Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Also, the PiSugar 3 functions as an external watchdog reset for the Raspberry Pi.

...

4G modem

If the Netrabrick lid loses communications with the internet, a 4G modem can be activated by the lid to notify about the communications failure.

...

Connecting the header cables to the PiSugar and RaspberryPi

Flashing the PiKVM image

image-20240814-175641.pngImage Added

  1. Download the latest DIY PiKVM image for the HDMI-CSI bridge for the RaspberryPi Zero 2W and sha hash.

  2. Validate the download image:

    Code Block
    PiKVM % shasum v2-hdmi-zero2w-latest.img.xz  
    cdb1bb899a72351a2da924ceb0675130d01e46ed  v2-hdmi-zero2w-latest.img.xz
    PiKVM % cat v2-hdmi-zero2w-latest.img.xz.sha1 
    cdb1bb899a72351a2da924ceb0675130d01e46ed%               
  3. Download the latest version of the DappNode ISO for Debian, attended, and note the sha1 hash.

  4. Download and install the Raspberry Pi imager.

    1. Run RPi Imager:

    2. Press NO FILTERING then CHOOSE OS and select Use custom image at bottom of the list:

    3. After clicking on this item, select the image file for PiKVM that you downloaded earlier then click CHOOSE STORAGE:

    4. Insert the memory card into the card reader. Choose the card reader from this list. Be careful and choose the right device:

    5. After choosing the memory card, press the WRITE button. Confirm the operation when you are asked about it:

  5. Mount the PiKVM memory card, and edit the filepikvm.txt. If you haven't enabled PiKVM yet, this file will contain a single line FIRST_BOOT=1.

...

  1. Unmount partition and insert the memory card on the Raspberry Pi Zero 2W. Power on the Netrabrick.

  2. Connect via ssh

    Code Block
    ssh -p 2001 root@192.168.0.86
    
    root@192.168.0.86's password: 
             _____ _  _  ____      ____  __
            |  __ (_)| |/ /\ \    / /  \/  |
            | |__) | | ' /  \ \  / /| \  / |
            |  ___/ ||  <    \ \/ / | |\/| |
            | |   | || . \    \  /  | |  | |
            |_|   |_||_|\_\    \/   |_|  |_|
    
        Welcome to PiKVM - The Open Source KVM over IP on Raspberry Pi
        ____________________________________________________________________________
    
        The root filesystem of PiKVM is mounted in the read-only mode by default.
        Use command "rw" to remount it in the RW-mode and "ro" to switch it back.
        If the filesystem is busy and doesn't switch to the RO-mode, use "reboot"
        to reboot the device, don't leave it in the RW-mode.
    
        Useful commands:
          * Preventing kernel messages in the console:  dmesg -n 1
          * Changing the Web UI password:  kvmd-htpasswd set admin
          * Changing the root password:    passwd
    
        Links:
          * Official website:  https://pikvm.org
          * Documentation:     https://docs.pikvm.org
          * Auth & 2FA:        https://docs.pikvm.org/auth
          * Networking:        https://wiki.archlinux.org/title/systemd-networkd

  3. Change the root password and web admin password

    Code Block
    [root@pikvm ~]# rw
    + mount -o remount,rw /
    + mount -o remount,rw /boot
    + set +x
    === PiKVM is in Read-Write mode ===
    [root@pikvm ~]# passwd root
    New password: 
    Retype new password: 
    passwd: password updated successfully
    [root@pikvm ~]# kvmd-htpasswd set admin
    Password: 
    Repeat: 
    
    # Note: Users logged in with this username will stay logged in.
    # To invalidate their cookies you need to restart kvmd & kvmd-nginx:
    #    systemctl restart kvmd kvmd-nginx
    # Be careful, this will break your connection to the PiKVM
    # and may affect the GPIO relays state. Also don't forget to edit
    # the files /etc/kvmd/{vncpasswd,ipmipasswd} and restart
    # the corresponding services kvmd-vnc & kvmd-ipmi if necessary.
  4. Activate 2FA authentication with your favorite authenticator app:

    Code Block
    [root@pikvm ~]# kvmd-totp init
  5. Connect via browser to the PiKVM address: 192.168.0.86. (Accept the unsecured connection, as we have not yet added a SSL certificate) using password

Attaching the lid and connecting external cables

NUC - Netrabrick NUClid cabling

...

Identifier

...

Header

...

8

...

COM Header

...

9

Install and configure Wireguard

Info

For more detailed instructions for arch linux, and wireguard install in general.

