# nano /boot/firmware/config.txt

kernel=kernel8.img

# sudo apt update
# sudo apt install snapd
# sudo snap install snapd
# sudo snap install nextcloud
# sudo /snap/bin/nextcloud.enable-https lets-encrypt
# sudo /snap/bin/nextcloud.occ maintenance:repair --include-expensive
# sudo /snap/bin/nextcloud.occ background:cron
# apt install syncthing
# systemctl enable syncthing@pi-nas.service
# systemctl start syncthing@pi-nas.service
# nano /usr/lib/systemd/system/syncthing@.service

Group=users
UMask=0002

# apt install proftpd
# nano /etc/proftpd/proftpd.conf

# Force all uploads to be owned by pi-nas user
<IfModule mod_ifsession.c>
  <IfUser user1>
    <Directory /volume1/user1>
      Umask 022
      AllowOverwrite on
      UserOwner pi-nas
      GroupOwner users
    </Directory>
  </IfUser>
  <IfUser user2>
    <Directory /volume1/user2>
      Umask 022
      AllowOverwrite on
      UserOwner pi-nas
      GroupOwner users
    </Directory>
  </IfUser>
</IfModule>

# apt update
# apt install git python3-pip python3-venv
# useradd -r -m -d /var/lib/radicale -s /bin/bash radicale
# mkdir /etc/radicale
# nano /etc/radicale/radicale.conf

[server]
# Bind to all IP addresses (0.0.0.0) instead of just localhost
hosts = 0.0.0.0:5232
[auth]
type = htpasswd
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt
[storage]
filesystem_folder = /var/lib/radicale/collections
[web]
type = radicale_infcloud

# htpasswd -c -B /etc/radicale/users yourusername
# htpasswd -B /etc/radicale/users anotheruser
# ufw allow 5232/tcp
# ufw reload
# su radicale
$ cd ~
$ python3 -m venv venv
$ source venv/bin/activate
$ pip install radicale bcrypt git+https://github.com/Unrud/RadicaleInfCloud.git
$ radicale --config /etc/radicale/radicale.conf

http://your-server-ip:5232/

$ exit
# nano /etc/systemd/system/radicale.service

[Unit]
Description=Radicale CalDAV and CardDAV Server
After=network.target
[Service]
User=radicale
Group=radicale
ExecStart=/var/lib/radicale/venv/bin/radicale --config /etc/radicale/radicale.conf
WorkingDirectory=/var/lib/radicale
Restart=on-failure
LimitNOFILE=4096
[Install]
WantedBy=multi-user.target

# systemctl daemon-reload
# systemctl enable radicale
# systemctl start radicale
# systemctl status radicale

# apt install apache2 certbot python3-certbot-apache
# nano /etc/apache2/sites-available/radicale.conf

<VirtualHost *:80>
  ServerName your_domain.com
  ProxyPass / http://localhost:5232/
  ProxyPassReverse / http://localhost:5232/
</VirtualHost>

# ufw allow 80/tcp
# ufw allow 443/tcp
# ufw reload
# certbot --apache -d your_domain.com

https://your_domain.com

# sudo systemctl status certbot.timer
# sudo certbot renew --dry-run

Webmin Setup

The simplest and best way to get Webmin is to use automatic webmin-setup-repo.sh script to configure repositories on your RHEL or Debian derivative systems. It can be done in two easy steps:

$curl -o webmin-setup-repo.sh https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh
sudo sh webmin-setup-repo.sh

This script will automatically setup our repository and install our GPG keys on your system, and provide webmin package for installation and easy upgrades in the future.

Install

If Webmin repository was setup using our webmin-setup-repo.sh as described above then Webmin can be installed as easy as:

$ sudo apt-get install webmin --install-recommends

Access

Open ports for both Webmin and Freeswitch.

$ ufw allow 10000/tcp
$ ufw allow 3478:3479/udp
$ ufw allow 5060
$ ufw allow 5080
$ ufw allow 8021/tcp
$ ufw allow 16384:32768/udp

After successful Webmin installation, you can access its interface by entering https://<Your-Server-IP>:10000 in your browser..

Freeswitch Setup

$curl -sSL https://freeswitch.org/fsget | bash -s [Personal Access Token] release install
$ sudo apt install freeswitch-mod-flite fail2ban

Fail2ban Setup

Fail2ban’s jail.conf file contains a standard configuration for FreeSWITCH.

From Standard jail.conf

[shd] <-- Make sure that this section is empty.

[freeswitch]
enabled  = true
port     = 5060,5061
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /var/log/freeswitch/freeswitch.log
filter   = freeswitch-ip

/etc/fail2ban/filter.d/freeswitch-ip.conf

# Fail2Ban configuration file
[Definition]
failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>
ignoreregex =

Add the following line to the [DEFAULT] section of /etc/fail2ban/paths-debian.conf:

sshd_backend = systemd

In Webmin, go to Networking > Fail2ban Intrusion Detector and click on Filter Action Jails. Click on Freeswitch in the list and change ‘Check for log file updates using‘ to systemd and click on the ‘Save’ button.

