(Part 2/2) Creating A Home NAS and Do-it-All Linux Server on the BACE-3000

The second and final part of this post outlines the specific software-related configuration that had to happen on the server side in order to get everything set up and running. Please note that I am mostly going to emphasize the specific issues that I encountered, and refer you to the excellent DIY articles I followed throughout the process.

[Image: workflow.jpg]

NOTE: this setup is not intended to act as a publicly-facing server; it is for a home-office server and my security practices (locally restricted SSH with default password authentication, not setting up SSL for NextCloud) reflect that! The only way to gain outside access to the network is through the openVPN service that I have restricted only to my family members’ devices.

OTHER NOTE: If you are using the same enclosure as mine, you WILL experience frequent, unwarranted kernel errors and disconnects due to the UAS kernel module. Disable it for your enclosure and connected hard drives by following these steps from matt_symes in this forum post (you need your enclosure’s productID and vendorID). This unfortunately restricts you to USB 2.0 speeds; if that matters to you, consider using another enclosure or perhaps a different Linux distro with a kernel that’s not 4.4.

(C) Install Linux on Server (Ubuntu 16.04 LTS Server Edition) on the BACE-3000

On another computer (running Fedora, of course) I downloaded the Ubuntu 16.04 LTS ISO to my hard drive and copied it to an empty, FAT32-formatted USB drive with dd:

sudo dd if=<imageName.iso> of=/dev/sd<X> bs=4M

Do not put a partition number after <X>; it must be the drive letter only, so that dd writes the whole device rather than one partition. To avoid using a drive letter that corresponds to anything other than your USB drive, I always check it first with fdisk:

sudo fdisk -l
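As an added example (not code from the original post), here is a small wrapper around the dd command above that encodes the checks I would want before writing an image: the target must be a whole sd disk rather than a partition, it must be flagged removable by the kernel, and none of its partitions (or LUKS/LVM children) may be mounted at a system path such as / or /boot. The script name, the ISO file name and the disk name sdb are illustrative.

```bash
#!/bin/sh
# Added example (not from the original post): a guarded wrapper around
# "dd if=<image>.iso of=/dev/sdX" that refuses to write to a partition, to a
# non-removable disk, or to the disk carrying the system's own filesystems.
set -u

# Pure check: a whole sd disk is "sd" plus letters only; "sdb1" is a partition,
# "nvme0n1" is not an sd device at all.
is_whole_sd_disk() {
    case "$1" in
        sd[a-z]|sd[a-z][a-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Pure check over the text of `lsblk -rno MOUNTPOINT /dev/sdX`, which lists the
# disk and every child (partitions, LUKS and LVM mappings). Returns 0 if any of
# them is mounted at a system path, i.e. this is the OS disk, not the stick.
has_system_mount() {
    printf '%s\n' "$1" | grep -qxE '/|/boot|/boot/efi|/home|\[SWAP\]'
}

# Live check: the kernel's removable flag is 1 for USB sticks, 0 for SATA disks.
is_removable() {
    [ "$(cat "/sys/block/$1/removable" 2>/dev/null)" = "1" ]
}

write_iso() {  # $1 = path to ISO, $2 = short disk name such as sdb
    iso="$1"; disk="$2"
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    is_whole_sd_disk "$disk" || { echo "$disk is not a whole sd disk" >&2; return 1; }
    [ -b "/dev/$disk" ] || { echo "/dev/$disk does not exist" >&2; return 1; }
    is_removable "$disk" || { echo "/dev/$disk is not removable" >&2; return 1; }
    if has_system_mount "$(lsblk -rno MOUNTPOINT "/dev/$disk")"; then
        echo "refusing: /dev/$disk carries system filesystems" >&2; return 1
    fi
    # Anything the desktop auto-mounted from the stick must be unmounted first.
    for m in $(lsblk -rno MOUNTPOINT "/dev/$disk"); do umount "$m" || return 1; done
    lsblk -o NAME,SIZE,MODEL,TRAN "/dev/$disk"
    printf 'Write %s to /dev/%s? [y/N] ' "$iso" "$disk"; read -r ans
    [ "$ans" = y ] || return 1
    # conv=fsync makes dd flush to the device before exiting, so it is safe to
    # unplug the stick as soon as the prompt returns.
    dd if="$iso" of="/dev/$disk" bs=4M status=progress conv=fsync
}

# Usage (as root):  sh write-iso.sh --write ubuntu-16.04-server-amd64.iso sdb
if [ "${1:-}" = "--write" ]; then
    write_iso "$2" "$3"
fi
```

The two pure functions are what the wrapper's decisions rest on, so they take plain strings and can be exercised without any block device present; the live checks read /sys and lsblk only when you actually ask it to write.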

During the installation wizard I enabled encryption by default on the OS partition (see step (E) for further rationale/details). I didn’t run into any major challenges throughout the installation process, apart from the OS not being able to configure my wireless connection during the initial setup wizard. As a result, I had to modify the /etc/network/interfaces file to read:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp3s0
iface enp3s0 inet dhcp

Then bring the interface down and back up:

sudo ifdown enp3s0 && sudo ifup -v enp3s0

After a system update the wireless card (wlp2s0) was recognized, and I was able to modify /etc/network/interfaces and wpa_supplicant appropriately to connect the system to my wireless network. The Debian wiki has a great article on how to set this up.

(D) Enable SSH server

After ensuring that openssh-server was installed, I was happy with default settings that allowed local network access to the server. I am using username/password authentication by default as the SSH-port is not being forwarded on my router (not publicly facing). That being said, public key authentication is awesome and is fairly straightforward to set up if you need it (i.e. for publicly facing servers or a local network).

(E) Data Encryption

Encrypting the entirety of the enclosure was important to me because my other users (family members) do intend to store sensitive data (e.g. banking information, business plans, etc.) on the enclosure, and I would like to ensure that there is peace of mind with respect to mitigating the potential for property/identity theft. In addition, all of the Linux-based clients that will be relying on the server for cloud storage via NextCloud are also encrypted. I used LUKS for setting up encryption and formatting my NAS drives on the enclosure. The reference that I used was this cyberciti article, which also gives a fantastic overview of block-device vs. filesystem-level encryption. Ensure that the cryptsetup command line program is installed on your system.

E1: Format the drive as a LUKS partition.

sudo cryptsetup -yv luksFormat /dev/sd<X>

As always, use fdisk to determine which of the hard drives belong to the enclosure as indicated by <X>. Follow the on-screen prompts and ensure that your LUKS passphrase (your decryption password) is strong.

E2: Open your newly created encrypted drive and map it to a name

sudo cryptsetup luksOpen /dev/sd<X> <mapName>

This command decrypts your filesystem, and the decrypted device is mapped to /dev/mapper/<mapName>, which you can treat just like any other /dev/sd<X> device in terms of mounting or formatting. I use simple names for <mapName>, like NASdrive1.

E3: Create your filesystem.

Before mounting the mapped device, format it with a filesystem. For its stability and reliability, and given my low concern over performance, I formatted the drive with the EXT4 filesystem:

sudo mkfs.ext4 /dev/mapper/<mapName>

E4: Use luksClose to remove the device mapping and clean everything up:

sudo cryptsetup luksClose <mapName>

E5: Repeat steps E1-E4 for the number of drives you intend to use as NAS.

E6: Manually Mounting and Unmounting Your Encrypted Drives:

This can be done after server startup by entering the following sequence of commands. I will use /dev/sdb as my encrypted device, a folder named mountpointDir as my mountpoint directory and NASdrive as my map name for simplicity. You will need your passphrase in order to decrypt your drive(s):

sudo cryptsetup luksOpen /dev/sdb NASdrive
sudo mount /dev/mapper/NASdrive ~/mountpointDir
sudo chown ankit:ankit ~/mountpointDir

The chown command is necessary because the freshly mounted filesystem is owned by root; it gives my user ownership of it and therefore read/write access.

E7: Automatically Decrypting and Mounting Your Encrypted Drives:

Although it is important to understand the sequence of commands in order to manually decrypt, mount and set permissions, it is much more efficient to automatically decrypt the drive(s) at startup. In addition, instead of referencing our hard drives as /dev/sd<X>, I found that on my BACE-3000, <X> kept changing the drive it represented, and I was getting errors at startup. This taught me the importance of using UUIDs to reference hardware that should be handled/mounted at startup. Let’s begin:

E7-1: Find out what the UUIDs of your hard drives are by using the fdisk and ls commands. Save your UUIDs and mappings to a text file or your clipboard for later reference.

sudo fdisk -l              # helps us find the appropriate /dev/sd<X>
ls -l /dev/disk/by-uuid/   # directory listing showing which UUIDs map to which /dev/sd<X>

E7-2: Generate and use a key file that can decrypt your LUKS device. Refer to the “Create a Key to Unlock the Volume” section of this article; essentially, you are creating a totally random file (I’m naming it “keyfile”) using “dd”, which you then allow to be used to unlock your device. The random file should be stored somewhere on your OS partition that you will remember (ensure that the OS partition itself is also encrypted so nobody can get at the key! – but you were smart and enabled encryption on your OS partition during the Linux installation wizard ;)). The two main commands are:

sudo dd if=/dev/urandom of=/etc/keyfile bs=1024 count=4   # create a 4 KiB key; without count= dd would run until the partition is full

sudo cryptsetup -v luksAddKey /dev/sd<X> /etc/keyfile     # enrol the key file as an additional LUKS key slot

In addition to the above commands, I used the luksAddKey command on my second encrypted harddrive, but used the same keyfile as I did for the first drive to keep things simple.

E7-3: Create your mountpoints with permissions (instead of using chown every time you mount your encrypted device). I accomplished this by creating the directory /media/<username>/, creating subdirectories representing my mountpoints, then setting permissions on these subdirectories so that when mounted I had full read/write access to the encrypted disks (I’m going to use my username in place of <username> and NASDrive1 instead of <mountpointFolder> for simplicity):

sudo mkdir /media/ankit/NASDrive1
sudo chown ankit:ankit /media/ankit/NASDrive1

This only needs to be done once for each drive (since I had two drives, I repeated the above two commands for my second encrypted drive, NASdrive2).

E7-4: Finally, edit the /etc/crypttab and /etc/fstab files to automount your encrypted drives. You’re going to need the appropriate UUIDs from step E7-1:

Edit /etc/crypttab and add your decryption entries (the <mapName> line below):

# <target name> <source device> <key file> <options>
cryptswap1 UUID=e<redacted>20 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
<mapName> UUID=a3<redacted>e4 /etc/keyfile luks

As you can see, cryptswap1 is my OS partition, which was already included in the crypttab file when I set up encryption during the Ubuntu server installation wizard. You need to add your encrypted drives. The first column is the <mapName> I referred to; enter the UUID and the path to your keyfile as the next two fields, then luks as the encryption type. Now that you’ve set up auto-decryption, mount your drives to the appropriate mountpoints by adding these new lines to /etc/fstab:

/dev/mapper/<mapName> /media/<username>/<mountpointFolder> ext4 defaults 0 2

Save these files and reboot your machine. You should now see that your encrypted disk is fully decrypted and you as a user have write access to it in the /media/<username>/<mountpointFolder> directory.
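The key-file and crypttab/fstab steps of E1-E7 above, collected into one script as an added example (this is my code, not the post's or the cyberciti article's). It assumes the same names the post uses: /etc/keyfile, a map name such as NASdrive1, a mount point under /media/ankit/ and the owner ankit. It adds the checks I would want before trusting a reboot: the key file must be root-owned and unreadable by anyone else, the crypttab entry is keyed by the LUKS UUID rather than /dev/sdX, and the drive is opened and mounted once through the new entries so that a mistake shows up now rather than at the next boot.

```bash
#!/bin/sh
# Added example (not from the original post): key-file handling plus the
# crypttab/fstab entries of step E7, with pre-reboot checks.
# Assumed names: /etc/keyfile, map name NASdrive1, mount point
# /media/ankit/NASDrive1, owner ankit. Device-touching functions need root.
set -u

KEYFILE=/etc/keyfile
OWNER=ankit

# Pure: a LUKS (blkid) UUID is 8-4-4-4-12 lowercase hex.
is_uuid() {
    printf '%s\n' "$1" | grep -qxE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
}

# Pure: a key file may only be root-owned and unreadable by anyone else.
# $1 = owner, $2 = octal mode, as printed by `stat -c '%U %a'`.
keyfile_ok() {
    [ "$1" = root ] || return 1
    case "$2" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Pure: one /etc/crypttab line (target, source, key file, options).
crypttab_line() {  # $1 = map name, $2 = LUKS UUID, $3 = key file path
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Pure: the matching /etc/fstab line, in the same form the post uses.
fstab_line() {  # $1 = map name, $2 = mount point
    printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# 4 KiB from /dev/urandom. count= is what stops dd from running until the OS
# partition is full; umask 077 means the file is never world-readable, not
# even in the moment between dd finishing and chmod running.
make_keyfile() {
    if [ -e "$KEYFILE" ]; then echo "$KEYFILE already exists, keeping it" >&2; return 0; fi
    (umask 077 && dd if=/dev/urandom of="$KEYFILE" bs=1024 count=4 2>/dev/null) || return 1
    chown root:root "$KEYFILE" && chmod 0400 "$KEYFILE"
}

# Enrol one encrypted drive: add the key slot, record the crypttab and fstab
# entries by UUID (not /dev/sdX, which moves around on the BACE-3000), then
# open and mount it once and set the owner on the *mounted* filesystem.
enrol_drive() {  # $1 = /dev/sdX, $2 = map name, $3 = mount point
    dev="$1"; map="$2"; mnt="$3"
    keyfile_ok $(stat -c '%U %a' "$KEYFILE") || { echo "$KEYFILE has unsafe owner/mode" >&2; return 1; }
    uuid="$(cryptsetup luksUUID "$dev")" || return 1
    is_uuid "$uuid" || { echo "$dev has no LUKS UUID ($uuid)" >&2; return 1; }
    # Prompts for an existing passphrase; the key file becomes a second key slot.
    cryptsetup -v luksAddKey "$dev" "$KEYFILE" || return 1
    mkdir -p "$mnt"
    grep -q "^$map " /etc/crypttab || crypttab_line "$map" "$uuid" "$KEYFILE" >> /etc/crypttab
    grep -q " $mnt " /etc/fstab    || fstab_line "$map" "$mnt" >> /etc/fstab
    cryptsetup luksOpen --key-file "$KEYFILE" "$dev" "$map" || return 1
    mount "$mnt" || return 1
    chown "$OWNER:$OWNER" "$mnt"
    # Show the state the boot scripts will produce, before rebooting.
    cryptsetup status "$map" && findmnt "$mnt"
}

# Usage (as root):  sh enrol-nas.sh --enrol /dev/sdb NASdrive1 /media/ankit/NASDrive1
if [ "${1:-}" = "--enrol" ]; then
    make_keyfile && enrol_drive "$2" "$3" "$4"
fi
```

The chown is deliberately done after the mount: ownership lives in the root inode of the ext4 filesystem on the drive, so setting it once on the mounted filesystem persists across reboots, whereas ownership set on the empty mount directory is hidden as soon as something is mounted over it.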

(F,G,H) Install LAMP-stack, openVPN and NextCloud on your Server

After getting around the hump of setting up encrypted devices, it’s time to use openVPN and NextCloud. DigitalOcean has put out some excellent guides to get this set up which I used:

F: Install LAMP Stack; G: Install openVPN; H: Install NextCloud

When setting up NextCloud, I did not use SSL in my configuration, and I used a directory on my encrypted external hard drive as the main storage directory for NextCloud. There are some permission issues with doing this, however: the www-data user on the server must be granted access to the directory you created for NextCloud to store its data. For example, if you create a directory on your external media:

mkdir /media/<username>/<mountpointFolder>/NEXTCLOUDDATA

you then need to hand it over to www-data:

sudo chown www-data:www-data /media/<username>/<mountpointFolder>/NEXTCLOUDDATA

and proceed through the rest of the NextCloud set-up as per digitalocean’s guide.
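An added example (my code, not the post's or the DigitalOcean guide's) for the data-directory step above. Besides the chown, it covers the failure mode that matters most with a data directory on a removable encrypted drive: if the enclosure is off or decryption failed at boot, /media/<username>/<mountpointFolder> is just an empty directory on the OS disk, and anything created under it lands there instead of on the NAS drive. It also keeps the directory from being world-readable, which is my policy rather than anything the post specifies; the paths are the post's.

```bash
#!/bin/sh
# Added example (not from the original post): create the NextCloud data
# directory on the encrypted drive only after proving the drive is mounted,
# and give www-data ownership without making the tree world-readable.
set -u

# Pure policy check on `stat -c '%U %G %a'` output: www-data owns the
# directory and the "other" permission digit is 0, so other local users
# cannot browse everyone's files. Accepts 3- or 4-digit modes (setgid).
datadir_perms_ok() {  # $1 = owner, $2 = group, $3 = octal mode
    [ "$1" = www-data ] && [ "$2" = www-data ] || return 1
    case "$3" in
        [0-7][0-7]0|[0-7][0-7][0-7]0) return 0 ;;
        *) return 1 ;;
    esac
}

prepare_datadir() {  # $1 = mount point of the encrypted drive, $2 = data dir inside it
    mnt="$1"; dir="$2"
    # Not mounted means $mnt is an empty directory on the OS partition.
    mountpoint -q "$mnt" || { echo "$mnt is not a mounted filesystem" >&2; return 1; }
    case "$dir" in
        "$mnt"/*) ;;
        *) echo "$dir is not inside $mnt" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    chown www-data:www-data "$dir" || return 1
    chmod 0770 "$dir" || return 1
    datadir_perms_ok $(stat -c '%U %G %a' "$dir")
}

# Usage (as root):
#   sh nextcloud-datadir.sh --prepare /media/ankit/NASDrive1 /media/ankit/NASDrive1/NEXTCLOUDDATA
if [ "${1:-}" = "--prepare" ]; then
    prepare_datadir "$2" "$3"
fi
```

Running the same mount check from the NextCloud cron job or a boot-time script is cheap insurance: it turns "the drive did not decrypt" into a visible failure rather than into data silently written to the wrong disk.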

(I – J) Set up your Samba Shares and PLEX

After you’ve gone through the joys (?) of setting up decryption, openVPN and the LAMP-server applications, setting up Samba shares is relatively straightforward. I chose Samba instead of NFS because some of my server’s clients run Windows. PLEX is also very easy to install.

Additional Tweaks

You can apply that linux sticker, you’ve earned it.

You can also think about running a cron-job (see my previous post with the Raspberry Pi fridge monitor for an example with cron) which uses the rsync command to periodically create a backup of your NextCloud data folder (or anything else you want to back-up) somewhere else. In my case, my rsync cron-job copies parts of my first NAS drive to my second NAS drive for storage.
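The rsync cron job described above, as an added example (my script, not the post's). Source and destination paths follow the post's drive names; the lock file, log path and schedule are my assumptions. Two things make it safe to run unattended against encrypted drives that may or may not have decrypted at boot: it refuses to run unless both mount points are really mounted (an unmounted destination would otherwise fill the OS partition, and an unmounted source combined with --delete would wipe the backup), and it takes a lock so a slow run cannot overlap the next one.

```bash
#!/bin/sh
# Added example (not from the original post): nightly rsync of the NextCloud
# data directory from the first NAS drive to the second, with mount and
# overlap checks. Install as /usr/local/bin/nas-backup.sh (assumed path) and
# schedule it from root's crontab, e.g.:  0 3 * * * /usr/local/bin/nas-backup.sh
set -u

SRC_MNT=/media/ankit/NASDrive1
DST_MNT=/media/ankit/NASdrive2
SRC=$SRC_MNT/NEXTCLOUDDATA
DST=$DST_MNT/backup/NEXTCLOUDDATA
LOCK=/run/lock/nas-backup.lock
LOG=/var/log/nas-backup.log

# Pure: is $2 a mount point according to the /proc/mounts text in $1?
# The mount point is the second field of each line.
is_mounted_in() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m { found = 1 } END { exit !found }'
}

run_backup() {
    mounts="$(cat /proc/mounts)"
    for mp in "$SRC_MNT" "$DST_MNT"; do
        if ! is_mounted_in "$mounts" "$mp"; then
            echo "$(date '+%F %T') $mp is not mounted, skipping backup" >> "$LOG"
            return 1
        fi
    done
    mkdir -p "$DST" || return 1
    # Trailing slashes: copy the *contents* of $SRC into $DST rather than
    # creating $DST/NEXTCLOUDDATA. --delete mirrors removals, which is why the
    # source mount check above matters. flock -n exits instead of queueing if
    # the previous run is still going.
    flock -n "$LOCK" rsync -a --delete --log-file="$LOG" "$SRC/" "$DST/"
}

# Usage (as root):  sh nas-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

The pure mount check is the piece worth testing with constructed /proc/mounts text; everything else is a thin wrapper around rsync and flock, both from the distribution's standard packages.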
