author Petri Hienonen <petri.hienonen@gmail.com> 2024-05-23 13:56:00 +0300
committer Petri Hienonen <petri.hienonen@gmail.com> 2025-11-30 12:29:57 +0200
commit 08297376a85a1719518507e54fca9de954d2376a
tree 3b9c58304b40248533bbb2bb5b7bad2da9da1ff0 /hosts/tammi/CM3588.md
parent 75c2af4aedd2ac5c2cfc74b346625fa4b265541d
download nixos-08297376a85a1719518507e54fca9de954d2376a.tar.zst
Agenix configuration
Diffstat (limited to '')
-rw-r--r-- hosts/tammi/CM3588.md 284
1 files changed, 284 insertions, 0 deletions
diff --git a/hosts/tammi/CM3588.md b/hosts/tammi/CM3588.md
new file mode 100644
index 0000000..d62780a
--- /dev/null
+++ b/hosts/tammi/CM3588.md
@@ -0,0 +1,284 @@
+---
+title: "Running the gateway for testing"
+author: [Petri Hienonen]
+date: "2023-03-31"
+---
+
+# CM3588 setup guide for Debian Bookworm
+
+[CM3588](https://www.friendlyelec.com/index.php?route=product/product&product_id=294) works as our reference hardware.
+
+`SDCARD` to `EMMC` image [should be used](https://drive.google.com/file/d/1CrYDAZFwGdZoFIRfrQGEVd6SEu6f0PwU/view)
+
+[Wiki documents things related to the device installation](https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5S)
+
+## Basic configuration
+
+Login with SSH (Username: `pi`, Password: `pi`)
+
+`/etc/systemd/network/20-wired.network`
+
+```
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+DNS=8.8.8.8
+MulticastDNS=true
+
+[Link]
+MTUBytes=9000
+```
+
+`/etc/systemd/timesyncd.conf`
+
+```
+[Time]
+NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
+FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 0.fr.pool.ntp.org
+```
+
+```bash
+sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
+sudo systemctl stop NetworkManager
+sudo systemctl disable NetworkManager
+sudo apt remove network-manager ntp wpa_supplicant
+sudo systemctl enable systemd-timesyncd.service
+sudo systemctl start systemd-timesyncd.service
+sudo timedatectl set-timezone Europe/Helsinki
+```
+
+Modify `/etc/hostname` to wanted (tammi.cc).
+
+Modify `/etc/systemd/journald.conf` (following keys):
+
+```
+[Journal]
+Storage=volatile
+SystemMaxUse=20M
+RuntimeMaxUse=20M
+MaxRetentionSec=2day
+```
+
+Wireless network configuration (`wlan0` with [`iwd`](https://iwd.wiki.kernel.org/))
+
+```bash
+sudo apt remove wpasupplicant
+sudo apt install iwd
+sudo mkdir -p /var/lib/iwd/
+```
+
+`/etc/systemd/network/20-wired.network`
+
+```
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+DNSSEC=allow-downgrade
+DNS=9.9.9.9 2620:fe::fe
+LinkLocalAddresssing=yes
+```
+
+`/etc/systemd/network/26-wireless.network`
+
+```
+[Match]
+Name=wlan0
+
+[Network]
+DHCP=yes
+DNSSEC=allow-downgrade
+DNS=9.9.9.9 2620:fe::fe
+LinkLocalAddresssing=yes
+```
+
+`/var/lib/iwd/example_network.psk`:
+
+```
+[Security]
+Passphrase=Relynx8WP
+```
+
+```bash
+sudo systemctl start iwd.service
+sudo systemctl enable iwd.service
+sudo systemctl restart systemd-networkd.service
+```
+
+Create petri user:
+
+```bash
+sudo useradd -m petri
+sudo passwd petri (password)
+sudo usermod -a -G sudo petri
+sudo usermod -a -G systemd-journal petri
+sudo chsh -s /bin/bash petri
+sudo reboot
+```
+
+Stop autologin for user `petri` by commenting out user `petri` in `/etc/lightdm/lightdm.conf`.
+
+Login with `petri` user.
+
+Check that network looks sane:
+
+```bash
+networkctl status --all
+```
+
+Delete `pi` user:
+
+```bash
+sudo userdel -r pi
+```
+
+Create necessary keys and clone and build rust packages:
+
+```bash
+sudo apt install llvm clang libssl-dev -y
+curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
+source "$HOME/.cargo/env"
+ssh-keygen -t ed25519
+cat .ssh/id_ed25519.pub
+```
+
+## Applications
+
+### SSH
+
+Guideline from: https://infosec.mozilla.org/guidelines/openssh
+
+```bash
+sudo apt install mosh
+```
+
+### Backports
+
+```bash
+echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware">/etc/apt/sources.list.d/debian-12-backports.list
+```
+
+### BTRFS
+
+```bash
+sudo apt install btrfs-progs
+sudo mkfs.btrfs -m raid1 -d raid1 /dev/nvme1n1 /dev/nvme0n1
+sudo mkdir /media/data
+echo "UUID=f566eaa0-f004-4acc-9d0d-f6fb97daca5e /media/data btrfs defaults,discard=async,compress=zstd 0 0">>/etc/fstab
+
+sudo mkdir /media/data/db
+sudo chattr -R +C /media/data/db # make the DB not COW
+
+sudo mkdir /media/data/logs
+sudo chattr -R +C /media/data/logs # make the DB not COW
+```
+
+/etc/systemd/system/btrfs-scrub@.service
+
+```systemd
+[Unit]
+Description=Btrfs scrub on %f
+ConditionPathIsMountPoint=%f
+RequiresMountsFor=%f
+
+[Service]
+Nice=19
+IOSchedulingClass=idle
+KillSignal=SIGINT
+ExecStart=/usr/bin/btrfs scrub start -B %f
+```
+
+/etc/systemd/system/btrfs-scrub@.timer
+
+```systemd
+[Unit]
+Description=Btrfs scrub on %f twice per month
+
+[Timer]
+OnCalendar=*-*-1,15
+AccuracySec=1d
+RandomizedDelaySec=1w
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+```bash
+sudo systemctl start btrfs-scrub@(systemd-escape -p /media/data).service
+sudo systemctl enable --now btrfs-scrub@(systemd-escape -p /media/data).timer
+```
+
+### Docker
+
+```bash
+sudo apt install docker.io docker-compose
+sudo usermod -aG docker $USER
+sudo systemctl enable docker.service
+```
+
+### Postgresql (edit the datapaths)
+
+```bash
+sudo apt install postgresql postgresql-contrib
+sudo mkdir /media/data/db/postgresql/16/main
+sudo vim /etc/postgresql/16/main/postgresql.conf
+sudo chown -R postgres:postgres postgresql/
+```
+Add Environment=PGDATA=/media/data/db/postgresql/%I/main to /lib/systemd/system/postgresql@.service under [Service]
+
+### Miniflux
+
+```bash
+echo "deb [trusted=yes] https://repo.miniflux.app/apt/ * *" | sudo tee /etc/apt/sources.list.d/miniflux.list > /dev/null
+apt update && apt install miniflux
+systemctl status miniflux.service
+
+sudo -u postgres psql
+CREATE USER miniflix with PASSWORD 'miniflux';
+CREATE DATABASE miniflux2 OWNER miniflux;
+```
+
+### Vaultwarden (/etc/vaultwarden):
+
+```bash
+wget -O /etc/apt/trusted.gpg.d/bananian-keyring.gpg https://bitwarden-deb.tech-network.de/bananian-keyring.gpg
+echo "deb http://bitwarden-deb.tech-network.de bookworm main" > /etc/apt/sources.list.d/vaultwarden.list
+apt update && apt install vaultwarden
+
+sudo -u postgres psql
+CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword';
+CREATE DATABASE vaultwarden OWNER vaultwarden;
+
+(vaultwarden binary will have to be compiled with hand to enable postgresql, this is irritating)
+sudo apt install libpq-dev
+(add following systemd service environment variable)
+Environment="DATABASE_URL=postgresql://vaultwarden:yourpassword@127.0.0.1:5432/vaultwarden"
+systemctl enable vaultwarden.service
+```
+
+/etc/enviroment
+
+```bash
+PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin"
+```
+
+### Webmin
+
+```bash
+curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
+sh setup-repos.sh
+apt install webmin
+
+(configure using /etc/webmin/miniserv.conf)
+```
+
+### Minio
+
+```bash
+wget https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb -O minio.deb
+sudo dpkg -i minio.deb
+```
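Review bot: The iwd section commits a literal Wi-Fi passphrase (`Passphrase=Relynx8WP` under `/var/lib/iwd/example_network.psk`); replace it with a placeholder, as the Vaultwarden block does with `'yourpassword'`, and rotate it if it is a real one. In the Miniflux block, `deb [trusted=yes]` turns off APT signature verification for that repository, and `CREATE USER miniflix` does not match `OWNER miniflux`, so the `CREATE DATABASE` statement fails as written; the role password `'miniflux'` should be a placeholder too. `LinkLocalAddresssing=yes` is misspelled in both `.network` files (the key is `LinkLocalAddressing`), and `20-wired.network` appears twice with different contents, so the guide should say which version is final. In the BTRFS block, `btrfs-scrub@(systemd-escape -p /media/data)` needs `$(...)` to work in the bash that the fence declares, and the `>/etc/apt/sources.list.d/...` and `>>/etc/fstab` redirects are performed by the calling user's shell rather than as root, unlike the `sudo tee` form used for Miniflux. The Webmin step runs a script fetched from the `master` branch without pinning or checking it; pin a commit or verify a checksum before `sh setup-repos.sh`.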