Bits and pieces of daily computer usage
aptitude install apcupsd
In the default /etc/apcupsd/apcupsd.conf disable the DEVICE entry in line 90:
# DEVICE /dev/ttyS0
Restart daemon systemctl restart apcupsd and check working connection with apcaccess status.
apctest (stop apcupsd before) with View/Change battery dateapctest (stop apcupsd before) with View/Change alarm behaviorA backup server which can be woken via wake-on-lan will pull data from live severs via rsnapshot . Waking, creating a backup, and shutting down will be done from a specific live server.
First create an SSH key which will authorize the backup server against the live servers: On the backup server run ssh-keygen -b 4096 -f backup_auth. The generated file backup_auth.pub has to be appended to /root/.ssh/authorized_keys to enable automated login. Later we will limit commands availabe to rsync only for safety reasons. Check that the clients /etc/ssh/sshd_config sets PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do this vice-versa for the live server which will later control the backup server.
Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to at least (see comments in config file for explanations):
snapshot_root <path> no_create_root 1 cmd_ssh /usr/bin/ssh retain ... ssh_args -i /root/.ssh/backup_auth # live server directories backup root@server.local:/etc/ ./ backup root@server.local:/home/ ./ [...]
Extract rrsync (restricted rsync) from rsync scripts: gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /usr/local/bin/rrsync and make it executable chmod +x /usr/local/bin/rrsync. The backup auth key can now be restricted in /root/.ssh/authorized_keys. Prepend the entry with command="/usr/local/bin/rrsync -ro /" which limits access with this key to just this command. Additionnally limiting measures can be implemented by adding further restrictions after command:
command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...
Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only.
wakeonlan [...]
ssh -i <keyfile> rsnapshot [...]
Keyfile should authenticate the live server against the backup server.
ssh -i <keyfile> /sbin/ethtool -s eth0 wol g ssh -i <keyfile> /sbin/shutdown -h -t 1
Run aptitude install vsftpd and modify /etc/vsftpd.conf:
listen=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd write_enable=YES anonymous_enable=YES anon_upload_enable=YES anon_mkdir_write_enable=YES anon_root=/data/ftp
Create target folder with mkdir -p /data/ftp/incoming and change incoming folder rights (basedir is left as only readable for anonymous):
chown ftp.ftp /data/ftp/incoming
Create FTP-Profiles using username anonymous and an arbitrary password (empty password did not work). Set incoming as target folder. The scan folder can be shared via Samba by adding a section for the target folder in /etc/samba/smb.conf:
[scans] comment = Scans path = /data/ftp/incoming force user = ftp force group = ftp read only = No
aptitude install hdparm smartmontools
Since Debian 9, hdparm is not run during system startup anymore. Thus, a custom systemd service has to be created in /etc/systemd/system/rc-local.service:
[Unit] Description=/etc/rc.local ConditionPathExists=/etc/rc.local [Service] Type=forking ExecStart=/etc/rc.local start TimeoutSec=0 StandardOutput=tty RemainAfterExit=yes [Install] WantedBy=multi-user.target"
Create a dummy /etc/rc.local:
#!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. exit 0
Make it runnable and enable the systemd service:
chmod +x /etc/rc.local systemctl enable rc-local systemctl status rc-local.service
To check health status of all disks change the DEVICESCAN line in /etc/smartd.conf to the following based on an articel in c’t 17/2011, p178:
DEVICESCAN -a -n standby -m root -M test -o on -S on -s (S/../.././0|L/../../6/0)
Description of used options:
-a: equivalent to -H, -f, -t, -l selftest, -l error, -C 197, -U 198 -n: nocheck when in given powermode -m: send warning email to ADD -M: email-behaviour -o: automatic offline tests -S: attribute autosave -s: start self-test when type/date matches regex
Letting smartd checking on the drives every 12h is sufficient for private use, so change /etc/default/smartmontools to:
start_smartd=yes smartd_opts="--interval=43200"
aptitude install lighttpd
Adapt /var/www/html/index.html and add a favicon.ico there as well.
Adapt certificate paths in /etc/lighttpd/conf-available/10-ssl.conf and add the server name:
# /usr/share/doc/lighttpd/ssl.txt
# check against https://www.ssllabs.com/ssltest/ for issues
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/domain.example/cert+privkey.pem"
ssl.ca-file = "/etc/letsencrypt/live/domain.example/fullchain.pem"
server.name = "domain.example"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
}
Additionally redirect by default to https by creating /etc/lighttpd/conf-available/10-http-https-redirect.conf:
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
Activate the redirection by running lighty-enable-mod http-https-redirect and reloading lighttpd.
A small footprint solution for webmail is using roundcube in conjunction with sqlite3 and lighttpd. The order of installing PHP packaches is important as otherwise we end up with Apache dependencies.
apt-get install lighttpd php-cgi php
Because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898040 installing roundcube needs some help to work correctly. Install roundcube while also getting low priority questions. Choose default answers where applicable but don’t select any https serverto be configured.
