Alpine Linux - User contributions [en]

Classic install or sys mode on Raspberry Pi

2024-04-18T18:45:58Z

Maestro-jiggiE: can't mv /boot documents if the directory doesn't exist. created instructions on how to create it then move them.

{{TOC right}}

A how-to for classic ("sys mode") installation.

This method works with a desktop PC under Ubuntu and other Linuxes.

= Preparation =

[https://alpinelinux.org/downloads/ Download] the Alpine for Raspberry Pi tarball. Use the [[Raspberry_Pi#Compability_list|compatibility list]] when choosing image/file to download.
'''Sha256''' and '''GPG''' links appear next to the link to check the download.

Create an MBR partition table with two partitions on an 8 GB (or larger) class 10 sd-card:
* First one, a '''fat16''' type, of 256MB. You may have to set <code>boot</code> and <code>lba</code> flags
* The second one, an '''ext4''' type, occupying the remaining space on the media

Eject and re-insert your SD card to ensure recognition of all the partitions.

Go into the first partition ('''fat16''').

Untar the archive with {{pkg|tar|arch=}}:
tar zxvf ~/Download/alpine-rpi-{{AlpineLatest}}-armhf.tar.gz

If using the UART is required, add a file named <code>usercfg.txt</code> into the partition containing the following single line:

enable_uart=1

For headless use, you can add the following parameters to maximize available memory (32 megs is required for the rpi bootloader):

gpu_mem=32

to enable audio support:

dtparam=audio=on

Eject the SD card properly. Insert it into the Raspberry Pi. Plug in a usb keyboard as well as the HDMI and network cables. Power on.

When the command prompt displays, log in as root. (no password)

== OSX Preparation: creating a FAT16 partition on microSD ==

To create a FAT16 partition with OSX, use the diskutil program and a USB microSD card reader (I used an older version of this: https://www.bestbuy.com/site/insignia-usb-3-0-memory-card-reader/5787406.p?skuId=5787406).

Put the microSD card in the reader. Connect the reader to a USB port and type <code>ls -1 /Volumes</code> in a terminal. Note the name of the microSD volume; for example, VOL1 in the output below:
$ ls -1 /Volumes
Macintosh HD
Preboot
VOL1
$

Unmount the reader. Disconnect it and re-run <code>ls -1 /Volumes</code>. Verify the microSD volume name is no longer listed, then re-insert the USB reader.

Find the mount point of your microSD volume. For example, disk3 in the output below:
$ diskutil list VOL1
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
2: Linux 30.0 GB disk3s2
3: Linux_Swap 1.2 GB disk3s3
$

(For help with the diskutil command, type <code>diskutil</code> to list all command verbs. For help on a specific verb, add the verb. For example, <code>diskutil partitionDisk</code>)

Destroy all the existing partitions on the microSD card and create two new ones:
# a 256MB, FAT16, DOS-compatible partition and
# a free space gap for the rest of the card

$ diskutil partitionDisk disk3 MBR "MS-DOS FAT16" VOL1 256MB "Free Space" VOL2 R
Started partitioning on disk3
Unmounting disk
Creating the partition map
Waiting for partitions to activate
Formatting disk3s1 as MS-DOS (FAT16) with name VOL1
512 bytes per physical sector
/dev/rdisk3s1: 499472 sectors in 62434 FAT16 clusters (4096 bytes/cluster)
bps=512 spc=8 res=1 nft=2 rde=512 mid=0xf8 spf=244 spt=32 hds=32 hid=2 drv=0x80 bsec=500000
Mounting disk
Finished partitioning on disk3
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
$

Change your current working directory to the new FAT16 partition then continue with the untar instruction in the parent prep section.

$ cd /Volumes/VOL1/

= Installation =

Execute the following commands. Make sure there is an internet connection available otherwise setting up the apk mirrors will fail.

setup-alpine

Set the keyboard map, the timezone, how to connect to the network ('''dhcp''' is the best method), say '''none''' at <code>save config</code> and <code>save cache</code>.

apk update

If the extra space in the sd card was left empty, a partition must be created now:

apk add {{pkg|cfdisk|arch=*}} {{pkg|e2fsprogs|arch=*}} # or the tool of your choice
cfdisk /dev/mmcblk0 # create the new partition with the free space
mkfs.ext4 /dev/mmcblk0p2 # create the ext4 filesystem in the new partition

Raspberry Pi has no hardware clock, so synchronize with an ntp server:

apk add {{pkg|chrony|arch=a*}}
service chronyd restart

{{warning | 22 June 2021 - There is a bug in Alpine 3.12.x and older that causes setup-disk to fail on ext4 mounts on Raspberry Pi. The work around is marked in the instructions below. <br />{{Issue|12353}} }}

mount /dev/mmcblk0p2 /mnt # The second partition, in ext4 format, where Alpine Linux is installing in sys mode
export FORCE_BOOTFS=1 # work around for issue 12353
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1 # An update in the first partition is required for the next reboot.

You may get some warning about syslinux when you run setup-disk. You can safely ignore this.

== Update boot partition (keep alpine-rpi* image layout) ==
Clean up the boot folder in the first partition to drop unused files:

rm -f /media/mmcblk0p1/boot/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolic link

Move the image and initramfs for Alpine Linux into the right place:

mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1 # It's the mount point for the first partition on the next reboot

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1/boot boot

== Update boot partition (keep system partition/setup-alpine layout) ==
It turns out that the system partition created by setup-alpine has a working boot layout. To keep this, perform the following steps '''instead''' of the steps in the previous chapter.

Clean up the boot / first partition to drop unused files:

rm -f /media/mmcblk0p1/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolink link

Move the boot folder created by setup-alpine into the right place:

cd /media/mmcblk0p1
mkdir boot
cd ..
cd boot
mv boot/* /media/mmcblk0p1/
cd ..
rm -Rf boot
mkdir media/mmcblk0p1 **# It's the mount point for the first partition on the next reboot**

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1 boot

== End of update boot partition - continue here in both cases ==

Update <code>/etc/fstab</code>:

echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0" >> etc/fstab
sed -i '/cdrom/d' etc/fstab # Of course, you don't have any cdrom or floppy on the Raspberry Pi
sed -i '/floppy/d' etc/fstab
cd /media/mmcblk0p1

If you want to activate the edge repository:
sed -i '/edge/s/^#//' etc/apk/repositories # But enable the repository for community if you want vim, mc, php, apache, nginx, etc.

For the next boot, indicate that the root filesystem is on the second partition. If the cmdline.txt file
contains a line that starts with <code>/root</code>, then use sed:

sed -i 's/$/ root=\/dev\/mmcblk0p2 /' /media/mmcblk0p1/cmdline.txt
reboot

That works on '''Raspberry Pi 3B''' and '''1B''', but if you have the '''1B''' version, you'll need to be very, very patient (several tens of minutes).

If a hard disk is connected via '''usb''', you can replace the <code>/dev/mmcblk0p2</code> above with <code>/dev/sda1</code>, for example.

If you don't want to use '''sed''', you can use the nano editor instead, after executing the following command:

apk add {{pkg|nano|arch=a*}}

= Post-installation =

See the [[Raspberry_Pi#Post_Installation]] for common post-installation steps.

Additionally, the following may be of value on a sys mode installation:

If you want a cool editor ({{Pkg|vim}}), a file manager ({{Pkg|mc}}), and to determine which tasks are running and which services are starting on boot ({{Pkg|htop}}), install the packages with this command:

apk add {{pkg|vim|arch=a*}} {{pkg|mc|arch=a*}} {{pkg|htop|arch=a*}}

The '''RPI 3B''' has wifi on board. To start the service for the encrypted key using wpa2 protocol:

apk add {{pkg|wpa_supplicant|arch=a*}}
rc-update add wpa_supplicant boot
service wpa_supplicant start
setup-interfaces
Replace the IP address by dhcp for all the interfaces if necessary; select the SSID network for wifi, add the password.
ip addr # to find the IP address for all interfaces

If you want to connect to your RPI via <code>ssh</code>, an additional user (''foo'') and the {{Pkg|sudo|arch=*}} package are required because it's forbidden to connect as root:

apk add sudo
adduser foo
adduser foo wheel
visudo

Uncomment line #82 with <code>wheel ALL=(ALL) ALL</code>. If {{Pkg|vim}} is installed, save the changes by typing '''Esc :x'''

= Troubleshooting =

Following the preparation instructions for setting up the boot partition as outlined, using the armv7 image (3.10.3), my rpi2 would not even boot, and I was trapped at the dreaded rainbow screen, with the green led blinking a few times in a row, repeatedly.

