...
Connecting the header cables to the PiSugar and RaspberryPi
Flashing the PiKVM image
Download the latest DIY PiKVM image for the HDMI-CSI bridge for the RaspberryPi Zero 2W and sha hash.
Validate the download image:
Code Block PiKVM % shasum v2-hdmi-zero2w-latest.img.xz cdb1bb899a72351a2da924ceb0675130d01e46ed v2-hdmi-zero2w-latest.img.xz PiKVM % cat v2-hdmi-zero2w-latest.img.xz.sha1 cdb1bb899a72351a2da924ceb0675130d01e46ed%
Download the latest version of the DappNode ISO for Debian, attended, and note the sha1 hash.
Download and install the Raspberry Pi imager.
Run RPi Imager:
Press NO FILTERING then CHOOSE OS and select Use custom image at bottom of the list:
After clicking on this item, select the image file for PiKVM that you downloaded earlier then click CHOOSE STORAGE:
Insert the memory card into the card reader. Choose the card reader from this list. Be careful and choose the right device:
After choosing the memory card, press the WRITE button. Confirm the operation when you are asked about it:
Mount the PiKVM memory card, and edit the file
pikvm.txt
. If you haven't enabled PiKVM yet, this file will contain a single lineFIRST_BOOT=1
.
...
Update the repo
Code Block [root@pikvm pisugar-archlinux]# rw + mount -o remount,rw / + mount -o remount,rw /boot + set +x === PiKVM is in Read-Write mode === [root@pikvm pisugar-archlinux]# sudo pacman -Syy :: Synchronizing package databases... core 239.0 KiB 79.1 KiB/s 00:03 [###################################] 100% extra 9.0 MiB 414 KiB/s 00:22 [###################################] 100% community 45.0 B 121 B/s 00:00 [###################################] 100% alarm 94.8 KiB 243 KiB/s 00:00 [###################################] 100% aur 9.3 KiB 12.1 KiB/s 00:01 [###################################] 100% pikvm 10.7 KiB 3.00 KiB/s 00:04 [###################################] 100%
Install wireguard
Code Block [root@pikvm pisugar-archlinux]# pacman -S wireguard-tools resolving dependencies... looking for conflicting packages... Packages (1) wireguard-tools-1.0.20210914-2 Total Download Size: 0.08 MiB Total Installed Size: 0.22 MiB :: Proceed with installation? [Y/n] Y :: Retrieving packages... wireguard-tools-1.0.20210914-... 80.4 KiB 45.4 KiB/s 00:02 [###################################] 100% (1/1) checking keys in keyring [###################################] 100% (1/1) checking package integrity [###################################] 100% (1/1) loading package files [###################################] 100% (1/1) checking for file conflicts [###################################] 100% (1/1) checking available disk space [###################################] 100% :: Processing package changes... (1/1) installing wireguard-tools [###################################] 100% Optional dependencies for wireguard-tools openresolv: for DNS functionality [installed] sudo: elevate privileges [installed] :: Running post-transaction hooks... (1/2) Reloading system manager configuration... (2/2) Arming ConditionNeedsUpdate...
Create private and public keys
Code Block wg genkey | tee privatekey | wg pubkey > publickey
Create the config file
Now you can configure the server, just add a new file called/etc/wireguard/wg0.conf
. Insert the following configuration lines and replace the<server-private-key>
placeholder with the previously generated private key.You need to insert a private IP address for the<server-ip-address>
that doesn't interfere with another subnet. Next, replace the<public-interface>
with your interface the server should listen on for incoming connections.Code Block vi /etc/wireguard/wg0.conf [Interface] PrivateKey=<server-private-key> Address=<server-ip-address>/<subnet> SaveConfig=Address = 10.99.0.1 #SaveConfig = true PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <public-interface>wlan0 -j MASQUERADE; PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <public-interface>wlan0 -j MASQUERADE; ListenPort = 5182051821 PrivateKey = <server-private-key> [Peer] PublicKey = <client-public-key> AllowedIPs = 10.99.0.2/32
Configure the wireguard client
Now, we need to configure the client. Create a new file called/etc/wireguard/wg0.conf
. Insert the following configuration lines and replace the<client-private-key>
placeholder with the previously generated private key.You need to insert a private IP address for the
<client-ip-address>
in the same subnet like the server's IP address. Next, replace the<server-public-key>
with the generated servers public key. And also replace<server-public-ip-address>
with the IP address where the server listens for incoming connections.Note that if you set the AllowedIPs to
0.0.0.0/0
the client will route ALL traffic through the VPN tunnel. That means, even if the client will access the public internet, this will break out on the server-side. If you don't want route all traffic through the tunnel, you need to replace this with the target IP addresses or networks. [Interface] PrivateKeyCode Block
<client-ip-address>/<subnet> SaveConfig = trueCode Block [Interface] PrivateKey = <client-private-key> ListenPort = 51821 Address =
5182010.99.0.2/32 [Peer] PublicKey = <server-public-key> AllowedIPs = 10.99.0.0/24 Endpoint = <server-public-ip-address>:
AllowedIPs51821
0.0.0.0/0PersistentKeepalive =
30
Open ports (UDP) for wireguard on your router.
