forest

forest is an Acer Aspire V5-123 netbook that I got for free from a great friend and turned into an Alpine server. It is the successor of mountain, and is intended to have just as many services as mountain, but with twice as much processing power, and twice as less power usage and heat.

After I decided to shut my French blog down on 2024-11-10 and switch my home Internet connection to LTE only, it no longer needs to operate continuously, so I only run it for special operations where I want a small Linux machine to run for a while without wasting too much electricity.

Specifications

Manufacturing date: 2014-04-02
Acquisition date: 2022-06-09T13:00Z
Model ID: 12102G50nkk
CPU: AMD E1-2100 APU at 1 GHz
RAM: 2GB DDR3, up to 4GB supported
GPU: ATI Radeon HD 8210
11.6" 1366×768 LCD screen
500GB SATA HDD
- Original disk unknown.
- Current disk: HGST Travelstar Z7K500 (HTS725050B7E630)
Sanyo AL12B32 4-cell Li-ion battery
- Now using a random brand new unofficial battery
- Original battery:
  - Design capacity: 2500 mAh
  - Design minimum voltage: 14.8V
  - Current capacity: 0 mAh
  - Current voltage: ~5V
Atheros AR8171 Gigabit Ethernet
Atheros AR9565 WLAN adapter (802.11b/g/n and Bluetooth 4.0)
2 USB 2.0 ports, 1 USB 3.0 port
1 HDMI port, 1 VGA port
Chicony Electronics Co. Ltd HD Webcam
Built-in microphone
SD card reader
Maximum power: 40W

Places it went to

It might be a server, but it still might go places for various reasons!

Grenoble
- Place Victor Hugo
  - Tested it on one out of 10 power plugs that were left there, unlocked, available for everyone.
- My desk
  - Set it up as my home server
- On a shelf
  - Became my home server

Services

My French blog (to be moved from mountain)
LAN-only CUPS server for a Seiko RP-D10 thermal printer
LAN-only Samba server for my Windows ThinkPads, for network shares and network printing
Syncthing device which hosts all of my shares at once for Linux and Android devices
Wireguard server (to be set up)

Server setup

Those are the notes I was supposed to make for mountain really, but never got around to actually do.

Base setup

Run setup-alpine
Use fr-oss as the keyboard variant
Set forest as the hostname
Configure wlan0 and eth0 with DHCP
Use chrony as the NTP server
Create a non-root user
Use openssh as the SSH server
Use the sda disk as an lvm physical volume and install Alpine on it (select sys)
Use f to auto-detect the fastest mirror
Reboot once prompted, disconnect the USB key
Login and enable the community repo (doas vi /etc/apk/repositories)
doas apk add --update vim figlet htop byobu pciutils zsh doas-sudo-shim curl linux-firmware-amd-ucode tree neofetch git sudo mkdir /home/lucidiot sudo chown lucidiot:lucidiot /home/lucidiot
Edit the /etc/motd with a :r!figlet -f smslant forest

  sed -i /lucidiot/s/ash/zsh/ /etc/passwd
  byobu-enable
  neofetch # btw i use alpine

SSH

Edit /etc/ssh/sshd_config
- Disable PasswordAuthentication
- Disable PermitRootLogin
- Disable KbdInteractiveAuthentication
sudo rc-service sshd reload

Syncthing

  sudo apk add syncthing
  sudo rc-service syncthing start
  sudo rc-update add syncthing
  sudo vim /var/lib/syncthing/.config/syncthing/config.xml

Set the <address> in the <gui> to the local IP of this machine, 192.168.1.xxx
sudo rc-service syncthing restart
Open the Syncthing GUI at http://<ip address>:8384/
Open the GUI settings
Use the Set Folder Defaults and Set Device Defaults to set your defaults.
Enable some file versioning to let the server do some sort of backups…
Under GUI, configure a username and password and enable HTTPS.
Save, load the https:// version of the site and login.
Remove the default share.
Open Syncthing on other devices, add forest to it, and share anything you want with it.
Accept all the devices and shares and get sync’d!