The rpi2 I had appears to require '''fat32''' for the boot partition, NOT '''fat16''' as suggested in the instructions. Use linux fdisk to set the boot partition type as "c" (for fat32/lba) amd set the '''lba''' and '''boot''' flags for the partition as suggested. Create the boot partition filesystem as fat32 with:

mkdosfs -F 32 /dev/sdX1

Mount and unpacke the tarball to that, and everything should work as documented after the prep instructions.

After booting, you may find less system memory available than you expect. Currently the Pi requires a minimum of 32 megs of memory for the gpu, to boot unless you have the cut down boot loader installed, in which case you can use 16. However, you may find more gpu memory is still being used, even if you configure it for less, if you enable audio or camera support. To find out how your system is actually split:

{{Note|Directions below are for Alpine versions older than 3.18... Help wanted: Is there something equivalent in current versions?}}
apk add {{pkg|raspberrypi|arch=*|branch=v3.17}}
/opt/vc/bin/vcgencmd get_mem gpu
/opt/vc/bin/vcgencmd get_mem arm

= See also =

* [[Raspberry Pi]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Linux Router with VPN on a Raspberry Pi]]

[[Category:Installation]]
[[category: Raspberry]]

Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine

2024-04-18T03:14:31Z

Maestro-jiggiE: just one "cd .." is needed in order to run "diskutil eject /dev/disk2"

== Tinker, Tailor, Raspberry Pi ==

I went ahead and got myself a Raspberry Pi 4B with 4GB RAM, which I intend to use as a job scheduling server, only to find out that the suggested OS, Raspberry Pi OS, is 32-bit. Fortunately, the Linux distro Alpine, which I’ve grown very fond of lately, is available for Raspberry Pi as aarch64, meaning it’s both 64-bit kernel and userland. Unfortunately the distro is currently, as of version 3.12, not set up for persistent storage and is more of a live playground. Gathering bits and pieces from various guides online, this can however be remedied with some tinkering. On this page you will find how to set up a persistent 64-bit OS on the Raspberry Pi, share a USB attached disk, while also adding some interesting software.

If you go ahead and buy the Pi 4, note that it has micro-HDMI ports. I thought they were mini, for which I already had cabling, but alas, another adapter had to be purchased. Also, when attaching a USB disk it is better if it is externally powered. The Pi can however power newer external SSD drives that have low power consumption. I tried with a magnetic disk based one powered over USB first, but it behaved somewhat strangely. With that said, let’s go ahead and look at how to get yourself a shiny tiny new server.

=== Tinkering for Persistence ===

After downloading the v3.12 tarball from Alpine on my macOS, it’s time to set up the SDHC card for the Pi. I actually borrowed my old hand-me-down MacBook Air that I gave to my daughter a few years ago, since it has a built-in card reader, as opposed to my newer Air. The Pi boots off a FAT32 partition, but we want the system to reside in an ext4 partition later, so we will start by reserving a small portion of the card for the boot partition. This is done using Terminal in macOS with the following commands.

diskutil list
diskutil partitionDisk /dev/disk2 MBR "FAT32" ALP 256MB "Free Space" SYS R
sudo fdisk -e /dev/disk2
> f 1
> w
> exit

The tarball should have decompressed once it hit your download folder. If not, use the option “xvzf” for tar.

cd /Volumes/ALP
tar xvf ~/Downloads/alpine-rpi-3.12.0-aarch64.tar
nano usercfg.txt

The newly created file usercfg.txt should contain the following:

enable_uart=1
gpu_mem=32
disable_overscan=1

The least amount of memory for headless is 32MB. The UART thing is beyond me, but seems to be a recommended setting. Removing overscan gives you more screen estate. If you intend to use this as a desktop computer rather than a headless server you probably want to allot more memory to the GPU and enable sound. Full specification for options can be found on the official Raspberry Pi homepage.

After that we just need to make sure the card is not busy, so we change to a safe directory and thereafter eject the card (making sure that any pending writes are finalized).

cd ..
diskutil eject /dev/disk2

Put the SDHC card in the Pi and boot. Login with “root” as username and no password. This presumes that you have connected everything else, such as a keyboard and monitor.

setup-alpine

During setup, select your keymap, hostname, etc, as desired. However, when asked where to store configs, type “none”, and the same for the apk cache directory. If you want to follow this guide to the point, you should also select “chrony” as the NTP client. The most important part here though is to get your network up and running. A full description of the setup programs can be found on the Alpine homepage.

apk update
apk upgrade
apk add cfdisk
cfdisk /dev/mmcblk0

In cfdisk, select “Free space” and the option “New”. It will suggest using the entire available space, so just press enter, then select the option “primary”, followed by “Write”. Type “yes” to write the partition table to disk, then select “Quit”.

apk add e2fsprogs
mkfs.ext4 /dev/mmcblk0p2
mount /dev/mmcblk0p2 /mnt
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1

Ignore the warnings about extlinux. This and the following trick was found in the Alpine Wiki, but in some confusing order.

rm -f /media/mmcblk0p1/boot/*
cd /mnt
rm boot/boot
mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1
ln -s media/mmcblk0p1/boot boot

Now the mountpoints need fixing, so run:

apk add nano
nano etc/fstab

If you prefer some other editor (since people tend to become religious about these things) then feel free to use whatever makes you feel better than nano. Add the following line:

/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0

Now the kernel needs to know where the root filesystem is.

nano /media/mmcblk0p1/cmdline.txt

Append the following at the end of the one and only line in the file:

root=/dev/mmcblk0p2

After exiting nano, it’s safe to reboot, so:

reboot

After rebooting, login using “root” as username, and the password you selected during setup-alpine earlier. Now you have a persistent system and everything that is done will stick, as opposed to how the original distro was configured.

=== Tailoring for Remote Access ===

OpenSSH should already be installed, but it will not allow remote root login. We will initially relax this constraint. Last in this article is a section on hardening where we again disallow root login. If you intend to have this box accessible from the Internet I strongly advice on hardening the Pi.

nano /etc/ssh/sshd_config

Uncomment and change the line (about 30 lines down) with PermitRootLogin to:

PermitRootLogin yes

Then restart the service:

rc-service sshd restart

Now you should be able to ssh to your Pi. The following steps are easier when you can cut and paste things into a terminal window. Feeling lucky? Then now is a good time to disconnect your keyboard and monitor.

=== Keeping the Time ===

If you selected chrony as your NTP client it may take a long time for it to actually correct the clock. Since the Pi does not have a hardware clock, it’s necessary to have time corrected at boot time, so we will change the configuration such that the clock is set if it is more than 60 seconds off during the first 10 lookups.

nano /etc/chrony/chrony.conf

Add the following line at the bottom of the file.

makestep 60 10

Check the date, restart the service, and check the (now hopefully corrected) date again.

date
rc-service chronyd restart
date

Having the correct time is a good thing, particularly when building a job scheduling server.

=== Silencing the Fan ===

Together with the Pi I also bought a fan, the Pimoroni Fan Shim. According to reviews it is one of the better ways to cool your Pi, but it’s still too soon for me to have an opinion. Unless controller software is installed, it will always run at full speed. It’s not noisy, but still noticeable sitting a metric meter from the Pi. Again, some tinkering will be needed since the controller software needs some prerequisites installed. We lost nano between reboots, so we will go ahead and add it again.

apk update
apk upgrade
apk add nano

Other software we need is in the “community” repositories of Alpine. In order to active that repository we need to edit a file:

nano /etc/apk/repositories

Uncomment the second line (ending in v3.12/community), exit, then install the necessary packages.

apk update
apk add git bash python3 python3-dev py3-pip py3-wheel build-base

After those prerequisites are in place, install the fan shim software using:

git clone https://github.com/pimoroni/fanshim-python
cd fanshim-python
./install.sh
apk add py3-psutil
cd examples
./install-service.sh

The last script will fail with “systemctl: command not found”, since Alpine uses OpenRC as its init system, and not systemd which this script presumes. We will instead write our own startup script:

nano /etc/init.d/fanshim

This new file should have the following contents:

#!/sbin/openrc-run
name="fanshim"
command="/usr/bin/python3 /root/fanshim-python/examples/automatic.py"
command_args="--on-threshold 65 --off-threshold 55 --delay 2"
pidfile="/var/run/$SVCNAME.pid"
command_background="yes"

There are a lot of interesting options for fanshim that you can explore, like tuning it’s RGB led. Now we want this to run at boot time, so add it the the default runlevel, then start it.

rc-update add fanshim default
rc-service fanshim start

Enjoy the silence!

