File server
The Fileserver allows all clients connected to the internal Network to access documentation and multimedia files. A raspberry pi 2 powers the fileserver and is connected to at least one harddisk using a USB to SATA connector. The contents of the harddisk are encrypted so we do not have to worry what happens to the disk when it cannot be accessed anymore.
Setup
- Prepare a sd-card with the raspian base image
- Connect a raspberry to the network
- Connect the disk(s) to the raspberry using USB-SATA adapters
- Configure the gateway to give the raspberry a fixed IP and the local name 'file' based on its mac-address
When the raspberry boots, it should get the configured IP-address (192.168.1.32) in our case and is ready to be configured using ssh: ssh pi@file
. Now we setup some users. This depends on the type of fileserver you want to build. We use 'core' for members and 'workaway' for guests that are visiting for a longer time.
Install Software
Next we need to install some software. As the system should serve files to any PC in the network we install samba and for the disk encryption cryptsetup.
sudo apt-get install samba cryptsetup
For easy administration tmux dstat htop mc
is installed as well.
Then we add a user 'echo' to the system and configure a long password together with authorized keys and add the user to the sudoers file. Then we disable the 'pi' user.
Now we create a directory /data
with the desired shares and set root ownership to those directories. Add a file 'HARDISK_NOT_MOUNTED' in every share, so that users see that something is wrong when the pi rebooted.
Now we need to partition the disk (or use LVM). When LVM is used, the following commands are slightly different.
Prepare Disk
fdisk /dev/sda
Create a partition for every group of files: core, workaway, public, media and choose the size wisely as changing it afterwards is not easy.
Be aware, we use /dev/sda here, check dmesg for the actual device name, otherwise you partition and format the wrong device and you lose all your data!
/dev/sda1 100G core /dev/sda2 100G workaway /dev/sda3 200G public /dev/sda4 1.6T media
When the partitions are ready, we need to run cryptsetup luksFormat for each device and provide a passphrase. Store the passphrase in a secure location that you can access when the fileserver needs a reboot.
$ cryptsetup luksFormat /dev/sda1 WARNING! ======== This will overwrite data on /dev/sda1 irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase: Verify passphrase:
Repeat this for all partitions.
Then create a script in /data that contains a line for each partition:
/data/unlock_disk.sh
#!/bin/bash echo 'to unlock you need passwords stored on rh' echo 'run identity file to get the passphrases for cpublic, ccore, cworkaway and cmedia' echo 'the unlock will take multiple minutes' echo '---' echo 'core' cryptsetup luksOpen /dev/sda1 ccore echo 'workaway' cryptsetup luksOpen /dev/sda2 cworkaway echo 'public' cryptsetup luksOpen /dev/sda3 cpublic echo 'media' cryptsetup luksOpen /dev/sda4 cmedia
Make the script executable and run it as root. It will ask you for the passphrases and create devices in /dev/mapper
.
Now we need to format the devices with a filesystem and set options that unlock all available space on the disk.
