APC Back-UPS XS 650CI & apcupsd

Installation

aptitude install apcupsd

Configuration

In the default /etc/apcupsd/apcupsd.conf, comment out the DEVICE entry in line 90:

# DEVICE /dev/ttyS0

Restart the daemon with systemctl restart apcupsd and check that the connection works with apcaccess status.

Usage

  • Reset the battery date with apctest (stop apcupsd first) via View/Change battery date
  • Change the alarm behaviour with apctest (stop apcupsd first) via View/Change alarm behavior
  • Replacement battery type: APCRBC110

Backup with rsnapshot

Backup concept

A backup server which can be woken via wake-on-lan will pull data from the live servers via rsnapshot. Waking, creating a backup, and shutting down will be triggered from a specific live server.

Key generation and automated login

First create an SSH key which will authorize the backup server against the live servers: on the backup server run ssh-keygen -b 4096 -f backup_auth. The generated file backup_auth.pub has to be appended to /root/.ssh/authorized_keys on the live servers to enable automated login. Later the commands available to this key will be limited to rsync only for safety reasons. Check that the live server's /etc/ssh/sshd_config sets PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do the same the other way round for the live server which will later control the backup server.

Rsnapshot

Run aptitude install rsnapshot and set at least the following in /etc/rsnapshot.conf (see the comments in the config file for explanations):

snapshot_root <path>
no_create_root 1
cmd_ssh /usr/bin/ssh
retain ...
ssh_args -i /root/.ssh/backup_auth

# live server directories
backup root@server.local:/etc/ ./
backup root@server.local:/home/ ./
[...]

Limiting rights of automated login

Extract rrsync (restricted rsync) from the rsync documentation scripts with gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /usr/local/bin/rrsync and make it executable with chmod +x /usr/local/bin/rrsync. The backup auth key can now be restricted in /root/.ssh/authorized_keys: prepend the entry with command="/usr/local/bin/rrsync -ro /", which limits this key to that single command (read-only rsync access below /). Additional limiting measures can be implemented by adding further restrictions after command:

command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...

Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only.
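To confirm that every key in /root/.ssh/authorized_keys really carries the rrsync command restriction and the no-* options above, here is an added checker that is not part of these notes; it assumes the rrsync path /usr/local/bin/rrsync used above and reports any entry that is less restrictive.

```python
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")      # an entry without options starts with the key type
RRSYNC_RO = "/usr/local/bin/rrsync -ro"                  # path used above; adjust if rrsync lives elsewhere
REQUIRED_OPTIONS = {"no-pty", "no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding", "no-user-rc"}

def first_field(line):
    """The options or key-type field: everything up to the first whitespace outside double quotes."""
    quoted, out = False, ""
    for ch in line.lstrip():
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            break
        out += ch
    return out

def parse_options(text):
    """'command="/x -ro /",no-pty' -> {'command': '/x -ro /', 'no-pty': True}; names lower-cased like sshd."""
    opts, cur, quoted = {}, "", False
    for ch in text + ",":                                # trailing comma flushes the last option
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if cur:
                name, _, value = cur.partition("=")
                opts[name.lower()] = value or True
            cur = ""
        else:
            cur += ch
    return opts

def audit_entry(line):
    """Findings for one authorized_keys line; an empty list means the key is locked down as intended."""
    head = first_field(line)
    if not head or head.startswith("#"):
        return []                                        # blank line or comment
    opts = {} if head.startswith(KEY_TYPE_PREFIXES) else parse_options(head)
    findings = []
    command = opts.get("command")
    if command is None:
        findings.append("no command= option: this key gives an unrestricted root login")
    elif not str(command).startswith(RRSYNC_RO):
        findings.append("command is not read-only rrsync: " + str(command))
    missing = sorted(REQUIRED_OPTIONS - set(opts))
    if missing:
        findings.append("missing restrictions: " + ", ".join(missing))
    return findings

def audit_file(path="/root/.ssh/authorized_keys"):
    with open(path) as fh:                               # {line number: findings} for failing entries only
        return {n: f for n, line in enumerate(fh, 1) if (f := audit_entry(line))}
```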

Automation

Waking the backup server

wakeonlan [...]

Creating backups

ssh -i <keyfile> root@<backup-server> rsnapshot [...]

The keyfile here is the one that authenticates the live server against the backup server.

Shutting the backup server down

ssh -i <keyfile> root@<backup-server> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> root@<backup-server> /sbin/shutdown -h -t 1

Setting up vsftpd for Brother ADS-1100W

Setup vsftpd

Run aptitude install vsftpd and modify /etc/vsftpd.conf:

listen=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/data/ftp

Create the target folder with mkdir -p /data/ftp/incoming and hand the incoming folder to the ftp user (the base directory stays readable only for anonymous):

chown ftp.ftp /data/ftp/incoming

Setup Brother ADS-1100W

Create FTP profiles on the scanner using the username anonymous and an arbitrary password (an empty password did not work). Set incoming as the target folder. The scan folder can be shared via Samba by adding a section for the target folder in /etc/samba/smb.conf:

[scans]
   comment = Scans
   path = /data/ftp/incoming
   force user = ftp
   force group = ftp
   read only = No

Smartmontools + hdparm

Installation

aptitude install hdparm smartmontools

Configuration

Since Debian 9, hdparm is no longer run during system startup. Thus, a custom systemd service has to be created in /etc/systemd/system/rc-local.service:

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Create a dummy /etc/rc.local:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0

Make it executable and enable the systemd service:

chmod +x /etc/rc.local
systemctl enable rc-local
systemctl status rc-local.service

To check the health status of all disks, change the DEVICESCAN line in /etc/smartd.conf to the following, based on an article in c’t 17/2011, p178:

DEVICESCAN -a -n standby -m root -M test -o on -S on -s (S/../.././0|L/../../6/0)

Description of the options used:

-a: equivalent to -H, -f, -t, -l selftest, -l error, -C 197, -U 198
-n: skip the check while the drive is in the given power mode (here standby), so it is not spun up just for the check
-m: send warning emails to the given address
-M: email behaviour (test sends a test mail when smartd starts)
-o: enable automatic offline tests
-S: enable attribute autosave
-s: start a self-test when the type/date string matches the regular expression

Letting smartd check the drives every 12 h is sufficient for private use, so change /etc/default/smartmontools to:

start_smartd=yes
smartd_opts="--interval=43200"

Lighttpd

Installation

aptitude install lighttpd

Configuration

Adapt /var/www/html/index.html and add a favicon.ico there as well.

SSL

Adapt the certificate paths in /etc/lighttpd/conf-available/10-ssl.conf and add the server name:

# /usr/share/doc/lighttpd/ssl.txt

# check against https://www.ssllabs.com/ssltest/ for issues

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/domain.example/cert+privkey.pem"
        ssl.ca-file = "/etc/letsencrypt/live/domain.example/fullchain.pem"
        server.name = "domain.example"

        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
}

Additionally redirect HTTP to HTTPS by default by creating /etc/lighttpd/conf-available/10-http-https-redirect.conf:

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Activate the redirection by running lighty-enable-mod http-https-redirect and reloading lighttpd.

Webmail: roundcube + sqlite3 + lighttpd

A small-footprint solution for webmail is roundcube in conjunction with sqlite3 and lighttpd. The order of installing the PHP packages is important, as otherwise we end up with Apache dependencies.

apt-get install lighttpd php-cgi php

Because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898040 installing roundcube needs some help to work correctly. Install roundcube while also answering the low priority questions. Choose the default answers where applicable, but don't select any web server to be configured automatically.

DEBIAN_PRIORITY=low apt-get install dbconfig-sqlite3 roundcube-core roundcube-sqlite3

Manually enable roundcube in lighttpd with:

ln -s /etc/roundcube/lighttpd.conf /etc/lighttpd/conf-available/50-roundcube.conf
lighty-enable-mod roundcube fastcgi fastcgi-php

Session timeout can be configured in /etc/roundcube/defaults.inc.php via

// Session lifetime in minutes
$config['session_lifetime'] = 360;

Set the attachment size limits in /etc/php/7.0/cgi/php.ini:

upload_max_filesize = 20M
post_max_size = 30M

Surveillance cameras

Surveillance cameras can be captured using ffmpeg wrapped in a script:

#!/bin/bash

set -e

# Arguments: recording duration in seconds, stream URL, audio codec, destination directory, file name prefix
if [ "$#" -lt 5 ]; then
  echo "Usage: $0 duration stream acodec destdir prefix" >&2
  exit 1
fi

# Copy the video stream as-is, transcode audio, and name the file <prefix>_YYYY-MM-DD-HH_MM_SS.mp4
ffmpeg -t "$1" -i "$2" -acodec "$3" -vcodec copy -y "$4/${5}_$(date +%F-%T | sed 's/:/_/g').mp4"

Call it from cron every hour; this generates timestamped files in /data/cctv prefixed with cam1, each a little longer than an hour (3900 s):

5 * * * * cctv_record.sh 3900 rtsp://camera.example.domain/live.sdp mp2 /data/cctv cam1

Additionally disk space needs to be monitored and old recordings removed as required.
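As an added example of the clean-up the previous sentence calls for (not part of these notes): this script understands the <prefix>_YYYY-MM-DD-HH_MM_SS.mp4 names the recording script produces, removes recordings past a retention window, then drops the oldest ones until a minimum amount of free space is reached, and never touches files that do not match that name pattern. The directory, retention and free-space threshold are assumed values, and it runs as a dry run unless told otherwise.

```python
import os
import re
import shutil
from datetime import datetime, timedelta

# Names the recording script writes: <prefix>_YYYY-MM-DD-HH_MM_SS.mp4 (colons of %T replaced by '_')
NAME_RE = re.compile(r"^[^_/]+_(\d{4}-\d{2}-\d{2}-\d{2}_\d{2}_\d{2})\.mp4$")

def recorded_at(name):
    """Start time parsed from the file name, or None if the file is not one of our recordings."""
    m = NAME_RE.match(name)
    return datetime.strptime(m.group(1), "%Y-%m-%d-%H_%M_%S") if m else None

def _as_datetime(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def oldest_first(names):
    """Recognised recordings ordered by their embedded start time; anything else is ignored."""
    return sorted((n for n in names if recorded_at(n)), key=recorded_at)

def expired(names, now, keep_days):
    """Recordings whose start time lies before the retention window, oldest first (now may be ISO text)."""
    cutoff = _as_datetime(now) - timedelta(days=keep_days)
    return [n for n in oldest_first(names) if recorded_at(n) < cutoff]

def to_free(sizes, bytes_needed):
    """Pick the oldest recordings from {name: size} until at least bytes_needed would be released."""
    chosen, freed = [], 0
    for name in oldest_first(sizes):
        if freed >= bytes_needed:
            break
        chosen.append(name)
        freed += sizes[name]
    return chosen

def prune(directory="/data/cctv", keep_days=30, min_free=50 * 2**30, dry_run=True):
    """Return the recordings selected for removal, deleting them unless dry_run (assumed defaults)."""
    sizes = {n: os.path.getsize(os.path.join(directory, n)) for n in oldest_first(os.listdir(directory))}
    victims = expired(sizes, datetime.now(), keep_days)
    free = shutil.disk_usage(directory).free + sum(sizes[v] for v in victims)
    if free < min_free:                                   # retention alone did not free enough space
        rest = {n: s for n, s in sizes.items() if n not in victims}
        victims += to_free(rest, min_free - free)
    for name in victims:
        if not dry_run:
            os.remove(os.path.join(directory, name))
    return victims
```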

Time-lapse videos can be created by grabbing an image at regular intervals and saving it with timestamp information; the video itself can then be assembled with ffmpeg.

Samba

Installation

aptitude install samba

Configuration

Changes in default smb.conf:

  • [global]
    • interfaces = 127.0.0.0/8 192.168.33.32/27
    • bind interfaces only = yes
  • [homes]
    • read only = no
    • create mask = 0600
  • remove [printers] & [print$] sections (printers will be handled via cups)

Add own sections as needed:

[section_name]
   comment = Section description
   path = /what/to/share
   read only = Yes/No

User management

smbpasswd -a username # will ask for SMB password
smbpasswd -e username # enables this user

VDR

Installation

The aim is to set up a headless VDR backend which:

  • provides content via VNSI to an OpenElec client
  • provides a web interface for live viewing and programming
  • provides EPG searching

aptitude install vdr vdr-plugin-vnsiserver vdr-plugin-live vdr-plugin-streamdev-server vdr-plugin-epgsearch

Configuration

The main configuration is located in /etc/vdr/conf.d/00-vdr.conf. Add -l 2 to reduce log spamming and set --video= to the actual recordings location. Afterwards restart vdr so that it creates a default /etc/vdr/setup.conf, then change MaxVideoFileSize to 100000 to split recordings into 100 GB chunks.

Streaming has to be allowed for the local network in /etc/vdr/plugins/streamdevhosts.conf by adding the local subnet, e.g. 192.168.33.32/27.

The web frontend listens on all interfaces by default; this can be changed in /etc/vdr/conf.d/50-live.conf by using multiple --ip lines so that it only listens internally:

--ip=192.168.33.33
--ip=127.0.0.1

The VNSI plugin provides a default config for allowed hosts which has to be adapted in /etc/vdr/plugins/vnsiserver/allowed_hosts.conf.

Backup

The following files are relevant for backing up timers and channels:

/var/lib/vdr/channels.conf
/var/lib/vdr/timers.conf
/var/lib/vdr/plugins/epgsearch/epgsearch.conf
/var/lib/vdr/plugins/epgsearch/epgsearchdone.data
/var/lib/vdr/plugins/epgsearch/timersdone.conf

OpenSMTPD with sender dependent smart hosts

Installation

aptitude install opensmtpd

Configuration

The main config resides in /etc/smtpd.conf. In this case it lets authenticated users relay through several smart hosts depending on the sender address of the email. Thus, users can send from their non-local addresses and OpenSMTPD knows where to forward the mail:

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# Certificates for SSL and TLS
pki domain.example certificate "/etc/letsencrypt/live/domain.example/cert.pem"
pki domain.example key "/etc/letsencrypt/live/domain.example/privkey.pem"

# Accept local mail
listen on localhost
listen on 192.168.33.33

# Accept external mail when authenticated over a secure channel; authenticated users are considered local!
listen on 192.168.33.33 smtps pki domain.example auth

# SSL
listen on 192.168.2.254 smtps pki domain.example auth

# TLS
#listen on 192.168.2.254 port 465 tls pki domain.example auth

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/aliases

# Forward mail for local accounts to their inbox
accept for local alias  deliver to mda "/usr/lib/dovecot/dovecot-lda -k"
accept from source 192.168.33.33/27 for local alias  deliver to mda "/usr/lib/dovecot/dovecot-lda -k"

# Table for smtp-auth credentials, has to be created with "makemap /etc/smtpd_auth"
table smtp_auth_db db:/etc/smtpd_auth.db

# Accept mail from known mail accounts and forward them to their respective smarthosts using smtp-auth
accept from local sender some_user@mailprovider.example for any relay via tls+auth://some_user_mailprovider@mailprovider.example auth

accept for any relay

Authorization data is located in /etc/smtpd_auth:

some_user_mailprovider username:password

After changing it, the database has to be rebuilt via makemap /etc/smtpd_auth. The authorization database needs to be readable by the user opensmtpd and should be protected from other users:

chmod 600 /etc/smtpd.conf /etc/smtpd_auth*
chown root.root /etc/smtpd.conf /etc/smtpd_auth
chown opensmtpd.opensmtpd /etc/smtpd_auth.db

/etc/aliases also has to be updated to redirect root's mail to an actual user.