Hux Blog

Protecting the Server

2026-02-16T07:13:00+01:00

The server we are setting up needs to be protected. My goal is to open as little as ports as possible. Specially, I would prefer that most services use http i.e. port 80 and to be secure https (port 443).

To achieve this goal, we need a certificate proving that our server is what it prenteds to be. This make be a big mess with certifying authorities but fortunately, there letsencrypt that provides 3-month long certificates but there are bots to renew them.

Requirement

Doing this require (1) a domain name, celled thereafter $DOMAIN and (2) to open port 80 of your box. With FreeBox, we need to pass in full-stack mode (from the customer configuration page).

The configuration of the port retargetting:

Destination IP: 192.$SERVER
Source IP: all
Protocol: TCP
Port range: 80-80
Port destination: 80

Setting up the certificate

First, we install the bot:

sudo apt install certbot python3-certbot-apache

And we can run it:

$ sudo certbot --apache -d $DOMAIN

It will install itself in the Apache 2 configuration files

Redirecting port 443

In orerto access your web pages at address: http://$DOMAIN, you have to redirect port 443 in your preferred box:

Destination IP: 192.$SERVER
Source IP: all
Protocol: TCP
Port range: 443-443
Port destination: 443

Final Words

It is important that all this software is free (from freedom) but not free (for price). Peoples are implementing it and maintaining convenient websites as letsencrypt. From time to time, it could helpfull to donate to organization supporting them. In this case,

RaspberryPi storage

2026-02-12T21:59:00+01:00

My Raspberry Pi 2 uses its SD-Card as main storage for the OS and the user data, usually called home directory. This won't be enough for the data I want to put (service web sites, PIM, saving, photos, movies, etc).

So I need another storage and I buy an external disk (everal Gb or less Tb) and connect to my Raspberry Pi with very cheap hard disk connector and USB-A connection to the Raspberry Pi. The total is not very expensive and will make my data independent from the OS. If I need to change it, just disconnect, install a new OS and reconnect it.

First, I need to format it in order to using it as a classic hard disk. With my USB adapter, I can just connect to my lap/desktop and use a GUI tool to do it like gparted.

Select the disk in list.
Create a partition table.
Create a partition formatted as ext4 to benefit all Linux capacities (ownership, access right, robustness, etc).
Something important, assign a label to retrieve easily in our EHome server.
Run the application (it will take a few minutes).
Unmount the USB disk and connect to our EHome server.

In my case, I create two partitions: * label SERV to put my server data, * label SAVE to use this partition as backup.

Now we have to mount the disk. The different disk partitions corresponds to device /dev/sda1, /dev/sda2, ...

Create a directory of name $PART for mounting a partition.

$ sudo mkdir /$PART

Add an entry (as root) to the fstab

$ sudo echo "LABEL=$PART /$PART ext4 defaults 0 2" >> /etc/fstab

Mount the partition.

$ sudo mount /$PART

Now, the partition can visited and changed as any other partition.

$ cd /$PART
$ ls

It is also ready to get home directories of users, server data, etc.

LDAP Server

2022-12-19T11:33:00+01:00

After a long break, I come back to my home server with, finally,a working version of LDAP, tadam! It is so much complex, such a mess but I finally get a working version of my LDAP and I will explain now how.

All along the presentation below, I will use the following variables:

$PASSWD -- LDAP administrator password,
$DOMAIN -- LDAP domain (dot-separated words)
$DC_DOMAIN -- LDAP domain as a comma-separated list with dc= components.

For example, if the domain is server.domain.fr, the DC form is dc=server,dc=domain,dc=fr.

Just to recall, LDAP is a server providing user information and authentification where you can record the member of the family and use it with different servers.

Installing the server

First, we have to install the LDAP server, slapd:

sudo apt install slapd ldap-utils

Then, I we have to configure the server with:

sudo dpkg-reconfigure slapd

Where you have to type the domain, the administrator password. For organizition, I also use the domain name.

Then, we have to set up LDAP the database structure and populate it with groups and user. This is very painful and was not able to find a completely satisfying solution.

Consequently, I installed my own tool based on Python and ldap3 library. This tools if freely available in EHome.