Start and test
enable the wg0 interface with the following commandCode Block wg-quick up wg0 [#] ip link wg0
You can check the status of the connection with this command.
Code Block wg
Next, you need to add the client to the server configuration file. Otherwise, the tunnel will not be established. Replace the
<client-public-key>
with the clients generated public key and the<client-ip-address>
with the client's IP address on the wg0 interface.Code Block wg set wg0 peer <client-public-key> allowed-ips <client-ip-address>/32
Now you can enable the wg0 interface on the server.
Code Block wg-quick up wg0
Code Block wg
Configure auto-start
Install and configure Lets Encrypt Certificates for the PiKVM
Configuring PiSugar
Add a pisugar user to the PiKVM (Raspberry Pi):
Connect via ssh to the PiKVM device.
Add a pisugar user:
add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.99.0.1/24 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE;
You can check the status of the connection with this command.
Code Block [root@pikvm ~]#
...
wg interface: wg0 public key: K9aP9W9TW/bfdaGQA2fSFBZh6ZZy198Q=
...
Add pisugar to /etc/sudoers
Download latest
pisugar-archlinux_<version>_all.tar.gz
from https://github.com/PiSugar/pisugar-power-manager-rs/releases
Code Block |
---|
su - pisugar
tar -xvf pisugar-archlinux_<version>_all.tar.gz |
Edit the PKBUILD to support the RPi Zero 2W:
...
private key: (hidden) listening port: 51821 [root@pikvm ~]# ifcongif -a -bash: ifcongif: command not found [root@pikvm ~]# ifconfig -a lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 99 bytes 8158 (7.9 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 99 bytes 8158 (7.9 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420 inet 10.99.0.1 netmask 255.255.255.0 destination 10.99.0.1 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255 inet6 fe80::e65f:1ff:fe87:f396 prefixlen 64 scopeid 0x20<link> ether e4:5f:01:87:f3:96 txqueuelen 1000 (Ethernet) RX packets 1505204 bytes 36789964 (35.0 MiB) RX errors 0 dropped 1224409 overruns 0 frame 0 TX packets 110425 bytes 8452065 (8.0 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Configure auto-start
Code Block [root@pikvm ~]# systemctl enable --now wg-quick@wg0 Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service -> /usr/lib/systemd/system/wg-quick@.service.
Install and configure Lets Encrypt Certificates for the PiKVM
By installing and configuring a Let’s Encrypt Certificate, we can enable validated SSL connections to the PiKVM web interface. To do this, we need a valid domain name. For this, we will register the following names:
Code Block |
---|
netrabrick.(bodega).openvino.org
pikvm.(bodega).openvino.org |
Replacing (bodega) with the name of the winery…in this example Costaflores.
Currently, the registration of the DNS records for these domain entries is done manually, but eventually, the decentralized OpenVino Netrabricks will assume the DNS functions for the openvino.org domain and subdomains (and openvino.exchange).
1. Configure PST storage.
Code Block |
---|
[root@pikvm ~]# kvmd-pstrun -- true
-- INFO -- Opening PST session ...
-- INFO -- PST write is allowed: /var/lib/kvmd/pst/data
-- INFO -- Running the process ...
-- INFO -- Process finished: returncode=0 |
Enable ports 80 and 443 from the internet to PiKVM (192.168.0.86 in this example).
