Brother ADS-1100W FTP-Scanning setup

This document scanner can send documents directly to an FTP server. Install vsftpd via aptitude install vsftpd and set /etc/vsftpd.conf as follows:

listen=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/data/ftp

This enables anonymous uploading for everyone! Create /data/ftp/incoming and chown it to ftp.ftp. Add the following section to /etc/samba/smb.conf to give Windows clients easy access:

[scans]
   comment = Scans
   path = /data/ftp/incoming
   force user = ftp
   force group = ftp
   read only = No

APC Back-UPS XS 650CI & apcupsd

Installation

aptitude install apcupsd

Configuration

In the default /etc/apcupsd/apcupsd.conf disable the DEVICE entry in line 90:

# DEVICE /dev/ttyS0

Restart the daemon with systemctl restart apcupsd and check that the connection works with apcaccess status.

Usage

  • Reset battery date with apctest (stop apcupsd before) with View/Change battery date
  • Change alarm behaviour with apctest (stop apcupsd before) with View/Change alarm behavior
  • Replacement battery type: APCRBC110

Backup with rsnapshot

Backup concept

A backup server which can be woken via wake-on-lan will pull data from live servers via rsnapshot. Waking, creating a backup, and shutting down will be done from a specific live server.

Key generation and automated login

First create an SSH key which will authorize the backup server against the live servers: On the backup server run ssh-keygen -b 4096 -f backup_auth. The generated file backup_auth.pub has to be appended to /root/.ssh/authorized_keys to enable automated login. Later we will limit the commands available to rsync only for safety reasons. Check that the client's /etc/ssh/sshd_config sets PermitRootLogin without-password so that a first connection test from the backup server can succeed. Do the same in the opposite direction for the live server which will later control the backup server.

Rsnapshot

Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to at least (see comments in config file for explanations):

snapshot_root <path>
no_create_root 1
cmd_ssh /usr/bin/ssh
retain ...
ssh_args -i /root/.ssh/backup_auth

# live server directories
backup root@server.local:/etc/ ./
backup root@server.local:/home/ ./
[...]

Limiting rights of automated login

Extract (Debian 8/9) or copy (Debian 10) rrsync (restricted rsync) from /usr/share/doc/rsync/scripts to /usr/local/bin/rrsync and make it executable. The backup auth key can now be restricted in /root/.ssh/authorized_keys. Prepend the entry with command="/usr/local/bin/rrsync -ro /", which limits access with this key to just this command. Additional limiting measures can be implemented by adding further restrictions after command:

command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...

Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only.
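
An added example, not part of the original page: a shell function that checks every entry of an authorized_keys file for the forced command and the restriction options shown above. The function name, finding labels and sample keys are constructed for illustration; restrict (OpenSSH 7.2 and later) is accepted in place of the individual no-* options.

```shell
#!/bin/sh
# Added example (not from the original page): list authorized_keys entries
# that are not locked down like the backup key above.

# Options the page attaches to the backup key after command="...".
REQUIRED_OPTS="no-pty no-agent-forwarding no-port-forwarding no-X11-forwarding no-user-rc"

# audit_authorized_keys: reads an authorized_keys file on stdin and prints
# "<line number> OK" or "<line number> <finding>[,<finding>...]" per key.
audit_authorized_keys() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # The options field is everything before the key type; it may hold
        # quoted spaces, so cut at the first " <keytype> " instead of splitting.
        opts=$(printf '%s\n' "$line" |
            sed -E 's/(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+|sk-[^ ]+) .*$//')
        findings=""
        case $opts in
            *'command="'*) ;;
            *) findings="no-forced-command" ;;
        esac
        case ",$opts," in
            *,restrict,*) ;;   # OpenSSH 7.2+: "restrict" switches them all off
            *)
                for o in $REQUIRED_OPTS; do
                    case ",$opts," in
                        *",$o,"*) ;;
                        *) findings="${findings:+$findings,}missing-$o" ;;
                    esac
                done ;;
        esac
        echo "$lineno ${findings:-OK}"
    done
}

# Constructed sample; the key material is shortened placeholder text.
SAMPLE_KEYS='# root authorized_keys (constructed)
command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3NzaC1yc2E backup
ssh-ed25519 AAAAC3NzaC1lZDI1 admin
command="/usr/local/bin/rrsync -ro /",no-pty ssh-rsa AAAAB3NzaC1yc2E oldbackup
restrict,command="/usr/local/bin/rrsync -ro /" ssh-ed25519 AAAAC3NzaC1lZDI1 backup2'

printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
```

On a live server, run it as audit_authorized_keys < /root/.ssh/authorized_keys; with PermitRootLogin forced-commands-only, any root key reported as no-forced-command can no longer log in.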

Automation

Waking the backup server

wakeonlan [...]

Creating backups

ssh -i <keyfile> <backupserver> rsnapshot [...]

Keyfile should authenticate the live server against the backup server.

Shutting the backup server down

ssh -i <keyfile> <backupserver> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> <backupserver> /sbin/shutdown -h -t 1

Setting up vsftpd for Brother ADS-1100W

Setup vsftpd

Run aptitude install vsftpd and modify /etc/vsftpd.conf:

listen=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
write_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/data/ftp

Create target folder with mkdir -p /data/ftp/incoming and change incoming folder rights (basedir is left as only readable for anonymous):
chown ftp.ftp /data/ftp/incoming

Setup Brother ADS-1100W

Create FTP-Profiles using username anonymous and an arbitrary password (empty password did not work). Set incoming as target folder. The scan folder can be shared via Samba by adding a section for the target folder in /etc/samba/smb.conf:

[scans]
   comment = Scans
   path = /data/ftp/incoming
   force user = ftp
   force group = ftp
   read only = No

Smartmontools + hdparm

Installation

aptitude install hdparm smartmontools

Configuration

Since Debian 9, hdparm is not run during system startup anymore. Thus, a custom systemd service has to be created in /etc/systemd/system/rc-local.service:

[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Create a dummy /etc/rc.local:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0

Make it runnable and enable the systemd service:

chmod +x /etc/rc.local
systemctl enable rc-local
systemctl status rc-local.service

To check the health status of all disks, change the DEVICESCAN line in /etc/smartd.conf to the following, based on an article in c’t 17/2011, p178:

DEVICESCAN -a -n standby -m root -M test -o on -S on -s (S/../.././0|L/../../6/0)

Description of used options:

-a: equivalent to -H, -f, -t, -l selftest, -l error, -C 197, -U 198
-n: nocheck when in given powermode
-m: send warning email to ADD
-M: email-behaviour
-o: automatic offline tests
-S: attribute autosave
-s: start self-test when type/date matches regex

Letting smartd check the drives every 12h is sufficient for private use, so change /etc/default/smartmontools to:

start_smartd=yes
smartd_opts="--interval=43200"

Lighttpd

Installation

aptitude install lighttpd

Configuration

Adapt /var/www/html/index.html and add a favicon.ico there as well.

SSL

Adapt certificate paths in /etc/lighttpd/conf-available/10-ssl.conf and add the server name:

# /usr/share/doc/lighttpd/ssl.txt

# check against https://www.ssllabs.com/ssltest/ for issues

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/domain.example/cert+privkey.pem"
        ssl.ca-file = "/etc/letsencrypt/live/domain.example/fullchain.pem"
        server.name = "domain.example"

        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
}

Enable SSL with lighty-enable-mod ssl and restart the service.
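
An added example, not part of the original page: to see which suites a cipher string like the one above actually enables, expand it with openssl ciphers -v and classify the result. The function name, finding labels and sample lines are constructed; the live expansion at the end depends on the local OpenSSL build.

```shell
#!/bin/sh
# Added example (not from the original page): classify the suites an OpenSSL
# cipher string expands to. Input is `openssl ciphers -v` output on stdin.

# classify_suites: prints "<suite> <finding>[,<finding>...]" for suites with
# broken encryption, static-RSA key exchange or a non-AEAD MAC; suites
# without findings print nothing.
classify_suites() {
    awk '
    NF >= 6 {
        f = ""
        if ($5 ~ /^Enc=(RC4|DES|3DES|None)/) f = f ",broken-cipher"
        if ($3 == "Kx=RSA")                  f = f ",no-forward-secrecy"
        if ($6 != "Mac=AEAD")                f = f ",non-aead"
        if (f != "") print $1, substr(f, 2)
    }'
}

# Constructed sample lines in the `openssl ciphers -v` column layout.
# The last suite is included for contrast: the list above excludes it
# through !AESGCM.
SAMPLE_SUITES='ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

printf '%s\n' "$SAMPLE_SUITES" | classify_suites

# Live check of the cipher list from the lighttpd config above. Builds of
# OpenSSL that have RC4 compiled out will not list any RC4 suite here.
CIPHER_LIST='ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM'
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$CIPHER_LIST" 2>/dev/null | classify_suites
fi
```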

Additionally redirect by default to https by creating /etc/lighttpd/conf-available/10-http-https-redirect.conf:

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Activate the redirection by running lighty-enable-mod http-https-redirect and reloading lighttpd.

Webmail: roundcube + sqlite3 + lighttpd

Installation

A small footprint solution for webmail is using roundcube in conjunction with sqlite3 and lighttpd. The order of installing PHP packages is important as otherwise we end up with Apache dependencies.

apt-get install lighttpd php-cgi php

Debian 9: Because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898040 installing roundcube needs some help to work correctly. Install roundcube while also getting low priority questions. Choose default answers where applicable but don’t select any https server to be configured.

DEBIAN_PRIORITY=low apt-get install dbconfig-sqlite3 roundcube-core roundcube-sqlite3

Manually enable roundcube in lighttpd with

ln -s /etc/roundcube/lighttpd.conf /etc/lighttpd/conf-available/50-roundcube.conf
lighty-enable-mod roundcube fastcgi fastcgi-php

Debian 10: The bugfix was included for this release so we can install easily via aptitude install dbconfig-sqlite3 roundcube-sqlite3 roundcube.

Configuration

Session timeout can be configured in /etc/roundcube/defaults.inc.php via

// Session lifetime in minutes
$config['session_lifetime'] = 360;

Default host can be configured in /etc/roundcube/config.inc.php:

$config['default_host'] = array("localhost");

Debian 10: Set smtp_user and smtp_pass to empty strings. This was the default setting previously, but OpenSMTPD does not authenticate on the loopback device!

$config['smtp_user'] = '';
$config['smtp_pass'] = '';

Setting attachment sizes in /etc/php/7.*/cgi/php.ini

upload_max_filesize = 20M
post_max_size = 30M

Roundcube user settings are stored in /var/lib/dbconfig-common/sqlite3/roundcube (see /etc/dbconfig-common/roundcube.conf)

Surveillance cameras

Surveillance cameras can be captured using ffmpeg wrapped in a script:

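#!/bin/bash

set -e

# All five arguments are required.
if [ "$#" -lt 5 ]; then
  echo "Usage: $0 duration stream acodec destdir prefix"
  exit 1
fi

# Quote every argument so stream URLs and paths with special characters reach
# ffmpeg unchanged; colons in the timestamp are replaced by underscores.
ffmpeg -t "$1" -i "$2" -acodec "$3" -vcodec copy -y "$4/${5}_$(date +%F-%T | sed 's/:/_/g').mp4"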

Calling it from cron every hour generates timestamped files in /data/cctv, prefixed with cam1 and with a duration of a little more than an hour:

5 * * * * cctv_record.sh 3900 rtsp://camera.example.domain/live.sdp mp2 /data/cctv cam1

Additionally disk space needs to be monitored and old recordings removed as required.

Time lapse videos can be created by getting an image regularly and saving it with timestamp info. The actual video can be done via ffmpeg.

Samba

Installation

aptitude install samba

Configuration

Changes in default smb.conf:

  • [global]
    • interfaces = 127.0.0.0/8 192.168.33.32/27
    • bind interfaces only = yes
  • [homes]
    • read only = no
    • create mask = 0600
  • remove [printers] & [print$] sections (printers will be handled via cups)

Add own sections as needed:

[section_name]
   comment = Section description
   path = /what/to/share
   read only = Yes/No

Example of a public read-only share, e.g. for use by OpenELEC:

[public_read_only]
   comment = Section description
   path = /what/to/share
   read only = Yes
   guest ok = Yes

User management

smbpasswd -a username # will ask for SMB password
smbpasswd -e username # enables this user

VDR

Installation

The aim is to setup a headless VDR backend which:

  • provides content via VNSI to an OpenElec client
  • provides a web interface for live viewing and programming
  • provides EPG searching
aptitude install vdr vdr-plugin-vnsiserver vdr-plugin-live vdr-plugin-streamdev-server vdr-plugin-epgsearch

Configuration

Main configuration is located in /etc/vdr/conf.d/00-vdr.conf. Add -l 2 to reduce log spamming and specify --video= to the actual recordings location. Remove --lirc to avoid log spamming. Add --filesize=100G to split recordings into 100GB chunks.

Streaming has to be allowed for the local network in /etc/vdr/plugins/streamdevhosts.conf by adding the local subnet, e.g. 192.168.33.32/27.

The web frontend listens on all interfaces by default. This can be changed in /etc/vdr/conf.d/50-live.conf by using multiple --ip lines so that it only listens internally:

--ip=192.168.33.33
--ip=127.0.0.1

The VNSI plugin provides a default config for allowed hosts which has to be adapted in /etc/vdr/plugins/vnsiserver/allowed_hosts.conf.

Backup

The following files are relevant for backing up timers and channels:

/var/lib/vdr/channels.conf
/var/lib/vdr/timers.conf
/var/lib/vdr/plugins/epgsearch/epgsearch.conf
/var/lib/vdr/plugins/epgsearch/epgsearchdone.data
/var/lib/vdr/plugins/epgsearch/timersdone.conf