Kategorien
Software

Nextcloud with an RPi

To complete my home network, I installed Nextcloud with an RPi.

The bigger vision is to get independent of the big companies, specifically from the US companies.

Let’s see which services I will provide with my own cloud, options are:

  • Files
  • Contacts
  • Calendar
  • Photos

It’s quite easy to use a package specifically built for the RPi called Nextcloudpi.

Nextcloud with an RPi

However, it does not run in a docker container, as the providers stopped creating an image. On the other hand, you can adjust much more on the LAMP system itself.

I just followed https://help.nextcloud.com/t/raspberry-pi-4-booting-from-usb-device-no-microsd/126320 and https://help.nextcloud.com/t/how-to-access-nextcloudpi-first-time-activation/126309 for the setup.

After that, everything was running locally already.

It became tricky with accessing the nextcloud server from outside my local network, as I had to configure the Reverse Proxy (NPM) accordingly.

The prerequisite is that you have configured a domain and routed that to the Dynamic DNS server.

At the NPM side the configuration looks like that:

Proxy Host:

  • Scheme: http
  • Cache Assets: On
  • Block Common Exploits: On
  • Websockets Support: On

SSL Certificate:

  • Force SSL: On
  • HTTP/2 Support: On
  • HSTS Enabled: On
  • HSTS Subdomains: Off

Advanced:

location / {
    proxy_pass http://yourIP_of_the_Nextcloud;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}

location ^~ /.well-known {
    return 301 $scheme://$host/index.php$uri;
}
proxy_hide_header Upgrade;

At nextcloudpi configure the following parameters:

nc-trusted-domains
nc-trusted-proxies

Very important is also to switch off the Force SSL at the Nextcloudpi configuration!

This means we are now terminating the SSL at the Reverse Proxy (NPM), as usual. The communication between the Reverse Proxy and the Nextcloud server runs via http.

Kategorien
Software

Installing RPis with MQTT in Home Assistant

To add RPis to the Home Assistant, we are installing on each RPi a Python script as a daemon that sends data via MQTT messages to the MQTT Broker installed on the Home Assistant.

Unfortunately, if your Home Assistant is also running on an RPi but based on HAOSS, you can not use that approach. Later more to that.

First, install the MQTT Integration on the Home Assistant.

Adding RPis to the Home Assistant

Just make sure that the automatic detection of MQTT devices is still enabled.

Then go to System / Add-Ons / Mosquitto Broker. Make sure it’s started while booting.

Under Configuration, add a username and a password. The YAML Code looks like this:

logins:
  - username: username
    password: password
require_certificate: false
certfile: fullchain.pem
keyfile: privkey.pem
customize:
  active: false
  folder: mosquitto

Now, let’s go to the RPi that we want to control. We need to install the script there. This includes the daemon that sends the MQTT messages to the Home Assistant.

Perform all the steps mentioned in https://github.com/ironsheep/RPi-Reporter-MQTT2HA-Daemon/blob/master/README.md

In the config.ini file, configure at least the following parameters:

hostname = 192.xx.yyy.zz
sensor_name = rpi-5
username = MQTT-UserName
password = MQTT-Password

Ironsheep did a great job. Thank you very much!

As soon as everything is set up and you see the data in your Home Assistant, you can also use the custom card that ironsheep compiled.

https://github.com/ironsheep/lovelace-rpi-monitor-card

Further options can be configured based on https://thesmarthomejourney.com/2021/11/15/monitoring-raspberry-pi-with-ha/

Also very nice are the mini graph cards, checkout https://github.com/kalkih/mini-graph-card

If you have your Home Assistant running on an RPi you can setup Monitoring via that approach https://www.youtube.com/watch?v=WcmxI06TAuI&t=1696s

Kategorien
Software

Self-hosted Bitwarden Password Manager

Another RPi application is a self-hosted Bitwarden Password Manager.

The advantages of that solution are:

  • You own your data, as it’s not in the cloud
  • Reduced risk that your passwords get stolen
  • Passwords are synced over all your devices

What you need is:

  • RPi
  • Docker installed
  • NPM Nginx Proxy Manager
  • Subdomain configured

I installed it based on the following setup guide: https://pimylifeup.com/raspberry-pi-bitwarden

Self-hosted Bitwarden Password Manager

Just make sure that you configure the container with the correct ports without the IP Address, like 

sudo docker run -d --name bitwarden \
    --restart=always \
    -v /bw-data/:/data/ \
    -p 8080:80 \
    -p 3012:3012 \
    vaultwarden/server:latest

You need a domain configured at your DNS provider with a CNAME entry like 

bitwarden.example.de

If you are using a Dynamic DNS Provider, route the traffic there.

It is also necessary to have SSL terminated, in this case, at the NPM Proxy Manager.