Request a new certificate
Code Block [root@pikvm ~]# kvmd-certbot certonly_webroot --agree-tos -n --email cert@openvino.org -d pikvm.costaflores.openvino.org -- INFO -- Opening PST session ... -- INFO -- PST write is allowed: /var/lib/kvmd/pst/data -- INFO -- Running the process ... + mkdir -p /var/lib/kvmd/pst/data/certbot/runroot + chown -R kvmd-certbot: /var/lib/kvmd/pst/data/certbot/runroot/.. -- INFO -- Process finished: returncode=0 -- INFO -- Opening PST session ... -- INFO -- PST write is allowed: /var/lib/kvmd/pst/data -- INFO -- Running the process ... Saving debug log to /var/lib/kvmd/pst/data/certbot/runroot/logs/letsencrypt.log Requesting a certificate for pikvm.costaflores.openvino.org Hook 'deploy-hook' ran with error output: + chmod 755 /var/lib/kvmd/pst/data/certbot/runroot/config/archive /var/lib/kvmd/pst/data/certbot/runroot/config/live + chmod 640 /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem Successfully received certificate. Certificate is saved at: /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem Key is saved at: /var/lib/kvmd/pst/data/certbot/runroot/config/live/pikvm.costaflores.openvino.org/privkey.pem This certificate expires on 2024-07-14. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- INFO -- Process finished: returncode=0
Deactive port mapping from the internet to PiVKM on :80 and :443
Test renewing certs
Code Block [root@pikvm ~]# kvmd-certbot renew --force-renewal Saving debug log to /tmp/kvmd-certbot/runroot/logs/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /tmp/kvmd-certbot/runroot/config/renewal/pikvm.costaflores.openvino.org.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Renewing an existing certificate for pikvm.costaflores.openvino.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations, all renewals succeeded: /tmp/kvmd-certbot/runroot/config/live/pikvm.costaflores.openvino.org/fullchain.pem (success) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- INFO -- Opening PST session ... -- INFO -- PST write is allowed: /var/lib/kvmd/pst/data -- INFO -- Running the process ... + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new + cp -a /tmp/kvmd-certbot/runroot/. /var/lib/kvmd/pst/data/certbot/runroot.new + rm /var/lib/kvmd/pst/data/certbot/runroot.new/updated + chmod 755 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive /var/lib/kvmd/pst/data/certbot/runroot.new/config/live + chmod 640 /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey1.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey2.pem /var/lib/kvmd/pst/data/certbot/runroot.new/config/archive/pikvm.costaflores.openvino.org/privkey3.pem + sed -s -i -e 's| = /tmp/kvmd-certbot/runroot/| = /var/lib/kvmd/pst/data/certbot/runroot/|g' /var/lib/kvmd/pst/data/certbot/runroot.new/config/renewal/pikvm.costaflores.openvino.org.conf + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new/logs/letsencrypt.log.1 /var/lib/kvmd/pst/data/certbot/runroot.new/config/csr /var/lib/kvmd/pst/data/certbot/runroot.new/config/keys + sync + kvmd-helper-swapfiles /var/lib/kvmd/pst/data/certbot/runroot.new /var/lib/kvmd/pst/data/certbot/runroot + rm -rf /var/lib/kvmd/pst/data/certbot/runroot.new -- INFO -- Process finished: returncode=0
Automate cert renewal
Code Block [root@pikvm ~]# systemctl enable --now kvmd-certbot.timer Created symlink /etc/systemd/system/timers.target.wants/kvmd-certbot.timer -> /usr/lib/systemd/system/kvmd-certbot.timer.
Configuring PiSugar
Add a pisugar user to the PiKVM (Raspberry Pi):
Connect via ssh to the PiKVM device.
Add a pisugar user:
Code Block |
---|
[root@pikvm ~]# rw
+ mount -o remount,rw /
+ mount -o remount,rw /boot
+ set +x
=== PiKVM is in Read-Write mode ===
useradd --system -s /usr/bin/bash pisugar
usermod -d /opt/pisugar -m pisugar
passwd pisugar |
Add pisugar to /etc/sudoers
Download latest
pisugar-archlinux_<version>_all.tar.gz
from https://github.com/PiSugar/pisugar-power-manager-rs/releases
Code Block |
---|
su - pisugar
tar -xvf pisugar-archlinux_<version>_all.tar.gz |
Edit the PKBUILD to support the RPi Zero 2W:
Code Block arch=('arm' 'armhf' 'aarch64' 'x86_64')
Attaching the lid and connecting external cables
...
