Yocto based xeoma server running on a Raspberry Pi 4.

TODOS

• remove the multimedia/graphics/unused layers/recipes/packages
• ssl/tls configs
• change ip tables xeoma server range to just the single ip, doesn't need to be a range
• use a config file with env var for path instead of all the individual vars
• use local time server or see if RTC will fit in the case
• disable bluetooth
• update /etc/systemd/system.conf, enable watchdog https://raspberrypi.stackexchange.com/questions/108080/watchdog-on-the-rpi4

other opts for systemd unit

-connectioninfoport <p>
-sslconnection
-webaddr <addr>

• Raspberry Pi 4
• Argon ONE M.2 Case
  • Replacement fan: RDK cooler, 5V, 0.13A, 30x30x10mm, model RA03010HD5
  • See also this thread for other fans
  • SHCHV LD3007MS's work ok too
• Argon ONE M.2 Expansion Board
• 5V 3A USB-C Power Supply
• Samsung 32GB EVO Plus Class 10 Micro SDHC
• Kingston A400 240G Internal SSD M.2 2280 SA400M8/240G

wget https://felenasoft.com/xeoma/downloads/xeoma_linux64.tgz
tar xf xeoma_linux64.tgz
mv xeoma.app $HOME/bin/xeoma

xeoma -client

Client wrapper script:

#!/usr/bin/env bash
# file: $HOME/bin/xeoma-client
set -e
xeoma -noscan -noscanptzandaudio -uselocaltime -client xeoma.home:8897
exit 0

• Bitbake config in local.conf
• securetty configured to only allow root login from ttyAMA0 (UART1, GPIO 14/15) in shadow-securetty_%.bbappend
• iptables.rules configured at build-time using environment variables in iptables_%.bbappend
• sysctl.conf settings in procps_%.bbappend
• Image packages in rpilinux-image.bb
• Xeoma recipe in xeoma.bb
  • Systemd unit in xeoma.service
  • Udev rule for the Senselock USB license key in 99-xeoma-usb-key.rules
  • Unit checks existence/permissions of the storage drive /mnt/xeoma
  • Depends on mnt-xeoma.mount
• Argon ONE M.2 fan controller recipe in argonone.bb
  • A Rust port of the argononed.py service in argon1.sh
  • Source git repo: rpi4-argon-fan-controller
  • Systemd unit in argononed.service
  • Default config.toml
• Custom config.txt and cmdline.txt in bcm2711-bootfiles (bcm2835-bootfiles.bbappend)
• sshd_config setup in openssh_%.bbappend
  • sshd_config only allows user me via pki
• me user setup in ssh-user.bb
• Env var SSH_AUTH_KEYS_ME_USER gets copied to rootfs /home/me/.ssh/authorized_keys in ssh-user.bb
• fstab in base-files_3.0.14.bbappend
  • Assumes disk is /dev/sda, ext4 partion /dev/sda1
  • Mount point /mnt/xeoma
  • Cache -archivecache in /mnt/xeoma/cache
  • Data -programdir in /mnt/xeoma/data

Setup environment:

# Used to sed replace variables in the iptables.rules file
export IPTABLES_XEOMA_RTSP_UDP_ALLOW_PORT_RANGE=12345:434545
export IPTABLES_XEOMA_RTSP_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_XEOMA_SERVER_ALLOW_PORT_RANGE=12345:434545
export IPTABLES_XEOMA_SERVER_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_XEOMA_HTTPS_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_ICMP_ALLOW_IP_RANGE=a.b.c.d-a.b.c.e
export IPTABLES_SSH_ALLOW_CIDR=a.b.c.d/e
export IPTABLES_ROUTER_IP=a.b.c.d
export IPTABLES_VPN_CIDR=a.b.c.d/e

export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE IPTABLES_XEOMA_RTSP_UDP_ALLOW_PORT_RANGE IPTABLES_XEOMA_RTSP_ALLOW_IP_RANGE IPTABLES_XEOMA_SERVER_ALLOW_PORT_RANGE IPTABLES_XEOMA_SERVER_ALLOW_IP_RANGE IPTABLES_XEOMA_HTTPS_ALLOW_IP_RANGE IPTABLES_ICMP_ALLOW_IP_RANGE IPTABLES_SSH_ALLOW_CIDR IPTABLES_ROUTER_IP IPTABLES_VPN_CIDR"

# Used to setup `me` user keys for ssh
export SSH_AUTH_KEYS_ME_USER="/path/to/authorized_keys"
export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE SSH_AUTH_KEYS_ME_USER"

./setup

./build

Find the image files:

bitbake -e rpilinux-image | grep ^DEPLOY_DIR_IMAGE

# dtb
cd /path/to/build/tmp/deploy/images/raspberrypi4-64/
cp bcm2711-rpi-4-b.dtb /media/card/BOOT/

# firmware
cd /path/to/build/tmp/deploy/images/raspberrypi4-64/bcm2711-bootfiles
cp -a ./* /media/card/BOOT/

# kernel
cp Image /media/card/BOOT/kernel_rpilinux.img

# rootfs
cd /media/card/ROOT/
sudo tar -xjf /path/tobuild/tmp/deploy/images/raspberrypi4-64/rpilinux-image-raspberrypi4-64.tar.bz2

• Change the root password, default is root

  passwd

• Setup archive mount permissions

  mkdir -p /mnt/xeoma/data
  chmod 0700 /mnt/xeoma/data
  
  mkdir -p /mnt/xeoma/cache
  chmod 0700 /mnt/xeoma/cache
  
  # Could also use 800:800 for running on the build host
  chown -R xeoma:xeoma /mnt/xeoma
  chmod 0700 /mnt/xeoma

• Set xeoma server admin password

  systemctl stop xeoma
  xeoma -programdir /mnt/xeoma/data -setpassword ...
  chown -R xeoma:xeoma /mnt/xeoma/data
  systemctl start xeoma

• Format the USB3 SSD (if needed)

  TODO ext4 mkfs stuff

• Temporarily disable iptables (if needed)

  systemctl stop iptables
  iptables -F && iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT
  
  iptables-restore /etc/iptables/iptables.rules
  systemctl start iptables
  iptables -L -n -v

• Check the services

  systemctl status

• Check time/date/NTP

  timedatectl status

• Linux Hardening
• Xeoma Downloads
• Xeoma Linux Article
• Xeoma Manual