Posts on Subutux

Dell Xps 15 9510

Wed, 08 Jun 2022 22:06:32 +0200

Setup

Connect

iwctl

device list
station  scan
station  get-networks
station

ping google.com

Date and Time

timedatectl set-ntp true
timedatectl status

Set timezone

ln -sf /usr/share/zoneinfo/Europe/Brussels /etc/localtime

Sync the hardware clock

date
hwclock --systohc

Disk

Format the disk with gdisk, creating 2 partitions:

p1: 1GB / EFI
p2: Rest / Linux Crypt

Formatting

Create the EFI Fs

mkfs.fat -F 32 -n EFI /dev/nvme0n1p1

Crypt

cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 arch
lsblk

Btrfs

mkfs.btrfs /dev/mapper/arch
mount /dev/mapper/arch /mnt
ls /mnt
btrfs  subvolume create /mnt/@
btrfs  subvolume create /mnt/@home
btrfs  subvolume create /mnt/@var
btrfs  subvolume create /mnt/@swap
btrfs  subvolume create /mnt/@pacman
btrfs  subvolume create /mnt/@vms
umount /mnt

Mount the subvolumes to their respective places

mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/arch /mnt
mkdir /mnt/{boot,home,var,swap,var/cache/pacman/pkg,vms,swap}
mkdir -p /mnt/{boot,home,var,swap,vms,swap}
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@home /dev/mapper/arch /mnt/home
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@var /dev/mapper/arch /mnt/var
mkdir -p /mnt/var/cache/pacman/pkg
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@pacman /dev/mapper/arch /mnt/var/cache/pacman/pkg
mount -o noatime,nodatacow,ssd,discard=async,space_cache=v2,subvol=@vms /dev/mapper/arch /mnt/vms
mount -o noatime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=@swap /dev/mapper/arch /mnt/swap
mount /dev/nvme0n1p1 /mnt/boot

Install the base system

pacstrap /mnt base linux linux-firmware git vim btrfs-progs

genfstab -U /mnt >> /mnt/etc/fstab

Tip: Now is a good time to backup your history file back onto the USB you’ve booted with. This prevents you form manually re-entering all the mount commands again in case you do need to boot again from the install media. Just copy the history.txt file back to /root/.zsh_history and open a new tty with Alt+Left
 mkdir /usb
 mount /dev/sda1 /usb
 cp .zsh_history /usb/history.txt

Chroot!

arch-chroot /mnt

Mosquitto Bridge With Ssl

Sun, 16 Jan 2022 21:34:43 +0100

Recently one of my homeservers went haywire with a constant load of +- 80 in 1/5/15. Unrelated to this, buit it seems there is an issue with my local vaultwarden instance.

But this got me thinking. What if my local mqtt server goes down..

I am running a local mosquitto server on my OpenWRT router (A Mikrotik 750Gr3) to support my growing love for home automation. Normally this should be quite stable, but I had issues with OpenWRT in the past. Won’t it be nice to have a bridge as backup, so in the event that my mqtt server acts up, I can switch to that one, without losing any data.

Setting up an MQTT server

Using your favourite package manager, you can install mosquitto, an mqtt server.

Because this server will be running on a separate network, SSL is a must. Setting this up with LetsEncrypt and DNS auth is quite easy.

Certificates

I Already have a dns challenge setup for other domains, so reusing this. Maybe I’ll document this in the future.

certbot certonly --preferred-challenges dns --authenticator dns-hetzner --dns-hetzner-credentials /etc/letsencrypt/hetzner.ini -d mqtt.server.domain

Configuration

I like to keep my configurations quite clean. Luckly, Mosquitto supports splitting up the confgiration files by setting the configuration parameter include_dir and point it to a sensable path, like /etc/mosquitto/conf.d/.

Then, I created 3 files in that directory:

0-security.conf
10-listener-localhost.conf
20-listener-public-mqtt.server.domain-ssl.conf

Where 0-security.conf contains the configured security and authentication sections, disallowing anonymous access and specifing the password file:

# =================================================================
# Security
# =================================================================

# If set, only clients that have a matching prefix on their
# clientid will be allowed to connect to the broker. By default,
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes

# Boolean value that determines whether clients that connect
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
#
# Defaults to true if no other security options are set. If `password_file` or
# `psk_file` is set, or if an authentication plugin is loaded which implements
# username/password or TLS-PSK checks, then `allow_anonymous` defaults to
# false.
#
#allow_anonymous true
allow_anonymous false

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
#password_file
password_file /etc/mosquitto/passwd

10-listener-localhost.conf contains a localhost listener, handy for debugging:

listener 1883 localhost

and at last 20-listener-public-mqtt.server.domain-ssl.conf containting the public listener, with ssl configured:

listener 1883
protocol mqtt
certfile /etc/letsencrypt/live/mqtt.server.domain/cert.pem
cafile /etc/letsencrypt/live/mqtt.server.domain/chain.pem
keyfile /etc/letsencrypt/live/mqtt.server.domain/privkey.pem

So far, so good.

Let’s quickly configure the renew_hook for certbot to give mosquitto a kick when the cert is renewed:

echo "renew_hook = systemctl restart mosquitto" >> /etc/letsencrypt/renewal/mqtt.server.domain.conf

Bridging

Now, we need to configure the local mosquitto on my router to bridge with the remote one.

I’m using the LuCi configuration page here to setup the bridge which generates the following configuration file:

# mosquitto.conf file generated from UCI config.
log_dest syslog
port 1883

listener 1888
protocol mqtt


# Bridge connection from UCI section
connection mqtt.subutux.be
address mqtt.server.domain:1883
notifications true
remote_password long-password-here
remote_username username
start_type automatic
topic # out 2
try_private true
bridge_capath /etc/ssl/certs # This one is important

First, I didn’t know that mosquitto only initiates an ssl connection if you specify bridge_cafile or bridge_capath man page.

So i point bridge_capath to my router’s global certificate store.

But, I kept receiving log messages signalling that there is still something wrong. My lets encrypt certificate doesn’t seem to be validated. 😕

Looking into /etc/ssl/certs it only contained one certificate. After installing the package ca-certificates in OpenWRT, The connection became active and and all my mqtt topics where (one-way) synchronized!