=== Adding and Sharing a Disk ===

Some of files we will be transferring are going to be quite large. It would also be neat to be able to access files easily from the Finder in macOS, so I am adding a USB3 connected hard disk with 4TB storage. What follows will be very similar to setting up a NAS, and in fact, the way I fell in love with Alpine was by building my own NAS from scratch (with the minor differences being more disks and using zfs).

First we need to change the filesystem. The disk comes formatted as FAT32, which is very poorly suited for a networked disk. Samba, which is what we will be using for sharing, more or less requires a filesystem that supports extended attributes. After plugging in the drive, we will therefore repartition the drive and format it to ext4.

cfdisk /dev/sda

Using cfdisk, delete any existing partitions and create one new partition. It should become “Linux filesystem” by default. Don’t forget to “Write” before “Quit”. Then format it:

mkfs.ext4 /dev/sda1

Now we need to add autofs to get automatic mounting. This package is in edge/testing though, so we need to enable that branch and repository, but still have main and community take preference. This can be done by labelling a repository.

nano /etc/apk/repositories

Change the line with the testing repository (last line in my file) to the following. Note that yours will have some server.from.setup/path depending on what you selected in setup-alpine. You only uncomment and add the @testing label in other words.

@testing http://<server.from.setup/path>/edge/testing

Now autofs can be installed from the labelled repo.

apk add autofs@testing

Note that dependencies are still pulled from main/community to the extent it is possible. In order to configure autofs, first:

nano /etc/autofs/auto.master

Add the following line after the uncommented line starting with /misc. It will also disconnect the hard disk after 5 minutes to save energy:

/- /etc/autofs/auto.hdd --timeout=300

Then create this new config file:

nano /etc/autofs/auto.hdd

Add the the following line to the empty file.

/hdd -fstype=ext4 :/dev/sda1

Now, the user pi needs to be created.

adduser pi
smbpasswd -a pi

Select desirable passwords for the pi user. The latter one will later be stored in the macOS keychain and therefore easy to forget, so make note of it somewhere.

Add autofs to startup and start it now. Change the ownership of /hdd to pi.

rc-update add autofs default
rc-service autofs start
chown -R pi.pi /hdd

With that in place (disk can be accessed through /hdd) it is time to set up the sharing. For this we will use samba and avahi for network discovery.

apk add samba avahi dbus
nano /etc/samba/smb.cfg

Now, this is what my entire smb.cfg file looks like, with all the tweaks to get stuff running well from macOS.

[global]
create mask = 0664
directory mask = 0775
veto files = /.DS_Store/lost+found/
delete veto files = true
nt acl support = no
inherit acls = yes
ea support = yes
security = user
passdb backend = tdbsam
map to guest = Bad User
vfs objects = catia fruit streams_xattr recycle
acl_xattr:ignore system acls = yes
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
fruit:aapl = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
server max protocol = SMB3
server min protocol = SMB2
workgroup = WORKGROUP
server string = NAS
server role = standalone server
dns proxy = no
[Harddisk]
comment = Raspberry Pi Removable Harddisk
path = /hdd
browseable = yes
writable = yes
spotlight = yes
valid users = pi
fruit:resource = xattr
fruit:time machine = yes
fruit:advertise_fullsync = true

Those last two lines can be removed if you are not interested in using the disk as a Time Machine backup for your Apple devices. I will likely not use it, but since this is how I configured my NAS and it was a hassle to figure out how to get it working I thought I’d leave it here for reference. Doesn’t hurt to keep it there in any way.

Let us also configure the avahi-daemon, by creating a config file for the samba service. Avahi will announce the server using Bonjour, making them easily recognizable from macOS (where they automagically show up in the Finder).

nano /etc/avahi/services/samba.service

This new file should have the following contents:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=RackMac</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=HDD,adVF=0x82</txt-record>
</service>
</service-group>

Not that the txt-record containing adVN=HDD can be removed if you are not interested in using the disk as a Time Machine backup. Still, leaving it won’t hurt.

Finally, it’s time to add samba and avahi to the startup and start the services.

rc-update add samba default
rc-update add avahi-daemon default
rc-service samba start
rc-service avahi-daemon start

The disk should now be visible from macOS. Remember to click “Connect as…” and enter “pi” as the username and your selected smbpasswd from earlier. Check the box “Remember this password in my keychain” for quicker access next time. Sometimes, due to a bug in Catalina, you may get “The original item cannot be found” when accessing the remote disk. If that happens, force quit Finder, and you should be good to go again. If anyone knows of any other fix to this issue, let me know!

=== Automation ===

Now, this server will be used as a job server. Some of the jobs running will need the psql command from PostgreSQL and some others will be R jobs. Let’s install both, or whatever you need to satisfy your desires. You can skip this step for now if you are undecided about what to run or just need basic services like the built-in shell scripting.

apk add R postgresql

In order to automate these jobs, we will be using Cronicle. It depends on node.js so we need to install the prerequisites. It’s run script is fetched using curl, so it will also need to be installed.

apk add nodejs npm curl

The installation is done as follows (it is a oneliner even if it looks broken here).

curl -s https://raw.githubusercontent.com/jhuckaby/Cronicle/master/bin/install.js | node

I want to use standard ports, so I need to change the config slightly.

nano /opt/cronicle/conf/config.json

Change base_app_url from port 3012 to 80. Much further down, change http_port from 3012 to 80, and https_port from 3013 to 443. If you want mails to be sent, change smtp_hostname in the beginning of the file to the mail relay you are using. After that an initialization script needs to be run.

/opt/cronicle/bin/control.sh setup

Now we just need to get it running at boot time. This is, however, a service that we do not want to “kill” using a PID, so we are going to enable local scripts that start and stop the service in a controlled manner instead.

rc-update add local default
nano /etc/local.d/cronicle.start

This new file should have the following line in it:

/opt/cronicle/bin/control.sh start

Now we need to create a stop file as well:

nano /etc/local.d/cronicle.stop

This file should have the contents:

/opt/cronicle/bin/control.sh stop

In order for the local script daemon to run these, they need to be executable.

chmod +x /etc/local.d/cronicle.*

With that, let’s secure things.

=== Hardening ===

Now that most configuring is done, it’s time to harden the Pi. First we will install a firewall with some basic login protection using the builtin ‘limit’ in iptables. Assuming you are in the 192.168.1.0/24 range, which was set during setup-alpine, the following should be run. Only clients on the local network are allowed access to shared folders.

apk add ufw@testing
rc-update add ufw default
ufw allow 22
ufw limit 22/tcp
ufw allow 80
ufw allow 443
ufw allow from 192.168.1.0/24 to any app CIFS
ufw allow Bonjour

With the rules in place, it’s time to disallow root login over ssh, and make sure that only fresh protocols are used.

nano /etc/ssh/sshd_config

Change the line that previously said yes to no, and add the other lines at the bottom of the file (borrowed from this security site):

PermitRootLogin no
PrintMotd no
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After that, enable ufw and restart sshd. Note that if something goes wrong here you will need to plug in a monitor and keyboard again to login locally and fix things.

ufw enable
rc-service sshd restart

Now is a good time to reboot and reconnect to check that everything is working.

reboot

With root not being able to login, you will instead login as “pi”. It is possible for this user to (temporarily, until exit) elevate privileges by the following command:

su

Another option is to use sudo, but I will leave it like this for now, and go ahead with setting up some jobs. That’s a story for another article though.

I hope this guide has been of help. It should be of use for anyone tinkering with Alpine on their Raspberries, and likely some parts for those running other Linux flavors on different hardware as well.

Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine

2024-04-17T04:38:20Z

Maestro-jiggiE: add ".." to cd command and another one to get to home directory

== Tinker, Tailor, Raspberry Pi ==

I went ahead and got myself a Raspberry Pi 4B with 4GB RAM, which I intend to use as a job scheduling server, only to find out that the suggested OS, Raspberry Pi OS, is 32-bit. Fortunately, the Linux distro Alpine, which I’ve grown very fond of lately, is available for Raspberry Pi as aarch64, meaning it’s both 64-bit kernel and userland. Unfortunately the distro is currently, as of version 3.12, not set up for persistent storage and is more of a live playground. Gathering bits and pieces from various guides online, this can however be remedied with some tinkering. On this page you will find how to set up a persistent 64-bit OS on the Raspberry Pi, share a USB attached disk, while also adding some interesting software.

If you go ahead and buy the Pi 4, note that it has micro-HDMI ports. I thought they were mini, for which I already had cabling, but alas, another adapter had to be purchased. Also, when attaching a USB disk it is better if it is externally powered. The Pi can however power newer external SSD drives that have low power consumption. I tried with a magnetic disk based one powered over USB first, but it behaved somewhat strangely. With that said, let’s go ahead and look at how to get yourself a shiny tiny new server.

