaced-openvpn
make install
/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth_pia.txt
ip netns list
ip netns exec protected links http://ifconfig.co
```
## namespaced-openvpn systemd services
``` bash
cat > /etc/systemd/system/namespaced-openvpn.service <<EOF
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.
[Unit]
Description=OpenVPN service in netns
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/namespaced-openvpn@.service <<EOF
[Unit]
Description=OpenVPN connection to %i in netns=protected-%i
PartOf=namespaced-openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
[Service]
PrivateTmp=true
KillMode=mixed
Type=simple
Restart=always
ExecStart=/usr/local/sbin/namespaced-openvpn --config %i.conf --namespace protected-%i
PIDFile=/run/namespaced-openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
# Likely need CAP_SYS_ADMIN -- disable bounding for now
#ProtectSystem=yes
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
#LimitNPROC=10
#DeviceAllow=/dev/null rw
#DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable namespaced-openvpn@toronto
systemctl restart namespaced-openvpn@toronto
journalctl -fu namespaced-openvpn@toronto
ip netns list # Should see protected-toronto
```
## Service bridging
``` bash
/usr/bin/socat tcp-listen:8000,fork,reuseaddr \
exec:'ip netns exec protected-%i socat STDIO tcp-connect\:127.0.0.1\:8000',nofork
```
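Review bot: `ExecReload=/bin/kill -HUP $MAINPID` in the instance unit is written through an unquoted heredoc (`cat > /etc/systemd/system/namespaced-openvpn@.service <<EOF`), so the shell expands `$MAINPID` to an empty string before the file is written and the installed unit ends up with a reload command that has no PID. Quoting the delimiter, `cat > /etc/systemd/system/namespaced-openvpn@.service <<'EOF'`, or escaping it as `\$MAINPID`, keeps the literal specifier; the first unit contains no `$` and is unaffected. `ReloadPropagatedFrom=openvpn.service` looks like it was meant to reference the `namespaced-openvpn.service` defined just above, given the `PartOf=` line, but that is an inference from the surrounding unit names. The socat bridging example at the end also contains a literal `%i`, which systemd only substitutes inside a unit file; on a command line the namespace name (e.g. `protected-toronto`, matching the `systemctl enable` line) must be spelled out.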

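--- a/advanced/var_log_move.md
+++ b/advanced/var_log_move.md
@@ -0,0 +1,26 @@
+# Move ```/var/log```
+You can disable logging to ram by setting `ENABLED=false´ in `/etc/default/armbian-ramlog´.
+``` bash
+systemctl stop rsyslog.service
+systemctl stop syslog.socket
+lsof /var/log # (make sure it's empty)
+systemctl stop log2ram
+systemctl disable log2ram
+systemctl stop armbian-ramlog.service
+systemctl disable armbian-ramlog.service
+systemctl stop armbian-zram-config.service
+systemctl disable armbian-zram-config.service
+nano -w /etc/default/armbian-ramlog
+# Disable
+nano -w /etc/default/armbian-zram-config
+# Disable if *not* using swap in ram
+mv /var/log /var/oldlog
+mkdir /var/log
+rsync -aPr /var/oldlog/ /var/log/
+systemctl reboot
+```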
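Review bot: The inline code spans on the second line open with a backtick but close with an acute accent (`´`), so `ENABLED=false` and `/etc/default/armbian-ramlog` will not render as code; both closing characters should be backticks. The `lsof /var/log` line is the only guard before `mv /var/log /var/oldlog`, and its comment only says to make sure it is empty; a sentence telling the reader not to continue until `lsof` reports no open files, stopping whatever it lists first, would make the procedure safer to follow verbatim.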

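--- a/advanced/zfs.md
+++ b/advanced/zfs.md
@@ -0,0 +1,107 @@
+# ZFS
+How to setup zfs on 64 bit arm boards.
+*Note: this is wholly untested and likely to be broken on 32 bit arm boards*
+## Initial Install / Setup
+``` bash
+apt-add-repository universe
+apt install zfs-dkms spl-dkms zfsutils-linux
+cat > /etc/modprobe.d/zfs.conf <<EOF
+# Minimize RAM pain
+#options zfs zfs_arc_max=268435456 zfs_arc_meta_limit=201326592
+options zfs zfs_arc_max=134217728 zfs_arc_meta_limit=67108864
+#options zfs zfs_arc_max=100663296 zfs_arc_meta_limit=50331648
+EOF
+```
+## Disk Setup and Pool Creation
+Partition the disk and setup the zfs pool with basic settings
+``` bash
+parted /dev/disk/by-id/ata-Samsung_Portable_SSD_T5_S3UKNP0K601164R
+mklabel gpt
+mkpart
+zpool create -o ashift=12 \
+-O copies=2 \
+-O atime=off -O compression=lz4 \
+-O normalization=formD \
+tank \
+/dev/disk/by-id/usb-JMicron_Tech_0000000055A1-0\:0-part1
+zpool status
+cat /sys/module/zfs/parameters/zfs_arc_max
+cat /sys/module/zfs/parameters/zfs_arc_meta_limit
+```
+## zfs Backed Swap
+Move swap from zram to zfs volumes on disk
+``` bash
+zfs create tank/swap
+zfs create -V 1G -b $(getconf PAGESIZE) -o compression=zle \
+-o logbias=throughput -o sync=always \
+-o primarycache=metadata -o secondarycache=none \
+-o com.sun:auto-snapshot=false tank/swap/swap.1
+zfs create -V 1G -b $(getconf PAGESIZE) -o compression=zle \
+-o logbias=throughput -o sync=always \
+-o primarycache=metadata -o secondarycache=none \
+-o com.sun:auto-snapshot=false tank/swap/swap.2
+mkswap -f /dev/zvol/tank/swap/swap.1
+mkswap -f /dev/zvol/tank/swap/swap.2
+echo /dev/zvol/tank/swap/swap.1 none swap defaults 0 0 >> /etc/fstab
+echo /dev/zvol/tank/swap/swap.2 none swap defaults 0 0 >> /etc/fstab
+swapon -af
+nano -w /etc/fstab # Add above swap and remove exiting ones
+nano -w /etc/default/armbian-zram-config
+# Disabe if NOT using /var/log in RAM
+```
+## Regular scrubs and integrity checks
+``` bash
+crontab -e
+22 0 14 * * /sbin/zpool scrub tank
+```
+## Bulk storage and Samba filesystem shares
+``` bash
+# Samba toolchain
+apt install samba tdb-tools
+# Samba user setup
+useradd -g users -s /usr/sbin/nologin [username]
+passwd [username]
+smbpasswd -a [username]
+nano -w /etc/samba/smb.conf
+workgroup = non-default
+comment out all share definitions
+systemctl restart smbd
+# Bulk storage for all the things
+zfs create -o sharesmb=on tank/downloads
+zfs create -o sharesmb=on tank/scratch
+cat /var/lib/samba/usershares/*
+```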
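Review bot: The disk identifier passed to `parted` (`ata-Samsung_Portable_SSD_T5_...`) differs from the device the pool is created on (`usb-JMicron_Tech_...-part1`), so a reader following the Disk Setup section verbatim partitions one disk and builds the pool on another; both lines should name the same `/dev/disk/by-id/` entry, or the text should say these are two separate example devices. In the swap section the `echo ... >> /etc/fstab` lines are followed by `swapon -af` and only then by the `nano -w /etc/fstab` step whose comment says to remove the existing entries, so the old zram swap and the new zvols are active together for that window; moving the fstab edit before `swapon -af` matches the stated intent of replacing the zram swap.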


@ -25,7 +25,7 @@ You'll see a number of devices when running ```nmcli dev show``` and it may not
## ProTip / Initial Setup
```nmtui``` can be used for an ncurses graphical interface for NetworkManager. This is particularly handy if you want to setup a quick WiFi access point for initial configuration.
The ```nmtui``` command can be used for an ncurses graphical interface for NetworkManager. This is particularly handy if you want to setup a quick WiFi access point for initial configuration.
## Helpful NetworkManager Commands
@ -42,9 +42,7 @@ Some commands that help getting the status of NetworkManager
### Enable / Disable ALL
Handy if you want to shut down *all* networking for some reason
```nmcli networking on|off```
Handy if you want to shut down *all* networking for some reason run ```nmcli networking on|off```
### Radio Control
@ -52,11 +50,11 @@ Control WiFi / GSM radios
#### Wifi
```nmcli radio wifi [on|off]```
On/off for wifi: ```nmcli radio wifi [on|off]```
#### 3G/LTE
```nmcli radio wwan [on|off]```
On off for GSM/3G/LTE: ```nmcli radio wwan [on|off]```
### Connection / Device Related


@ -6,33 +6,72 @@ Some thoughts and suggestions about Lollipop hardware options.
After much testing, discussion, success, failure, and inspiration... we are happy to announce the boards we will officially support!
We've selected 4 different boards as our primary targets for the Lollipop Cloud project. Our team members will be working with these boards heavily and will prioritize supporting them. The boards were selected for their price ($25-$100 USD), specifications, and ease-of-use, keeping in mind our goal of making self-hosted clouds an accessible reality.
We've selected different boards as our primary targets for the Lollipop Cloud project. Our team members will be working with these boards heavily and will prioritize supporting them. The boards were selected for their price ($25-$100 USD), specifications, and ease-of-use, keeping in mind our goal of making self-hosted clouds an accessible reality.
### Orange Pi PC Plus
### Raspberry Pi 3b and 3b+
The [Orange Pi PC Plus (product details / link)](http://www.orangepi.org/orangepipcplus/) is a reasonably priced arm32v7 board. This board can be purchased as a full set that includes a board, case, and power supply. It's got enough RAM, CPU, and more to run a full self-hosted cloud for an individual, family, and maybe a little more.
The [Raspberry Pi 3b and 3b+](http://raspberrypi.org/) are arm64v8 boards. They have 1Gb RAM, 4 core CPU, lots of expansion options and more.
It has an on-board WiFi chip and on-board ethernet so networking won't be a problem. It has 3 USB ports for additional WiFi adapters or USB disks. It also has a full HDMI connector so you can setup using a USB keyboard and TV/monitor/etc.
The ```Rasbian``` distribution is setup to run as arm32v7 so be mindful when reading documentation. Ubuntu offers a 64bit release that's arm64v8.
This is our recommended board for deploying a Lollipop Cloud, especially for our beginner users.
### Orange Pi PC 2
The [Orange Pi PC 2](http://www.orangepi.org/orangepipc2/) is a reasonably priced arm64v8 board. This board can be purchased as a full set that includes a board, case, and power supply. It's got enough RAM, CPU, and more to run a full self-hosted cloud for an individual, family, and maybe a little more.
It has 3 USB ports for additional WiFi adapters or USB disks. It also has a full HDMI connector so you can setup using a USB keyboard and TV/monitor/etc.
It does *not* have a WiFi chip on-board, be sure to remember a WiFi dongle if needed.
### Orange Pi Plus 2e
The [Orange Pi Plus 2e (product details / link)](http://www.orangepi.org/orangepiplus2e/) is an arm64v8 board. It packs 2Gb of RAM, 4 core CPU, lots of expansion options, built-in WiFi, built-in ethernet, and more.
The [Orange Pi Plus 2e](http://www.orangepi.org/orangepiplus2e/) is an arm32v7 board. It packs 2Gb of RAM, 4 core CPU, lots of expansion options, built-in WiFi, built-in ethernet, and more.
This board can run a self-hosted cloud for an individual, family, or small group. If you're looking for the "big board," this is it.
### O-Droid HC2
## Storage Boards
The [O-Droid HC2 (product details / link)](https://www.hardkernel.com/main/products/prdt_info.php?g_code=G151505170472) is an expensive board that packs the most computing power of our target boards. We are recommending this board for those who want to build their own "home brew" Synology NAS.
Due to our community asking for boards that support large amounts of storage we've found and tested the following setups for more storage focused Lollipop Cloud builds. The below builds are "bill of materials" that outline our tested and working configurations.
While not the cheapest option, this should be a reasonable replacement for entry level Synology NAS boxes if you're looking to self-host a NAS + Cloud without using proprietary software.
### Nano Pi Neo2 + NAS Board
### Orange Pi Zero Plus
- [Nano Pi Neo2](https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=180)
- Select ```1Gb RAM``` model
- [Nano Pi Neo2 NAS Kit](https://www.friendlyarm.com/index.php?route=product/product&path=89_93&product_id=222)
- [Noctua 5V 60mm fan (NF-A6x25 5V PWM)](https://noctua.at/en/products/fan/nf-a6x25-5v-pwm)
- 12v 5.5-2.1mm barrel jack power supply capable of providing at least 3A of power
- 2.5" sata disk
The [Orange Pi Zero Plus (product details / link)](http://www.orangepi.org/OrangePiZeroPlus/) is a small, inexpensive arm64v8 board. This board is a great starting point and can be used as a little pocket router with ad blocking, VPN, and more. This is best used as a WiFi hot spot device. It can also function as a very basic cloud but does *NOT* have quite enough RAM to function as a full cloud.
#### Notes
This is a great choice if you're looking for something pocket sized and/or minimal.
- The 60mm fan can be mounted directly above the main board components at the back of the case by cutting a 55mm square hole in the top of the case as well as drilling 4 holes for securing the fan to the case.
- If you don't need/want the metal case you can select the ```Heatsink``` and ```1-bay NAS dock``` options on the main Nano Pi Neo2 product page and run it without a case
- If running the build without a case the [Noctua 5v 40mm fans (NF-A4x10 5V PWM)](https://noctua.at/en/products/fan/nf-a4x10-5v-pwm) fits perfectly on top of the Neo2 heatsink and will provide enough airflow to keep the build from overheating
- ZFS works well on this board if focused on bulk storage, samba (windows file sharing) and/or nfs
- The **ENTIRE** amount of usb, disk and network speed **COMBINED** will total between 50 and 75 M/s. The disk is attached to the usb controller which also seems to influence network io speeds in our tests. This will *not* be fast but it will act as (and feel like) a very capable USB2 disk running services attached to your network.
### Nano Pi M4 + SATA Hat
- [Nano Pi M4 + Heat Sink + SATA Hat](https://www.friendlyarm.com/index.php?route=product/product&path=69&product_id=234)
- Select either RAM option, 4Gb is better if your budget allows
- Select ```Heat Sink``` (this is NOT optional as the board WILL overheat without the heatsink)
- Select ```4x SATA HAT```
- [Noctua 5v 40mm fans (NF-A4x10 5V PWM)](https://noctua.at/en/products/fan/nf-a4x10-5v-pwm)
- [Noctua 5V 60mm fan (NF-A6x25 5V PWM)](https://noctua.at/en/products/fan/nf-a6x25-5v-pwm)
- Sata power splitter(s) so you can power the desired number of disks *and* the 2 four pin fans listed above
- 12V 5.5-2.1mm barrel jack power supply capable of providing at least 5A of power (8A max)
- Sata Disks
#### Notes
- Attach the 40mm Noctua fan to the SATA Hat heat sink, it gets very warm when under load and can easily become thermal throttled
- Attach the 60mm Noctua fan upright at the front of the main board + heatsink. The main board gets over 80C under load without active cooling is and is prone to thermal shutdown events
- There is no case that we've been able to find, this is a "naked build"
- Sata power splitters and sata -> pwm fan adapters can be used to provide >2 sata power ports for disks attached to the hat and powered by the hat
- Consider a 40mm or 60mm fan for cooling disks, you can double stick tape the disks together (use mutiple layers to allow about 2-5mm space between disks) and then mount a fan to the front of the disks to keep them cool
- ZFS runs in a *default* configuration on this setup, you do *not* need the module tuning in our documentation for this deployment. However, if using the 2Gb RAM model, using the 3rd tuning option from our documentation (the one with the most RAM usage) can help reduce zfs RAM usage and allow more services to be setup
## Expansion Options
@ -42,10 +81,10 @@ If you're going to run services like NextCloud, Syncthing and/or Samba you will
### WiFi
- The author has had decent luck with the [ASUS USB-N13 (link)](https://www.asus.com/us/Networking/USB-N13/) adapter in client mode. Be minful of your 2.4ghz channel setup. If this adapter and your AP share a channel in 2.4ghz this adapter *will* drop packets and/or suffer disconnections
- The author has had decent luck with the [ASUS USB-N13](https://www.asus.com/us/Networking/USB-N13/) adapter in client mode. Be minful of your 2.4ghz channel setup. If this adapter and your AP share a channel in 2.4ghz this adapter *will* drop packets and/or suffer disconnections
- Sometimes a reboot is necessary to get authentication to work properly after initial setup
- The author has **NOT** tested AP mode
- The author has had very good luck with the [ASUS USB-N53 (link)](https://www.asus.com/us/Networking/USBN53/) in AP mode. *Both* 2.4ghz and 5ghz can used for AP mode at the same time.
- The author has had very good luck with the [ASUS USB-N53](https://www.asus.com/us/Networking/USBN53/) in AP mode. *Both* 2.4ghz and 5ghz can used for AP mode at the same time.
- The author has **NOT** tested client mode
- The author has had decent luck with the TP-Link N150 USB WiFi adapter in client mode
- The author could not get the TP-Link N300 USB WiFi adapter to work in client mode


@ -63,7 +63,10 @@ Setup PPS for chrony
``` bash
cat >> /boot/armbianEnv.txt <<EOF
param_pps_pin=PA6
# Orange Pi PC 2e PPS Pin
# param_pps_pin=PA6
# Pine64 PPS Pin
# param_pps_pin=PH9
EOF
systemctl reboot
@ -182,3 +185,69 @@ systemctl enable gpsconvert.timer
systemctl start gpsconvert.timer
```
## A-GPS
This sets up a form of A-GPS to speed locks when indoors or having a hard time getting a lock in general.
*This setup is specific to the Adafruit Ultimate GPS modules. You'll need to adapt this if using a different GPS receiver.*
### Setup mt3339 utils and get latest sattelite hints
``` bash
apt install python-pip python-setuptools python-wheel python3-pip python3-setuptools python3-wheel geoip-bin
pip install -U pyserial && pip3 install -U pyserial
cd /opt
git clone https://github.com/f5eng/mt3339-utils.git
cd /opt/mt3339-utils
./eporetrieve
```
### Get your current ip address
*Note: this MUST be done from your main internet connection, NOT VPN*
``` bash
curl http://ifconfig.co
```
### Setup Maxmind GeoIP database
``` bash
mkdir GeoLite2
cd GeoLite2
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar -xzf GeoLite2-City.tar.gz
cd ..
```
### Get IP Address Location
```
pip3 install -U maxminddb
python3
import maxminddb
reader = maxminddb.open_database('./GeoLite2/GeoLite2-City_20190402/GeoLite2-City.mmdb')
rec = reader.get('anipaddress')
print('%s,%s,0' %(rec['location']['latitude'], rec['location']['longitude']))
exit()
```
### Seed GPS Unit With Rough Location and System Time
``` bash
systemctl stop gpsd gpsd.socket gpsconvert.timer gpsconvert.service gps-logger
./epoloader --speed 9600 --time - --location python_output ./MTK14.EPO /dev/ttyS2
systemctl restart gpsd gpsd.socket gpsconvert.timer gpsconvert.service gps-logger
```
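Review bot: The `maxminddb.open_database` call in the Get IP Address Location section hard-codes `GeoLite2/GeoLite2-City_20190402/GeoLite2-City.mmdb`, and the directory name appears to carry the database release date, so the snippet will fail with a file-not-found error for any later download of `GeoLite2-City.tar.gz`; pointing the reader at `ls GeoLite2/` or using a glob such as `GeoLite2/GeoLite2-City_*/GeoLite2-City.mmdb` would keep it working. `reader.get('anipaddress')` and `--location python_output` are placeholders for the output of the `curl http://ifconfig.co` step and the `print(...)` line respectively, which is clear from context but worth stating in one sentence each, since the `epoloader` line otherwise looks runnable as written. The `pip install -U pyserial && pip3 install -U pyserial` line upgrades packages in the system interpreters as root, which may conflict with distro-managed python modules; `pip3 install --user -U pyserial` (or a venv) avoids touching system site-packages.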

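--- a/hardware/pine64.md
+++ b/hardware/pine64.md
@@ -0,0 +1,6 @@
+# Pine64 Notes
+Some useful links
+- [Pinouts](http://joey.hazlett.us/pine64/Pine%20A64%20Pin%20Assignment%20160119.pdf)
+- [Battery Status/Level Script (3.10.x kernel only)](https://gist.github.com/pfeerick/05e5715733f00dcf303636c80abff598)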


@ -35,15 +35,17 @@ armbian-config # enable i2c busses
systemctl reboot # reboot to enable bus(es)
apt install i2c-tools # install tools
i2cdetect -l # check to ensure busses are present
i2cdetect -y 0 # 0 for orange pi zero ; 1 for recent pi's
i2cdetect -y 1 # 0 for orange pi zero ; 1 for recent pi's
modprobe rtc-pcf8523 # load the proper rtc module (adafruit cheap model)
echo pcf8523 0x68 > /sys/class/i2c-adapter/i2c-0/new_device # setup device so it's seen
echo pcf8523 0x68 > /sys/class/i2c-adapter/i2c-1/new_device # setup device so it's seen
dmesg | grep rtc # verify the kernel sees the rtc
ls /dev/rtc* # should have rtc1
hwclock -r -f /dev/rtc1 # See if anything is on the rtc
hwclock -f /dev/rtc1 --systohc -D --noadjfile --utc # set / init the rtc
hwclock -r -f /dev/rtc1 # read the value from the rtc
hwclock -w -f /dev/rtc1 # write the current time to the rtc
apt remove --purge fake-hwclock # purge the fake hwclock as we have a real one now
systemctl disable fake-hwclock # Disable any dangling services
```
@ -58,50 +60,6 @@ EOF
```
## Internal RTC Adjustments
A systemd service to ensure the internal RTC is 'close' to the real time w/o battery.
``` bash
# Set the internal RTC on shutdown to match ntpified time
cat > /etc/systemd/system/rtc0-shutdown-fix.service <<EOF
[Unit]
Description=Set sunxi internal RTC on shutdown
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
[Service]
Type=oneshot
ExecStart=/sbin/hwclock --systohc -D --noadjfile --utc -f /dev/rtc0
[Install]
WantedBy=halt.target reboot.target shutdown.target
EOF
systemctl daemon-reload
systemctl enable rtc0-shutdown-fix
# Trick for getting the early boot time 'close'
cat > /etc/systemd/system/rtc0-online.service <<EOF
[Unit]
Description=Set system clock to rtc0
DefaultDependencies=no
Before=time-sync.target
[Service]
Type=oneshot
ExecStart=/sbin/hwclock -s -f /dev/rtc0
[Install]
WantedBy=time-sync.target
EOF
systemctl daemon-reload
systemctl enable rtc0-online
```
## External RTC On Boot
A systemd unit that brings the external RTC online during boot
@ -113,17 +71,15 @@ cat > /etc/systemd/system/rtc1-online.service <<EOF
Description=Setup rtc1 as primary clock
DefaultDependencies=no
Before=time-sync.target
After=rtc0-online.service
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/sbin/modprobe rtc_pcf8523 \
&& echo pcf8523 0x68 > /sys/class/i2c-adapter/i2c-0/new_device \
ExecStart=/bin/sh -c '/sbin/modprobe rtc-pcf8523 \
&& echo pcf8523 0x68 > /sys/class/i2c-adapter/i2c-1/new_device \
&& /sbin/hwclock -s -f /dev/rtc1'
[Install]
WantedBy=time-sync.target
After=rtc0-online
EOF
systemctl daemon-reload
@ -131,6 +87,31 @@ systemctl enable rtc1-online
```
## Set RTC on shutdown
A systemd unit that sets the current time to the rtc on shutdown to minimize clock drift during next boot
``` bash
cat > /etc/systemd/system/rtc1-shutdown-fix.service <<EOF
[Unit]
Description=Set rtc1 on shutdown
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
[Service]
Type=oneshot
ExecStart=/sbin/hwclock --systohc -D --noadjfile --utc -f /dev/rtc1
[Install]
WantedBy=halt.target reboot.target shutdown.target
EOF
systemctl daemon-reload
systemctl enable rtc1-shutdown-fix
```
## Misc Notes
``` bash