  1. Update the repo

    Code Block
    [root@pikvm pisugar-archlinux]# rw
    + mount -o remount,rw /
    + mount -o remount,rw /boot
    + set +x
    === PiKVM is in Read-Write mode ===
    [root@pikvm pisugar-archlinux]# sudo pacman -Syy
    :: Synchronizing package databases...
     core                               239.0 KiB  79.1 KiB/s 00:03 [###################################] 100%
     extra                                9.0 MiB   414 KiB/s 00:22 [###################################] 100%
     community                           45.0   B   121   B/s 00:00 [###################################] 100%
     alarm                               94.8 KiB   243 KiB/s 00:00 [###################################] 100%
     aur                                  9.3 KiB  12.1 KiB/s 00:01 [###################################] 100%
     pikvm                               10.7 KiB  3.00 KiB/s 00:04 [###################################] 100%
  2. Install wireguard

    Code Block
    [root@pikvm pisugar-archlinux]# pacman -S wireguard-tools
    resolving dependencies...
    looking for conflicting packages...
    
    Packages (1) wireguard-tools-1.0.20210914-2
    
    Total Download Size:   0.08 MiB
    Total Installed Size:  0.22 MiB
    
    :: Proceed with installation? [Y/n] Y
    :: Retrieving packages...
     wireguard-tools-1.0.20210914-...    80.4 KiB  45.4 KiB/s 00:02 [###################################] 100%
    (1/1) checking keys in keyring                                  [###################################] 100%
    (1/1) checking package integrity                                [###################################] 100%
    (1/1) loading package files                                     [###################################] 100%
    (1/1) checking for file conflicts                               [###################################] 100%
    (1/1) checking available disk space                             [###################################] 100%
    :: Processing package changes...
    (1/1) installing wireguard-tools                                [###################################] 100%
    Optional dependencies for wireguard-tools
        openresolv: for DNS functionality [installed]
        sudo: elevate privileges [installed]
    :: Running post-transaction hooks...
    (1/2) Reloading system manager configuration...
    (2/2) Arming ConditionNeedsUpdate...
    
  3. Create private and public keys

    Code Block
    wg genkey | tee privatekey | wg pubkey > publickey
  4. Create the config file
    Now you can configure the server, just add a new file called /etc/wireguard/wg0.conf. Insert the following configuration lines and replace the <server-private-key> placeholder with the previously generated private key.

  5. Code Block
    vi /etc/wireguard/wg0.conf
    
    [Interface]
    Address = 10.99.0.1
    #SaveConfig = true
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
    ListenPort = 51821
    PrivateKey = <server-private-key>
    
    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = 10.99.0.2/32
  6. Configure the wireguard client

    Now, we need to configure the client. Create a new file called /etc/wireguard/wg0.conf. Insert the following configuration lines and replace the <client-private-key> placeholder with the previously generated private key.

    Next, replace the <server-public-key> with the generated servers public key. And also replace <server-public-ip-address> with the IP address where the server listens for incoming connections.

    Code Block
    [Interface]
    PrivateKey = <client-private-key>
    ListenPort = 51821
    Address = 10.99.0.2/32
    
    [Peer]
    PublicKey = <server-public-key>
    AllowedIPs = 10.99.0.0/24
    Endpoint = <server-public-ip-address>:51821
    PersistentKeepalive = 30

  7. Open ports (UDP) for wireguard on your router.

  8. Start and test
    enable the wg0 interface with the following command

  9. Code Block
    wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.99.0.1/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE;

    You can check the status of the connection with this command.

    Code Block
    [root@pikvm ~]# wg
    interface: wg0
      public key: K9aP9W9TW/bfdaGQA2fSFBZh6ZZy198Q=
      private key: (hidden)
      listening port: 51821
    [root@pikvm ~]# ifcongif -a 
    -bash: ifcongif: command not found
    [root@pikvm ~]# ifconfig -a
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 99  bytes 8158 (7.9 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 99  bytes 8158 (7.9 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
            inet 10.99.0.1  netmask 255.255.255.0  destination 10.99.0.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::e65f:1ff:fe87:f396  prefixlen 64  scopeid 0x20<link>
            ether e4:5f:01:87:f3:96  txqueuelen 1000  (Ethernet)
            RX packets 1505204  bytes 36789964 (35.0 MiB)
            RX errors 0  dropped 1224409  overruns 0  frame 0
            TX packets 110425  bytes 8452065 (8.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  10. Configure auto-start

  11. Code Block
    [root@pikvm ~]# systemctl enable --now wg-quick@wg0
    Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service -> /usr/lib/systemd/system/wg-quick@.service.

