Server:Server Status

Hacking the HiWonder MasterPi!

For Lucas' birthday, he got a HiWonder MasterPi robotic arm. He wanted to learn to code and wanted a robotic arm, so this is the one I found. It's a VERY cool product, however out of the box it had a LOT of issues. We did NOT get the included RaspberryPi, meaning we had to get and provision one ourselves (we got a 4b, and I strongly recommend this over a 5 as a python package is not yet built for the 5), and it was a mess out of the box. I googled a lot, but didn't find a lot of resources about this product, so I figured I would make a guide to help other people who want to go on this journey.

IMPORTANT NOTE: it's impossible to get to the sdcard of the pi once it's assembled, so do all the pi provisioning first. At least get it onto the internet so you can ssh/vnc into it later.

Read more »

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Proxmox VE and ZFS over iSCSI on TrueNAS Scale: My steps to make it work.

This was originally posted Here but I'm cross-posting it to my site for preservation and self-reliance.

I found a lot of searching and testing with people struggling on this, but I was able to make this work. I wanted to document my exact steps in the hope it helps someone else. I have a VM povisioned, working, with snapshots and migrations.

First, on TrueNAS Scale, I have a ZFS dataset with a bunch of space. Initially I wanted to create a zvol under it and limit the space for VM's, but interestingly this doesn't work, you get the error "parent is not a filesystem." I dunno, but mapping it directly to the dataset works, so keep that in mind; either make it's own dataset or expect your vm drives to be in the root of the dataset next to other storage. Record the exact name of the dataset for later, visible under "Path" in the details for the dataset.

Then, go to Shares, Block (iSCSI). Most of my config was sourced from here https://www.truenas.com/blog/iscsi-shares-on-truenas-freenas/ If you go through the Wizard, give the share a "Name", the extent type is "Device", The device should be your dataset which will be in the dropdown, the sharing platform should be "Modern OS: Extent block size 4k, TPC enabled, no Xen compat mode, SSD speed". I created the target outside of this wizard which you can see about just below.

Read more »

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

OpenLDAP, Kerberos and SASL – My Experience In The Homelab

I previously posted my experiences setting up OpenLDAP on Ubuntu Server, using my own custom schema. This whole ordeal is for a couple of reasons...I wanted to learn about openLDAP and how schema works, and I wanted to eventually create something akin to "Active Directory" from my home that wasn't just "use Samba" or "use FreeIPA." I don't have anything against Samba, but it feels like using Samba is trying to acheive Microsoft functionality with Microsoft compatibility, and I don't need Microsoft compatibility, so I wanted to do it without. I have no Microsoft devices in my ecosystem and have no plans to add any. I don't have anything against FreeIPA either, but their docs target rpm distros and I tend to live in deb land, and I found the initial install frustrating unless I switched platforms...it felt like lock-in. There are other solutions and this is a problem that has been solved other ways but with shortcomings, but I wanted to really do something "from scratch" so I share this not as a recommendation, but as a start-to-finish resource with some nuggets of wisdom that may help someone else whose journey brushes up against parts of mine.

When I started, I was just authenticating web services like nextcloud, jellyfin, SAML, etc. Tying those into openLDAP was very easy and has worked very well for a long time. Now though, I want to use Kerberos for Linux PAM authentication as I am about to spin up a bunch of small servers (I got a new hypervisor and am redoing a lot of infrastructure, I don't want different credential stores all over the place). Because of this, I'm bolting on MIT Kerberos as my network authentication provider; that being said, getting OpenLDAP and Kerberos to work together and only use 1 password was not intuitive. Kerberos will use LDAP as it's database, and authentication will happen through SASL. Ultimately, requests will go to openLDAP, then depending on the account, the password will either be validated in OpenLDAP for web users, or it will defer to SASL for users doing both web/PAM stuff, which will then authenticate against the Kerberos passoword it stores in LDAP. Circular much?

Here is the vision, to help you see what I'm working towards. Ultimately I have about 20 users, all of which might access web services like nextcloud, but 4 core users which will actually log into computers. One of those 4 (me) has sudo rights on any computer. All 20 users should be able to log into nextcloud, jellyfin, etc without issue, and for now I'm managing password resets if they come to my house (I had previously used phpldapadmin for password resets, but that was struggling on php7+ when I last tried). For the internal users, they will be able to sit at ANY computer and log in using their same username and password. If an web only user tries to sit and log into a computer, the'll get username not found. If any of the 3 non-sudo users tries sudo, they'll get an unauthorized error. If my account tries sudo, I can become root. I can handle password resets for the internal users via kpasswd or kadmin.local.

Read more »

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Improving the Motorola Blink Baby Monitor/Camera (Part…6?!?)

After all this time...why am I still working on this? The cameras are dead, Motorola shut down the monitoreverywhere service, so the cameras are dead! You can't register them, or join to cameras remotely, right?

Well, they still work on the LAN, so if they're already on the wifi, you can use them as little RTSP streams. The problem is...I want to change my SSID's, and there's no way to rejoin to wifi without the app connecting with the (now offline) monitoreverywhere service.

Enter crazy old Joe. I had a Titanium Backup of the apk and my config from an android device I don't even have anymore. I was able to extract this and decompile it to learn how the app handles registration, then emulate that. First, from previous research, when you factory reset a camera it broadcasts a "Camera-######" SSID when you can connect to as it's open. You'll get a 192.168.2.# address, and the camera will be "192.168.2.1". From there, you can start performing operations on the camera, for example, If you go here in a web browser: http://192.168.2.1/?action=command&command=enable_telnet You will then be able to telnet to the camera.

Read more »

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My experience/guide setting up OpenLDAP for PC/webapp authentication on Ubuntu 20.04.

This was originally posted Here but I'm cross-posting it to my site for preservation and self-reliance.

I've been experimenting with user and account management solutions for my home lab, and I was looking for something that could manage posix users and web users. I wanted something with group management and OU hierarchies that sort of follow what you would use in Active Directory. I found a lot of issues with some of the more well recommended solutions out there:

Read more »

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -