---
title: "Running the gateway for testing"
author: [Petri Hienonen]
date: "2023-03-31"
---

# CM3588 setup guide for Debian Bookworm

[CM3588](https://www.friendlyelec.com/index.php?route=product/product&product_id=294) is the reference hardware. The `SDCARD` to `EMMC` image [should be used](https://drive.google.com/file/d/1CrYDAZFwGdZoFIRfrQGEVd6SEu6f0PwU/view). The [FriendlyElec wiki](https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5S) documents device installation (the linked page is the NanoPi R5S one).

## Basic configuration

Log in with SSH (username `pi`, password `pi`). These are the image's published default credentials, so keep the board off untrusted networks until the `pi` account has been replaced by a personal one and deleted, as done further down.

The wired interface is managed by `systemd-networkd`. This first version of the file is the minimum to get going; the wireless section below replaces it with one that uses Quad9 resolvers and DNSSEC.

`/etc/systemd/network/20-wired.network`

```
[Match]
Name=eth0

[Network]
DHCP=yes
DNS=8.8.8.8
MulticastDNS=true

[Link]
MTUBytes=9000
```

`MTUBytes=9000` enables jumbo frames. Every switch and host on the segment has to support them, otherwise drop the `[Link]` section and stay at the default 1500.

`/etc/systemd/timesyncd.conf`

```
[Time]
NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 0.fr.pool.ntp.org
```

Switch from NetworkManager to `systemd-networkd` and from `ntp` to `systemd-timesyncd`. Stopping NetworkManager can drop the SSH session if `systemd-networkd` is not already managing `eth0`, so enable networkd first or do this step on the serial console:

```bash
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
sudo systemctl enable --now systemd-networkd.service   # must be up before NetworkManager goes away
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager
sudo apt remove network-manager ntp wpasupplicant      # Debian's package is named wpasupplicant
sudo systemctl enable --now systemd-timesyncd.service
sudo timedatectl set-timezone Europe/Helsinki
```

Set the wanted hostname in `/etc/hostname` (here `tammi.cc`).
Modify `/etc/systemd/journald.conf` (the following keys). `Storage=volatile` keeps the journal in RAM only, which spares the eMMC but means logs do not survive a reboot; forward them elsewhere if you want them available after an incident.

```
[Journal]
Storage=volatile
SystemMaxUse=20M
RuntimeMaxUse=20M
MaxRetentionSec=2day
```

Wireless network configuration (`wlan0` with [`iwd`](https://iwd.wiki.kernel.org/)):

```bash
sudo apt remove wpasupplicant
sudo apt install iwd
sudo mkdir -p /var/lib/iwd/
```

Final `/etc/systemd/network/20-wired.network` (replaces the earlier version). `DNSSEC=allow-downgrade` validates when the upstream resolver supports DNSSEC but silently falls back when it does not, so it is a best-effort setting, not a guarantee:

```
[Match]
Name=eth0

[Network]
DHCP=yes
DNSSEC=allow-downgrade
DNS=9.9.9.9 2620:fe::fe
LinkLocalAddressing=yes
```

`/etc/systemd/network/26-wireless.network`

```
[Match]
Name=wlan0

[Network]
DHCP=yes
DNSSEC=allow-downgrade
DNS=9.9.9.9 2620:fe::fe
LinkLocalAddressing=yes
```

`iwd` selects the profile by file name, so `/var/lib/iwd/example_network.psk` belongs to the SSID `example_network`. The passphrase is stored in clear text, so the file must be root-owned and not readable by other users.

`/var/lib/iwd/example_network.psk`:

```
[Security]
Passphrase=<wifi passphrase>
```

```bash
sudo chmod 600 /var/lib/iwd/example_network.psk
sudo systemctl enable --now iwd.service
sudo systemctl restart systemd-networkd.service
```

Create the `petri` user (the account name used throughout this guide):

```bash
sudo useradd -m petri
sudo passwd petri                        # set the password interactively
sudo usermod -a -G sudo petri
sudo usermod -a -G systemd-journal petri
sudo chsh -s /bin/bash petri
sudo reboot
```

Stop lightdm autologin by commenting out the `autologin-user=` line in `/etc/lightdm/lightdm.conf`. Log in as `petri` over SSH and confirm that `sudo` works before the `pi` account is removed in the next step.
Check that the network looks sane:

```bash
networkctl status --all
```

Delete the `pi` user (only after the `petri` login and `sudo` have been verified over SSH, otherwise you lock yourself out of the board):

```bash
sudo userdel -r pi
```

Create the necessary keys and install the Rust toolchain for cloning and building the Rust packages. `rustup` is installed by piping a script into `sh`; on a gateway you intend to keep, download the script to a file, read it, and only then run it:

```bash
sudo apt install llvm clang libssl-dev -y
curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
ssh-keygen -t ed25519
cat ~/.ssh/id_ed25519.pub
```

## Applications

### SSH

Harden `sshd` following the Mozilla guideline: https://infosec.mozilla.org/guidelines/openssh (key-only authentication, no root login, modern key exchange, ciphers and MACs). On bookworm, put the overrides in a file under `/etc/ssh/sshd_config.d/`, which Debian's `sshd_config` includes before its own settings (the first value sshd reads for a directive wins), and validate with `sudo sshd -t` before reloading. Mosh is installed on top; it needs UDP 60000-61000 open on any firewall in the path:

```bash
sudo apt install mosh
```

### Backports

The backports archive is signed with the Debian archive keys already present in `debian-archive-keyring`, so no extra key is needed:

```bash
echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware" | sudo tee /etc/apt/sources.list.d/debian-12-backports.list
sudo apt update
```

### BTRFS

`mkfs.btrfs` destroys whatever is on both NVMe devices. Take the filesystem UUID from the `mkfs.btrfs` output or from `blkid` rather than copying the one below, which belongs to this particular board:

```bash
sudo apt install btrfs-progs
sudo mkfs.btrfs -m raid1 -d raid1 /dev/nvme1n1 /dev/nvme0n1
sudo blkid -s UUID -o value /dev/nvme0n1    # UUID for the fstab entry
sudo mkdir /media/data
echo "UUID=f566eaa0-f004-4acc-9d0d-f6fb97daca5e /media/data btrfs defaults,discard=async,compress=zstd 0 0" | sudo tee -a /etc/fstab
sudo mount /media/data
sudo mkdir /media/data/db
sudo chattr -R +C /media/data/db     # make the DB directory not COW
sudo mkdir /media/data/logs
sudo chattr -R +C /media/data/logs   # same for the logs
```

`chattr +C` only applies to files created after it is set on the (still empty) directory. Files without copy-on-write are also not checksummed by btrfs, so the RAID1 mirror can serve a corrupted copy of a database file without `scrub` noticing; back the database up separately rather than relying on scrub alone.

Scrub the filesystem twice a month with a templated service and timer.

`/etc/systemd/system/btrfs-scrub@.service`

```systemd
[Unit]
Description=Btrfs scrub on %f
ConditionPathIsMountPoint=%f
RequiresMountsFor=%f

[Service]
Nice=19
IOSchedulingClass=idle
KillSignal=SIGINT
ExecStart=/usr/bin/btrfs scrub start -B %f
```

`/etc/systemd/system/btrfs-scrub@.timer`

```systemd
[Unit]
Description=Btrfs scrub on %f twice per month

[Timer]
OnCalendar=*-*-1,15
AccuracySec=1d
RandomizedDelaySec=1w
Persistent=true

[Install]
WantedBy=timers.target
```

The instance name is the escaped mount point (`media-data`), which `%f` turns back into `/media/data`; the command substitution needs `$(...)` in bash:

```bash
sudo systemctl daemon-reload
sudo systemctl start "btrfs-scrub@$(systemd-escape -p /media/data).service"
sudo systemctl enable --now "btrfs-scrub@$(systemd-escape -p /media/data).timer"
```

### Docker

Membership in the `docker` group is equivalent to root (the socket allows starting privileged containers with the host filesystem mounted), so only add accounts that have `sudo` anyway:

```bash
sudo apt install docker.io docker-compose
sudo usermod -aG docker $USER
sudo systemctl enable --now docker.service
```

### PostgreSQL (edit the data paths)

Bookworm ships PostgreSQL 15; the `16` in the paths below comes from backports, so use whichever version `apt` installed. The new data directory must contain an initialized cluster and be mode `0700`, so stop the server and copy the existing cluster over before pointing `data_directory` at it:

```bash
sudo apt install postgresql postgresql-contrib
sudo systemctl stop postgresql
sudo mkdir -p /media/data/db/postgresql/16/main
sudo cp -a /var/lib/postgresql/16/main/. /media/data/db/postgresql/16/main/
sudo vim /etc/postgresql/16/main/postgresql.conf     # data_directory = '/media/data/db/postgresql/16/main'
sudo chown -R postgres:postgres /media/data/db/postgresql/
sudo chmod 700 /media/data/db/postgresql/16/main
sudo systemctl start postgresql
```

Rather than editing `/lib/systemd/system/postgresql@.service`, which the package overwrites on upgrade, add the environment as a drop-in with `sudo systemctl edit postgresql@16-main.service`. `%I` expands the instance name `16-main` to `16/main`, so the path must not repeat `main`; `RequiresMountsFor=` makes the unit wait for the btrfs volume:

```
[Unit]
RequiresMountsFor=/media/data/db/postgresql/%I

[Service]
Environment=PGDATA=/media/data/db/postgresql/%I
```

### Miniflux

`[trusted=yes]` tells APT to skip signature verification for this repository, so anyone who can tamper with the download path can install arbitrary packages as root; prefer a `signed-by=` keyring if the repository publishes a signing key:

```bash
echo "deb [trusted=yes] https://repo.miniflux.app/apt/ * *" | sudo tee /etc/apt/sources.list.d/miniflux.list > /dev/null
sudo apt update && sudo apt install miniflux
systemctl status miniflux.service
sudo -u postgres psql
```

In `psql` (the role name must match the database owner; replace the password with a real one):

```sql
CREATE USER miniflux WITH PASSWORD 'miniflux';
CREATE DATABASE miniflux2 OWNER miniflux;
```

### Vaultwarden (configuration in `/etc/vaultwarden`)

```bash
sudo wget -O /etc/apt/trusted.gpg.d/bananian-keyring.gpg https://bitwarden-deb.tech-network.de/bananian-keyring.gpg
echo "deb http://bitwarden-deb.tech-network.de bookworm main" | sudo tee /etc/apt/sources.list.d/vaultwarden.list
sudo apt update && sudo apt install vaultwarden
sudo -u postgres psql
```

```sql
CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword';
CREATE DATABASE vaultwarden OWNER vaultwarden;
```

The packaged binary is built without PostgreSQL support, so it has to be compiled by hand with the `postgresql` cargo feature (irritating). That needs the client library headers:

```bash
sudo apt install libpq-dev
```

Then point the service at the database with the following environment variable. The URL carries the database password and unit files are world-readable, so place it in a root-only (`chmod 600`) file referenced through `EnvironmentFile=` from a `systemctl edit vaultwarden.service` drop-in rather than inline in the unit:

```
Environment="DATABASE_URL=postgresql://vaultwarden:yourpassword@127.0.0.1:5432/vaultwarden"
```

```bash
sudo systemctl enable vaultwarden.service
```

`/etc/environment`:

```bash
PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin"
```

### Webmin

`setup-repos.sh` runs as root and adds a repository and its key; read it before executing it. Webmin listens on TCP 10000 on all interfaces by default; restrict it in `/etc/webmin/miniserv.conf` (for example `bind=127.0.0.1` and reach it over an SSH tunnel):

```bash
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sudo sh setup-repos.sh
sudo apt install webmin
```

### Minio

The package is fetched straight from `dl.min.io` and installed with `dpkg -i`, which does no signature check of its own. Verify the download against the checksum and minisign signature files MinIO publishes alongside each release before installing it:

```bash
wget https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb -O minio.deb
sudo dpkg -i minio.deb
```
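The SSH section above points at the Mozilla guideline but shows no configuration. The following is an added example (my code, not part of the original page and not Mozilla tooling): a POSIX shell script that renders a drop-in derived from the guideline's "Modern" profile, installs it under `/etc/ssh/sshd_config.d/` (the file name `50-hardening.conf` is an assumption), validates the merged configuration with `sshd -t` before reloading `ssh.service`, and ships a checker for weak directives that can also be fed the effective configuration from `sshd -T`. The trimmed key-exchange, cipher and MAC lists are my selection from that profile for OpenSSH 9.2 on bookworm.

```shell
#!/bin/sh
# Added example: Mozilla-Modern-derived sshd hardening drop-in plus a weak-setting checker.
# Assumptions: Debian bookworm (OpenSSH 9.2, sshd_config includes sshd_config.d/*.conf first,
# service name ssh.service); the drop-in file name 50-hardening.conf is arbitrary.

# Render the drop-in. Algorithm lists are a trimmed subset of the Mozilla "Modern" profile.
sshd_hardening_conf() {
    cat <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
LogLevel VERBOSE
EOF
}

# Print every weak "key value" directive found in a config file ("-" reads stdin, e.g. `sshd -T`
# output) and return 1 if any were found. Comments and blank lines are skipped; keys and values
# are compared case-insensitively because sshd -T prints them in lower case.
sshd_config_weak_settings() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = tolower($1); val = tolower($2); bad = 0
            if (key == "passwordauthentication" && val == "yes") bad = 1
            if (key == "permitrootlogin" && val != "no") bad = 1
            if ((key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication") && val == "yes") bad = 1
            if (key == "permitemptypasswords" && val == "yes") bad = 1
            if (bad) { print $1, $2; found = 1 }
        }
        END { if (found) exit 1 }
    ' "${1:--}"
}

# Write the drop-in, validate the merged configuration, reload only if it parses, then confirm the
# effective configuration has no weak directives. Keep the current session open and test a fresh
# login before closing it.
install_sshd_hardening() {
    target=/etc/ssh/sshd_config.d/50-hardening.conf
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sshd_hardening_conf > "$target" && chmod 644 "$target"
    if sshd -t; then
        systemctl reload ssh.service
        sshd -T | sshd_config_weak_settings -
    else
        rm -f "$target"; echo "config rejected by sshd -t, drop-in removed" >&2; return 1
    fi
}

case "${1-}" in
    install) install_sshd_hardening ;;
    check)   sshd_config_weak_settings "${2:-/etc/ssh/sshd_config}" ;;
esac
```

Run `sudo sh harden-ssh.sh install` once the `petri` key is in `~/.ssh/authorized_keys`; `sh harden-ssh.sh check /path/to/sshd_config` audits any file, and `sudo sshd -T | sh harden-ssh.sh check -` audits what sshd will actually enforce after all includes are merged.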
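Three steps above install software straight from a download: `sh.rustup.rs` piped into `sh`, Webmin's `setup-repos.sh`, and the MinIO `.deb` handed to `dpkg -i`. As an added example (my code, not the page's and not from any of those projects), this POSIX shell helper fetches a file over HTTPS only, keeps it only if its SHA-256 matches a digest supplied by the caller, and fails closed on a truncated or malformed digest. The digest has to come from somewhere other than the download itself (a signature-verified checksum file, or the vendor's release page reached separately); a checksum fetched from the same server as the artifact only catches corruption, not a compromised server. Function names, file names and the usage paths are my assumptions.

```shell
#!/bin/sh
# Added example: download-and-verify helper for installers such as rustup-init, setup-repos.sh
# and the MinIO .deb. Function names, output file names and usage digests are assumptions.

# SHA-256 hex digest of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is not a full
# 64-hex-character digest. An empty or truncated expected value must never count as a pass.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        "" | *[!0-9a-f]*) echo "refusing: expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "refusing: expected digest is not 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX OUT: HTTPS only (plain-HTTP redirects are refused), HTTP errors
# are failures rather than saved error pages, and OUT is created only once the digest matches.
fetch_verified() {
    url=$1; expected=$2; out=$3
    tmp=$(mktemp) || return 1
    if curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (the <digest> placeholders are values obtained out of band, not from the download host):
#   fetch_verified https://sh.rustup.rs <digest> rustup-init.sh && less rustup-init.sh && sh rustup-init.sh
#   fetch_verified https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb <digest> minio.deb \
#       && sudo dpkg -i minio.deb
case "${1-}" in
    fetch)  fetch_verified "$2" "$3" "$4" ;;
    verify) verify_sha256 "$2" "$3" ;;
esac
```

The file is written to a temporary path and only renamed into place after verification, so a half-downloaded or tampered artifact never sits at the name a later `sh` or `dpkg -i` would pick up.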