---
title: "Running the gateway for testing"
author: [Petri Hienonen]
date: "2023-03-31"
---
# CM3588 setup guide for Debian Bookworm
The [CM3588](https://www.friendlyelec.com/index.php?route=product/product&product_id=294) is our reference hardware.
Use the [`SDCARD` to `EMMC` image](https://drive.google.com/file/d/1CrYDAZFwGdZoFIRfrQGEVd6SEu6f0PwU/view).
The [wiki documents the device installation](https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5S).
## Basic configuration
Log in over SSH (username: `pi`, password: `pi`).
`/etc/systemd/network/20-wired.network`
```
[Match]
Name=eth0
[Network]
DHCP=yes
DNS=8.8.8.8
MulticastDNS=true
[Link]
MTUBytes=9000
```
`/etc/systemd/timesyncd.conf`
```
[Time]
NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 0.fr.pool.ntp.org
```
```bash
sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager
sudo apt remove network-manager ntp wpasupplicant
sudo systemctl enable systemd-timesyncd.service
sudo systemctl start systemd-timesyncd.service
sudo timedatectl set-timezone Europe/Helsinki
```
Set the desired hostname (`tammi.cc`) in `/etc/hostname`.
Modify `/etc/systemd/journald.conf` (following keys):
```
[Journal]
Storage=volatile
SystemMaxUse=20M
RuntimeMaxUse=20M
MaxRetentionSec=2day
```
Wireless network configuration (`wlan0` with [`iwd`](https://iwd.wiki.kernel.org/))
```bash
sudo apt remove wpasupplicant
sudo apt install iwd
sudo mkdir -p /var/lib/iwd/
```
`/etc/systemd/network/20-wired.network`
```
[Match]
Name=eth0
[Network]
DHCP=yes
DNSSEC=allow-downgrade
DNS=9.9.9.9 2620:fe::fe
LinkLocalAddressing=yes
```
`/etc/systemd/network/26-wireless.network`
```
[Match]
Name=wlan0
[Network]
DHCP=yes
DNSSEC=allow-downgrade
DNS=9.9.9.9 2620:fe::fe
LinkLocalAddressing=yes
```
`/var/lib/iwd/example_network.psk`:
```
[Security]
Passphrase=Relynx8WP
```
```bash
sudo systemctl start iwd.service
sudo systemctl enable iwd.service
sudo systemctl restart systemd-networkd.service
```
Create petri user:
```bash
sudo useradd -m petri
sudo passwd petri  # prompts for the new password
sudo usermod -a -G sudo petri
sudo usermod -a -G systemd-journal petri
sudo chsh -s /bin/bash petri
sudo reboot
```
Stop autologin for user `petri` by commenting out user `petri` in `/etc/lightdm/lightdm.conf`.
Log in as the `petri` user.
Check that the network looks sane:
```bash
networkctl status --all
```
Delete `pi` user:
```bash
sudo userdel -r pi
```
Create the necessary keys and install the toolchain needed to clone and build the Rust packages:
```bash
sudo apt install llvm clang libssl-dev -y
curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
ssh-keygen -t ed25519
cat ~/.ssh/id_ed25519.pub
```
## Applications
### SSH
Guideline from: https://infosec.mozilla.org/guidelines/openssh
```bash
sudo apt install mosh
```
### Backports
```bash
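# A plain ">" redirect runs as the calling user; use sudo tee to write as root
echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware" | sudo tee /etc/apt/sources.list.d/debian-12-backports.list > /dev/null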
```
### BTRFS
```bash
sudo apt install btrfs-progs
sudo mkfs.btrfs -m raid1 -d raid1 /dev/nvme1n1 /dev/nvme0n1
sudo mkdir /media/data
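echo "UUID=f566eaa0-f004-4acc-9d0d-f6fb97daca5e /media/data btrfs defaults,discard=async,compress=zstd 0 0" | sudo tee -a /etc/fstab > /dev/null
sudo mount /media/data  # mount the new filesystem before creating directories on it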
sudo mkdir /media/data/db
sudo chattr -R +C /media/data/db
sudo mkdir /media/data/logs
sudo chattr -R +C /media/data/logs
```
`/etc/systemd/system/btrfs-scrub@.service`
```systemd
[Unit]
Description=Btrfs scrub on %f
ConditionPathIsMountPoint=%f
RequiresMountsFor=%f
[Service]
Nice=19
IOSchedulingClass=idle
KillSignal=SIGINT
ExecStart=/usr/bin/btrfs scrub start -B %f
```
`/etc/systemd/system/btrfs-scrub@.timer`
```systemd
[Unit]
Description=Btrfs scrub on %f twice per month
[Timer]
OnCalendar=*-*-1,15
AccuracySec=1d
RandomizedDelaySec=1w
Persistent=true
[Install]
WantedBy=timers.target
```
```bash
sudo systemctl start "btrfs-scrub@$(systemd-escape -p /media/data).service"
sudo systemctl enable --now "btrfs-scrub@$(systemd-escape -p /media/data).timer"
```
### Docker
```bash
sudo apt install docker.io docker-compose
sudo usermod -aG docker $USER
sudo systemctl enable docker.service
```
### PostgreSQL (edit the data paths)
```bash
sudo apt install postgresql postgresql-contrib
sudo mkdir -p /media/data/db/postgresql/16/main
# Edit the data paths in the configuration
sudo vim /etc/postgresql/16/main/postgresql.conf
sudo chown -R postgres:postgres /media/data/db/postgresql/
```
Add `Environment=PGDATA=/media/data/db/postgresql/%I/main` to `/lib/systemd/system/postgresql@.service` under `[Service]`.
### Miniflux
```bash
# Note: [trusted=yes] makes apt skip signature verification for this repository
echo "deb [trusted=yes] https://repo.miniflux.app/apt/ * *" | sudo tee /etc/apt/sources.list.d/miniflux.list > /dev/null
sudo apt update && sudo apt install miniflux
systemctl status miniflux.service
# Create the database role and database
sudo -u postgres psql <<'SQL'
CREATE USER miniflux WITH PASSWORD 'miniflux';
CREATE DATABASE miniflux2 OWNER miniflux;
SQL
```
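A check for source entries like the Miniflux one above, written as an added example that is not part of the original guide: it lists every one-line APT source entry carrying an option that disables signature verification. The function name `audit_apt_sources` is an assumption for illustration, and deb822-style `.sources` files are not parsed.

```bash
#!/bin/sh
# Added example: list one-line APT source entries whose options switch off
# signature verification (option names as documented in sources.list(5)).
# Usage: audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
# Prints "file:line: UNVERIFIED (option): entry"; returns 1 if anything was found.

audit_apt_sources() {
    _found=0
    for _file in "$@"; do
        [ -f "$_file" ] || continue
        if ! awk -v f="$_file" '
            # Skips blank lines and comments too: their first field is not "deb"
            $1 != "deb" && $1 != "deb-src" { next }
            {
                s = index($0, "["); e = index($0, "]")   # [option=value ...]
                if (!s || e < s) next                     # entry has no options
                n = split(tolower(substr($0, s + 1, e - s - 1)), o, " ")
                for (i = 1; i <= n; i++)
                    if (o[i] ~ /^(trusted|allow-insecure|allow-weak|allow-downgrade-to-insecure)=yes$/) {
                        printf "%s:%d: UNVERIFIED (%s): %s\n", f, NR, o[i], $0
                        bad = 1
                    }
            }
            END { exit bad + 0 }
        ' "$_file"; then
            _found=1
        fi
    done
    return "$_found"
}
```
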
### Vaultwarden (/etc/vaultwarden):
```bash
sudo wget -O /etc/apt/trusted.gpg.d/bananian-keyring.gpg https://bitwarden-deb.tech-network.de/bananian-keyring.gpg
echo "deb http://bitwarden-deb.tech-network.de bookworm main" | sudo tee /etc/apt/sources.list.d/vaultwarden.list > /dev/null
sudo apt update && sudo apt install vaultwarden
# Create the database role and database
sudo -u postgres psql <<'SQL'
CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword';
CREATE DATABASE vaultwarden OWNER vaultwarden;
SQL
# The vaultwarden binary has to be compiled by hand to enable PostgreSQL (this is irritating)
sudo apt install libpq-dev
# Add the following environment variable to the vaultwarden systemd service:
# Environment="DATABASE_URL=postgresql://vaultwarden:yourpassword@127.0.0.1:5432/vaultwarden"
sudo systemctl enable vaultwarden.service
```
`/etc/environment`
```bash
PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin"
```
### Webmin
```bash
curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
sudo sh setup-repos.sh
sudo apt install webmin
# Configure using /etc/webmin/miniserv.conf
```
### Minio
```bash
wget https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb -O minio.deb
sudo dpkg -i minio.deb
```