Installing and using ehome-user.py

Install the following dependencies:

$ sudo apt install python3-ldap3 git

git here is required to fetch ehome sources as below:

$ https://framagit.org/casse/ehome.git

And to use the command, a good idea is to put it on the path:

$ export PATH=$PATH:$PWD/ehome/command

Now, we are able to set up the LDAP database structure:

$ ehome-user.py --init

It will ask for the LDAP domain (dot-separated) and for administator password. After that, the administator password will not be asked anymore. [sssd] services = nss, pam config_file_version = 2 domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://localhost
ldap_search_base = $DOMAIN

ldap_default_bind_dn = cn=admin,$DOMAIN
ldap_default_authtok = $LDAP_PASSWORD

cache_credentials = true
enumerate = false

ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

The configuration of ehome-user.py is stored in $HOME/.config/ehome/ldap.ini. Just edit it with your preferred editor.

Then you can declare your groups with:

$ ehome-user.py --add-group

And user with:

$ ehome-user.py --add-user

During this operation, ehome-user.py has to create directories for users so that your password will be asked.

A user has to belong to a group so a group has to be created before users. ehome-user.py provides a bunch of functions to manage the LDAP server. to get the list of these options, just type:

$ ehome-user.py -h

Connecting LDAP with Linux authentification

Here starts the tricky part. Maybe, one day, I will group all this in a command...

The most modern way to do this is to use sssd, so we install it:

$ sudo apt install sssd libpam-sss libnss-sss ldap-utils

In order to authenticate with LDAP, a secure communication based has to be set up and first a key has to be generated:

$ sudo openssl req -new -x509 -nodes -days 365 -out /etc/ssl/certs/ldap.crt -keyout /etc/ssl/private/ldap.key
$ sudo chown openldap:openldap /etc/ssl/private/ldap.key
$ sudo chmod 600 /etc/ssl/private/ldap.key

The two last lines ensures that slapd can access theis key but this it not enough as the directory /etc/ssl/private can only be accessed by members of group ssl-cert. So we have to add LDAP server user, openldap, to this group:

$ sudo usermod -aG ssl-cert openldap

This seems to be a defect of Ubuntu but in the meantime it will be fixed, we have to do it.

Now, we have to configure LDAP for secured connection. We have to create file tls.ldif with the content below:

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap.crt

Finally, we restart slapd.

$ sudo systemctl restart slapd

Now, we have to configure by creating the file sssd.conf and typing inside:

[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://localhost
ldap_search_base = $DC_DOMAIN

ldap_default_bind_dn = cn=admin,$DC_DOMAIN
ldap_default_authtok = $PASSWORD

cache_credentials = true
enumerate = false

ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

Beware: Of the use of $DC_DOMAIN and $PASSWORD defined at the head of the document.

Then we copy this file at right place and make it secure as it contains the **LDAP administrator password:

$ sudo cp sssd.conf /etc/sssd
$ sudo chmod 600 /etc/sssd/sssd.conf

And we restart sssd:

$ sudo systemctl enable sssd
$ sudo systemctl restart sssd

Modify finally nsswitch.conf and change it to look like:

passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss```

Then, we can log with an LDAP user:

$ su - $USER

Final Notes

I finally give up with ldapcherry as it does not fullfil my needs and specially with the creation of the Posix user home directories. But maybe, it was not its goal.

References

LDAP

Non-PHP LDAP Managers:

LdapCherry (Python)

PAM (Linux authentification) * PAM

Lists

2022-12-19T08:44:00+01:00

This page is not really a page blog but provides miscellenaous lists that are useful to set up EHome.

The list of configuration files:

/etc/radicale/config -- PIM server
/etc/systemd/system/radicale.service -- PIM server

The list of data directories and files:

/var/lib/radicale/collections -- PIM server
/var/www/html -- web server

The list of installed packages:

apache2 (apt)
pi (apt)
python3 (apt)

The login of created user/group for the servers:

radicale (PIM server)

Installing my PIM Server

2022-12-18T19:29:00+01:00

Package installation

Radicale is a free Python-based PIM server. We need first to have Python 3.5 (at least) and PIP installed:

$ sudo apt install python3
$ sudo apt install pi

Then we can install Radicale:

$ pip install --upgrade radicale

Server side

We will install Radicale as a service. So we need first to create a dedicated user:

sudo useradd --system --user-group --home-dir / --shell /sbin/nologin radicale

Then create the data directory and fix the rights accordingly and protect the content from illegal access:

sudo mkdir -p /var/lib/radicale/collections
sudo chown -R radicale:radicale /var/lib/radicale/collections
sudo chmod -R o= /var/lib/radicale/collections

Then we have to create the user database:

$ sudo htpasswd -c /etc/radicale/passwd ehome
New password:
Re-type password:

Notice that this authentification way (based on local password file) will not be definitive: I aim really to have a central authentification system for Ehome, basically LDAP.

