@alchem0x2A
Last active April 14, 2023 14:53
NAS on Raspberrypi with Ubuntu Server 20.04

This is a very rough tutorial for myself when setting up the "NAS" on Raspi4. Don't copy all steps if you want RAID on the NAS (for the moment)

Network setting part

  1. Burn the image of Raspberry Pi onto the card. Follow this guide

  2. Edit the Wifi / SSH / password etc

  3. Install the mDNS daemon avahi-daemon. Remember to enable the line

       publish-workstation=yes
    

    in the /etc/avahi/avahi-daemon.conf file so that the hostname is searchable in the LAN (limited by the DNS of router)

  4. Modify hostname

    sudo hostnamectl set-hostname <HOSTNAME>
    
  5. Now try to ssh into the raspberry pi by

    ssh ubuntu@<HOSTNAME>.local
    

Disk setup

Since I don't have several disks of the same size, I just use a single HDD as the device. Disk encryption is added on top of it.

  1. Create a new partition table and partition using fdisk
  2. Setup the LUKS container of the partition using
    sudo cryptsetup luksFormat /dev/sd?x
    
  3. (Optional) Add a key using a key file
    sudo cryptsetup luksAddKey /dev/sd?x /path/to/keyfile
    
    The keyfile can be a random file.
  4. Test if the keys are added
    sudo cryptsetup luksDump /dev/sd?x
    
    You should see 2 key slots (1 passphrase + 1 keyfile)
  5. Test if the key file works
    sudo cryptsetup luksOpen /dev/sd?x <nickname> --key-file=<path/to/keyfile>
    
    The keyfile has to be an absolute path name. Now a new mapped device should appear as /dev/mapper/<nickname>
  6. Now format the LUKS container into desired file system, e.g. ext4 by
    sudo mkfs.ext4 /dev/mapper/<nickname>
    
  7. Test the mount and write into encrypted file system.
    sudo mkdir /media/<mountpoint>
    sudo mount /dev/mapper/<nickname> /media/<mountpoint>
    
    Try dd to write into a test file. (still need the sudo now)
  8. Now everything is fine
    sudo umount /media/<mountpoint>
    sudo cryptsetup luksClose <nickname>
    

Automount and share settings

  1. Raspberry Pi may lose connection to the HDD if power management is bad, and the HDD will no longer be found under a fixed /dev/sd?x location. In this case, use the UUID of the partition as a permanent marker. Run sudo blkid to find the UUID of the desired partition, such as:
    /dev/sda1: UUID="e2a416f5-cefa-4ad1-910b-c833305baaf4" TYPE="crypto_LUKS" PARTUUID="c3e8465b-e343-f04a-984b-9b7590bdf9fb"
    
    The string starting with e2a4 will be the identifier of the partition.
  2. Edit the /etc/crypttab to add the following line:
    <nickname> UUID=<e2a4....> </abs/path/to/key> luks
    
    The keyfile needs to have mode 400 so that only root can access it.
  3. Edit the /etc/fstab to add the following line:
    /dev/mapper/<nickname> /media/<mountpoint> ext4 user,auto 0 2
    
  4. Now test the automount by running
    sudo mount -av
    
  5. From now on the default permission on the mountpoint will be 755. So it is important to create a samba or afp user for later use.
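
A check for the /etc/crypttab rules from step 2 above (absolute keyfile path, mode 400, device referenced by UUID), as an added example that is not part of the original gist. The function name audit_crypttab and its optional expected-owner-UID argument are made up for this example; it assumes GNU stat, as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original gist): audit crypttab entries.
# Usage: sudo sh audit_crypttab.sh /etc/crypttab
# Assumes GNU stat (coreutils), as shipped with Ubuntu.

# audit_crypttab FILE [OWNER_UID]
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_crypttab() {
    local file want_uid rc name dev key opts mode key_uid
    file=${1:-/etc/crypttab}; want_uid=${2:-0}; rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # /dev/sdX can change after a reconnect; UUID= is stable.
        case $dev in
            UUID=*) ;;
            *) echo "WARN $name: device '$dev' is not referenced by UUID"; rc=1 ;;
        esac
        # "none" or "-" means a passphrase prompt: no keyfile to check.
        case $key in
            ''|none|-) continue ;;
            /*) ;;
            *) echo "FAIL $name: keyfile '$key' is not an absolute path"
               rc=1; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: keyfile '$key' not found"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key")
        key_uid=$(stat -c '%u' "$key")
        if [ "$mode" != 400 ]; then
            echo "FAIL $name: keyfile mode is $mode, expected 400"; rc=1
        fi
        if [ "$key_uid" != "$want_uid" ]; then
            echo "WARN $name: keyfile owner uid is $key_uid, expected $want_uid"; rc=1
        fi
    done < "$file"
    return "$rc"
}

# Run the audit only when a crypttab path is given on the command line.
if [ "$#" -gt 0 ]; then audit_crypttab "$@"; fi
```

Run it with sudo so that stat can reach a keyfile kept in a root-only directory.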

Safety concerns

  1. Remember to back up your key file to another, safer location. If you remove the first key slot (passphrase) on the LUKS container, only the key file can decrypt it.
  2. Optionally, you may want to back up the LUKS header.

Setup Samba and AFP

Samba

  1. Install samba using sudo apt install samba. It may already be installed on the Ubuntu Server version.
  2. Edit the file /etc/samba/smb.conf to contain sections for customized shares, e.g.
    [My Share]
       comment = NAS
       path = /media/xxx/yyy
       read only = no
       browsable = yes
    
    It is advised that the path is a subfolder instead of the root path of your partition mount point, to prevent unwanted deletion of folders.
  3. Create a new user by
    sudo adduser <samba-user-name>
    
    You will be prompted to set the login password for this user.
  4. Make sure the new user is not a sudoer. Check the output of
    groups <samba-user-name>
    
    and confirm the user is not in the root or adm groups.
  5. Now assign a special user who will be mainly accessing the samba share.
    sudo smbpasswd -a <samba-user-name>
    
    This prompts for the new Samba password for the samba user. Make sure the passwords for steps 3 and 5 are different.
  6. For each share /media/xxx/yyy, change the owner to the new samba user and assign a mode at least as strict as 755
    sudo chown -R <samba-user-name>:<samba-user-group> /media/xxx/yyy
    sudo chmod -R 755 /media/xxx/yyy
    
Now you should be able to connect to the samba server on the client machine with read-write access.

AFP

In practice, the AFP protocol offers no better read/write speed than Samba when the client machine is running macOS. However, you may want to use the AFP protocol if you're interested in enabling Time Machine backup.

  1. Install afpd via netatalk
    sudo apt install netatalk
    
  2. (Optional) Unlike smbd, afpd uses the default system-wide user authentication. You can create another user specifically for the AFP service using the sudo adduser <afp-user-name> command.
  3. Edit the /etc/netatalk/afp.conf to something like following:
    [Time Machine]
    path = /media/mountpoint/Time Machine
    time machine = yes
    vol size limit = 500000
    valid users = afp-user-name
    
    This defines a share called "Time Machine" at the folder "/media/mountpoint/Time Machine" (no escaping for the space!) with only one allowed user and a maximum volume size of 500 GB.
  4. You can force afpd to reload the config file by sending the SIGHUP signal to the afpd process
    sudo pkill -HUP afpd
    
  5. Don't forget to chown the path to your afp user!

Now you can mount the AFP share on macOS and set the "Time Machine" share as the backup point.