Pin | Header | Function | Connection |
---|---|---|---|
1 | HD_LED | HD_PWR | Connect to RPi, pin (red) |
3 | HD_Active | Connect to RPi, pin 22 (red) | |
2 | PWR_LED | PWR LED+ | Connect to Front Panel LED |
4 | PWR LED- | ||
5 | RESET | GND | Connect to RPi, pin (red) |
7 | RST BTN | Connect to RPi, pin 27 (red) | |
6 | PW_ON | PWR BTN | Connect to Front Panel Button |
8 | GND | ||
9 | No Connect | +5V | No connect |
10 | Empty | Empty | Empty |
This is how ATX wiring between the server and Raspberry Pi are instrumented:
As described here:
With this part, you will be able to remotely turn on, turn off and restart your computer!
x4 MOSFET relays OMRON G3VM-61A1 or OMRON G3VM-61AY1.
Don't use random relay modules or random optocouplers! Some of these may not be sensitive enough for the Raspberry Pi, some others may be low-level controlled. Either use relays that are activated by a high logic level, or follow the design provided and buy an OMRON. See details here.x4 390 Ohm resistors (see here for alternatives).
2x 4.7 kOhm resistors.
x10+ dupont wires male-male.
x1 a breadboard.
various wires for the breadboard.
USB connections
The lsusb command should report the different connected USB devices:
...
Device
...
lsusb report
...
LoRA dongle (connection to Vinduino)
...
Cypress Semiconductor Corp. USB-UART LP
...
RT-SDR (connection to weather station)
...
Realtek Semiconductor Corp. RTL2838 DVB-T
...
PiKVM
...
Linux Foundation Multifunction Composite Gadget
...
PWR_LED | PWR LED+ | Connect to Front Panel LED | |
4 | PWR LED- | ||
5 | RESET | GND | Connect to RPi, pin (red) |
7 | RST BTN | Connect to RPi, pin 27 (red) | |
6 | PW_ON | PWR BTN | Connect to Front Panel Button |
8 | GND | ||
9 | No Connect | +5V | No connect |
10 | Empty | Empty | Empty |
This is how ATX wiring between the server and Raspberry Pi are instrumented:
As described here:
With this part, you will be able to remotely turn on, turn off and restart your computer!
x4 MOSFET relays OMRON G3VM-61A1 or OMRON G3VM-61AY1.
Don't use random relay modules or random optocouplers! Some of these may not be sensitive enough for the Raspberry Pi, some others may be low-level controlled. Either use relays that are activated by a high logic level, or follow the design provided and buy an OMRON. See details here.x4 390 Ohm resistors (see here for alternatives).
2x 4.7 kOhm resistors.
x10+ dupont wires male-male.
x1 a breadboard.
various wires for the breadboard.
USB connections
The lsusb command should report the different connected USB devices:
Device | lsusb report |
---|---|
LoRA dongle (connection to Vinduino) |
|
RT-SDR (connection to weather station) |
|
PiKVM |
|
Code Block |
---|
mtb@netrabrick:~$ lsusb Bus 005 Device 001: ID 1d6b:00020003 Linux Foundation 23.0 root hub |
Dappnode base instance
This section describes the steps involved for installing the Dappnode Linux base instance (bare metal install).
backup NAS
Time machine backup for MacOS devices
First we'll install samba
Code Block |
---|
sudo apt install samba |
Add a samba user
Code Block |
---|
sudo smbpasswd -a mtb
sudo usermod -g users mtb
vi /etc/samba/smb.conf |
Configure samba
Code Block |
---|
[global]
workgroup = openvino
min protocol = SMB2
# security
security = user
passdb backend = tdbsam
map to guest = Bad User
# mac Support
spotlight = yes
vfs objects = acl_xattr catia fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes
#NetShares
[volumes]
comment = Time Machine
path = /timecapsule
valid users = @users
browsable = yes
writable = yes
read only = no
create mask = 0644
directory mask = 0755 |
Adjust permissions
Code Block |
---|
chmod 777 /timecapsule
chown root:users /timecapsule/ |
Restart samba
Code Block |
---|
service smbd restart |
Connect to the samba server from MacOS finder
Go > Connect to server...
.
...
Bus 004 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget
Bus 004 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 8087:0029 Intel Corp. AX200 Bluetooth
Bus 004 Device 005: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 008: ID 04b4:0003 Cypress Semiconductor Corp. USB-UART LP
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub |
Dappnode base instance
This section describes the steps involved for installing the Dappnode Linux base instance (bare metal install).
backup NAS
Use the Netrabrick as a local backup device.
Time machine backup for MacOS devices
FOAM.space anchor node
Dappnode
...