Usage

To check the status of fail2ban:

$ systemctl status fail2ban.service

To check the IP addresses that were blocked:

$ fail2ban-client banned

Resources

https://webmin.com/download/

https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Installation/Linux/Debian_67240088#about

https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Security/Fail2Ban_1049236/

https://github.com/fail2ban/fail2ban/issues/3567

https://stackoverflow.com/questions/3561289/what-ports-does-freeswitch-need-open

Create the user who should run the service, or choose an existing one.(Skip if your distribution package already installs these files, see above.) From git location copy the syncthing@.service file into the load path of the system instance. On Debian 12, the path of the file is ‘/usr/lib/systemd/system’. I also added the following lines to the [Service] section of the file:

Group=users
UMask=0002

The umask only works when ‘Ignore Permissions’ is enabled for the folder. Enable and start the service. Replace “myuser” with the actual Syncthing user after the @:

$ sudo systemctl enable syncthing@myuser.service
$ sudo systemctl start syncthing@myuser.service

Reference

https://docs.syncthing.net/users/autostart.html

IMAPdump, requires OpenSSL to be installed. Install it using the following command:

$ sudo apt install openssl

The IO::Socket::SSL Perl module is also required. First, install using the following command:

$ sudo perl -MCPAN -e shell

Then enter the following command from within the cpan shell:

cpan[1]> install IO::Socket::SSL

Now IMAPdump should run without errors. You can download it from https://github.com/andrewnimmo/rick-sanders-imap-tools.

This article assumes that you have all of your files in the /volume1 folder. In order to be able to access these files from within Nextcloud’s External Storage app, you will need to add the following line in /etc/fstab:

/volume1 /mnt/volume1 none bind

Also, until Redis packages are made to take advantage of the larger page size of the Raspberry Pi 5, we will have to add the following line to /boot/firmware/config.txt:

kernel=kernel8.img

Now install nextcloud using the following commands:

$ sudo apt install snapd
$ sudo snap install snapd
$ sudo snap install nextcloud

You should now be able to access the Nextcloud installer by entering the Pi’s IP address in a browser on the same network. If you want to install an SSL certificate then use the following command:

$ sudo /snap/bin/nextcloud.enable-https lets-encrypt

You will be asked to provide an email address and the domain name to be used. You will need to add the following lines to the config.php file for Nextcloud. This file should be located in /var/snap/nextcloud/current/nextcloud/config/config.php.

'overwritehost' => 'example.com',
'overwriteprotocol' => 'https',
'trusted_domains' => 
array (
  0 => 'example.com',
),

Now you should be able to access Nextcloud using your domain name. If you need to run the OCC command, use the following:

$ sudo /snap/bin/nextcloud.occ COMMAND

References

https://help.nextcloud.com/t/redis-crashing-on-startup-after-swapping-rpi4-8gb-with-rpi5-8gb/182242

https://snapcraft.io/install/nextcloud/debian

https://github.com/nextcloud-snap/nextcloud-snap/wiki/Nextcloud-snap-step-by-step/38e0ac1ceb23a990f10471546b95e2f04f060314

Use the following to set up Nextcloud in a Docker Container:

version: '3.9'
services:
  mariadb:
    image: mariadb:latest
    container_name: Nextcloud-DB
    security_opt:
      - no-new-privileges:true
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-read-only-compressed=OFF
    environment:
      - PUID=1000
      - PGID=1000
      - MYSQL_ROOT_PASSWORD=[PASSWORD]
      - MYSQL_PASSWORD=[PASSWORD]
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - TZ=America/Los_Angeles
    volumes:
      - /volume1/docker/nextcloud/mariadb:/config
    restart: on-failure:5

  redis:
    image: redis:latest
    container_name: Nextcloud-REDIS
    hostname: nextcloudredis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping || exit 1"]
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Los_Angeles
    volumes:
      - /volume1/docker/nextcloud/redis:/data:rw
    restart: on-failure:5

  nextcloud:
    image: nextcloud:latest
    container_name: Nextcloud
    ports:
      - 9333:80
    depends_on:
      mariadb:
        condition: service_started
      redis:
        condition: service_healthy
    healthcheck:
      test: curl -f http://localhost:80/ || exit 1
    environment:
      - REDIS_HOST=nextcloudredis
      - NEXTCLOUD_TRUSTED_DOMAINS=[DOMAIN] 10.0.1.9
      - TRUSTED_PROXIES=[DOMAIN] 10.0.1.9
      - OVERWRITEHOST=[DOMAIN]
      - OVERWRITEPROTOCOL=https
      - MYSQL_PASSWORD=[PASSWORD]
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=mariadb
    volumes:
      - /volume1/docker/nextcloud/html:/var/www/html:rw
      - /volume1/docker/nextcloud/custom_apps:/var/www/html/custom_apps:rw
      - /volume1/docker/nextcloud/config:/var/www/html/config:rw
      - /volume1/docker/nextcloud/data:/var/www/html/data:rw
      - /volume1/docker/nextcloud/themes:/var/www/html/themes:rw
    restart: on-failure:5

