This section explains why we need decentralized computing devices and the problems the Netrabrick resolves.

1980: Do we value design?

image-20240404-135615.png

2000: Do we value open-source?

image-20240404-140735.png

2020: Do we value decentralization?

image-20240404-140813.png

Phase I: The atomization:

image-20240404-140919.png

Phase II: Centralization

image-20240404-141142.png

Phase III: Decentralization

image-20240404-141235.png

This section describes the installation and configuration of the Netrabrick™.

A Netrabrick is a combination of the following technologies:

  • Small form-factor PC (NUC)

  • Out-of-band Management

  • Ubuntu base instance

  • IoT data collector

  • backup NAS

  • DappNode

  • VPN

  • home automation data

  • Other web3 services

Small form-factor PC (NUC)

This is the initial NUC configuration: https://simplynuc.com/product/cbm1r5rb/

It may be overblown for the Netrabrick requirements:

Internally, the NUC has two USB 2.0 Headers and one serial header.

For audio:

  • Up to 7.1 surround via HDMI

  • Front audio: mic in / line out

IMG_0214 2.jpegIMG_0213 2.jpeg

This document contains the technical specifications, including header diagrams for internal USB, serial, and reset jumpers.

Out-of-band management

The Netrabrick runs critical services, so ensuring uptime is paramount. To enable remote monitoring of and access to the Netrabrick, an additional NUC lid (the Netrabrick lid) was designed to provide out-of-band management services.

Essentially, if the Netrabrick crashes and nobody is physically near the device to reboot or repair it, this out-of-band management facility allows us to access the Netrabrick remotely, power it off and on, and reinstall or reconfigure it as if we were sitting at the keyboard in front of it.

This is accomplished by a combination of various technologies:

Raspberry Pi Zero 2W

A Raspberry Pi Zero 2W is hardwired to the Netrabrick device.

HDMI Adapter

Geekworm Raspberry Pi HDMI to CS1-2 C229 Adapter board.

PiKVM

PiKVM is the software that is installed on the Raspberry Pi.

PiSugar

The PiSugar 3 provides uninterruptible power (UPS) to the Netrabrick lid components. This way, even if the Netrabrick server loses power or needs to be rebooted, the Netrabrick lid will remain online long enough to send a power-outage notification.

Also, the PiSugar 3 functions as an external watchdog reset for the Raspberry Pi.

4G modem

If the Netrabrick lid loses communications with the internet, a 4G modem can be activated by the lid to notify about the communications failure.

Setup Steps

  1. 3D print the Netrabrick lid cover.

  2. Attach the lid components.

  3. Connect the header cables to the PiSugar and Raspberry Pi.

  4. Flash the PiKVM image for the Raspberry Pi Zero 2W onto the SD card.

  5. Install the SD card in the Raspberry Pi

  6. Attach the lid, and connect the HDMI - CS1 adapter cable

Printing the Netrabrick lid cover

Attaching the Netrabrick lid components

Open the Netrabrick by removing the four bottom screws:

IMG_4052-20240406-163655.jpeg

Be careful to not disconnect or break the SATA drive cable connection:

0AD2D467-FD4C-4AA8-B5FA-809715479C41-20240406-164331.jpeg

Connecting the header cables to the PiSugar and Raspberry Pi

Flashing the PiKVM image

  1. Download the latest DIY PiKVM image for the HDMI-CSI bridge for the Raspberry Pi Zero 2W, together with its SHA-1 hash file.

  2. Validate the downloaded image:

    PiKVM % shasum v2-hdmi-zero2w-latest.img.xz  
    cdb1bb899a72351a2da924ceb0675130d01e46ed  v2-hdmi-zero2w-latest.img.xz
    PiKVM % cat v2-hdmi-zero2w-latest.img.xz.sha1 
    cdb1bb899a72351a2da924ceb0675130d01e46ed%               
  3. Download the latest version of the DappNode ISO for Debian, attended, and note the sha1 hash.

  4. Download and install the Raspberry Pi imager.

    1. Run RPi Imager:

    2. Press NO FILTERING then CHOOSE OS and select Use custom image at bottom of the list:

    3. After clicking on this item, select the image file for PiKVM that you downloaded earlier then click CHOOSE STORAGE:

    4. Insert the memory card into the card reader. Choose the card reader from this list. Be careful and choose the right device:

    5. After choosing the memory card, press the WRITE button. Confirm the operation when you are asked about it:

  5. Mount the PiKVM memory card, and edit the file pikvm.txt. If you haven't enabled PiKVM yet, this file will contain a single line FIRST_BOOT=1.

WIFI_ESSID='mynet'
WIFI_PASSWD='p@s$$w0rd'
WIFI_ADDR=192.168.0.86/24
WIFI_DNS=8.8.8.8
WIFI_GW=192.168.0.1
SSH_PORT=2001

Note that backslash in the password should be escaped: \ should be written as \\.

If there was a string FIRST_BOOT=1 in the file, do not remove it. This is the trigger needed to initialize the OS at the first boot. On the contrary, if the file pikvm.txt does not exist, you should not add this line.
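
The manual comparison in the "Validate the downloaded image" step can be scripted so that a mismatch stops the procedure before anything is flashed. This is an added example, not part of the original page or the PiKVM project; the function names `sha1_of` and `verify_sha1` are assumptions, and it accepts the bare-digest sidecar format shown in the session above.

```shell
#!/bin/sh
# Added example: fail-closed check of a download against its .sha1 sidecar.

# Print the SHA-1 of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE [SIDECAR]
# Returns 0 only when the sidecar holds a well-formed 40-hex digest that
# matches FILE, 1 on a mismatch, 2 when an input is missing or malformed.
# The sidecar may be a bare digest without a trailing newline or
# "digest  filename".
verify_sha1() {
    file=$1
    sidecar=${2:-$1.sha1}
    [ -r "$file" ] && [ -r "$sidecar" ] || {
        echo "missing $file or $sidecar" >&2
        return 2
    }

    # First field of the first line, lower-cased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sidecar")
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest in $sidecar" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 40 ] || {
        echo "malformed digest in $sidecar" >&2
        return 2
    }

    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# Usage: verify_sha1 v2-hdmi-zero2w-latest.img.xz || exit 1
```

A digest fetched from the same server as the image only catches corrupted or truncated downloads; it does not authenticate the publisher.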

  1. Unmount the partition and insert the memory card into the Raspberry Pi Zero 2W. Power on the Netrabrick.

  2. Connect via ssh

    ssh -p 2001 root@192.168.0.86
    
    root@192.168.0.86's password: 
             _____ _  _  ____      ____  __
            |  __ (_)| |/ /\ \    / /  \/  |
            | |__) | | ' /  \ \  / /| \  / |
            |  ___/ ||  <    \ \/ / | |\/| |
            | |   | || . \    \  /  | |  | |
            |_|   |_||_|\_\    \/   |_|  |_|
    
        Welcome to PiKVM - The Open Source KVM over IP on Raspberry Pi
        ____________________________________________________________________________
    
        The root filesystem of PiKVM is mounted in the read-only mode by default.
        Use command "rw" to remount it in the RW-mode and "ro" to switch it back.
        If the filesystem is busy and doesn't switch to the RO-mode, use "reboot"
        to reboot the device, don't leave it in the RW-mode.
    
        Useful commands:
          * Preventing kernel messages in the console:  dmesg -n 1
          * Changing the Web UI password:  kvmd-htpasswd set admin
          * Changing the root password:    passwd
    
        Links:
          * Official website:  https://pikvm.org
          * Documentation:     https://docs.pikvm.org
          * Auth & 2FA:        https://docs.pikvm.org/auth
          * Networking:        https://wiki.archlinux.org/title/systemd-networkd

  3. Change the root password and web admin password

    [root@pikvm ~]# rw
    + mount -o remount,rw /
    + mount -o remount,rw /boot
    + set +x
    === PiKVM is in Read-Write mode ===
    [root@pikvm ~]# passwd root
    New password: 
    Retype new password: 
    passwd: password updated successfully
    [root@pikvm ~]# kvmd-htpasswd set admin
    Password: 
    Repeat: 
    
    # Note: Users logged in with this username will stay logged in.
    # To invalidate their cookies you need to restart kvmd & kvmd-nginx:
    #    systemctl restart kvmd kvmd-nginx
    # Be careful, this will break your connection to the PiKVM
    # and may affect the GPIO relays state. Also don't forget to edit
    # the files /etc/kvmd/{vncpasswd,ipmipasswd} and restart
    # the corresponding services kvmd-vnc & kvmd-ipmi if necessary.
  4. Activate 2FA authentication with your favorite authenticator app:

    [root@pikvm ~]# kvmd-totp init
  5. Connect via browser to the PiKVM address, 192.168.0.86, and log in using the password. (Accept the unsecured connection, as we have not yet added an SSL certificate.)

Install and configure Wireguard

For more detailed instructions, see the Arch Linux documentation and the general WireGuard installation guide.

  1. Update the repo

    [root@pikvm pisugar-archlinux]# rw
    + mount -o remount,rw /
    + mount -o remount,rw /boot
    + set +x
    === PiKVM is in Read-Write mode ===
    [root@pikvm pisugar-archlinux]# sudo pacman -Syy
    :: Synchronizing package databases...
     core                               239.0 KiB  79.1 KiB/s 00:03 [###################################] 100%
     extra                                9.0 MiB   414 KiB/s 00:22 [###################################] 100%
     community                           45.0   B   121   B/s 00:00 [###################################] 100%
     alarm                               94.8 KiB   243 KiB/s 00:00 [###################################] 100%
     aur                                  9.3 KiB  12.1 KiB/s 00:01 [###################################] 100%
     pikvm                               10.7 KiB  3.00 KiB/s 00:04 [###################################] 100%
  2. Install wireguard

    [root@pikvm pisugar-archlinux]# pacman -S wireguard-tools
    resolving dependencies...
    looking for conflicting packages...
    
    Packages (1) wireguard-tools-1.0.20210914-2
    
    Total Download Size:   0.08 MiB
    Total Installed Size:  0.22 MiB
    
    :: Proceed with installation? [Y/n] Y
    :: Retrieving packages...
     wireguard-tools-1.0.20210914-...    80.4 KiB  45.4 KiB/s 00:02 [###################################] 100%
    (1/1) checking keys in keyring                                  [###################################] 100%
    (1/1) checking package integrity                                [###################################] 100%
    (1/1) loading package files                                     [###################################] 100%
    (1/1) checking for file conflicts                               [###################################] 100%
    (1/1) checking available disk space                             [###################################] 100%
    :: Processing package changes...
    (1/1) installing wireguard-tools                                [###################################] 100%
    Optional dependencies for wireguard-tools
        openresolv: for DNS functionality [installed]
        sudo: elevate privileges [installed]
    :: Running post-transaction hooks...
    (1/2) Reloading system manager configuration...
    (2/2) Arming ConditionNeedsUpdate...
    
  3. Create private and public keys

    wg genkey | tee privatekey | wg pubkey > publickey
  4. Create the config file

    Now you can configure the server. Create a new file called /etc/wireguard/wg0.conf, insert the following configuration lines, and replace the <server-private-key> placeholder with the previously generated private key.

    vi /etc/wireguard/wg0.conf
    
    [Interface]
    Address = 10.99.0.1/24
    #SaveConfig = true
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
    ListenPort = 51821
    PrivateKey = <server-private-key>
    
    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = 10.99.0.2/32
  5. Configure the WireGuard client

    Now, we need to configure the client. Create a new file called /etc/wireguard/wg0.conf. Insert the following configuration lines and replace the <client-private-key> placeholder with the previously generated private key.

    Next, replace <server-public-key> with the server's generated public key, and replace <server-public-ip-address> with the IP address where the server listens for incoming connections.

    [Interface]
    PrivateKey = <client-private-key>
    ListenPort = 51821
    Address = 10.99.0.2/32
    
    [Peer]
    PublicKey = <server-public-key>
    AllowedIPs = 10.99.0.0/24
    Endpoint = <server-public-ip-address>:51821
    PersistentKeepalive = 30
  6. Open ports (UDP) for WireGuard on your router.

  7. Start and test

    Enable the wg0 interface with the following command:

    wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.99.0.1/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE;

    You can check the status of the connection with this command.

    [root@pikvm ~]# wg
    interface: wg0
      public key: K9aP9W9TW/bfdaGQA2fSFBZh6ZZy198Q=
      private key: (hidden)
      listening port: 51821
    [root@pikvm ~]# ifcongif -a 
    -bash: ifcongif: command not found
    [root@pikvm ~]# ifconfig -a
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 99  bytes 8158 (7.9 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 99  bytes 8158 (7.9 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
            inet 10.99.0.1  netmask 255.255.255.0  destination 10.99.0.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::e65f:1ff:fe87:f396  prefixlen 64  scopeid 0x20<link>
            ether e4:5f:01:87:f3:96  txqueuelen 1000  (Ethernet)
            RX packets 1505204  bytes 36789964 (35.0 MiB)
            RX errors 0  dropped 1224409  overruns 0  frame 0
            TX packets 110425  bytes 8452065 (8.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  8. Configure auto-start

    [root@pikvm ~]# systemctl enable --now wg-quick@wg0
    Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service -> /usr/lib/systemd/system/wg-quick@.service.
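
Two checks for the server side of the setup above, as an added example that is not from the original page or the WireGuard project: `gen_wg_keys` runs the page's key-generation pipeline under `umask 077` so the private key is never readable by other users, and `audit_wg_conf` flags a wg0.conf that is readable by group or others, still contains a `<...>` placeholder, or gives a peer more than a single host address in AllowedIPs. Both function names are assumptions, and `stat -c` assumes GNU coreutils, as on the Arch Linux base of PiKVM.

```shell
#!/bin/sh
# Added example (not from the page): key hygiene checks for the PiKVM-side wg0.conf.

# gen_wg_keys DIR: the page's key-generation pipeline, run in a subshell under
# umask 077 so privatekey and publickey are created with mode 600.
gen_wg_keys() (
    umask 077
    cd "$1" || exit 1
    wg genkey | tee privatekey | wg pubkey > publickey
)

# audit_wg_conf FILE: audit the *server* config (on the client, a /24 in
# AllowedIPs is expected). Prints one finding per line, returns 1 if any.
audit_wg_conf() {
    conf=$1
    findings=$(
        # wg0.conf embeds PrivateKey: group and others must have no access.
        mode=$(stat -c '%a' "$conf")
        case $mode in
            *00) ;;
            *) echo "mode $mode on $conf: expected 600" ;;
        esac
        awk '
            /^[ \t]*#/  { next }                    # skip comments
            /^[ \t]*\[/ { section = $1; next }      # [Interface] or [Peer]
            /<[a-z-]+>/ { print "line " NR ": placeholder not replaced" }
            section == "[Peer]" && /^[ \t]*AllowedIPs[ \t]*=/ {
                val = $0
                sub(/^[^=]*=/, "", val)
                n = split(val, nets, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t]/, "", nets[i])
                    if (nets[i] !~ /\/(32|128)$/)
                        print "line " NR ": peer AllowedIPs " nets[i] " is wider than one host"
                }
            }
        ' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on the PiKVM: audit_wg_conf /etc/wireguard/wg0.conf
```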

Install and configure Let's Encrypt certificates for the PiKVM

Configuring PiSugar

Add a pisugar user to the PiKVM (Raspberry Pi):

  1. Connect via ssh to the PiKVM device.

  2. Add a pisugar user:

[root@pikvm ~]# rw         
+ mount -o remount,rw /
+ mount -o remount,rw /boot
+ set +x
=== PiKVM is in Read-Write mode ===

useradd --system -s /usr/bin/bash pisugar
usermod -d /opt/pisugar -m pisugar
passwd pisugar
  1. Add pisugar to /etc/sudoers

  2. Download latest pisugar-archlinux_<version>_all.tar.gz from https://github.com/PiSugar/pisugar-power-manager-rs/releases

su - pisugar
tar -xvf pisugar-archlinux_<version>_all.tar.gz
  1. Edit the PKBUILD to support the RPi Zero 2W:

    arch=('arm' 'armhf' 'aarch64' 'x86_64')

Attaching the lid and connecting external cables

NUC - Netrabrick NUClid cabling

| Identifier | Header |
|---|---|
| 8 | COM Header |
| 9 | USB2 Header |
| 10 | Front Panel Header |

COM header

Use of this header is not strictly necessary, but it can be connected to the Raspberry Pi used by PiKVM to provide serial terminal login access to the server.

| Pin | RS232 signal | Connection |
|---|---|---|
| 1 | DCD | Empty |
| 2 | RXD | RPi GPIO14 (UART TX) |
| 3 | TXD | RPi GPIO15 (UART RX) |
| 4 | DTR | Empty |
| 5 | GND | RPi GND |
| 6 | DSR | Empty |
| 7 | RTS | Empty |
| 8 | CTS | Empty |
| 9 | RI# | Empty |
| 10 | Empty | Empty |

NUC USB2.0 header

The USB2.0 header is essential for providing keyboard and mouse HID access from the PiKVM instance on the Raspberry Pi to the server. This header also provides power to the PiSugar 3, which in turn powers the PiKVM Raspberry Pi.

Notice that VCC (5v) is NOT provided to the MicroUSB connection on the Raspberry Pi. This is the equivalent of blocking the VCC pin, as described here.

| Pin | USB Signal | Connection |
|---|---|---|
| 1 | VCC | Pin 8 (5v in) on PiSugar 3 |
| 2 | VCC | Current connector to power fan? |
| 3 | USB0- | MicroUSB cable USB- (green) |
| 4 | USB1- | Empty |
| 5 | USB0+ | MicroUSB cable USB+ (white) |
| 6 | USB1+ | Empty |
| 7 | GND | Pin 1 on PiSugar 3 (next to Pin 8) AND USB ground (black) |
| 8 | GND | Current ground connector to fan? |
| 9 | No Connect | Empty |
| 10 | Empty | Empty |

Check dmesg and lsusb on both the Netrabrick and the Raspberry Pi to see if the USB connection is working.

From lsusb on the Netrabrick you should see something similar to:

Bus 004 Device 005: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget

NUC Front Panel header

Connecting the NUC Front Panel header to the Raspberry Pi is necessary if you want ATX power control from PiKVM.

| Pin | Header | Function | Connection |
|---|---|---|---|
| 1 | HD_LED | HD_PWR | Connect to RPi, pin (red) |
| 3 | HD_LED | HD_Active | Connect to RPi, pin 22 (red) |
| 2 | PWR_LED | PWR LED+ | Connect to Front Panel LED |
| 4 | PWR_LED | PWR LED- | Connect to Front Panel LED |
| 5 | RESET | GND | Connect to RPi, pin (red) |
| 7 | RESET | RST BTN | Connect to RPi, pin 27 (red) |
| 6 | PW_ON | PWR BTN | Connect to Front Panel Button |
| 8 | PW_ON | GND | Connect to Front Panel Button |
| 9 | No Connect | +5V | No connect |
| 10 | Empty | Empty | Empty |

This is how the ATX wiring between the server and the Raspberry Pi is set up:

image-20240406-162905.png

As described here:

With this part, you will be able to remotely turn on, turn off and restart your computer!

  • x4 MOSFET relays OMRON G3VM-61A1 or OMRON G3VM-61AY1.
    Don't use random relay modules or random optocouplers! Some of these may not be sensitive enough for the Raspberry Pi, some others may be low-level controlled. Either use relays that are activated by a high logic level, or follow the design provided and buy an OMRON. See details here.

  • x4 390 Ohm resistors (see here for alternatives).

  • 2x 4.7 kOhm resistors.

  • x10+ dupont wires male-male.

  • x1 a breadboard.

  • various wires for the breadboard.

USB connections

The lsusb command should report the different connected USB devices:

| Device | lsusb report |
|---|---|
| LoRa dongle (connection to Vinduino) | Cypress Semiconductor Corp. USB-UART LP |
| RTL-SDR (connection to weather station) | Realtek Semiconductor Corp. RTL2838 DVB-T |
| PiKVM | Linux Foundation Multifunction Composite Gadget |

mtb@netrabrick:~$ lsusb
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget
Bus 004 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 8087:0029 Intel Corp. AX200 Bluetooth
Bus 004 Device 005: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 008: ID 04b4:0003 Cypress Semiconductor Corp. USB-UART LP
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
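
The listing above can serve as a baseline: a periodic check reports when one of the three devices in the table disappears (for example, the PiKVM HID gadget after a cabling fault) or when a device that is not in the listing shows up on the bus. This is an added example, not part of the original page; the function and variable names are assumptions, and the ID lists are copied from the lsusb output above.

```shell
#!/bin/sh
# Added example (not from the page): compare lsusb output with the devices this page expects.

# vendor:product IDs copied from the lsusb listing on this page.
EXPECTED_USB_IDS='1d6b:0002 1d6b:0003 1d6b:0104 05e3:0610 8087:0029 0bda:2838 04b4:0003'
# Devices from the table above: PiKVM gadget, RTL-SDR, LoRa dongle.
REQUIRED_USB_IDS='1d6b:0104 0bda:2838 04b4:0003'

# page_listing: the lsusb output shown on this page, used as sample input.
page_listing() {
    cat <<'EOF'
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget
Bus 004 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 004 Device 002: ID 8087:0029 Intel Corp. AX200 Bluetooth
Bus 004 Device 005: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 008: ID 04b4:0003 Cypress Semiconductor Corp. USB-UART LP
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
EOF
}

# unexpected_usb: lsusb output on stdin; prints lines whose ID is not in the baseline.
unexpected_usb() {
    awk -v allow="$EXPECTED_USB_IDS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 == "ID" && !($6 in ok)
    '
}

# missing_usb: lsusb output on stdin; prints each required ID that is absent.
missing_usb() {
    awk -v need="$REQUIRED_USB_IDS" '
        $5 == "ID" { seen[$6] = 1 }
        END {
            n = split(need, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in seen)) print r[i]
        }
    '
}

# check_usb: run both checks on one listing read from stdin.
# Returns 0 only when nothing is missing and nothing is unexpected.
check_usb() {
    listing=$(cat)
    extra=$(printf '%s\n' "$listing" | unexpected_usb)
    missing=$(printf '%s\n' "$listing" | missing_usb)
    [ -z "$extra" ] || printf '%s\n' "$extra" | sed 's/^/not in baseline: /'
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/required device missing: /'
    [ -z "$extra$missing" ]
}

# Usage on the Netrabrick: lsusb | check_usb || logger -t usb-baseline "USB inventory changed"
```

Vendor and product IDs are reported by the device itself, so this is an inventory check rather than proof of what is plugged in.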

Dappnode base instance

This section describes the steps involved for installing the Dappnode Linux base instance (bare metal install).

backup NAS

Time machine backup for MacOS devices

First we'll install samba

sudo apt install samba

Add a samba user

sudo smbpasswd -a mtb
sudo usermod -g users mtb
vi /etc/samba/smb.conf

Configure samba

[global]
workgroup = openvino
min protocol = SMB2

# security
security = user
passdb backend = tdbsam
map to guest = Bad User

# mac Support
spotlight = yes
vfs objects = acl_xattr catia fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes

#NetShares 

[volumes]
comment = Time Machine
path = /timecapsule
valid users = @users
browsable = yes
writable = yes
read only = no
create mask = 0644
directory mask = 0755

Adjust permissions

 chmod 777 /timecapsule
 chown root:users /timecapsule/

Restart samba

service smbd restart

Connect to the Samba server from the macOS Finder

Go > Connect to Server...

Configure Time Machine

FOAM.space anchor node

Dappnode

From the dappnode documentation:

DAppNode connects the decentralized internet by allowing a user to conveniently host P2P clients in a truly decentralized way, and eliminates the reliance on third parties vulnerable to centralization. It also adds an extra layer of incentivization that helps spread adoption of the blockchain ecosystem and solves the problem of infrastructure centralization.

The Problem

Most nodes for public blockchains nowadays have a degree of architectural or/and political centralization. The first refers to the number of machines a system is made of, and the second concerns the ownership of such machines, Vitalik Buterin, 2017.

A first very common case is to host a node in a Virtual Private Server (VPS). This puts your node in the hands of a highly centralized company like Digital Ocean or Amazon, which could block and censor your access. Moreover, they could be hosting different nodes in the same machine, architecturally reducing decentralization too.

Another common case in the Ethereum blockchain is to connect through a node owned by Infura. While Infura's work on providing infrastructure for the network is a necessity at this stage, we can see how the ownership of a majority of nodes by the same company is a centralizing factor.

Installation

Install dappnode

Download the image from DAppNodeISO or build it from source, and configure as a flexVDI Media Storage image file.