DEBIAN_PRIORITY=low apt-get install dbconfig-sqlite3 roundcube-core roundcube-sqlite3
Manually enable roundcube in lighttpd with
ln -s /etc/roundcube/lighttpd.conf /etc/lighttpd/conf-available/50-roundcube.conf lighty-enable-mod roundcube fastcgi fastcgi-php
Session timeout can be configured in /etc/roundcube/defaults.inc.php via
// Session lifetime in minutes $config['session_lifetime'] = 360;
Setting attachment sizes in /etc/php/7.0/cgi/php.ini
upload_max_filesize = 20M post_max_size = 30M
Surveillance cameras can be captured using ffmpeg wrapped in a script:
#!/bin/bash
set -e
if [ -z "$1" ]; then
echo "Usage: $0 duration stream acodec destdir prefix"
exit -1
fi
ffmpeg -t $1 -i $2 -acodec $3 -vcodec copy -y $4/${5}_$(date +\%F-\%T | sed 's/:/_/g' ).mp4
Calling it from cron every hour which will generate timestamped files in /data/cctv prefixed with cam1 and a duration of little more than an hour:
5 * * * * cctv_record.sh 3900 rtsp://camera.example.domain/live.sdp mp2 /data/cctv cam1
Additionally disk space needs to be monitored and old recordings removed as required.
Time lapse videos can be created by getting an image regularly and saving it with timestamp info. The actual video can be done via ffmpeg.
aptitude install samba
Changes in default smb.conf:
Add own sections as needed:
[section_name] comment = Section description path = /what/to/share read only = Yes/No
smbpasswd -a username # will ask for SMB password smbpasswd -e username # enables this user
The aim is to setup a headless VDR backend which:
aptitude install vdr vdr-plugin-vnsiserver vdr-plugin-live vdr-plugin-streamdev-server vdr-plugin-epgsearch
Main configuration is located in /etc/vdr/conf.d/00-vdr.conf. Add -l 2 to reduce log spamming and specify --video= to the actual recordings location. Afterwards restart vdr to let it create a default /etc/vdr/setup.conf. Change MaxVideoFileSize to 100000 to split recordings into 100GB chunks.
Streaming has to be allowed for the local network in /etc/vdr/plugins/streamdevhosts.conf by adding the local subnet, e.g. 192.168.33.32/27.
The web frontend listens by default on all interfaces, this can be changed in /etc/vdr/conf.d/50-live.conf by using multiple --ip lines so that it only listens internally:
--ip=192.168.33.33 --ip=127.0.0.1
The VNSI plugin provides a default config for allowed hosts which has to be adapted in /etc/vdr/plugins/vnsiserver/allowed_hosts.conf.
Following files are relevant for backing up timers and channels:
/var/lib/vdr/channels.conf /var/lib/vdr/timers.conf /var/lib/vdr/plugins/epgsearch/epgsearch.conf /var/lib/vdr/plugins/epgsearch/epgsearchdone.data /var/lib/vdr/plugins/epgsearch/timersdone.conf
aptitude install opensmtpd
The main config resides in /etc/smtpd.conf. In this case it enables authenticated users to relay to several smart hosts depending on the sender of the email. Thus, users can send from with their non-local adresses and OpenSMTPD knows where to forward it:
# This is the smtpd server system-wide configuration file. # See smtpd.conf(5) for more information. # Certificates for SSL and TLS pki domain.example certificate "/etc/letsencrypt/live/domain.example/cert.pem" pki domain.example key "/etc/letsencrypt/live/domain.example/privkey.pem" # Accept local mail listen on localhost listen on 192.168.33.33 # Accept external mail when authenticated over a secure channel, authenticated user are considered local! listen on 192.168.33.33 smtps pki domain.example auth # SSL listen on 192.168.2.254 smtps pki domain.example auth # TLS #listen on 192.168.2.254 port 465 tls pki domain.example auth # If you edit the file, you have to run "smtpctl update table aliases" table aliases file:/etc/aliases # Forward mail for local accounts to their inbox accept for local alias deliver to mda "/usr/lib/dovecot/dovecot-lda -k" accept from source 192.168.33.33/27 for local alias deliver to mda "/usr/lib/dovecot/dovecot-lda -k" # Table for smtp-auth credentials, has to be created with "makemap /etc/smtpd_auth" table smtp_auth_db db:/etc/smtpd_auth.db # Accept mail from known mail accounts and forward them to their respective smarthosts using smtp-auth accept from local sender some_user@mailprovider.example for any relay via tls+auth://some_user_mailprovider@mailprovider.example auth accept for any relay
Authorization data is located in /etc/smtpd_auth:
some_user_mailprovider username:password
After changing it the database has to be updated via makemap /etc/smtpd_auth. Authorization databases need to be readable by the user opensmtpd and should be protected from other users:
chmod 600 /etc/smtpd.conf /etc/smtpd_auth* chown root.root /etc/smtpd.conf /etc/smtpd_auth chown opensmtpd.opensmtpd /etc/smtpd_auth.db
/etc/aliases had to be updated to redirect root mails to an actual user.