  cron:
    image: nextcloud:apache
    container_name: Nextcloud-CRON
    restart: always
    volumes:
      - /volume1/docker/nextcloud/config:/var/www/html/config:rw
      - /volume1/docker/nextcloud/html:/var/www/html:rw
      - /volume1/docker/nextcloud/custom_apps:/var/www/html/custom_apps:rw
      - /volume1/docker/nextcloud/data:/var/www/html/data:rw
    entrypoint: /cron.sh
    depends_on:
      mariadb:
        condition: service_started
      redis:
        condition: service_started

  proxy:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: Nextcloud-PROXY
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - /volume1/docker/nextcloud/proxy/data:/data
      - /volume1/docker/nextcloud/proxy/letsencrypt:/etc/letsencrypt

Source

https://github.com/docker/awesome-compose/tree/master/nextcloud-redis-mariadb

I have my raspberry pi 5 hooked up to an nvme via pcie. When I pull up raspi-config the only options are to boot nvme first or sd first. However I need an option to boot usb first followed by nvme. The case I’m using doesn’t provide access to the micro sd card slot.

I’ve tried finding the setting in raspi-config, but no luck.
I’ve tried changing the boot order manually by editing eeprom and this worked:

$ sudo rpi-eeprom-config --edit

BOOT_UART=1
POWER_OFF_ON_HALT=0
BOOT_ORDER=0xf164

Reference

https://forums.raspberrypi.com/viewtopic.php?t=366106

*IMPORTANT UPDATE*

The original instructions listed below were causing my system to randomly go into read-only mode. Use the following instructions instead:

1. Download usb-boot.zip and extract the file named mbr2gpt
2. Make the file mbr2gpt executable and run it from a system that didn’t boot off of the disk that you are about to convert. For example, if you booted to a USB flash, run ‘sudo mbr2gpt /dev/sdb’ if sdb is the disk that you would like to convert to GPT.

ORIGINAL INSTRUCTIONS (Only shown for informational purposes. DO NOT USE!)

The Pi will boot from a USB drive formatted with GPT. I took the following steps – there may be a better/more efficient way, but this works as a proof of concept:

1. Find out the size of your /boot partition, in sectors. If you’re currently booting from SD, “sudo fdisk -l /dev/mmcblk0p1” will tell you this; mine was 524288 sectors (with a sector size of 512 bytes).
2. Partition your USB drive using the GPT scheme in fdisk. This will erase everything on the drive, so make sure there’s nothing on there that you need.
3. Create a first partition at the beginning of the disk, and be sure it’s the same size in sectors as your existing boot partition.
4. Set the first partition’s type to “Microsoft basic data” (type number 11)
5. Create a partition for your root filesystem to live on, plus any other partitions you want.
6. Unmount your boot partition and use dd to copy it over: “sudo dd if=/dev/mmcblk0p1 of=/dev/sda1” Replace the partition names with your actual partitions if they differ.
7. Format your new root filesystem, ready to accept data, eg “mkfs.ext4 /dev/sda2” (assuming sda2 is your new root partition)
8. Copy across your existing filesystem:

$ sudo mkdir -p /mnt/new
$ sudo mount /dev/sda2 /mnt/new
$ sudo rsync -avHAX / /mnt/new/ --exclude=/boot --exclude=/mnt --exclude=/dev --exclude=/proc --exclude=/sys
$ sudo mkdir -p /mnt/new/{boot,mnt,dev,proc,sys}
$ sudo mount /dev/sda1 /mnt/new/boot

9. Edit /mnt/new/boot/cmdline.txt and change “root=/dev/mmcblk0p1” to “root=/dev/sda2”
10. Edit /mnt/new/etc/fstab and change the lines with /dev/mmcblk0* to use /dev/sda* instead.

The USB drive now contains a clone of your Pi filesystem – turn off the Pi, take out the SD card, and when you turn it back on it should boot up exactly as normal, except from your nice big new drive!

If you need to rename your Linux user, just issue the following commands after logging in as the root user:

# usermod -l <new-name> <old-name>
# usermod -d /home/<new-name> -m <new-name>
# groupmod -n <new-name> <old-name>

Reference

https://forums.raspberrypi.com/viewtopic.php?t=319435

https://forums.raspberrypi.com/viewtopic.php?t=196778

Preparing your Raspberry Pi for Proxmox

1. Our first task before installing Proxmox onto the Raspberry Pi is to update the package list cache and upgrade any out-of-date packages.

You can perform both tasks by using the following two commands within the terminal.

$ sudo apt update
$ sudo apt upgrade

2. Your next step is to ensure that curl is installed on your Pi. We will be using curl to grab the GPG key for the Proxmox ports repository that we will be relying on.

You can install this package by using the following command within the terminal.

$ sudo apt install curl

3. Before proceeding with this tutorial, you must set up your Raspberry Pi to use a static IP address.

The best way to do this is using DHCP reservation in your router. However, we have a guide that shows you how to do this through your Raspberry Pi if you don’t have access to your router. Continue reading →