=== Tinkering for Persistence ===

After downloading the v3.12 tarball from Alpine on my macOS, it’s time to set up the SDHC card for the Pi. I actually borrowed my old hand-me-down MacBook Air that I gave to my daughter a few years ago, since it has a built-in card reader, as opposed to my newer Air. The Pi boots off a FAT32 partition, but we want the system to reside in an ext4 partition later, so we will start by reserving a small portion of the card for the boot partition. This is done using Terminal in macOS with the following commands.

diskutil list
diskutil partitionDisk /dev/disk2 MBR "FAT32" ALP 256MB "Free Space" SYS R
sudo fdisk -e /dev/disk2
> f 1
> w
> exit

The tarball should have decompressed once it hit your download folder. If not, use the option “xvzf” for tar.

cd /Volumes/ALP
tar xvf ~/Downloads/alpine-rpi-3.12.0-aarch64.tar
nano usercfg.txt

The newly created file usercfg.txt should contain the following:

enable_uart=1
gpu_mem=32
disable_overscan=1

The least amount of memory for headless is 32MB. The UART thing is beyond me, but seems to be a recommended setting. Removing overscan gives you more screen estate. If you intend to use this as a desktop computer rather than a headless server you probably want to allot more memory to the GPU and enable sound. Full specification for options can be found on the official Raspberry Pi homepage.

After that we just need to make sure the card is not busy, so we change to a safe directory and thereafter eject the card (making sure that any pending writes are finalized).

cd ..
cd ..
diskutil eject /dev/disk2

Put the SDHC card in the Pi and boot. Login with “root” as username and no password. This presumes that you have connected everything else, such as a keyboard and monitor.

setup-alpine

During setup, select your keymap, hostname, etc, as desired. However, when asked where to store configs, type “none”, and the same for the apk cache directory. If you want to follow this guide to the point, you should also select “chrony” as the NTP client. The most important part here though is to get your network up and running. A full description of the setup programs can be found on the Alpine homepage.

apk update
apk upgrade
apk add cfdisk
cfdisk /dev/mmcblk0

In cfdisk, select “Free space” and the option “New”. It will suggest using the entire available space, so just press enter, then select the option “primary”, followed by “Write”. Type “yes” to write the partition table to disk, then select “Quit”.

apk add e2fsprogs
mkfs.ext4 /dev/mmcblk0p2
mount /dev/mmcblk0p2 /mnt
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1

Ignore the warnings about extlinux. This and the following trick was found in the Alpine Wiki, but in some confusing order.

rm -f /media/mmcblk0p1/boot/*
cd /mnt
rm boot/boot
mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1
ln -s media/mmcblk0p1/boot boot

Now the mountpoints need fixing, so run:

apk add nano
nano etc/fstab

If you prefer some other editor (since people tend to become religious about these things) then feel free to use whatever makes you feel better than nano. Add the following line:

/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0

Now the kernel needs to know where the root filesystem is.

nano /media/mmcblk0p1/cmdline.txt

Append the following at the end of the one and only line in the file:

root=/dev/mmcblk0p2

After exiting nano, it’s safe to reboot, so:

reboot

After rebooting, login using “root” as username, and the password you selected during setup-alpine earlier. Now you have a persistent system and everything that is done will stick, as opposed to how the original distro was configured.

=== Tailoring for Remote Access ===

OpenSSH should already be installed, but it will not allow remote root login. We will initially relax this constraint. Last in this article is a section on hardening where we again disallow root login. If you intend to have this box accessible from the Internet I strongly advice on hardening the Pi.

nano /etc/ssh/sshd_config

Uncomment and change the line (about 30 lines down) with PermitRootLogin to:

PermitRootLogin yes

Then restart the service:

rc-service sshd restart

Now you should be able to ssh to your Pi. The following steps are easier when you can cut and paste things into a terminal window. Feeling lucky? Then now is a good time to disconnect your keyboard and monitor.

=== Keeping the Time ===

If you selected chrony as your NTP client it may take a long time for it to actually correct the clock. Since the Pi does not have a hardware clock, it’s necessary to have time corrected at boot time, so we will change the configuration such that the clock is set if it is more than 60 seconds off during the first 10 lookups.

nano /etc/chrony/chrony.conf

Add the following line at the bottom of the file.

makestep 60 10

Check the date, restart the service, and check the (now hopefully corrected) date again.

date
rc-service chronyd restart
date

Having the correct time is a good thing, particularly when building a job scheduling server.

=== Silencing the Fan ===

Together with the Pi I also bought a fan, the Pimoroni Fan Shim. According to reviews it is one of the better ways to cool your Pi, but it’s still too soon for me to have an opinion. Unless controller software is installed, it will always run at full speed. It’s not noisy, but still noticeable sitting a metric meter from the Pi. Again, some tinkering will be needed since the controller software needs some prerequisites installed. We lost nano between reboots, so we will go ahead and add it again.

apk update
apk upgrade
apk add nano

Other software we need is in the “community” repositories of Alpine. In order to active that repository we need to edit a file:

nano /etc/apk/repositories

Uncomment the second line (ending in v3.12/community), exit, then install the necessary packages.

apk update
apk add git bash python3 python3-dev py3-pip py3-wheel build-base

After those prerequisites are in place, install the fan shim software using:

git clone https://github.com/pimoroni/fanshim-python
cd fanshim-python
./install.sh
apk add py3-psutil
cd examples
./install-service.sh

The last script will fail with “systemctl: command not found”, since Alpine uses OpenRC as its init system, and not systemd which this script presumes. We will instead write our own startup script:

nano /etc/init.d/fanshim

This new file should have the following contents:

#!/sbin/openrc-run
name="fanshim"
command="/usr/bin/python3 /root/fanshim-python/examples/automatic.py"
command_args="--on-threshold 65 --off-threshold 55 --delay 2"
pidfile="/var/run/$SVCNAME.pid"
command_background="yes"

There are a lot of interesting options for fanshim that you can explore, like tuning it’s RGB led. Now we want this to run at boot time, so add it the the default runlevel, then start it.

rc-update add fanshim default
rc-service fanshim start

Enjoy the silence!

=== Adding and Sharing a Disk ===

Some of files we will be transferring are going to be quite large. It would also be neat to be able to access files easily from the Finder in macOS, so I am adding a USB3 connected hard disk with 4TB storage. What follows will be very similar to setting up a NAS, and in fact, the way I fell in love with Alpine was by building my own NAS from scratch (with the minor differences being more disks and using zfs).

First we need to change the filesystem. The disk comes formatted as FAT32, which is very poorly suited for a networked disk. Samba, which is what we will be using for sharing, more or less requires a filesystem that supports extended attributes. After plugging in the drive, we will therefore repartition the drive and format it to ext4.

cfdisk /dev/sda

Using cfdisk, delete any existing partitions and create one new partition. It should become “Linux filesystem” by default. Don’t forget to “Write” before “Quit”. Then format it:

mkfs.ext4 /dev/sda1

Now we need to add autofs to get automatic mounting. This package is in edge/testing though, so we need to enable that branch and repository, but still have main and community take preference. This can be done by labelling a repository.

nano /etc/apk/repositories

Change the line with the testing repository (last line in my file) to the following. Note that yours will have some server.from.setup/path depending on what you selected in setup-alpine. You only uncomment and add the @testing label in other words.

@testing http://<server.from.setup/path>/edge/testing

Now autofs can be installed from the labelled repo.

apk add autofs@testing

Note that dependencies are still pulled from main/community to the extent it is possible. In order to configure autofs, first:

nano /etc/autofs/auto.master

Add the following line after the uncommented line starting with /misc. It will also disconnect the hard disk after 5 minutes to save energy:

/- /etc/autofs/auto.hdd --timeout=300

Then create this new config file:

nano /etc/autofs/auto.hdd

Add the the following line to the empty file.

/hdd -fstype=ext4 :/dev/sda1

Now, the user pi needs to be created.

adduser pi
smbpasswd -a pi

Select desirable passwords for the pi user. The latter one will later be stored in the macOS keychain and therefore easy to forget, so make note of it somewhere.

Add autofs to startup and start it now. Change the ownership of /hdd to pi.

rc-update add autofs default
rc-service autofs start
chown -R pi.pi /hdd

With that in place (disk can be accessed through /hdd) it is time to set up the sharing. For this we will use samba and avahi for network discovery.

apk add samba avahi dbus
nano /etc/samba/smb.cfg

Now, this is what my entire smb.cfg file looks like, with all the tweaks to get stuff running well from macOS.