$ mkfs.ext4 /dev/mapper/ccore $ tune2fs /dev/mapper -r0
When the devices are formatted they can be added to the fstab. The noauto is important, otherwise the pi will not boot and drop into a shell - bad thing if you do not have a keyboard and a screen attached:
/dev/mapper/cpublic /data/public ext4 defaults,noauto 0 0 /dev/mapper/ccore /data/core ext4 defaults,noauto 0 0 /dev/mapper/cworkaway /data/workaway ext4 defaults,noauto 0 0 /dev/mapper/cmedia /data/media ext4 defaults,noauto 0 0
Then create a script in /data that contains a line for each partition:
/data/mount_disk.sh
#!/bin/bash mount /dev/mapper/public mount /dev/mapper/ccore mount /dev/mapper/cworkaway mount /dev/mapper/cmedia
Run the script and see that the filesystems are mounted. Check that they are mounted and correct the ownership for the directories in /data with chmod and chown:
root@file:~# mount /dev/mapper/cmedia on /data/media type ext4 (rw,relatime,data=ordered) /dev/mapper/ccore on /data/core type ext4 (rw,relatime,data=ordered) /dev/mapper/cworkaway on /data/workaway type ext4 (rw,relatime,data=ordered) /dev/mapper/cpublic on /data/public type ext4 (rw,relatime,data=ordered) root@file:~# ls -la /data total 32 drwxrwxrwx 6 nobody nogroup 4096 Oct 3 09:01 . drwxr-xr-x 4 core core 4096 Oct 3 09:19 core drwxr-xr-x 6 nobody nogroup 4096 Oct 2 13:34 media -rwxr-x--- 1 root root 115 Oct 3 09:01 mount_disk.sh drwxrwxrwx 4 nobody nogroup 4096 Oct 3 09:25 public -rwxr-x--- 1 root root 413 Oct 3 09:01 unlock_disk.sh drwxr-xr-x 3 workaway workaway 4096 Oct 3 08:57 workaway
Samba
Now it is time to configure samba, open the file /etc/samba/smb.conf
and add the following entries:
[public] comment = Files accessible to all local and remote users path = /data/public browseable = yes writeable = yes guest ok = yes [workaway] comment = Files that are available for users that workaway path = /data/workaway browseable = yes writeable = yes valid users = workaway, core force group = workaway create mask = 0770 directory mask = 0770 [core] comment = Files that are availabel for instructed users only path = /data/core browseable = yes writeable = yes valid users = @core force group = core create mask = 0700 directory mask = 0700 [media] comment = Files that make audio or video signals, you cannot upload anything, use public share and inform core member. path = /data/media browseable = yes read only = yes guest ok = yes
you should also change the workgroup at the top of the file to 'ecohackerfarm'.
The last step is to set passwords for the users core and workaway:
smbpasswd -a core smbpasswd -a workaway
Test
Put a file test.txt
into each directory in data and ensure its ownership matches (eg /data/workaway/test should be rw for the workaway group).
Check using a client-system (eg osx) and connect to the server. Connect with no credentials (guest) and check that you cannot use the shares workaway and core, but you can see the testfile in media (but cannot change anything) and you see the file in public (and you can change it). Repeat this for the workaway and the core user.
When everything is done you should reboot the system to see that the service is comming up nicely. After the reboot the shares are available but the clients should only see the HARDDISK_NOT_MOUNTED
message. Login and execute the scripts /data/unlock_disk.sh
providing the disk-passphrases and /data/mount_disk.sh
. Now the clients should see the test.txt again.
Populate with Data
Transfer of data to the PI using wifi can be quite slow. If you plan to put a Terrabyte of learning material on it, consider plugging the disk into a real pc with SATA as you will need a 10th of the time:
WIFI: 1MB/s -> 3.6GB/h, the terrabyte will take 277h to copy SATA: 100MB/s -> 360GB/h, the terrabyte will take about 3 hours to copy
Publish
Now your visitors and workaways need to know that there is a fileserver and what to do with it. Write a enduser documentation of about half a page and put it on the wiki and print it out.
Costs
For the described installation you need a raspberry pi 2+, a USB-SATA adapter and a harddisk. The costs in 2016 were: 35EUR for the PI, 20EUR for the USB-SATA and 71EUR for the 2TB disk. The system uses about 5W of electrical energy and needs to be always on.
Fileserver
This hackerspace provides a fileserver when you connect to the echo-vpn
network. It its name is file
and it has the ip-address 192.168.1.32
. It provides media files and public storage for everyone and stores documents only accessible for workaways and the core members.
Windows
- Open Explorer
- Browse network
- find 'echohackerfarm' and 'file'
- connect to the share you want
OSX
- Open Finder
- Select Connect to Server
- Enter
smb://file
- select the share you want
Ubuntu
- Open Files
- Select Connect to Server
- Enter
smb://file
- select the share you want
As workaway, upload any files (photos, documents or similar) you want to share with other workaways or the core-team into the workaway share. Upload any file you want to share with the whole world to the public share.