MariaDB

Install and start MariaDB:

sudo apk add mariadb mariadb-client
sudo rc-service mariadb setup
sudo rc-service mariadb start

Run the setup wizard: sudo mariadb-secure-installation
Keep passwordless access for root without UNIX socket so you can do sudo mariadb
Disallow remote login
Remove anonymous users and the test database
Run INSTALL SONAME 'auth_ed25519'; on the database
Start on boot: sudo rc-update add mariadb default

PHP

Install PHP: sudo apk add php81-fpm

Edit /etc/php81/php-fpm.d/www.conf:

group = nginx
listen = /run/php-fpm81/php.sock
listen.user = nobody
listen.group = nginx

Start PHP: sudo rc-service php-fpm81 start
Start on boot: sudo rc-update add php-fpm81 default

Brainshit

sudo mkdir -p /var/www/brainshit.fr
Upload Brainshit source code to /var/www/brainshit.fr/
sudo chown -R root:nginx /var/www/brainshit.fr
Install dependencies: sudo apk add certbot-nginx php81-mbstring php81-mysqli php81-session
Edit nginx config: sudo vim /etc/nginx/http.d/default.conf

Carry over Let’s Encrypt config and certs and DB dump from the previous server:

ssh mountain
sudo tar czf letsencrypt.tar.gz /etc/letsencrypt
sudo mariadb-dump -p brainshit > brainshit.sql
^D

scp mountain:letsencrypt.tar.gz mountain:brainshit.sql forest:

ssh forest
sudo mariadb -e 'CREATE DATABASE brainshit;'
sudo mariadb -p brainshit < brainshit.sql
sudo mariadb -e "CREATE USER brainshit@localhost IDENTIFIED BY '$PASSWORD';"
sudo mariadb -e 'REVOKE ALL PRIVILEGES, GRANT OPTION FROM brainshit@localhost'
sudo mariadb -e 'GRANT SELECT, INSERT, UPDATE, DELETE ON brainshit.* TO brainshit@localhost'
cd /
sudo tar xf ~/letsencrypt.tar.gz
cd ~
rm letsencrypt.tar.gz brainshit.sql

Edit /var/www/brainshit.fr/config.inc.php to set the database credentials
Start nginx: sudo rc-service nginx start
Start nginx on boot: sudo rc-update add nginx default

Caddy

Failed attempt at setting up Caddy instead of nginx:

sudo apk add caddy
sudo mkdir -p /var/log/caddy
sudo chown caddy:caddy /var/log/caddy
sudo chown -R root:caddy /var/www/brainshit.fr

Edit /etc/php81/php-fpm.d/www.conf:

group = caddy
listen = /run/php-fpm81/php.sock
listen.user = nobody
listen.group = caddy

Edit /etc/caddy/Caddyfile
Start Caddy: sudo rc-service caddy start
Start Caddy on boot: sudo rc-update add caddy default

CUPS

A CUPS server to print on a SII RP-D10 thermal printer, also advertised over SMB.

Build the driver:

sudo apk add build-base cups cups-filters cups-dev cups-filters-dev libjpeg libpng tiff ghostscript eudev
wget https://www.seiko-instruments.de/fileadmin/user_upload/CUPSFilter_Ver.1.2.0.zip
unzip CUPSFilter_Ver.1.2.0.zip
cd CUPSFilter_Ver.1.2.0
tar xf sii_mlt_cups-1.2.0.tar.gz
cd sii_mlt_cups-1.2.0
sudo mkdir /usr/lib/cups/filter
./configure # ignore the error on stamp-h1
make
sudo make install
sudo apk del cups-dev cups-filters-dev build-base
cd ../..
rm -rf CUPSFilter_Ver.1.2.0