[global]
create mask = 0664
directory mask = 0775
veto files = /.DS_Store/lost+found/
delete veto files = true
nt acl support = no
inherit acls = yes
ea support = yes
security = user
passdb backend = tdbsam
map to guest = Bad User
vfs objects = catia fruit streams_xattr recycle
acl_xattr:ignore system acls = yes
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
fruit:aapl = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
server max protocol = SMB3
server min protocol = SMB2
workgroup = WORKGROUP
server string = NAS
server role = standalone server
dns proxy = no
[Harddisk]
comment = Raspberry Pi Removable Harddisk
path = /hdd
browseable = yes
writable = yes
spotlight = yes
valid users = pi
fruit:resource = xattr
fruit:time machine = yes
fruit:advertise_fullsync = true

Those last two lines can be removed if you are not interested in using the disk as a Time Machine backup for your Apple devices. I will likely not use it, but since this is how I configured my NAS and it was a hassle to figure out how to get it working I thought I’d leave it here for reference. Doesn’t hurt to keep it there in any way.

Let us also configure the avahi-daemon, by creating a config file for the samba service. Avahi will announce the server using Bonjour, making them easily recognizable from macOS (where they automagically show up in the Finder).

nano /etc/avahi/services/samba.service

This new file should have the following contents:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=RackMac</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=HDD,adVF=0x82</txt-record>
</service>
</service-group>

Not that the txt-record containing adVN=HDD can be removed if you are not interested in using the disk as a Time Machine backup. Still, leaving it won’t hurt.

Finally, it’s time to add samba and avahi to the startup and start the services.

rc-update add samba default
rc-update add avahi-daemon default
rc-service samba start
rc-service avahi-daemon start

The disk should now be visible from macOS. Remember to click “Connect as…” and enter “pi” as the username and your selected smbpasswd from earlier. Check the box “Remember this password in my keychain” for quicker access next time. Sometimes, due to a bug in Catalina, you may get “The original item cannot be found” when accessing the remote disk. If that happens, force quit Finder, and you should be good to go again. If anyone knows of any other fix to this issue, let me know!

=== Automation ===

Now, this server will be used as a job server. Some of the jobs running will need the psql command from PostgreSQL and some others will be R jobs. Let’s install both, or whatever you need to satisfy your desires. You can skip this step for now if you are undecided about what to run or just need basic services like the built-in shell scripting.

apk add R postgresql

In order to automate these jobs, we will be using Cronicle. It depends on node.js so we need to install the prerequisites. It’s run script is fetched using curl, so it will also need to be installed.

apk add nodejs npm curl

The installation is done as follows (it is a oneliner even if it looks broken here).

curl -s https://raw.githubusercontent.com/jhuckaby/Cronicle/master/bin/install.js | node

I want to use standard ports, so I need to change the config slightly.

nano /opt/cronicle/conf/config.json

Change base_app_url from port 3012 to 80. Much further down, change http_port from 3012 to 80, and https_port from 3013 to 443. If you want mails to be sent, change smtp_hostname in the beginning of the file to the mail relay you are using. After that an initialization script needs to be run.

/opt/cronicle/bin/control.sh setup

Now we just need to get it running at boot time. This is, however, a service that we do not want to “kill” using a PID, so we are going to enable local scripts that start and stop the service in a controlled manner instead.

rc-update add local default
nano /etc/local.d/cronicle.start

This new file should have the following line in it:

/opt/cronicle/bin/control.sh start

Now we need to create a stop file as well:

nano /etc/local.d/cronicle.stop

This file should have the contents:

/opt/cronicle/bin/control.sh stop

In order for the local script daemon to run these, they need to be executable.

chmod +x /etc/local.d/cronicle.*

With that, let’s secure things.

=== Hardening ===

Now that most configuring is done, it’s time to harden the Pi. First we will install a firewall with some basic login protection using the builtin ‘limit’ in iptables. Assuming you are in the 192.168.1.0/24 range, which was set during setup-alpine, the following should be run. Only clients on the local network are allowed access to shared folders.

apk add ufw@testing
rc-update add ufw default
ufw allow 22
ufw limit 22/tcp
ufw allow 80
ufw allow 443
ufw allow from 192.168.1.0/24 to any app CIFS
ufw allow Bonjour

With the rules in place, it’s time to disallow root login over ssh, and make sure that only fresh protocols are used.

nano /etc/ssh/sshd_config

Change the line that previously said yes to no, and add the other lines at the bottom of the file (borrowed from this security site):

PermitRootLogin no
PrintMotd no
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After that, enable ufw and restart sshd. Note that if something goes wrong here you will need to plug in a monitor and keyboard again to login locally and fix things.

ufw enable
rc-service sshd restart

Now is a good time to reboot and reconnect to check that everything is working.

reboot

With root not being able to login, you will instead login as “pi”. It is possible for this user to (temporarily, until exit) elevate privileges by the following command:

su

Another option is to use sudo, but I will leave it like this for now, and go ahead with setting up some jobs. That’s a story for another article though.

I hope this guide has been of help. It should be of use for anyone tinkering with Alpine on their Raspberries, and likely some parts for those running other Linux flavors on different hardware as well.

Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine

2024-04-17T04:30:43Z

Maestro-jiggiE: usercfg.txt file is non-existence when using latest tar file for alpine-rpi-3.19.1-aarch64. Need to manually create it then edit it.

== Tinker, Tailor, Raspberry Pi ==

I went ahead and got myself a Raspberry Pi 4B with 4GB RAM, which I intend to use as a job scheduling server, only to find out that the suggested OS, Raspberry Pi OS, is 32-bit. Fortunately, the Linux distro Alpine, which I’ve grown very fond of lately, is available for Raspberry Pi as aarch64, meaning it’s both 64-bit kernel and userland. Unfortunately the distro is currently, as of version 3.12, not set up for persistent storage and is more of a live playground. Gathering bits and pieces from various guides online, that can be remedied with some tinkering. On this page you will find how to set up a persistent 64-bit OS on the Raspberry Pi, share a USB attached disk, as well as some interesting software.

Note: the Pi 4 has micro-HDMI ports. I thought they were mini, for which I already had cabling, but alas, another adapter had to be purchased. Also, when attaching a USB disk it is better if it is externally powered. The Pi can however power newer external SSD drives that have low power consumption. I tried with a USB powered magnetic disk drive, but it behaved somewhat strangely. With that said, let’s look at how to get yourself a shiny, tiny, new server.

=== Tinkering for Persistence ===

After downloading the Alpine v3.12 tarball, the next step is to set up the SDHC card for the Pi. I borrowed a MacBook Air, since it has a built-in card reader. The Pi boots off a FAT32 partition, but ultimately, we want the system to reside in an ext4 partition. We'll start by reserving a small portion of the card for the boot partition. This is done using Terminal in macOS with the following commands.

diskutil list
sudo diskutil partitionDisk disk2 MBR FREE SYS R FAT32 ALP 256MB
sudo fdisk -e /dev/disk2
> f 1
> w
> exit

The tarball should have decompressed once it hit your download folder. If not, use the option “xvzf” for tar.

cd /Volumes/ALP
tar xvf ~/Downloads/alpine-rpi-3.12.0-aarch64.tar
touch usercfg.txt
nano usercfg.txt

The newly created file usercfg.txt should contain the following:

enable_uart=1
gpu_mem=32
disable_overscan=1

The smallest amount of memory for a headless install is 32MB. Removing overscan gives you more usable screen area. If you intend to use this as a desktop computer rather than a headless server, you probably want to allocate more memory to the GPU and enable sound. Full specifications for options can be found on the official Raspberry Pi homepage.

After that, you need to make sure the card is not busy. Change to a safe directory then eject the card (making sure that any pending writes are finalized).

cd
diskutil eject /dev/disk2

Put the SDHC card in the Pi and boot. Login with “root” as username and no password. This presumes that you have connected everything else, e.g. a keyboard and monitor.

setup-alpine

During setup, select your keymap, hostname, etc, as desired. However, when asked where to store configs, type “none”, and the same for the apk cache directory. If you want to follow this guide to the point, you should also select “chrony” as the NTP client. The most important part here though is to get your network up and running. A full description of the setup programs can be found on the Alpine homepage.

apk update
apk upgrade
apk add cfdisk
cfdisk /dev/mmcblk0

In cfdisk, select “Free space” and the "New" option. It will suggest using the entire available space, so just press enter, then select the option "primary" followed by "Write". Type "yes" to write the partition table to disk, then select "Quit".

apk add e2fsprogs
mkfs.ext4 /dev/mmcblk0p2
mount /dev/mmcblk0p2 /mnt
export FORCE_BOOTFS=1 # work around for issue 12353
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1

Ignore the warnings about extlinux. This and the following trick was found in the Alpine Wiki, but in a confusing order.

rm -f /media/mmcblk0p1/boot/*
cd /mnt
rm boot/boot
mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1
ln -s media/mmcblk0p1/boot boot

Now the mountpoints need fixing, so run:

apk add nano
nano etc/fstab

If you prefer some other editor (since people tend to become religious about these things) feel free to use whatever you want. Add the following line:

/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0

Now the kernel needs to know where the root filesystem is.

nano /media/mmcblk0p1/cmdline.txt

Append the following at the end of the one and only line in the file:

root=/dev/mmcblk0p2

After exiting nano, reboot:

reboot

After rebooting, login using "root" as username, and the password you selected during setup-alpine earlier. Now you have a persistent system, as opposed to the way the original distro was configured.