Install and configure Lets Encrypt Certificates for the PiKVM

By installing and configuring a Let’s Encrypt Certificate, we can enable validated SSL connections to the PiKVM web interface. To do this, we need a valid domain name. For this, we will register the following names:

Code Block
netrabrick.(bodega).openvino.org
pikvm.(bodega).openvino.org

Replacing (bodega) with the name of the winery…in this example Costaflores.

Currently, the registration of the DNS records for these domain entries is done manually, but eventually, the decentralized OpenVino Netrabricks will assume the DNS functions for the openvino.org domain and subdomains (and openvino.exchange).

1. Configure PST storage.

Code Block
[root@pikvm ~]# kvmd-pstrun -- true
--    INFO -- Opening PST session ...
--    INFO -- PST write is allowed: /var/lib/kvmd/pst/data
--    INFO -- Running the process ...
--    INFO -- Process finished: returncode=0
  1. Enable ports 80 and 443 from the internet to PiKVM (192.168.0.86 in this example).

  2. Request a new certificate

    Code Block
    [root@pikvm ~]# kvmd-certbot certonly_webroot --agree-tos -n --email cert@openvino.org -d pikvm.costaflores.openvino.org
    --    INFO -- Opening PST session ...
    --    INFO -- PST write is allowed: /var/lib/kvmd/pst/data
    --    INFO -- Running the process ...
    + mkdir -p /var/lib/kvmd/pst/data/certbot/runroot
    + chown -R kvmd-certbot: /var/lib/kvmd/pst/data/certbot/runroot/..
    --    INFO -- Process finished: returncode=0
    --    INFO -- Opening PST session ...
    --    INFO -- PST write is allowed: /var/lib/kvmd/pst/data
    --    INFO -- Running the process ...
    Saving debug log to /var/lib/kvmd/pst/data/certbot/runroot/logs/letsencrypt.log
    Requesting a certificate for pikvm.costaflores.openvino.org
    Hook 'deploy-hook' ran with error output:
     + chmod 755 /var/lib/kvmd/pst/data/certbot/runroot/config/archive /var/lib/kvmd/pst/data/certbot/runroot/config/live
     + chmod 640 /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem
    
    Successfully received certificate.
    Certificate is saved at: /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem
    Key is saved at:         /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem
    This certificate expires on 2024-07-14.
    These files will be updated when the certificate renews.
    
    NEXT STEPS:
    - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     * Donating to EFF:                    https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    --    INFO -- Process finished: returncode=0
    
  3. Deactive port mapping from the internet to PiVKM on :80 and :443

  4. Test renewing certs

    Code Block
    [root@pikvm ~]# kvmd-certbot renew --force-renewal
    Saving debug log to /tmp/kvmd-certbot/runroot/logs/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing
    /tmp/kvmd-certbot/runroot/config/renewal/pikvm.costaflores.openvino.org.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Renewing an existing certificate for pikvm.costaflores.openvino.org
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all renewals succeeded: 
      /tmp/kvmd-certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    --    INFO -- Opening PST session ...
    --    INFO -- PST write is allowed: /var/lib/kvmd/pst/data
    --    INFO -- Running the process ...
    + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new
    + cp -a /tmp/kvmd-certbot/runroot/. /var/lib/kvmd/pst/data/certbot/runroot.new
    + rm /var/lib/kvmd/pst/data/certbot/runroot.new/updated
    + chmod 755 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive /var/lib/kvmd/pst/data/certbot/runroot.new/config/live
    + chmod 640 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey1.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey2.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey3.pem
    + sed -s -i -e 's| = /tmp/kvmd-certbot/runroot/| = /var/lib/kvmd/pst/data/certbot/runroot/|g' /var/lib/kvmd/pst/data/certbot/runroot.new/config/renewal/pikvm.costaflores.openvino.org.conf
    + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new/logs/letsencrypt.log.1 /var/lib/kvmd/pst/data/certbot/runroot.new/config/csr /var/lib/kvmd/pst/data/certbot/runroot.new/config/keys
    + sync
    + kvmd-helper-swapfiles /var/lib/kvmd/pst/data/certbot/runroot.new /var/lib/kvmd/pst/data/certbot/runroot
    + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new
    --    INFO -- Process finished: returncode=0
    
  5. Automate cert renewal

    Code Block
    [root@pikvm ~]# systemctl enable --now kvmd-certbot.timer
    Created symlink /etc/systemd/system/timers.target.wants/kvmd-certbot.timer -> /usr/lib/systemd/system/kvmd-certbot.timer.

