This is a very rough tutorial for myself when setting up the "NAS" on Raspi4. Don't copy all steps if you want RAID on the NAS (for the moment)
- Burn the Raspberry Pi image onto the card. Follow this guide.
- Edit the Wi-Fi / SSH / password settings etc.
- Install mDNS (`avahi-daemon`). Remember to enable the line `publish-workstation=yes` in the `/etc/avahi/avahi-daemon.conf` file so that the hostname is searchable in the LAN (limited by the DNS of the router).
- Modify the hostname:

  ```shell
  sudo hostnamectl set-hostname <HOSTNAME>
  ```

- Now try to ssh into the Raspberry Pi by

  ```shell
  ssh ubuntu@<HOSTNAME>.local
  ```
Since I don't have several disks of the same size, I just use a single HDD as the device. Disk encryption is added on top of it.

- Create a new partition table and partition using `fdisk`.
- Set up the LUKS container on the partition:

  ```shell
  sudo cryptsetup luksFormat /dev/sd?x
  ```

- (Optional) Add a key using a key file. The keyfile can be any random file:

  ```shell
  sudo cryptsetup luksAddKey /dev/sd?x /path/to/keyfile
  ```

- Test that the keys are added. You should see 2 key slots (1 passphrase + 1 keyfile):

  ```shell
  sudo cryptsetup luksDump /dev/sd?x
  ```

- Test that the key file works. The keyfile has to be given as an absolute path:

  ```shell
  sudo cryptsetup luksOpen /dev/sd?x <nickname> --key-file=</abs/path/to/keyfile>
  ```

  Now a new mapped device should appear as `/dev/mapper/<nickname>`.
- Now format the LUKS container with the desired file system, e.g. `ext4`:

  ```shell
  sudo mkfs.ext4 /dev/mapper/<nickname>
  ```

- Test mounting and writing into the encrypted file system. Try

  ```shell
  sudo mkdir /media/<mountpoint>
  sudo mount /dev/mapper/<nickname> /media/<mountpoint>
  ```

  and use `dd` to write a test file (this still needs `sudo` for now).
- Now that everything is fine, close it again:

  ```shell
  sudo umount /media/<mountpoint>
  sudo cryptsetup luksClose <nickname>
  ```
- The Raspberry Pi may lose the connection to the HDD if power management is bad, and the HDD will then no longer be found under a fixed `/dev/sd?x` location. In this case, use the UUID of the partition as a permanent marker. Run

  ```shell
  sudo blkid
  ```

  to find the UUID of the desired partition, such as:

  ```
  /dev/sda1: UUID="e2a416f5-cefa-4ad1-910b-c833305baaf4" TYPE="crypto_LUKS" PARTUUID="c3e8465b-e343-f04a-984b-9b7590bdf9fb"
  ```

  The string starting with `e2a4` will be the identifier of the partition.
- Edit `/etc/crypttab` to add the following line. The keyfile needs to have mode 400 so that only root can read it:

  ```
  <nickname> UUID=<e2a4....> </abs/path/to/key> luks
  ```

- Edit `/etc/fstab` to add the following line:

  ```
  /dev/mapper/<nickname> /media/<mountpoint> ext4 user,auto 0 2
  ```

- Now test the automount by running

  ```shell
  sudo mount -av
  ```

- From now on the default permission on the mountpoint will be 755, so it is important to create a samba or afp user for later use.
- Remember to back up your key file to another, safer location. If you remove the first key slot (passphrase) on the LUKS container, only the key file can unlock it.
- Optionally you may want to back up the LUKS header.
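As an added example (not from the original notes) covering the keyfile, `blkid` and `/etc/crypttab` / `/etc/fstab` steps above: a small POSIX shell script that creates a 0400 keyfile, picks the UUID out of `blkid` output only when the partition really is `crypto_LUKS`, refuses to emit entries if the keyfile is not 0400, and prints the two lines in the formats used above. The device names, nickname, mount point, keyfile path and the second `blkid` line are constructed placeholders; the first `blkid` line is the one shown above. The `cryptsetup` steps themselves need root and a real disk, so they are not repeated here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helpers for the keyfile,
# blkid and crypttab/fstab steps. Device names, nickname, mount point and
# the second blkid line are constructed placeholders.

# Create a random keyfile that only its owner can read (mode 0400).
# For the real NAS run this as root, since crypttab is read by root.
make_keyfile() {
    keyfile=$1
    bytes=${2:-4096}
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && head -c "$bytes" /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Succeed only if the file is exactly mode 0400 (the crypttab requirement).
keyfile_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "400" ]
}

# Read blkid output on stdin and print the UUID of the given device,
# but only if blkid reports it as a LUKS container (TYPE="crypto_LUKS").
# The leading space in the pattern keeps PARTUUID="..." from matching.
luks_uuid() {
    awk -v dev="$1:" '
        $1 == dev && /TYPE="crypto_LUKS"/ && match($0, / UUID="[^"]+"/) {
            print substr($0, RSTART + 7, RLENGTH - 8)
        }'
}

# The crypttab line from the tutorial: <nickname> UUID=<uuid> <keyfile> luks
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# The fstab line from the tutorial for the mapped device.
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 user,auto 0 2\n' "$1" "$2"
}

# Tie it together: refuse to print entries when the keyfile is not 0400
# or the device is not a LUKS container.
gen_entries() {
    dev=$1; nick=$2; keyfile=$3; mnt=$4; blkid_out=$5
    keyfile_mode_ok "$keyfile" || { echo "keyfile must be mode 0400" >&2; return 1; }
    uuid=$(printf '%s\n' "$blkid_out" | luks_uuid "$dev")
    [ -n "$uuid" ] || { echo "$dev is not a crypto_LUKS partition" >&2; return 1; }
    crypttab_entry "$nick" "$uuid" "$keyfile"
    fstab_entry "$nick" "$mnt"
}

# Sample blkid output: the first line is the one shown in the tutorial, the
# second is a constructed non-LUKS partition that must be ignored.
SAMPLE_BLKID='/dev/sda1: UUID="e2a416f5-cefa-4ad1-910b-c833305baaf4" TYPE="crypto_LUKS" PARTUUID="c3e8465b-e343-f04a-984b-9b7590bdf9fb"
/dev/mmcblk0p2: UUID="00000000-1111-2222-3333-444444444444" TYPE="ext4" PARTUUID="00000000-02"'

# Demo run (only when invoked as `sh script.sh demo`): uses a temp keyfile.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_keyfile "$tmp/nas.key"
    gen_entries /dev/sda1 nasdata "$tmp/nas.key" /media/nas "$SAMPLE_BLKID"
    rm -rf "$tmp"
fi
```

Running it with `demo` prints the `crypttab` and `fstab` lines for the sample; swap in the real device, nickname, keyfile path and mount point when generating the lines for the NAS, and copy the keyfile away before relying on it as the only key.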
1. Install `samba` using

   ```shell
   sudo apt install samba
   ```

   It could already be in-box when using the Ubuntu Server version.
2. Edit the file `/etc/samba/smb.conf` to contain sections for the customized shares, e.g.

   ```ini
   [My Share]
   comment = NAS
   path = /media/xxx/yyy
   read only = no
   browsable = yes
   ```

   It is advised that the path is a subfolder instead of the root of your partition mount point, to prevent unwanted deletion of folders.
3. Create a new user by

   ```shell
   sudo adduser <samba-user-name>
   ```

   You will be prompted to set the login password for this user.
4. Make sure the new user is not a sudoer. Check the output of

   ```shell
   groups <samba-user-name>
   ```

   and make sure it is not inside the `root` or `adm` groups.
5. Now assign a SAMBA password to the user who will mainly be accessing the samba share:

   ```shell
   sudo smbpasswd -a <samba-user-name>
   ```

   which will prompt for the new SAMBA password for the samba user. Make sure the passwords for steps 3 and 5 are different.
6. For each share `/media/xxx/yyy`, change the owner to the new samba user and assign a mask at least as strict as 755:

   ```shell
   sudo chown -R <samba-user-name>:<samba-user-group> /media/xxx/yyy
   sudo chmod -R 755 /media/xxx/yyy
   ```

Now you should be able to connect to the samba server from the client machine with read-write access.
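As an added example (not from the original notes) for steps 2, 4 and 6 above: POSIX shell checks that the samba user is not in a privileged group (parsed from a `groups`-style line), that the share path is a subfolder strictly below the mount point, and that the share directory is no more permissive than 755. The usernames, group lists and paths are constructed samples; `sudo` is checked in addition to the `root` and `adm` groups named above because on Ubuntu membership in `sudo` is what grants sudo rights.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: checks for steps 2, 4
# and 6 of the samba setup. Group lists and paths are constructed samples.

# Step 4: given a line in the format printed by `groups <user>`
# ("user : group1 group2 ..."), succeed only if none of the privileged
# groups are present. root and adm are the ones named in the tutorial;
# sudo is added because on Ubuntu membership in it grants sudo rights.
not_privileged() {
    glist=${1#*:}            # drop the "user :" prefix if present
    for g in $glist; do
        case $g in
            root|adm|sudo) return 1 ;;
        esac
    done
    return 0
}

# Step 2: the share path must be a subfolder strictly below the mount
# point, never the mount point itself (so a client cannot delete the root).
share_path_ok() {
    mnt=${1%/}; share=${2%/}
    case $share in
        "$mnt"/?*) return 0 ;;
    esac
    return 1
}

# Step 6: the directory mode must be at least as strict as 755, i.e. no
# write bit for group or others. Handles setgid/sticky forms like 2755.
mode_at_most_755() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# Run every check for one share; reports what failed and returns non-zero
# if anything did. Usage: check_share "<groups line>" <mountpoint> <sharepath>
check_share() {
    rc=0
    not_privileged "$1" || { echo "user is in a privileged group" >&2; rc=1; }
    share_path_ok "$2" "$3" || { echo "$3 is not a subfolder of $2" >&2; rc=1; }
    mode_at_most_755 "$3" || { echo "$3 is group/world writable (or missing)" >&2; rc=1; }
    return $rc
}

# Demo (only when invoked as `sh script.sh demo`): a constructed good case
# and a constructed bad case where the user is also in the sudo group.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/share" && chmod 755 "$tmp/share"
    check_share "nasuser : nasuser" "$tmp" "$tmp/share" && echo "ok"
    check_share "bob : bob adm cdrom sudo" "$tmp" "$tmp/share" || echo "rejected"
    rm -rf "$tmp"
fi
```

On the real box, feed `check_share` the output of `groups <samba-user-name>`, the mount point from `/etc/fstab` and the `path` from `smb.conf`; it needs no root, because it only reads group membership and directory modes.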
Practically, the AFP protocol provides no superior read/write performance compared with samba when the client machine is running macOS. However, you may want to use the AFP protocol if you're interested in enabling Time Machine backups.

- Install `afpd` via `netatalk`:

  ```shell
  sudo apt install netatalk
  ```

- (Optional) Unlike `smbd`, `afpd` uses the default system-wide user authentication. You can create another user specifically for the AFP service using the `sudo adduser <afp-user-name>` command.
- Edit `/etc/netatalk/afp.conf` to something like the following:

  ```ini
  [Time Machine]
  path = /media/mountpoint/Time Machine
  time machine = yes
  vol size limit = 500000
  valid users = afp-user-name
  ```

  This starts a share called "Time Machine" under the folder "/media/mountpoint/Time Machine" (no escaping for the space!), with only one allowed user and a maximum volume size of 500 GB.
- You can force `afpd` to take the new config file by sending the `SIGHUP` signal to the `afpd` process:

  ```shell
  # -HUP selects the signal; "pkill -s 1" would instead match session ID 1
  sudo pkill -HUP afpd
  ```

- Don't forget to `chown` the path to your afp user!

Now you can mount the AFP share on macOS and set the "Time Machine" share as the backup target.