=== Tailoring for Remote Access ===

OpenSSH should already be installed, but it will not allow remote root login. Initially, we'll relax this restriction. Last in this article is a section on hardening where we again disallow root login. If you intend to have this box accessible from the Internet, I strongly advise hardening the Pi.

nano /etc/ssh/sshd_config

Uncomment and change the line (about 30 lines down) with PermitRootLogin to:

PermitRootLogin yes

Then restart the service:

rc-service sshd restart

Now you should be able to ssh to your Pi. The following steps are easier when you can cut and paste things into a terminal window.

=== Keeping the Time ===

If you selected chrony as your NTP client, it may take a long time for it to correct the clock. Since the Pi does not have a hardware clock, it’s necessary to have the correct time at bootup. We'll change the configuration such that the clock gets set if it is more than 60 seconds off during the first 10 lookups.

nano /etc/chrony/chrony.conf

Add the following line at the bottom of the file.

makestep 60 10

Check the date, restart the service, and check the (now hopefully corrected) date again.

date
rc-service chronyd restart
date

Having the correct time is a good thing, particularly when building a job scheduling server.

=== Silencing the Fan ===

Together with the Pi, I also bought a fan, the Pimoroni Fan Shim. According to reviews it is one of the better ways to cool your Pi. Unless control software is installed, it runs at full speed. It’s not noisy, but still noticeable a meter from the Pi. Again, some tinkering will be needed since the control software needs some prerequisites installed. We lost nano between reboots, so we'll reinstall it.

apk update
apk upgrade
apk add nano

Other software we need is in the “community” repositories of Alpine. In order to activate that repository, we need to edit a file:

nano /etc/apk/repositories

Uncomment the second line (ending in v3.12/community), exit, then install the necessary packages.

apk update
apk add git bash python3 python3-dev py3-pip py3-wheel build-base

After those prerequisites are in place, install the fan shim software using:

git clone https://github.com/pimoroni/fanshim-python
cd fanshim-python
./install.sh
apk add py3-psutil
cd examples
./install-service.sh

The last script will fail with “systemctl: command not found”, since Alpine uses OpenRC as its init system, and not systemd which this script presumes.
We'll write our own startup script:

nano /etc/init.d/fanshim

The new file should have the following contents:

#!/sbin/openrc-run
name="fanshim"
command="/usr/bin/python3 /root/fanshim-python/examples/automatic.py"
command_args="--on-threshold 65 --off-threshold 55 --delay 2"
pidfile="/var/run/$SVCNAME.pid"
command_background="yes"

There are a lot of interesting options for fanshim you can explore, like tuning it’s RGB led. We want this to run at boot time, so add it the the default runlevel, then start it.

rc-update add fanshim default
rc-service fanshim start

Enjoy the silence!

=== Adding and Sharing a Disk ===

Some of files we'll be transferring are quite large. It would also be neat to be able to access files easily from the Finder in macOS, so I am adding a USB3 connected hard disk with 4TB storage. What follows will be very similar to setting up a NAS, and in fact, the way I fell in love with Alpine was by building my own NAS from scratch (with the minor differences being more disks and using zfs).

First we need to change the filesystem. The disk comes formatted as FAT32, which is very poorly suited for a network disk. Samba, which is what we will be using for sharing, more or less requires a filesystem that supports extended attributes. After plugging in the drive, we will repartition the drive and format it to ext4.

cfdisk /dev/sda

Using cfdisk, delete any existing partitions and create one new partition. It should become "Linux filesystem" by default. Don’t forget to "Write" before "Quit"ing. Next, format it:

mkfs.ext4 /dev/sda1

Now we need to add autofs to get automatic mounting. This package is in edge/testing though, so we need to enable that branch and repository, but still have main and community take preference. This can be done by labelling a repository.

nano /etc/apk/repositories

Change the line with the testing repository to the following. Note that yours will have some server.from.setup/path depending on what you selected in setup-alpine. You only uncomment and add the @testing label in other words.

@testing http://<server.from.setup/path>/edge/testing

Now autofs can be installed from the labelled repo.

apk add autofs@testing

Note that dependencies are still pulled from main/community to the extent it is possible. In order to configure autofs, first:

nano /etc/autofs/auto.master

Add the following line after the uncommented line starting with /misc. It will also disconnect the hard disk after 5 minutes to save energy:

/- /etc/autofs/auto.hdd --timeout=300

Then create this new config file:

nano /etc/autofs/auto.hdd

Add the the following line to the empty file.

/hdd -fstype=ext4 :/dev/sda1

Now, the user pi needs to be created.

adduser pi
smbpasswd -a pi

Select passwords for the pi user. The latter one will later be stored in the macOS keychain and therefore easy to forget, so make note of it somewhere.

Add autofs to startup and start it now. Change the ownership of /hdd to pi.

rc-update add autofs default
rc-service autofs start
chown -R pi.pi /hdd

With that in place (disk can be accessed through /hdd) it is time to set up the sharing. For this we will use samba and avahi for network discovery.

apk add samba avahi dbus
nano /etc/samba/smb.cfg

Now, this is what my entire smb.cfg file looks like, with all the tweaks to get stuff running well from macOS.

[global]
create mask = 0664
directory mask = 0775
veto files = /.DS_Store/lost+found/
delete veto files = true
nt acl support = no
inherit acls = yes
ea support = yes
security = user
passdb backend = tdbsam
map to guest = Bad User
vfs objects = catia fruit streams_xattr recycle
acl_xattr:ignore system acls = yes
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
fruit:aapl = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
server max protocol = SMB3
server min protocol = SMB2
workgroup = WORKGROUP
server string = NAS
server role = standalone server
dns proxy = no
[Harddisk]
comment = Raspberry Pi Removable Harddisk
path = /hdd
browseable = yes
writable = yes
spotlight = yes
valid users = pi
fruit:resource = xattr
fruit:time machine = yes
fruit:advertise_fullsync = true

Those last two lines can be removed if you are not interested in using the disk as a Time Machine backup for your Apple devices. I will likely not use it, but since this is how I configured my NAS and it was a hassle to figure out how to get it working I thought I’d leave it here for reference. Doesn’t hurt to keep it there.

Let us also configure the avahi-daemon, by creating a config file for the samba service. Avahi will announce the server using Bonjour, making them easily recognizable from macOS (where they automagically show up in the Finder).

nano /etc/avahi/services/samba.service

This new file should have the following contents:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=RackMac</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=HDD,adVF=0x82</txt-record>
</service>
</service-group>

Not that the txt-record containing adVN=HDD can be removed if you are not interested in using the disk as a Time Machine backup. Still, leaving it won’t hurt.

Finally, it’s time to add samba and avahi to the startup, and start the services.

rc-update add samba default
rc-update add avahi-daemon default
rc-service samba start
rc-service avahi-daemon start

The disk should now be visible from macOS. Remember to click “Connect as…” and enter “pi” as the username and your selected smbpasswd from earlier. Check the box “Remember this password in my keychain” for quicker access next time. Sometimes, due to a bug in Catalina, you may get “The original item cannot be found” when accessing the remote disk. If that happens, force quit Finder, and you should be good to go again. If anyone knows of any other fix to this issue, let me know!

=== Automation ===

This server will be used as a job server. Some of the jobs running will need the psql command from PostgreSQL and some others will be R jobs. Let’s install both, or whatever you need to satisfy your desire. You can skip this step for now if you are undecided about what to run or just need basic services like the built-in shell scripting.

apk add R postgresql

In order to automate these jobs, we will be using Cronicle. It depends on node.js so we need to install the prerequisites. It’s run script is fetched using curl, so that will also need to be installed.

apk add nodejs npm curl

The installation is done as follows (it is a oneliner even if it looks broken here).

curl -s https://raw.githubusercontent.com/jhuckaby/Cronicle/master/bin/install.js | node

I want to use standard ports, so I had to change the config slightly.

nano /opt/cronicle/conf/config.json

Change base_app_url from port 3012 to 80. Much further down, change http_port from 3012 to 80, and https_port from 3013 to 443. If you want mail to be sent, change smtp_hostname at the beginning of the file to the mail relay you are using. After that, an initialization script needs to be run.

