Sunday, August 13, 2017

Raspberry PI Stratum 2 NTP server

I had a spare Raspberry Pi Model B sitting around not doing anything, so I decided to set it up as a Stratum 2 NTP server. Since I didn't have a GPS breakout or Pi hat I pointed it to five Stratum 1 sources.

1. Setting up the Raspberry Pi

Download and install Raspbian to the SD card:

sudo dd bs=1m if=2017-07-05-raspbian-jessie-lite.img of=/dev/disk2

If you don't want to plug the Pi into a monitor and would rather have a headless system from the start, follow my guide here to enable SSH from the SD card. Then log in as the default pi user and run raspi-config to complete the initial setup.

sudo raspi-config
sudo apt-get update ; sudo apt-get upgrade


Part of hardening the Pi is to set up a new user and give it sudo privileges. Remove the pi user only after you have verified that the new account actually has super user privileges. (There have been a few times that I haven't verified sudo on the new account and had to start over.)

sudo useradd jeffrey -s /bin/bash -m -G adm,sudo
sudo passwd jeffrey

Log out and log back in as the new user you set up, then remove the default pi user:

sudo userdel pi
sudo rm -rf /home/pi


2. Configuring NTP

NTP is already installed by default in Raspbian Jessie. You'll want to pick at least 3 different NTP servers for accurate measurements; 5 is even better. This list is a good resource to pick your servers from; just be sure to pick the ones listed as Open and not Restricted Access, otherwise the NTP query won't work.

Edit the ntp.conf file:

sudo nano /etc/ntp.conf

Make the changes shown in my ntp.conf file, provided here for reference:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server time.nc7j.com
server time-a.timefreq.bldrdoc.gov
server t1.timegps.net
server t2.timegps.net
server timekeeper.isi.edu

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#0.debian.pool.ntp.org
#1.debian.pool.ntp.org
#2.debian.pool.ntp.org
#3.debian.pool.ntp.org

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
restrict 192.168.1.0 mask 255.255.255.0

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
broadcast 192.168.1.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Note that the restrict line for 192.168.1.0/24 carries no flags, so hosts on that subnet can also interrogate ntpd with ntpq rather than just ask it for time; give it the same kod notrap nomodify nopeer noquery flags as the default lines if serving time is all you want. Save the file and restart NTP:

sudo /etc/init.d/ntp restart

Test the config and be sure that everything is working by querying the NTP servers listed with:

ntpq -pn

The output should look similar to this:


This lists the IP addresses of the NTP servers you have configured in the ntp.conf file and where they are getting the time from. With this being Stratum 2, the ones listed are Stratum 1 and are receiving measurements from GPS or NIST.
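Rather than eyeballing the peer table, here is an added shell check (not part of the original post) that parses ntpq -pn output and confirms the Pi is a healthy stratum 2; the peer lines are constructed samples using documentation addresses, not the author's upstream servers.

```shell
#!/bin/sh
# Added check (not from the original post): parse `ntpq -pn` output and confirm
# the Pi is a healthy stratum 2. The peer lines below are constructed samples
# with documentation addresses, not the author's upstream servers.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   41   64  377   31.204   -0.812   0.437
+203.0.113.11    .NIST.           1 u   12   64  377   45.110    0.215   0.901
+203.0.113.12    .PPS.            1 u   30   64  377   28.771   -1.004   0.612
 203.0.113.13    .GPS.            1 u   55   64  357   60.003    2.913   3.201
 203.0.113.14    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# The same table right after a restart: nothing reachable, no peer selected yet.
SAMPLE_NOSYNC='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.0.113.10    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.11    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Peers whose reach register is 377, i.e. the last eight polls were all answered.
healthy_peers() {
    printf '%s\n' "$1" | awk 'NR > 2 && $7 == "377" { n++ } END { print n + 0 }'
}

# Stratum of the peer ntpd actually synchronises to (the line tagged "*");
# prints nothing when no peer has been selected.
sync_stratum() {
    printf '%s\n' "$1" | awk '/^\*/ { print $3 }'
}

# Succeeds only when at least three upstreams are fully reachable and the
# selected peer is stratum 1, which is what makes this Pi stratum 2.
ntp_healthy() {
    [ "$(healthy_peers "$1")" -ge 3 ] && [ "$(sync_stratum "$1")" = 1 ]
}

# Usage on the Pi itself: ntp_healthy "$(ntpq -pn)" && echo "stratum 2 OK"
```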

To finish, you'll need to point your clients to the new name or IP of the Raspberry Pi to sync the clock.

Saturday, August 12, 2017

NextCloud 12 on the Raspberry Pi

A while back I got a 1TB USB drive from Western Digital that is designed for use with a Raspberry Pi and never completely set it up, so it just sat in a box. Lately I have been revisiting projects that I never completed, and this was one of them. I decided to use the drive for a NextCloud setup on a Raspberry Pi 2. There are guides out there for Nginx (like this one), which I tried and was unsuccessful in completing. After attempting an Nginx setup, I decided to go with Apache2 instead.

After the initial setup of the Raspberry Pi, Raspbian Jessie, and a little hardening:

sudo apt-get update
sudo apt-get upgrade

1. Install Apache

The first thing to do is to set up a LAMP server using Apache, MariaDB, and PHP5. Start by installing Apache:

sudo apt-get install apache2

Then add a line to /etc/apache2/apache2.conf to suppress a warning when checking the Apache configuration:

sudo nano /etc/apache2/apache2.conf

and add:

ServerName server_domain_or_IP

Test the configuration with:

sudo apache2ctl configtest

All you should see in the output is:

Output
Syntax OK

Then restart Apache with the command:

sudo systemctl restart apache2

2. Install MySQL

Again using apt, we can install the MySQL server and client package.

sudo apt-get install mysql-server mysql-client

During the install you will be asked to enter the root password for MySQL; choose a strong password and write it down somewhere, as you'll need it later to set up the NextCloud database and user. Afterwards, run the bundled security script to complete the installation:

mysql_secure_installation

This walks you through removing the sample databases and anonymous users and configuring the database server with password policies, etc.

3. Install PHP

PHP is the driver behind NextCloud; it allows for the dynamic creation of pages from scripts that query the MySQL database. Using apt, we'll install all the necessary packages for PHP5:

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt php-apc php-pear \
php-xml-parser php5-cgi php5-cli php5-common php5-curl php5-dev php5-memcache \
php5-mysql php5-gd php5-imagick php5-intl

Edit the Apache dir.conf file so that the directory index prefers index.php over index.html:

sudo nano /etc/apache2/mods-enabled/dir.conf

The file should look like this before saving:

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
</IfModule>

Restart the Apache service again and then test the PHP configuration:

sudo systemctl restart apache2

In the docroot (/var/www/html) create a new info.php file and paste in the following PHP snippet:

sudo nano /var/www/html/info.php

<?php phpinfo(); ?>

Navigate to http://your_server_IP_address/info.php and you should see the PHP config of the server. If everything is okay, remove the info.php file, since it discloses the server's PHP configuration to anyone who can reach it:

sudo rm /var/www/html/info.php

If you choose to use PHP7, you'll have to enable the testing repo by editing /etc/apt/sources.list and adding this to the end of the file:

deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi

Then create the file /etc/apt/preferences and add the following to keep the Jessie repo as the default:

Package: *
Pin: release n=jessie
Pin-Priority: 600

Update the package list

sudo apt-get update

Install PHP7 packages

sudo apt-get install -t stretch php7.0 php7.0-bz2 php7.0-cli php7.0-curl \
php7.0-fpm php7.0-gd php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt \
php7.0-mysql php7.0-opcache php7.0-xml php7.0-zip php-apcu php-pear

4. Install NextCloud

Download the latest release of NextCloud from https://download.nextcloud.com/server/releases/

cd /tmp
curl -LO https://download.nextcloud.com/server/releases/nextcloud-12.0.1.tar.bz2

It is optional but highly recommended to check the integrity of the archive. Note that a checksum fetched from the same server only catches a corrupted or truncated download; to verify who published the archive, check the .asc signature Nextcloud publishes alongside each release against the Nextcloud signing key.

curl -LO https://download.nextcloud.com/server/releases/nextcloud-12.0.1.tar.bz2.sha256
shasum -a 256 -c nextcloud-12.0.1.tar.bz2.sha256

The output should look similar to:

Output
nextcloud-12.0.1.tar.bz2: OK

Remove the sha256 checksum file

rm nextcloud-12.0.1.tar.bz2.sha256

Extract the archive, which contains all the install scripts needed to complete the installation, straight from /tmp into the Apache docroot directory /var/www:

sudo tar -C /var/www -xvjf /tmp/nextcloud-12.0.1.tar.bz2

This places all the files in the /var/www/nextcloud directory. Since the archive is not specific to any Linux distro, the permissions are not correct and need to be fixed; the DigitalOcean guide provides a handy bash script that does this. In the temp directory create a new file:

nano /tmp/nextcloud.sh

Paste the following into the file:

#!/bin/bash
ocpath='/var/www/nextcloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ocpath/data
mkdir -p $ocpath/assets
mkdir -p $ocpath/updater

printf "chmod Files and Directories\n"
find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
chmod 755 ${ocpath}

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ocpath}/
chown -R ${htuser}:${htgroup} ${ocpath}/apps/
chown -R ${htuser}:${htgroup} ${ocpath}/assets/
chown -R ${htuser}:${htgroup} ${ocpath}/config/
chown -R ${htuser}:${htgroup} ${ocpath}/data/
chown -R ${htuser}:${htgroup} ${ocpath}/themes/
chown -R ${htuser}:${htgroup} ${ocpath}/updater/

chmod +x ${ocpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ocpath}/.htaccess ]
 then
  chmod 0644 ${ocpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
fi
if [ -f ${ocpath}/data/.htaccess ]
 then
  chmod 0644 ${ocpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
fi

Run it with the bash command

sudo bash /tmp/nextcloud.sh

The output should look like this

Creating possible missing Directories
chmod Files and Directories
chown Directories
chmod/chown .htaccess
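As an added check that is not part of the original post or the DigitalOcean script, the shell function below lists every path under the Nextcloud tree whose mode departs from what nextcloud.sh just set; ownership is not checked here, so confirm that with ls -l on the real tree.

```shell
#!/bin/sh
# Added check, not part of the original post or of the nextcloud.sh script:
# list every path under the Nextcloud tree whose mode departs from what the
# script set (directories 0750, files 0640, occ executable, .htaccess 0644).
audit_nextcloud_perms() {
    ocpath="$1"
    # Every directory below the top level should be 0750 (the top level is 0755).
    find "$ocpath" -mindepth 1 -type d ! -perm 0750
    # Every regular file should be 0640, apart from the three known exceptions.
    find "$ocpath" -type f ! -perm 0640 \
        ! -path "$ocpath/occ" \
        ! -path "$ocpath/.htaccess" \
        ! -path "$ocpath/data/.htaccess"
    # occ got chmod +x, so it must at least be owner-executable.
    if [ -f "$ocpath/occ" ]; then
        find "$ocpath/occ" ! -perm -0100
    fi
    # The two .htaccess files the script handles explicitly must be 0644.
    for f in "$ocpath/.htaccess" "$ocpath/data/.htaccess"; do
        if [ -f "$f" ]; then
            find "$f" ! -perm 0644
        fi
    done
}

# Number of deviating paths; 0 means the tree matches what nextcloud.sh set.
count_perm_deviations() {
    audit_nextcloud_perms "$1" | wc -l | tr -d ' '
}

# Usage on the Pi: count_perm_deviations /var/www/nextcloud
```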

Next we need to create a new site configuration for NextCloud in the /etc/apache2/sites-available directory:

sudo nano /etc/apache2/sites-available/nextcloud.conf

Paste the following into the file:

Alias /nextcloud "/var/www/nextcloud/"

<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

Save and exit, then enable the new site with

sudo a2ensite nextcloud

Additionally enable the mod_rewrite Apache module. This is required for Nextcloud to properly function.

sudo a2enmod rewrite

The next step is to create the MySQL database. This can be done with the mysql client, logging in with the root password; replace 'password' in the GRANT statement with a strong password of your own for the nextcloud database user:

mysql -u root -p

CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

With the database configured, exit the mysql CLI and finish configuring NextCloud by browsing to the Raspberry Pi's IP or server name:

http://server_domain_or_IP/nextcloud

The NextCloud setup page should display, similar to the image below. From here you can complete the setup entering an admin username, password and the database account that was created earlier, as well as the folder for where you want to store the data.


Enjoy! This replicates the function of Dropbox or Google Drive while giving you full control of your data. If you would like to expand on the core features of NextCloud, check out and install plugins from Nextcloud's app store.

Install Chef Client on Raspberry Pi

Chef is a great tool for managing nodes (mostly hundreds, if not thousands), but it also works great for managing two or three in a home lab. This post goes over installing the Chef Client on a Raspberry Pi 2 or 3 running Raspbian, based on a tutorial on the install found here. At the time of writing I am using Raspbian Jessie and the Ruby 2.3.4 source code. There may be newer versions out there, but these are the ones that worked for me.

On the console of the Raspberry Pi, log in and elevate privileges to root, because most of the commands that need to be run require super user rights.

sudo su

Update the package list from the official Raspbian repository

apt-get update

Install the prerequisites to compile Ruby from source. (These packages may already be installed depending on the version of Raspbian you are using; there is no harm in running the command if that is the case.)

apt-get install gcc make libssl-dev

Once that is complete, download the Ruby source code from here. As noted earlier, the version I am using is 2.3.4, but there could be a newer version. When the download is complete, extract the archive and copy it to /usr/src to compile.

cd /tmp
wget https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.4.tar.gz
tar -xvzf ruby-2.3.4.tar.gz
cp -r ruby-2.3.4 /usr/src/

Prepare the compile with configure, disabling the features that are not needed (the command is split across two lines). This may take up to ten minutes, depending on the SD card and the Pi model you have.

cd /usr/src/ruby-2.3.4
./configure --enable-shared --disable-install-doc \
--disable-install-rdoc --disable-install-capi

Compile the source with make

make -j4 && make install

The -j4 flag lets make run four jobs in parallel, one per core on the Pi 2 and 3. Grab a cup of coffee or take a break, because it can take up to thirty minutes to complete. When the compile is complete, we can install the Chef Client using gem:

gem install chef

This process can take up to another thirty minutes to complete. Once it finishes you can verify it was installed with:

chef-client --version

Exit from the root console and move on to the final step.

exit

Finally, configure the node against your Chef server with the knife bootstrap command. Replace {user} and {password} with your credentials; the Chef server and node names will also differ in your environment.

knife bootstrap srv-chef.home.lab -N srv-pi.home.lab -x {user} -P {password}

It is normal to see some errors from the bootstrap command because the ARM client is not part of the official Chef repo. When it completes, if you have Chef Manage installed you can view more detailed information about the Raspberry Pi there, or alternatively use knife to show the node's information on your Chef server:

knife client show srv-pi