Configure the Proxy Host with the following parameter:

Details
IP: The IP Address of your server, e.g. 192.168.178.34
Forward Port: 8080
Block Common Exploits
Websockets Support

SSL
Force SSL
HTTP/2 Support
HSTS Enabled
HSTS Subdomains

Advanced
 location /admin {
  return 404;
  }

  location / {
    proxy_pass http://YOURIP:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  
  location /notifications/hub {
    proxy_pass http://YOURIP:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  
  location /notifications/hub/negotiate {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://YOURIP:8080;
  }

Refer also to https://vaultwarden.discourse.group/t/vaultwarden-and-nginx-proxy-manager/1307/17

Actually, we have installed vaultwarden now.

Now you should be able to set up a user and a vault.

Also consider setting up a backup solution, just take a look at

https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#examples and https://dizzytech.de/posts/backing_up_vaultwarden/

I’m using bruceforce with the following command:

docker run -d --restart=always --name vaultwarden-backup --volumes-from=bitwarden -e BACKUP_DIR=/myBackup -e TIMESTAMP=true -e DELETE_AFTER=30 -e TZ=CEST -v /bw-data/myBackup:/myBackup bruceforce/vaultwarden-backup

You should also accompany this with backing up the files on at least two different physical devices, either via rsync or FTP or rclone, best running via a cron job.

Restore

There is no automated restore process to prevent accidental data loss. So if you need to restore a backup, you need to do this manually by following the steps below (assuming your backups are located at ./backup/ and your vaultwarden data is located at /var/lib/docker/volumes/vaultwarden/_data/)

# Delete any existing sqlite3 files
rm /var/lib/docker/volumes/vaultwarden/_data/db.sqlite3*

# Extract the archive
# You may need to install xz first
tar -xJvf ./backup/data.tar.xz -C /var/lib/docker/volumes/vaultwarden/_data/
Kategorien
Software

WireGuard VPN

Wow, how easy is it to set up a WireGuard VPN with the Raspberry Pi!

I can now cover the following use cases:

  1. Access all the devices of my local network (router, RPis, drives, etc.) from abroad
  2. Access German streaming services like ARD, ZDF, … from abroad

Getting there was not so easy. First, I had the idea of using the FritzBox’s VPN. But it turned out that the FritzBox only supports IPSec, and Android bigger than V11 does not support that. So, I decided to go for another solution.

I also had an RPi4 lying around after I had upgraded my website to the RPi5.

So I installed the Raspberry PI OS (64-BIT) on the RPi4.

State-of-the-art installations are based on docker.

So, I was installing docker and docker-compose.

Everything is based on https://pimylifeup.com/wireguard-docker/
(Many thanks!)

WireGuard VPN
WireGuard

Setting up the clients was also super easy.

On the mobile, I did it with a QR scan; on the laptop, I was exporting the config.

The advantages of this docker container/image are:

  • Managing the Clients via a GUI including QR Code
  • Gateway configured for accessing the Internet via your router

Kategorien
Blog Software

Login into WordPress no longer possible

Once, the automatic Backup of my WordPress site stopped working. Then, I tried to login to WordPress, but it was no longer possible.

Then I realized that my Backup device was Google Drive, which is quite big. So this might not be the root cause of the problem.

I started with the usual searches, e.g. the problem was probably with some Plugins. But all the actions didn’t work out.

As I have set up WordPress via Docker Containers, I was testing the staging WordPress system. That worked.

So I looked at the Docker setup, purging images, volumes, stopping containers, etc. No change.

Then I found that the inodes were at 100%. That was the problem. First, I found that some versions of docker had a problem generating dangling inodes. No success.

The following commands helped me find out, where the inodes/Files were generated.

# find the 50 directories with the biggest file count
find /var/lib/docker -xdev -printf '%h\n' | sort | uniq -c | sort -rn | head -50

# get the file storage usage
df -h

# get the inode usage
df -hi

# get the number of inodes in a directory
du --inodes -d 1

Finally, we found that in the following directory were over 7 million files:

/var/lib/docker/volumes/wp_production_wordpress0/_data/cache

This folder is generated by my Caching WordPress Plugin W3 Total Cache, and it seems that this folder is never purged.

After deleting the files in this folder, everything worked well again.

Maybe I create a corn job, deleting that folder once a week.

Logrotate

As I was just busy with fixing, I also configured the logrotate via docker, as I first thought, that too many log files were generated.

The following pages helped:

https://opvizor.com/blog/prevent-docker-host-to-run-out-of-disk-space

https://docs.docker.com/engine/logging/configure

https://signoz.io/blog/docker-log-rotation

https://techkluster.com/docker/questions-docker/how-to-clear-docker-cache