Edit /etc/cups/cupsd.conf:
- Add Listen 192.168.1.xxx:631
- Add Allow All on every location
- Add AutoPurgeJobs yes
- Add PreserveJobFiles no

sudo addgroup lucidiot lpadmin
sudo rc-service cupsd start
sudo rc-update add cupsd default

lsusb to find out which is the bus and device of the printer
udevadm info -p $(udevadm info -q path -n /dev/bus/usb/<bus>/<device>)
look for the PRODUCT:
echo 'SUBSYSTEM=usb;PRODUCT=619/127/106;.* root:lp 660 */lib/mdev/usbdev' | sudo tee -a /etc/mdev.conf
plug or unplug+replug the printer
lpinfo -v to find out the usb:// path

lpadmin -p thermal -E -v usb://SII/RP-D10 -P /usr/share/cups/model/sii_rpfg10_80.ppd
lpadmin -p thermal -o PageSize=X72MMY1000MM -o CutTiming=Document -o BlankImage=nonfeed
lpoptions -d thermal

Samba

  sudo apk add samba-server samba-common-tools acl

Edit /etc/samba/smb.conf:
- Set global.workgroup to CYBRECLUSTER
- Set global.server string to Forest Sector
- Set global.hosts allow to 192.168.1. 127.
- Set global.wins support to yes
- Set global.use sendfile to yes
- Set global.server min protocol to NT1
- Set global.ntlm auth to yes
- Set global.log file to /var/log/samba/log.%m
- Disable the default [homes] share
- Set the path for the printer share to /var/spool/samba
- Add a new share:
```
[stuff]
    comment = Local Stuff
    path = /var/lib/samba/stuff
    valid users = lucidiot
    public = no
    writable = yes
    printable = no
```

sudo mkdir /var/lib/samba/stuff /var/spool/samba
sudo setfacl -R -m u:lucidiot:rwx /var/lib/samba/stuff /var/spool/samba
sudo smbpasswd -a lucidiot
sudo rc-service samba start
sudo rc-update add samba

Wireguard

sudo apk add wireguard-tools

Actually set up Wireguard

iptables

Set up iptables (guide by durrendal)

msmtp

sudo apk add msmtp

Edit /etc/msmtprc:

account default
host <SMTP server hostname>
port <SMTP port>
tls on
tls_starttls off
auth on
user <SMTP username>
passwordeval <command to get password>
# less safe alternative
password <plaintext password>
from <From address>
allow_from_override off
syslog on
aliases /etc/msmtp_aliases

echo 'default: <destination address>' > /etc/msmtp_aliases
echo 'set sendmail="/usr/bin/msmtp"' > /etc/mail.rc

“Monitoring”

Add the amazing alertwrapper script:

mkdir -p ~/bin
cat >~/bin/alertwrapper <<<EOF
#!/bin/sh -e
output="$(mktemp)"
trap "rm -f \"$output\"" EXIT

notify () {
  { echo "Subject: $*"; echo; cat "$output"; } | msmtp lucidiot
  exit 1
}

job_name="$1"
shift

sh -c "$@" 2>&1 >"$output" || notify "Job $job_name failed!"
grep -q '[^[:space:]]' "$output" && notify "Job $job_name returned some output"
EOF

Setup your crontab with some checks:

*/10 * * * * /home/lucidiot/bin/alertwrapper cpu_over_80C 'test $(</sys/class/thermal/thermal_zone0/temp) -le 80000'
42 * * * * /home/lucidiot/bin/alertwrapper curl_brainshit 'curl -s --fail https://brainshit.fr | grep -qi rss'
40 * * * * /home/lucidiot/bin/alertwrapper openrc 'rc-status -f ini | grep -v -e '"'"'^\['"'"' -e '"'"'=\s*started'"'"' || true'

SMART

sudo apk add smartmontools
sudo rc-service smartd start
sudo rc-update add smartd

Add a new alert to the crontab:

44 * * * * /home/lucidiot/bin/alertwrapper smart 'smartctl --json --health /dev/sda | jq -e .smart_status.passed >/dev/null'

~lucidiot's wiki