/opt/cronicle/bin/control.sh setup

We need to get it running at boot time. This is, however, a service that we do not want to “kill” using a PID, so we are going to enable local scripts that start and stop the service in a controlled manner instead.

rc-update add local default
nano /etc/local.d/cronicle.start

This new file should have the following line in it:

/opt/cronicle/bin/control.sh start

Now we need to create a stop file as well:

nano /etc/local.d/cronicle.stop

This file should have the contents:

/opt/cronicle/bin/control.sh stop

In order for the local script daemon to run these, they need to be executable.

chmod +x /etc/local.d/cronicle.*

With that, let’s secure things.

=== Hardening ===

Now that most configuring is done, it’s time to harden the Pi. First we will install a firewall with some basic login protection using the builtin 'limit' in iptables. Assuming you are in the 192.168.1.0/24 range, which was set during setup-alpine, the following should be run. Only clients on the local network are allowed access to shared folders.

apk add ufw@testing
rc-update add ufw default
ufw allow 22
ufw limit 22/tcp
ufw allow 80
ufw allow 443
ufw allow from 192.168.1.0/24 to any app CIFS
ufw allow Bonjour

With the rules in place, it’s time to disallow root login via ssh, and make sure only fresh protocols are used.

nano /etc/ssh/sshd_config

Change the line that previously said yes to no, and add the other lines at the bottom of the file (borrowed from this security site):

PermitRootLogin no
PrintMotd no
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After that, enable ufw and restart sshd. Note: if something goes wrong here, you will need to plug in a monitor and keyboard again to login locally and fix things.

ufw enable
rc-service sshd restart

Now is a good time to reboot and reconnect to check that everything is working.

reboot

With root not being able to login, you will instead login as "pi". It is possible for this user to (temporarily, until exit) elevate privileges with the following command:

su

Another option is to use sudo, but I will leave it like this for now, and go ahead with setting up some jobs. That’s a story for another article though.

I hope this guide has been of help. It should be of use for anyone tinkering with Alpine on their Raspberries, and likely some parts for those running other Linux flavors on different hardware as well.

[[Category:Raspberry]]

Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine

2024-04-17T04:15:29Z

Maestro-jiggiE: the diskutil command needs to be run as sudo and the configuration provided did not work for me. However, after reformatting as edited above, my microsd card was formatted correctly.

== Tinker, Tailor, Raspberry Pi ==

I went ahead and got myself a Raspberry Pi 4B with 4GB RAM, which I intend to use as a job scheduling server, only to find out that the suggested OS, Raspberry Pi OS, is 32-bit. Fortunately, the Linux distro Alpine, which I’ve grown very fond of lately, is available for Raspberry Pi as aarch64, meaning it’s both 64-bit kernel and userland. Unfortunately the distro is currently, as of version 3.12, not set up for persistent storage and is more of a live playground. Gathering bits and pieces from various guides online, that can be remedied with some tinkering. On this page you will find how to set up a persistent 64-bit OS on the Raspberry Pi, share a USB attached disk, as well as some interesting software.

Note: the Pi 4 has micro-HDMI ports. I thought they were mini, for which I already had cabling, but alas, another adapter had to be purchased. Also, when attaching a USB disk it is better if it is externally powered. The Pi can however power newer external SSD drives that have low power consumption. I tried with a USB powered magnetic disk drive, but it behaved somewhat strangely. With that said, let’s look at how to get yourself a shiny, tiny, new server.

=== Tinkering for Persistence ===

After downloading the Alpine v3.12 tarball, the next step is to set up the SDHC card for the Pi. I borrowed a MacBook Air, since it has a built-in card reader. The Pi boots off a FAT32 partition, but ultimately, we want the system to reside in an ext4 partition. We'll start by reserving a small portion of the card for the boot partition. This is done using Terminal in macOS with the following commands.

diskutil list
sudo diskutil partitionDisk disk2 MBR FREE SYS R FAT32 ALP 256MB
sudo fdisk -e /dev/disk2
> f 1
> w
> exit

The tarball should have decompressed once it hit your download folder. If not, use the option “xvzf” for tar.

cd /Volumes/ALP
tar xvf ~/Downloads/alpine-rpi-3.12.0-aarch64.tar
nano usercfg.txt

The newly created file usercfg.txt should contain the following:

enable_uart=1
gpu_mem=32
disable_overscan=1

The smallest amount of memory for a headless install is 32MB. Removing overscan gives you more usable screen area. If you intend to use this as a desktop computer rather than a headless server, you probably want to allocate more memory to the GPU and enable sound. Full specifications for options can be found on the official Raspberry Pi homepage.

After that, you need to make sure the card is not busy. Change to a safe directory then eject the card (making sure that any pending writes are finalized).

cd
diskutil eject /dev/disk2

Put the SDHC card in the Pi and boot. Login with “root” as username and no password. This presumes that you have connected everything else, e.g. a keyboard and monitor.

setup-alpine

During setup, select your keymap, hostname, etc, as desired. However, when asked where to store configs, type “none”, and the same for the apk cache directory. If you want to follow this guide to the point, you should also select “chrony” as the NTP client. The most important part here though is to get your network up and running. A full description of the setup programs can be found on the Alpine homepage.

apk update
apk upgrade
apk add cfdisk
cfdisk /dev/mmcblk0

In cfdisk, select “Free space” and the "New" option. It will suggest using the entire available space, so just press enter, then select the option "primary" followed by "Write". Type "yes" to write the partition table to disk, then select "Quit".

apk add e2fsprogs
mkfs.ext4 /dev/mmcblk0p2
mount /dev/mmcblk0p2 /mnt
export FORCE_BOOTFS=1 # work around for issue 12353
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1

Ignore the warnings about extlinux. This and the following trick was found in the Alpine Wiki, but in a confusing order.

rm -f /media/mmcblk0p1/boot/*
cd /mnt
rm boot/boot
mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1
ln -s media/mmcblk0p1/boot boot

Now the mountpoints need fixing, so run:

apk add nano
nano etc/fstab

If you prefer some other editor (since people tend to become religious about these things) feel free to use whatever you want. Add the following line:

/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0

Now the kernel needs to know where the root filesystem is.

nano /media/mmcblk0p1/cmdline.txt

Append the following at the end of the one and only line in the file:

root=/dev/mmcblk0p2

After exiting nano, reboot:

reboot

After rebooting, login using "root" as username, and the password you selected during setup-alpine earlier. Now you have a persistent system, as opposed to the way the original distro was configured.

=== Tailoring for Remote Access ===

OpenSSH should already be installed, but it will not allow remote root login. Initially, we'll relax this restriction. Last in this article is a section on hardening where we again disallow root login. If you intend to have this box accessible from the Internet, I strongly advise hardening the Pi.

nano /etc/ssh/sshd_config

Uncomment and change the line (about 30 lines down) with PermitRootLogin to:

PermitRootLogin yes

Then restart the service:

rc-service sshd restart

Now you should be able to ssh to your Pi. The following steps are easier when you can cut and paste things into a terminal window.

=== Keeping the Time ===

If you selected chrony as your NTP client, it may take a long time for it to correct the clock. Since the Pi does not have a hardware clock, it’s necessary to have the correct time at bootup. We'll change the configuration such that the clock gets set if it is more than 60 seconds off during the first 10 lookups.

nano /etc/chrony/chrony.conf

Add the following line at the bottom of the file.

makestep 60 10

Check the date, restart the service, and check the (now hopefully corrected) date again.

date
rc-service chronyd restart
date

Having the correct time is a good thing, particularly when building a job scheduling server.