Configuring PiSugar

Add a pisugar user to the PiKVM (Raspberry Pi):

  1. Connect via ssh to the PiKVM device.

  2. Add a pisugar user:

Code Block
[root@pikvm ~]# rw         
+ mount -o remount,rw /
+ mount -o remount,rw /boot
+ set +x
=== PiKVM is in Read-Write mode ===

useradd --system -s /usr/bin/bash pisugar
usermod -d /opt/pisugar -m pisugar
passwd pisugar
  1. Add pisugar to /etc/sudoers

  2. Download latest pisugar-archlinux_<version>_all.tar.gz from https://github.com/PiSugar/pisugar-power-manager-rs/releases

Code Block
su - pisugar
tar -xvf pisugar-archlinux_<version>_all.tar.gz
  1. Edit the PKBUILD to support the RPi Zero 2W:

    Code Block
    arch=('arm' 'armhf' 'aarch64' 'x86_64')

Attaching the lid and connecting external cables

NUC - Netrabrick NUClid cabling

...

Identifier

Header

8

COM Header

9

USB2 Header

10

Front Panel Header

...

Pin

USB Signal

Connection

1

VCC

Pin 8 (5v in) on SugarPi3

2

VCC

Current connector to power fan?

3

USB0-

MicroUSB cable USB- (green)

4

USB1-

Empty

5

USB0+

MicroUSB cable USB+ (white)

6

USB1+

Empty

7

GND

Pin 1 on SugarPi 3 (next to Pin 8) AND USB ground (black)

8

GND

Current ground connector to fan?

9

No Connect

Empty

10

Empty

EmptyEmpty

Info

Check dmesg and lsusb on both the Netrabrick and the Raspberry Pi to see if the USB connection is working.

From lsusb on the Netrabrick you should see something similar to:

Bus 004 Device 005: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget

NUC Front Panel header

Connecting the NUC Front Panel header to the Raspberry Pi is necessary if want ATX power control from PiKVM.

...

  • x4 MOSFET relays OMRON G3VM-61A1 or OMRON G3VM-61AY1.
    Don't use random relay modules or random optocouplers! Some of these may not be sensitive enough for the Raspberry Pi, some others may be low-level controlled. Either use relays that are activated by a high logic level, or follow the design provided and buy an OMRON. See details here.

  • x4 390 Ohm resistors (see here for alternatives).

  • 2x 4.7 kOhm resistors.

  • x10+ dupont wires male-male.

  • x1 a breadboard.

  • various wires for the breadboard.

Dappnode base instance

This section describes the steps involved for installing the Dappnode Linux base instance (bare metal install).

backup NAS

Time machine backup for MacOS devices

First we'll install samba

Code Block
sudo apt install samba

Add a samba user

Code Block
sudo smbpasswd -a mtb
sudo usermod -g users mtb
vi /etc/samba/smb.conf

Configure samba

Code Block
[global]
workgroup = openvino
min protocol = SMB2

# security
security = user
passdb backend = tdbsam
map to guest = Bad User

# mac Support
spotlight = yes
vfs objects = acl_xattr catia fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes

#NetShares 

[volumes]
comment = Time Machine
path = /timecapsule
valid users = @users
browsable = yes
writable = yes
read only = no
create mask = 0644
directory mask = 0755

Adjust permissions

Code Block
 chmod 777 /timecapsule
 chown root:users /timecapsule/

Restart samba

Code Block
service smbd restart

Connect to the samba server from MacOS finder

Go > Connect to server....

...

USB connections

The lsusb command should report the different connected USB devices:

Device

lsusb report

LoRA dongle (connection to Vinduino)

Cypress Semiconductor Corp. USB-UART LP

RT-SDR (connection to weather station)

Realtek Semiconductor Corp. RTL2838 DVB-T

PiKVM

Linux Foundation Multifunction Composite Gadget

Code Block
mtb@netrabrick:~$ lsusb
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget
Bus 004 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 8087:0029 Intel Corp. AX200 Bluetooth
Bus 004 Device 005: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 008: ID 04b4:0003 Cypress Semiconductor Corp. USB-UART LP
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Dappnode base instance

This section describes the steps involved for installing the Dappnode Linux base instance (bare metal install).

backup NAS

Use the Netrabrick as a local backup device.

Time machine backup for MacOS devices

FOAM.space anchor node

Dappnode

...