Installing an Arch Linux Server For Some Basic Tasks

When I became a father I thought more about privacy and did not want photos of my child to be uploaded to a cloud system. This forced me to disable all the picture cloud backup systems on my phone. Those changes were made 3 years ago. But since I still needed a reliable solution to back up data from my mobile phone, I started using Syncthing earlier this year after I learned about it. The nice thing about Syncthing is that it always sends data encrypted and tries to use your local network. So I installed the software, and my phone syncs with my main PC and my notebook. This does add some backup, but since both of those devices are always online, stuff could happen all the time. So I need an additional sync point, which is some kind of data storage I can turn off.

Lucky me, my wife got a new notebook and I can reuse her old Lenovo ThinkPad T510 for this purpose.

What's The Plan

So the idea is to create a minimal server with an administration user for installing and managing software. The system should automatically connect to the wifi. There should be an SSH server running, allowing the administrator user to log in for updates and configuration. The last requirement is Syncthing with its own user and home directory to prevent mistakes; this should also start automatically on system boot without any login required. The user should only be used to manage the file access rights, but it will still need a home directory for storing the data.

To make this a bit of a challenge for me and learn more about Linux, I do not want to use the install script and want to configure everything myself instead.

The Installation

As every story related to computers starts, we need to get it up and running; this was a real issue. But let's start at the beginning.

I created the boot stick with the newest Arch Linux ISO and validated the signature. After that I wrote the ISO to the stick, creating a bootable one via MultiWrite. I plugged in the stick, booted the notebook and started the installer. The first thing I noticed was a block of errors popping up every 2 – 5 seconds.

usb 1-1-port3: Cannot enable. Maybe the USB cable is bad?
usb 1-1.3: device descriptor read/8, error -32

It seemed like one of the USB ports is kind of broken and the device tried to assign an address to it but fails every time. So I started to search for a solution to disable this port and prevent the message from being thrown. Sadly, I could not find anything after ~30 minutes, so I decided to try the installation with the error present.

In the process I learned that this is most likely a kernel error. I also got my assumption confirmed that this is most likely an issue with one of the usb ports.

First of all I connected successfully to my wifi network. The message was still shown every few seconds, preventing me from reading the commands I wrote. After that I partitioned the disk.

Somehow I got this working even with the error annoying the hell out of me. I formatted the partitions with ext4 and swap, and after that I mounted them. The next step was starting the installation script via pacman base base-devel linux linux-firmware. While I waited, I continued searching for a solution on how to disable the USB ports later on. This resulted in finding this post, and I bookmarked it for later use. I created the fstab and checked it; the error still did not stop and I was already another 30 minutes into the process.

As a side note: It is really difficult to write commands if you cannot check them.

I switched to my newly installed system via arch-chroot /mnt and did some post-installation steps.

After that only two steps were still to be done: creating the grub bootloader and adding a root password. So I downloaded grub and tried to install the configuration via grub-install --target=i386-pc /dev/sda, but this resulted in an error because there was no space left on boot. I checked the disk usage via df just to notice my boot partition was already 100% used. My Linux knowledge is still limited, so the only solution I came up with was to fix my mistake by starting the installation again. So I unmounted everything and rebooted the system.

As a reminder, you should really read the recommendations of the Arch install wiki. They recommend ~1GB for the boot partition, so this was surely preventable.

After the installer showed up again, welcoming me with errors spamming my screen, I decided to use the installation script, hoping that it would somehow suppress the errors. Reconnecting the wifi was easy; after that I was ready to start the installation via archinstall. The errors were still present, but if I navigate the menus up and down it redraws the screen, clearing the message in the process. This approach helped me to get an installation done and prevent some frustration. Sadly I could not fulfill my goal to install it without the script, but I wasn't ready to fight against the system once again.

I configured the mirrors, changed the root password and preselected sshd for installation. Then I partitioned the disk via best effort, selecting the option to split root and home. I added the hostname, selected an audio profile and added the networkmanager for auto wifi connection later on. As a text editor I added neovim. I quickly checked if the installer would create a swap and smashed the install button.

It did start, while the errors still showed up in the process, preventing me from reading what was happening. So I crossed my fingers and hoped for the best. There was a small chance that it would be gone after booting into the system for the first time.

The First Real System Boot

As the screen turned black I still crossed my fingers, hoping for the best. Grub started and loaded the kernel, and I was greeted by a login shell. I waited a few seconds for the error to reappear, but nothing happened; the error was gone, probably writing to some system log. But at least I can continue the installation and read my commands, which will be helpful.

I logged into the system, which was hard since the keyboard was configured wrongly. Once I was logged in I fixed the keyboard and restarted. My next task was getting an internet connection, because I noticed that it was missing. For some reason I thought that the network manager would magically fix it right away, because I had already configured it in the installer. So my next task was searching the internet for how to connect to a wifi network.

Connecting To The Internet

With my limited knowledge this took a long time to get working. I probably did a lot of really stupid stuff down the road.

So I went to the wiki, which told me that I need either iw or wireless_tools to do this. So I started with the first option. I plugged in a network cable after realizing that package download will not work if there is no internet connection, obviously. I tried to connect to my wifi just to be reminded that reading the documentation is really important, because iw does not support WPA2 as a protocol. So I installed the second option and checked the wiki while the installation was ongoing. I noticed on the wiki that WPA2 is also not supported, leading to an uninstall of both tools right away.

Alright, so I have no clue how to connect to my wifi network, what a great start. After checking the installation guide again I remembered the tool I used while installing: iwctl. Searching through the wiki I learned how to install the CLI. I was stuck for a while getting the CLI running because I needed to start the iw service; without it iwctl does not work. I established a connection and checked my IP via ip addr. Nothing was shown. Back to the wiki; surely I forgot to set up a DHCP service, so let's do this.

As mentioned by the documentation I created the following file:

/etc/iwd/main.conf

[General]
EnableNetworkConfiguration=true

[Network]
RoutePriorityOffset=300
NameResolveService=systemd

Since I misspelled some settings multiple times and forgot to add the resolve service, I needed multiple service restarts to get a working configuration. I unplugged the device and checked if everything was working; it did show up on my router and the system was pingable. So I restarted the system to validate the auto connect. The auto connection did work, but the device registered with another name and guid. This would prevent me from setting up a static IP based on the router configuration. I tried to find a solution for this but failed.

At this moment I finally checked the wiki page for the networkmanager I installed, and learned that all the previous steps were unnecessary. To celebrate my new knowledge I disabled the iw service and deleted the tools I installed, confident I could fix it right away. I added the networkmanager service and configured the connection. After another reboot test, the system registered with the same guid, which allows me to use a static IP.

Setup SSH-Server And Users

After the network worked as planned I added the administration user. The administrator user was added to the wheel group and I enabled this group in the /etc/sudoers file. I also added a user for syncthing.

I added a password for both users and tried a login to verify that everything works as expected. The last test was accessing the device via SSH, so I enabled and started the SSH server and switched to another machine for testing. The connection could be established, which allows me to do the remaining configuration from my daily work machine.

Configure Syncthing And Final Tests

I logged in as the administrator user and installed Syncthing. I read through the wiki on how to enable the tool with a user context, which is really simple as I learned: you just need the following command, systemctl enable syncthing@<user>.service. To check this I simply started the service by replacing enable with start => systemctl start syncthing@<user>.service

The next step was to configure the service itself. Since this is done via a website running on the machine, I needed a solution to access this. The Syncthing wiki does provide one, which is possibly a little bit insecure. But since this machine will never leave my home, this should be fine. To use this solution you simply change which IP addresses are accepted from localhost only to every address.

After those changes I could access the web frontend from another machine. To secure the service I added user and password authentication. I added my other sync points to the server and started to share some folders.

As some files were transmitted I changed to my syncthing user and checked the files received. Everything looked good.
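
A check for the GUI exposure described above, as an added example that is not part of the original post: it parses the gui section of a Syncthing config.xml and reports whether the web frontend is reachable beyond localhost, whether HTTPS is enforced, and whether a user and password are set. The sample config is constructed and its values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <gui> part of a Syncthing config.xml after the
# change described in the post (all values are placeholders).
SAMPLE_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>0.0.0.0:8384</address>
    <user>admin</user>
    <password>$2a$10$constructedPlaceholderHash</password>
    <apikey>CONSTRUCTED-PLACEHOLDER</apikey>
  </gui>
</configuration>"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def audit_gui(config_xml: str) -> list[str]:
    """Return a list of findings for the web GUI section of the config."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return []  # GUI absent or disabled: nothing is exposed

    address = (gui.findtext("address") or "").strip()
    # "host:port"; an empty host (":8384") means every interface.
    host = address.rpartition(":")[0]
    exposed = host not in LOOPBACK_HOSTS

    user = (gui.findtext("user") or "").strip()
    password = (gui.findtext("password") or "").strip()

    findings = []
    if exposed:
        findings.append(f"GUI listens on {address}: reachable from the network")
        if gui.get("tls", "false") != "true":
            findings.append("HTTPS is not enforced: the GUI login can travel "
                            "over plain HTTP")
    if not (user and password):
        findings.append("no GUI user/password set: anyone who can reach the "
                        "GUI can reconfigure Syncthing")
    return findings


if __name__ == "__main__":
    for finding in audit_gui(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against the config.xml in the Syncthing user's configuration directory by reading that file and passing its contents to audit_gui.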

“Fixing” The Usb

As a workaround for the broken USB port I used the solution mentioned above and disabled the ports with the guide. This seems to work, because previously on a reboot I saw those error messages being shown on shutdown; after editing grub they were gone.

I might have been able to disable only the broken one, but to be honest I don't care. I was also already really frustrated because my 1 hour project had taken 2.5h already.

Some More Thoughts And Context

Security

First of all, the most important information I need to share: this project is far from secure. I should have used some disk encryption or shared the folders encrypted via Syncthing. My current solution can easily be read by plugging in an Arch install stick, mounting the home drive and stealing all the data. So do not use this approach if you really need to protect your files.

Still, for my situation this solution should be enough. I will never move the device, and since I only use this at home nobody will ever touch it besides me.

The Project

With this project I learned how important it is to really read the documentation. This does save a lot of time if done correctly ... Additionally, I learned how to connect to wifi and configure auto connect.

I noticed that the device syncs really slowly. This is not really an issue but annoys me. Still, it seemed like this backup system was a good idea; I have around ~130 GiB of data which needs to be synced. This is mostly data from my mobile device getting backed up and some old phone backups I exclusively stored on a single 5+ year old HDD.

This solution created an additional sync point and limited the risk of data loss.

Still Missing

At the time of writing I have not installed any firewall; this is the next step I need to do. Sure, the device is somehow protected via the router, but no firewall is always a bad idea.