Now, we can fist configure the service. Create the file /etc/radicale/config:

[server]
hosts = 0.0.0.0:5232, [::]:5232

[auth]
type = htpasswd
htpasswd_filename = /etc/radicale/passwd
htpasswd_encryption = md5

[storage]
filesystem_folder = /var/lib/radicale/collections

And then record the service to systemd Create the file /etc/systemd/system/radicale.service:

[Unit]
Description=A simple CalDAV (calendar) and CardDAV (contact) server
After=network.target
Requires=network.target

[Service]
ExecStart=/usr/bin/env python3 -m radicale
Restart=on-failure
User=radicale
# Deny other users access to the calendar data
UMask=0027
# Optional security settings
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
ReadWritePaths=/var/lib/radicale/collections

[Install]
WantedBy=multi-user.target

It is now time to start the service:

$ sudo  systemctl enable radicale
$ sudo systemctl start radicale
$ sudo systemctl status radicale

Client side

You have first to create calendars and address books on the Radicale rough interface:

$ xdg-open http://ehome:5232

Notice that you have to add a port redirection on your Internet box in order to access Radicale outside your local server. As I do not enabled full-stack on my FreeBox server, I redirected the port 5232 to 50001.

Then you can choose your preferred calendar/address book browser (Gnome Evolution for me) and to open the corresponding calendar/address book.

Switch to Calendar view:

Select New Calendar.
Select CalDAVfor type.
Enter http://EHOME.freeboxos.fr:50001 in URL.
Enter your user name in User.
Select your calendar from the list of available calendars by clicking on Lookup calendars.
Finally click on Validate.

Switch to Address book view:

Select New address book.
Select CardDAVfor type.
Enter http://EHOME.freeboxos.fr:50001 in URL.
Enter your user name in User.
Select your calendar from the list of available calendars by clicking on Lookup address books.
Finally click on Validate.

Finally, I tried with my Android client. I used OpenSync application. It worked very fine: the only trap is that you have to provide calendar/contact access by hand. In my Android version (pretty old), I had to long click on the OpenSyncicon to open and menu and select Authorization Granting.

The configuration is pretty simple. It asks for:

URL: http://EHOME.freeboxos.fr:50001,
user name,
password.

And now calendars and contacts are available on standard Android applications.

Radicale seems to provide to me all I was looking for but it remains a shortcoming: how to share calendars between users? As far as I understand, Radicale, this is supported neither by plugin, nor by the application itself. This might require some development on my side.

Opening Ehome to the World

2022-12-18T18:31:00+01:00

Ok now it is time to open my EHome to the world: mainly to make a bridge between my Internet box (a FreeBox Revolution) and the internet. We have to:

Install an HTTPD server on EHome.
Redirect port from the Freebox to the port 80 of EHome.
Publish some content.

Installing Apache2

Very straigh-forward, we will use the default configuration that is perfect (optimization later):

$ ssh ehome
$ apt install apache2

That's it. Disconnecting, we can check wether the HTTPD server is answering:

$ xdg-open http://ehome

And we should get the default Apache2 connection page:

It works!

Redirecting the ports

I suppose that today, all internet boxes supports port direction. With the Freebox, it remains an issue : while we do not configure the account as Full stack, we can only redirect ports above 49531. In the mean time, I will redirect port 50 000 to port 80 (HTTP) of Ehome.

The final redirection configuration is:

Destination IP: 192.168.1.3 (EHome)
Source IP: all
Protocol: TCP
Port range: 50000-50000
Port destination: 80

For the host name, I guess it depends on the Internet provided option. With Free, we can have domain name as EHOME.freeboxos.fr. So I can connect now to my HTTP server with:

$ xdg-open http://EHOME.freeboxos.fr:50000

And I should get the same default Apache2 page.

Publish my Blog

I wrote this text with Pelican. So, once the pages generated and ready for deployment:

$ pelican content -s publishconf.py

It remains to send files to EHome web server:

$ rsync -avc --delete output/ ehome:/var/www/html/

And I can try my first extern publication of this blog:

$ xdg-open http://EHOME.freeboxos.fr:50000

And all works fine.

My next step. Try to run (Radicale)[https://radicale.org/v3.html] the server of Calendars and Contacts.

