Yocto based xeoma server running on a Raspberry Pi 4.
TODOS
- remove the multimedia/graphics/unused layers/recipes/packages
- ssl/tls configs
- change iptables xeoma server range to just the single ip, doesn't need to be a range
- use a config file with env var for path instead of all the individual vars
- use local time server or see if RTC will fit in the case
- disable bluetooth
- update `/etc/systemd/system.conf`, enable watchdog https://raspberrypi.stackexchange.com/questions/108080/watchdog-on-the-rpi4
- other opts for systemd unit
  - `-connectioninfoport <p>`
  - `-sslconnection`
  - `-webaddr <addr>`
- Raspberry Pi 4
- Argon ONE M.2 Case
  - Replacement fan: RDK cooler, 5V, 0.13A, 30x30x10mm, model RA03010HD5
    - See also this thread for other fans
    - SHCHV LD3007MS's work ok too
- Argon ONE M.2 Expansion Board
- 5V 3A USB-C Power Supply
- Samsung 32GB EVO Plus Class 10 Micro SDHC
- Kingston A400 240G Internal SSD M.2 2280 SA400M8/240G
```bash
wget https://felenasoft.com/xeoma/downloads/xeoma_linux64.tgz
tar xf xeoma_linux64.tgz
mv xeoma.app $HOME/bin/xeoma
xeoma -client
```

Client wrapper script:

```bash
#!/usr/bin/env bash
# file: $HOME/bin/xeoma-client
set -e
xeoma -noscan -noscanptzandaudio -uselocaltime -client xeoma.home:8897
exit 0
```
- Bitbake config in local.conf
- securetty configured to only allow root login from `ttyAMA0` (UART1, GPIO 14/15) in shadow-securetty_%.bbappend
- iptables.rules configured at build-time using environment variables in iptables_%.bbappend
- sysctl.conf settings in procps_%.bbappend
- Image packages in rpilinux-image.bb
- Xeoma recipe in xeoma.bb
  - Systemd unit in xeoma.service
    - Udev rule for the Senselock USB license key in 99-xeoma-usb-key.rules
    - Unit checks existence/permissions of the storage drive `/mnt/xeoma`
    - Depends on `mnt-xeoma.mount`
- Argon ONE M.2 fan controller recipe in argonone.bb
  - A Rust port of the `argononed.py` service in argon1.sh - Source git repo: rpi4-argon-fan-controller
  - Systemd unit in argononed.service
  - Default config.toml
- Custom `config.txt` and `cmdline.txt` in bcm2711-bootfiles (bcm2835-bootfiles.bbappend)
- sshd_config setup in openssh_%.bbappend
  - `sshd_config` only allows user `me` via pki
- `me` user setup in ssh-user.bb
  - Env var `SSH_AUTH_KEYS_ME_USER` gets copied to rootfs `/home/me/.ssh/authorized_keys` in ssh-user.bb
- fstab in base-files_3.0.14.bbappend
  - Assumes disk is `/dev/sda`, ext4 partition `/dev/sda1`
  - Mount point `/mnt/xeoma`
  - Cache (`-archivecache`) in `/mnt/xeoma/cache`
  - Data (`-programdir`) in `/mnt/xeoma/data`
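The xeoma.service unit checks that the storage drive exists with the right permissions before starting. As an added example (not the repo's own script), here is a stand-alone check in that spirit, suitable for an `ExecStartPre=` line; the install path `/usr/local/bin/xeoma-storage-check` is an assumption, and it relies on GNU/busybox `stat -c` and `mountpoint` being present on the image.

```bash
#!/usr/bin/env bash
# Added example, not from the repo: an ExecStartPre-style check for the Xeoma
# storage drive, mirroring the existence/permissions check the unit performs.
# Assumed use in xeoma.service (hypothetical path):
#   ExecStartPre=/usr/local/bin/xeoma-storage-check /mnt/xeoma xeoma xeoma
#
# check_storage_dir DIR OWNER GROUP [REQUIRE_MOUNT]
#   Returns 0 when DIR, DIR/data and DIR/cache exist, are owned by OWNER:GROUP
#   and have mode 0700, and (when REQUIRE_MOUNT is 1, the default) DIR is an
#   active mount point. Every failure is reported on stderr before returning 1,
#   so one run lists everything that still needs fixing.
check_storage_dir() {
  local dir=$1 owner=$2 group=$3 require_mount=${4:-1} rc=0 sub p mode
  if [ ! -d "$dir" ]; then
    echo "storage: $dir does not exist or is not a directory" >&2
    return 1
  fi
  # A missing mount means recordings would silently land on the SD card rootfs.
  if [ "$require_mount" = 1 ] && ! mountpoint -q "$dir"; then
    echo "storage: $dir is not a mount point (is mnt-xeoma.mount active?)" >&2
    rc=1
  fi
  for sub in "" data cache; do
    p="$dir${sub:+/$sub}"
    if [ ! -d "$p" ]; then
      echo "storage: $p missing" >&2
      rc=1
      continue
    fi
    # GNU/busybox stat: %U user name, %G group name, %a octal mode (no leading 0)
    mode=$(stat -c %a "$p")
    if [ "$(stat -c %U "$p")" != "$owner" ] || [ "$(stat -c %G "$p")" != "$group" ]; then
      echo "storage: $p must be owned by $owner:$group" >&2
      rc=1
    fi
    if [ "$mode" != 700 ]; then
      echo "storage: $p has mode $mode, expected 700" >&2
      rc=1
    fi
  done
  return "$rc"
}

# When invoked directly with arguments, run the check and exit with its status.
if [ $# -ge 3 ]; then
  check_storage_dir "$@"
  exit $?
fi
```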
Setup environment:

```bash
# Used to sed replace variables in the iptables.rules file
export IPTABLES_XEOMA_RTSP_UDP_ALLOW_PORT_RANGE=12345:434545
export IPTABLES_XEOMA_RTSP_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_XEOMA_SERVER_ALLOW_PORT_RANGE=12345:434545
export IPTABLES_XEOMA_SERVER_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_XEOMA_HTTPS_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_ICMP_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_SSH_ALLOW_CIDR=a.b.c.d/e
export IPTABLES_ROUTER_IP=a.b.c.d
export IPTABLES_VPN_CIDR=a.b.c.d/e
export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE IPTABLES_XEOMA_RTSP_UDP_ALLOW_PORT_RANGE IPTABLES_XEOMA_RTSP_ALLOW_IP_RANGE IPTABLES_XEOMA_SERVER_ALLOW_PORT_RANGE IPTABLES_XEOMA_SERVER_ALLOW_IP_RANGE IPTABLES_XEOMA_HTTPS_ALLOW_IP_RANGE IPTABLES_ICMP_ALLOW_IP_RANGE IPTABLES_SSH_ALLOW_CIDR IPTABLES_ROUTER_IP IPTABLES_VPN_CIDR"

# Used to set up `me` user keys for ssh
export SSH_AUTH_KEYS_ME_USER="/path/to/authorized_keys"
export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE SSH_AUTH_KEYS_ME_USER"

./setup
./build
```
Find the image files:

```bash
bitbake -e rpilinux-image | grep ^DEPLOY_DIR_IMAGE
```

```bash
# dtb
cd /path/to/build/tmp/deploy/images/raspberrypi4-64/
cp bcm2711-rpi-4-b.dtb /media/card/BOOT/
# firmware
cd /path/to/build/tmp/deploy/images/raspberrypi4-64/bcm2711-bootfiles
cp -a ./* /media/card/BOOT/
# kernel (Image is deployed one level up, in images/raspberrypi4-64/, not in bcm2711-bootfiles)
cp ../Image /media/card/BOOT/kernel_rpilinux.img
# rootfs
cd /media/card/ROOT/
sudo tar -xjf /path/to/build/tmp/deploy/images/raspberrypi4-64/rpilinux-image-raspberrypi4-64.tar.bz2
```
- Change the `root` password, default is `root`

  ```bash
  passwd
  ```

- Setup archive mount permissions

  ```bash
  mkdir -p /mnt/xeoma/data
  chmod 0700 /mnt/xeoma/data
  mkdir -p /mnt/xeoma/cache
  chmod 0700 /mnt/xeoma/cache
  # Could also use 800:800 for running on the build host
  chown -R xeoma:xeoma /mnt/xeoma
  chmod 0700 /mnt/xeoma
  ```

- Set `xeoma` server admin password

  ```bash
  systemctl stop xeoma
  xeoma -programdir /mnt/xeoma/data -setpassword ...
  chown -R xeoma:xeoma /mnt/xeoma/data
  systemctl start xeoma
  ```

- Format the USB3 SSD (if needed)
  - TODO ext4 mkfs stuff

- Temporarily disable `iptables` (if needed)

  ```bash
  systemctl stop iptables
  iptables -F && iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT
  iptables-restore /etc/iptables/iptables.rules
  systemctl start iptables
  iptables -L -n -v
  ```

- Check the services

  ```bash
  systemctl status
  ```

- Check time/date/NTP

  ```bash
  timedatectl status
  ```