Introduction: Red Box

About: Linux System Administrator

Create your own reliable cloud server.

Step 1: Hardware

  • Use a metal box and paint it in your favorite color. (I used an old storage controller)
  • Hobbycolor plate that withstands at least 75 °C
  • Raspberry pi 3
  • Micro SD card (I used 16GB but you can use any size >= 4GB)
  • USB hub with an external power jack
  • USB to SATA adapters
  • Disk drives
  • Network cable + network wall socket
  • Wires + power input jack
  • Bolts recovered from an old computer's serial or VGA port
  • USB ports recovered from an old computer

The Raspberry Pi is attached to the hobbycolor plate with bolts from a VGA port.

Disks are attached with regular bolts on the back.

Step 2: Wiring

  • Power input jack connects to both recovered usb ports.

The first USB port (behind all the wires, front left) is used only as a power source: just its red and black wires are used, and they are connected to the power input jack. The first USB cable in this port provides power for the Pi; the second USB cable provides power to the USB hub.

The second USB port (the one in the back, useful for connecting additional devices) has its red and black wires connected directly to the power input, while the white and green wires of each port are connected to a USB cable recovered from some old mouse (the white ones directly connected to the Pi).

  • A LAN cable connects the external network wall socket to the Raspberry Pi LAN port.
  • Disks are connected via USB to SATA adapters to the externally powered USB hub (bigger capacity disks require more power and we do not want to make the Pi unstable), which is plugged into one of the Pi's ports.

Step 3: Software

  • Install the Operating System

Use CentOS 7 for ARM for higher security (http://mirror.centos.org/altarch/7/isos/armhfp/); tested: CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi3.img.xz; tutorial here: https://wiki.centos.org/SpecialInterestGroup/AltA...

Put the image on the micro SD card from your Linux computer (for Windows check: https://www.raspberrypi.org/documentation/install...)

xzcat CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi3.img.xz | sudo dd of=/path/to/sd/card status=progress bs=4M

The default root password is: centos

Use nmtui to configure the network and set a static IP address.

  • Setup the disks

Create one partition on each disk. It is better to make it a little smaller than the entire disk (let's say 1GB smaller), because different disks of the same capacity (e.g. WD vs Toshiba) have different sizes :). This way you will be safe if you need to replace one of the disks.

Create a btrfs raid 1 filesystem on your disks

mkfs.btrfs -d raid1 -m raid1 /dev/sda1 /dev/sdb1

btrfs filesystem label /dev/sda1 rpi3

Mount the filesystem using autofs (this keeps the Pi from failing to boot if something goes wrong with the disks)

yum install -y autofs

Append the following to /etc/auto.master:

/- /etc/auto.ext-usb --timeout=300

Create /etc/auto.ext-usb with the content:

/srv -fstype=auto,compress=lzo,noatime :/dev/disk/by-label/rpi3

service autofs restart

Run ls /srv and df -h to confirm that it is mounted.

  • Install owncloud

Prerequisites (apache, php, mariadb):

yum install -y httpd; yum install -y mod_ssl; yum install -y mariadb-server; yum install -y 'php*'

Install ownCloud 9, which is compatible with the PHP 5.4 (php54) that comes with CentOS 7. A good tutorial for that:

http://download.owncloud.org/download/repositories...

After owncloud is up and running, move data dir from the default location to the new drives (/srv)

service httpd stop

Edit /var/www/html/owncloud/config/config.php and make this change:

'datadirectory' => '/srv/owncloud/data',

mkdir /srv/owncloud; mv /var/www/html/owncloud/data /srv/owncloud && chown -R apache:apache /srv/owncloud/data/

service httpd start

You can install the ownCloud desktop client on Linux / Windows; for phones I use FolderSync.

  • Enable and configure SELinux

    (working version is: selinux-policy-3.13.1-166.el7.5.noarch, selinux-policy-targeted-3.13.1-166.el7.5.noarch)

Make sure you are not updating that policy (in /etc/yum.conf append: exclude = selinux-policy*)

restorecon -Rv /

/boot/cmdline.txt should contain: selinux=1 security=selinux enforcing=1

/etc/sysconfig/selinux should contain: SELINUX=enforcing and SELINUXTYPE=targeted

reboot

Make the following settings after reboot:

yum install -y policycoreutils-python

semanage fcontext -a -t httpd_sys_rw_content_t "/srv/owncloud(/.*)?"

setsebool -P httpd_builtin_scripting=1; setsebool -P httpd_can_network_connect=1; setsebool -P httpd_enable_cgi=1; setsebool -P httpd_graceful_shutdown=1

If you encounter any issues, put the SD card into another computer and modify cmdline.txt to have: selinux=0
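To confirm that the kernel command line and /etc/sysconfig/selinux agree after these edits, and that a selinux=0 left over from troubleshooting is not still in place, a check like the following can be run. It is an added example, not part of the original instructions; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: check that the kernel command line and the SELinux config
# file both ask for enforcing mode. Function names are hypothetical.

# has_token FILE TOKEN: succeed if the kernel command line contains TOKEN.
has_token() { tr ' \t' '\n\n' < "$1" | grep -qxF -- "$2"; }

# conf_values FILE KEY: print every uncommented value set for KEY, deduplicated.
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" |
        sort -u | tr '\n' ' '
}

# selinux_boot_check CMDLINE CONFIG: return 0 only if both files agree.
selinux_boot_check() {
    rc=0
    for t in selinux=1 security=selinux enforcing=1; do
        has_token "$1" "$t" || { echo "FAIL cmdline lacks $t"; rc=1; }
    done
    for t in selinux=0 enforcing=0; do   # leftovers from troubleshooting
        if has_token "$1" "$t"; then echo "FAIL cmdline still has $t"; rc=1; fi
    done
    [ "$(conf_values "$2" SELINUX)" = "enforcing " ] ||
        { echo "FAIL SELINUX is not enforcing"; rc=1; }
    [ "$(conf_values "$2" SELINUXTYPE)" = "targeted " ] ||
        { echo "FAIL SELINUXTYPE is not targeted"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real system).
d=$(mktemp -d)
echo 'console=tty1 rootwait selinux=1 security=selinux enforcing=1' > "$d/cmdline.ok"
echo 'console=tty1 rootwait selinux=0 security=selinux enforcing=1' > "$d/cmdline.rescue"
printf '%s\n' '# SELINUX=disabled' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$d/config"

for c in ok rescue; do
    if selinux_boot_check "$d/cmdline.$c" "$d/config"; then
        echo "cmdline.$c: enforcing on next boot"
    else
        echo "cmdline.$c: fix before rebooting"
    fi
done
# On the Pi itself: selinux_boot_check /boot/cmdline.txt /etc/sysconfig/selinux
```
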

  • Secure your box

Change root password

Create yourself a user (adduser -s /bin/bash "me") and set a strong password ( passwd "me")

Configure sshd to listen on another port and do NOT allow root logins: in /etc/ssh/sshd_config, set Port (let's say 2222) and PermitRootLogin no.

Tell SELinux and firewalld about your intentions:

semanage port -a -t ssh_port_t -p tcp 2222

service firewalld start && systemctl enable firewalld.service

firewall-cmd --permanent --add-port 2222/tcp

firewall-cmd --reload

service sshd restart
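A leftover Port 22 line or an earlier PermitRootLogin yes in the same file silently defeats these two settings, so it is worth auditing the file after editing it. The script below is an added example, not part of the original instructions; the function names and sample files are constructed, and it assumes whitespace-separated "Keyword value" lines.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the two settings chosen above.
# sshd keeps the FIRST value it reads for most keywords, but every Port line
# adds another listening port, so leftovers in the file matter.
# Assumes whitespace-separated "Keyword value" lines; names are hypothetical.

# sshd_values FILE KEY: print each global (pre-Match) value of KEY, lowercased.
sshd_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/          { next }  # comments and blank lines
        tolower($1) == "match"  { exit }  # Match blocks are conditional
        tolower($1) == key      { print tolower($2) }
    ' "$1"
}

# audit_sshd FILE PORT: return 0 only if root login is off and PORT is the
# only port sshd listens on.
audit_sshd() {
    rc=0
    root=$(sshd_values "$1" PermitRootLogin | sed -n 1p)    # first value wins
    ports=$(sshd_values "$1" Port | sort -u | tr '\n' ' ')  # Port lines add up
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    [ "$ports" = "$2 " ] || { echo "FAIL Port=${ports:-unset (default 22)}"; rc=1; }
    return $rc
}

demo_dir=$(mktemp -d)
# Constructed sample: a leftover "Port 22" and an earlier "yes" defeat the edits.
printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin yes' \
    'Port 2222' 'permitrootlogin no' > "$demo_dir/weak.conf"
# Constructed sample: the configuration this step describes.
printf '%s\n' 'Port 2222' 'PermitRootLogin no' > "$demo_dir/hardened.conf"

for f in weak hardened; do
    if audit_sshd "$demo_dir/$f.conf" 2222; then
        echo "$f: OK"
    else
        echo "$f: needs fixing"
    fi
done
# On the Pi itself: audit_sshd /etc/ssh/sshd_config 2222
```
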

  • Make it public

On your internet router, forward these ports to the static IP you set in the first step: 80, 443, 2222.

Setup DDNS on your router so you can access your box from anywhere.

  • Fine tuning

Set apache to 5 procs as memory is low:

/etc/httpd/conf.modules.d/00-mpm.conf

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

StartServers 5

MinSpareServers 5

MaxSpareServers 5

ServerLimit 5

MaxClients 5

MaxRequestsPerChild 3000

service httpd restart

Setup cron to weekly scrub the disks and make a snapshot each night (in /etc/crontab)

01 02 * * 6 root btrfs scrub start /srv
01 01 * * * root /usr/sbin/btrfs subvolume snapshot -r /srv /srv/@$(printf "\%s" $(/bin/date +\%d\%b\%Y-\%k-\%M))

Check the volume from time to time with: btrfs dev stats /srv

Use watchdog to automatically reset if it becomes unresponsive (raspberry pi3 has a hardware one):

yum install -y watchdog

/etc/watchdog.conf

watchdog-device = /dev/watchdog
watchdog-timeout = 15

interval = 1
logtick = 1
log-dir = /var/log/watchdog

realtime = yes
priority = 1

service watchdog start && systemctl enable watchdog.service

Participated in the First Time Author Contest 2018

Participated in the Epilog Challenge 9

Participated in the Raspberry Pi Contest 2017