Publishing a website out of /var/www

You can store different website served by the same Apach2 server and at different position than /var/www. This is specially convenient as, with Raspberry Pi, the size of root directory / is limited. On my installation, most of my data is stored on an external disk /serve/www.

If the site is stored in /serve/www/$MYSITE, then you provide access throught URL http://localhost/$MYSITE bny adding to /etc/apache2/sites-enabled/000-default.confthe lines:

    Alias /$MYSITE /serve/www/$MYSITE
    <Directory /serve/www/$MYSITE>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

Just before the line </VirtualHost>.

References

Information about Full-stack Free Box

Restarting my Raspberry Pi

2022-10-05T22:05:00+02:00

This is the second version of this article after a long break ( Life is not a long quiet river ).

Ok, first I to give life back to my old Raspberry Pi 3B+.

I will use an image for Ubuntu Server 64-bit. Why? For a lot of reasons:

Debian packaging and distribution is very robust.
More packages are often available on Ubuntu.
I'm used with Ubuntu-like distribution.

I think one could get mostly the same result with other main stream distributions.

All installation details can be found here. But it does not start well, I do not have rpi-imageron my old Linux Mint. I get it from Raspberry Pi website.

Then I can install

$ rpi-imager

And configure according to the downloaded image. Before writing to the SD-Card, click on the gear, specially to configure default login (named thereafter LOGIN), password and activation of ssh server (I do not want to use a screen with my RPi, only a pure server). It will take about 10 minutes.

First boot:

I connect my RPi to one of my switch on my Free LAN,
I power it up.
LEDs blinks and the RPi boots.
From my browser, I move to my network monitoring page provided by Free's router and find a new device named ubuntu and retrieve its IP address, ADDR thereafter.
I ping it: seems to be alive.
I try my first connection and all works well.
I use Free's monitor page to assign the right name, ehome, and a fix the IP ADDR to my server, 192.168.1.3 for example. Select this address depening your home router configuration. In the following, I will call it ADDR.

IP address 192.168.1.2 is already used by my pretty old Banana Pi server used as a printer and file server. Why not using it? Its OS is very old and I'm not sure that Banana Pi is still actively developed.

Hint: as we will use several fixed information like LOGIN, ADDR, etc. a good practice to gather this information in a note file (a) to not forget them and (b) to quicly retrieve them.

Next step, put a public key in .ssh to avoid retyping the password:

scp id_rsa.pub LOGIN@ADDR
Then I connect: ssh LOGIN@ADDR
Type the password.
And copy the public at the right place: cat id_rsa.pub >> .ssh/authorized_keys.
Disconnect.
Reconnect with ssh LOGIN@ADDR and no password is asked.

Finally, I upgrade my packages with the last version:

sudo apt upgrade

And, after lots of minutes, my server is ready to run. I take advantage of this time to add an entry to my /ets/hosts file for an easier access to my server:

ADDR ehome

Birth of a Project

2022-10-03T20:29:00+02:00

It's decided, I'm fed up with Google and equivalent commercial of emails and other PIMs (Personnal Info Managers). I need to share calendars, contacts, etc with my family and Google solution seemed to be promising. In fact, it perfectly worked for several years but, since one year, I encounter some problems with my local clients.

Since the support of Thunderbird is discontinued, I cannot use Lightning anymore. So I migrate to Evolution (I'm currently using Linux Mint distribution with Gnome desktop). A great piece of software I used long time ago and that I give up as it was not following evolution (specially to use Google solution). All seems to work nicely until July. Then I switched to a more up-to-date version of Evolution using Flatpak and it worked like a charm. But today again, connections to Google fail unexpectedly and I have no other solution than using the web interface to access my emails, my agenda and my contacts and I feel I reached the breakpoint: I definitively need a more sustainable solution my personnal information.

I was not very confortable with Google's solution but a good point was it was working. Now, I want a long-term and open source solution and this blog aims to present my action to set up an open source to this problem, perhaps to help other user to get their freedom with their personnal information data. Not sure this process will be successful but I will try my best.

First, I want my solution to be hosted at home (to have complete control on my personnal data):

first, I have a Raspberry Pi to use as a lower power server,
the Linux distribution will be one Debian or derived,
a fixed IP ensured by my internet provided (Free in France).

I have to explorer the different alternative:

for email server,
for PIM server,
for authentification (presumably LDAP).

And for this blog, I will use Pelican because I like (1) static website generator, (2) text tools and (3) Python that runs almost everywhere.