=== Silencing the Fan ===

Together with the Pi, I also bought a fan, the Pimoroni Fan Shim. According to reviews it is one of the better ways to cool your Pi. Unless control software is installed, it runs at full speed. It’s not noisy, but still noticeable a meter from the Pi. Again, some tinkering will be needed since the control software needs some prerequisites installed. We lost nano between reboots, so we'll reinstall it.

apk update
apk upgrade
apk add nano

Other software we need is in the “community” repositories of Alpine. In order to activate that repository, we need to edit a file:

nano /etc/apk/repositories

Uncomment the second line (ending in v3.12/community), exit, then install the necessary packages.

apk update
apk add git bash python3 python3-dev py3-pip py3-wheel build-base

After those prerequisites are in place, install the fan shim software using:

git clone https://github.com/pimoroni/fanshim-python
cd fanshim-python
./install.sh
apk add py3-psutil
cd examples
./install-service.sh

The last script will fail with “systemctl: command not found”, since Alpine uses OpenRC as its init system, and not systemd which this script presumes.
We'll write our own startup script:

nano /etc/init.d/fanshim

The new file should have the following contents:

#!/sbin/openrc-run
name="fanshim"
command="/usr/bin/python3 /root/fanshim-python/examples/automatic.py"
command_args="--on-threshold 65 --off-threshold 55 --delay 2"
pidfile="/var/run/$SVCNAME.pid"
command_background="yes"

There are a lot of interesting options for fanshim you can explore, like tuning it’s RGB led. We want this to run at boot time, so add it the the default runlevel, then start it.

rc-update add fanshim default
rc-service fanshim start

Enjoy the silence!

=== Adding and Sharing a Disk ===

Some of files we'll be transferring are quite large. It would also be neat to be able to access files easily from the Finder in macOS, so I am adding a USB3 connected hard disk with 4TB storage. What follows will be very similar to setting up a NAS, and in fact, the way I fell in love with Alpine was by building my own NAS from scratch (with the minor differences being more disks and using zfs).

First we need to change the filesystem. The disk comes formatted as FAT32, which is very poorly suited for a network disk. Samba, which is what we will be using for sharing, more or less requires a filesystem that supports extended attributes. After plugging in the drive, we will repartition the drive and format it to ext4.

cfdisk /dev/sda

Using cfdisk, delete any existing partitions and create one new partition. It should become "Linux filesystem" by default. Don’t forget to "Write" before "Quit"ing. Next, format it:

mkfs.ext4 /dev/sda1

Now we need to add autofs to get automatic mounting. This package is in edge/testing though, so we need to enable that branch and repository, but still have main and community take preference. This can be done by labelling a repository.

nano /etc/apk/repositories

Change the line with the testing repository to the following. Note that yours will have some server.from.setup/path depending on what you selected in setup-alpine. You only uncomment and add the @testing label in other words.

@testing http://<server.from.setup/path>/edge/testing

Now autofs can be installed from the labelled repo.

apk add autofs@testing

Note that dependencies are still pulled from main/community to the extent it is possible. In order to configure autofs, first:

nano /etc/autofs/auto.master

Add the following line after the uncommented line starting with /misc. It will also disconnect the hard disk after 5 minutes to save energy:

/- /etc/autofs/auto.hdd --timeout=300

Then create this new config file:

nano /etc/autofs/auto.hdd

Add the the following line to the empty file.

/hdd -fstype=ext4 :/dev/sda1

Now, the user pi needs to be created.

adduser pi
smbpasswd -a pi

Select passwords for the pi user. The latter one will later be stored in the macOS keychain and therefore easy to forget, so make note of it somewhere.

Add autofs to startup and start it now. Change the ownership of /hdd to pi.

rc-update add autofs default
rc-service autofs start
chown -R pi.pi /hdd

With that in place (disk can be accessed through /hdd) it is time to set up the sharing. For this we will use samba and avahi for network discovery.

apk add samba avahi dbus
nano /etc/samba/smb.cfg

Now, this is what my entire smb.cfg file looks like, with all the tweaks to get stuff running well from macOS.

[global]
create mask = 0664
directory mask = 0775
veto files = /.DS_Store/lost+found/
delete veto files = true
nt acl support = no
inherit acls = yes
ea support = yes
security = user
passdb backend = tdbsam
map to guest = Bad User
vfs objects = catia fruit streams_xattr recycle
acl_xattr:ignore system acls = yes
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
fruit:aapl = yes
fruit:metadata = stream
fruit:model = MacSamba
fruit:veto_appledouble = yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
server max protocol = SMB3
server min protocol = SMB2
workgroup = WORKGROUP
server string = NAS
server role = standalone server
dns proxy = no
[Harddisk]
comment = Raspberry Pi Removable Harddisk
path = /hdd
browseable = yes
writable = yes
spotlight = yes
valid users = pi
fruit:resource = xattr
fruit:time machine = yes
fruit:advertise_fullsync = true

Those last two lines can be removed if you are not interested in using the disk as a Time Machine backup for your Apple devices. I will likely not use it, but since this is how I configured my NAS and it was a hassle to figure out how to get it working I thought I’d leave it here for reference. Doesn’t hurt to keep it there.

Let us also configure the avahi-daemon, by creating a config file for the samba service. Avahi will announce the server using Bonjour, making them easily recognizable from macOS (where they automagically show up in the Finder).

nano /etc/avahi/services/samba.service

This new file should have the following contents:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=RackMac</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=HDD,adVF=0x82</txt-record>
</service>
</service-group>

Not that the txt-record containing adVN=HDD can be removed if you are not interested in using the disk as a Time Machine backup. Still, leaving it won’t hurt.

Finally, it’s time to add samba and avahi to the startup, and start the services.

rc-update add samba default
rc-update add avahi-daemon default
rc-service samba start
rc-service avahi-daemon start

The disk should now be visible from macOS. Remember to click “Connect as…” and enter “pi” as the username and your selected smbpasswd from earlier. Check the box “Remember this password in my keychain” for quicker access next time. Sometimes, due to a bug in Catalina, you may get “The original item cannot be found” when accessing the remote disk. If that happens, force quit Finder, and you should be good to go again. If anyone knows of any other fix to this issue, let me know!

=== Automation ===

This server will be used as a job server. Some of the jobs running will need the psql command from PostgreSQL and some others will be R jobs. Let’s install both, or whatever you need to satisfy your desire. You can skip this step for now if you are undecided about what to run or just need basic services like the built-in shell scripting.

apk add R postgresql

In order to automate these jobs, we will be using Cronicle. It depends on node.js so we need to install the prerequisites. It’s run script is fetched using curl, so that will also need to be installed.

apk add nodejs npm curl

The installation is done as follows (it is a oneliner even if it looks broken here).

curl -s https://raw.githubusercontent.com/jhuckaby/Cronicle/master/bin/install.js | node

I want to use standard ports, so I had to change the config slightly.

nano /opt/cronicle/conf/config.json

Change base_app_url from port 3012 to 80. Much further down, change http_port from 3012 to 80, and https_port from 3013 to 443. If you want mail to be sent, change smtp_hostname at the beginning of the file to the mail relay you are using. After that, an initialization script needs to be run.

/opt/cronicle/bin/control.sh setup

We need to get it running at boot time. This is, however, a service that we do not want to “kill” using a PID, so we are going to enable local scripts that start and stop the service in a controlled manner instead.

rc-update add local default
nano /etc/local.d/cronicle.start

This new file should have the following line in it:

/opt/cronicle/bin/control.sh start

Now we need to create a stop file as well:

nano /etc/local.d/cronicle.stop

This file should have the contents:

/opt/cronicle/bin/control.sh stop

In order for the local script daemon to run these, they need to be executable.

chmod +x /etc/local.d/cronicle.*

With that, let’s secure things.

=== Hardening ===

Now that most configuring is done, it’s time to harden the Pi. First we will install a firewall with some basic login protection using the builtin 'limit' in iptables. Assuming you are in the 192.168.1.0/24 range, which was set during setup-alpine, the following should be run. Only clients on the local network are allowed access to shared folders.

apk add ufw@testing
rc-update add ufw default
ufw allow 22
ufw limit 22/tcp
ufw allow 80
ufw allow 443
ufw allow from 192.168.1.0/24 to any app CIFS
ufw allow Bonjour

With the rules in place, it’s time to disallow root login via ssh, and make sure only fresh protocols are used.

nano /etc/ssh/sshd_config

Change the line that previously said yes to no, and add the other lines at the bottom of the file (borrowed from this security site):

PermitRootLogin no
PrintMotd no
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After that, enable ufw and restart sshd. Note: if something goes wrong here, you will need to plug in a monitor and keyboard again to login locally and fix things.

ufw enable
rc-service sshd restart

Now is a good time to reboot and reconnect to check that everything is working.

reboot

With root not being able to login, you will instead login as "pi". It is possible for this user to (temporarily, until exit) elevate privileges with the following command:

su

Another option is to use sudo, but I will leave it like this for now, and go ahead with setting up some jobs. That’s a story for another article though.

I hope this guide has been of help. It should be of use for anyone tinkering with Alpine on their Raspberries, and likely some parts for those running other Linux flavors on different hardware as well.

[[Category:Raspberry]]