Obtaining SSL Encryption Certificates for Apache on Arch Linux

This has been an issue for me for quite some time. I have been trying to get SSL working and get valid certificates so that I could secure a few things and offer better security. Additionally, these days, having secure http is an added benefit. Most web-based server functions prefer the use of https over http for the extra security as well. Here is how I got SSL and the proper encryption installed on Arch Linux with Apache. First, install what you need (assuming that you already have a LAMP stack).

$ yaourt -S certbot certbot-apache acme-tiny letsencrypt-cli openssl

Next, you need to obtain the certificates. Also, I port forwarded 80 and 443 through the router to the server. This would be a good time to make sure that port forward is good or else this won’t work properly.

# certbot certonly --email your.email@address.com --webroot -w /srv/http/site1/ -d www.website.com

If you have received the congratulations message, then you should have certificates in the designated folder. (Mine were located in /etc/letsencrypt/live/inject.run/fullchain.pem). Now we have to activate/use the certificates through Apache. Edit /etc/httpd/conf/httpd.conf and uncomment the following (I use nano and ctrl+w to search):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

and, while you’re in httpd.conf, search for "Listen 80" and add "Listen 443" right below that line. Now, this might seem like a duplication of effort, but it was the only way I got this to work:

In /etc/httpd/conf/extra/httpd-ssl.conf, find the Virtual Host Context section, and add your VirtualHost server information as follows:

DocumentRoot "/srv/http/site1"
ServerName site1.com:443
ServerAdmin YOUR.EMAIL@ADDRESS.COM
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/site1/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/site1/privkey.pem"

#SSLCertificateChainFile "/etc/letsencrypt/live/site1/chain.pem"
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

Note, the only two files you have to reference from your certificates are fullchain and privkey. The last thing before you restart all of your services is to add a separate VirtualHost in your httpd-vhosts.conf file. Edit /etc/httpd/conf/extra/httpd-vhosts.conf and add a second VirtualHost for the same website but with *:443 instead of *:80. Additionally, you are going to need to add your certificate information as well. Look below as an example:

<VirtualHost *:443>
    ServerName www.site1.com

    # OTHER OPTIONS FOR VHOST HERE IF NEEDED

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/site1/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/site1/privkey.pem"
</VirtualHost>

Notice I added the SSL stuff in the second VirtualHost entry. Now, if you choose, you can remove everything from the non-encrypted VirtualHost and add the following line below the ServerName to redirect all traffic to secure connections.

Redirect / https://www.site1.com/
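A quick way to confirm the vhost layout described above before restarting Apache, as an added example that is not part of the original post: every *:443 block should carry SSLEngine on plus both certificate directives, and every *:80 block should redirect to https. The function name audit_vhosts and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit_vhosts FILE prints one finding per problem and
# returns non-zero if any <VirtualHost> block fails the checks.
audit_vhosts() {
  awk '
    function report(msg) { print FILENAME ":" start ": <VirtualHost " addr "> " msg; bad = 1 }
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^#/ { next }                      # commented-out directives do not count
    low ~ /^<virtualhost[ \t]/ {             # block opens: reset per-block state
      invh = 1; start = NR; addr = $2; sub(/>.*/, "", addr)
      engine = cert = key = redir = 0; next
    }
    invh && low ~ /^sslengine[ \t]+on/           { engine = 1 }
    invh && low ~ /^sslcertificatefile[ \t]/     { cert = 1 }
    invh && low ~ /^sslcertificatekeyfile[ \t]/  { key = 1 }
    invh && low ~ /^redirect[a-z]*[ \t].*https:/ { redir = 1 }
    invh && low ~ /^<\/virtualhost>/ {       # block closes: evaluate it
      invh = 0
      if (addr ~ /:443$/) {
        if (!engine) report("has no SSLEngine on")
        if (!cert)   report("has no SSLCertificateFile")
        if (!key)    report("has no SSLCertificateKeyFile")
      } else if (addr ~ /:80$/ && !redir) {
        report("serves plain HTTP without a Redirect to https")
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: the :80 block still serves content and the :443 block
# lacks its key directive, so both are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName www.site1.com
    DocumentRoot "/srv/http/site1"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.site1.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/site1/fullchain.pem"
</VirtualHost>
EOF
audit_vhosts "$sample" || echo "fix the findings above, then run: apachectl configtest"
rm -f "$sample"
```

On a real system, point it at /etc/httpd/conf/extra/httpd-vhosts.conf; it checks layout only, so apachectl configtest is still needed for syntax.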

Hopefully, this helps get your SSL encryption working.

Home Assistant with Node-Red on Arch Linux (Part 1)

Running Hassio from a Raspberry Pi is really interesting, but after a short while the gap in capabilities became apparent when I realized everything I would want to automate was on the home server. While some people might find it nice to have a Raspberry Pi doing automation, there are a lot of scripts that I’d like to run from within Arch Linux. Things like ps4-waker or restarting specific system services. Regardless of my uses, I figured keeping track of this would be beneficial to someone.

Home Assistant:

Let’s get a few things set up before we dive into the installation. First, if you have the latest and greatest version of nodejs, you might want to consider switching to the stable release. I found great success with “community/nodejs-lts-boron 6.14.3-1”. You can install with:

$ sudo pacman -S nodejs-lts-boron

You will need a web server installed and working properly. (I am using nginx, but Apache should work just fine).

The AUR has a version of Home Assistant; however, it isn’t updated as frequently and might be missing some of the latest (and desirable) features. I decided to not use this version and installed Home Assistant with pip. You will need to install python and python-pip.

$ sudo pacman -S python python-pip
$ sudo pip install homeassistant

Before launching Home Assistant, it would be beneficial to create a user and set some privileges.

$ sudo useradd -r -s /bin/nologin hassio

Create the working directory for Home Assistant and set the permissions.

$ sudo mkdir /var/lib/hass
$ sudo chown hassio:hassio /var/lib/hass

Lastly, if you plan on having this start at boot, you need to create a system script that will start at boot. Following the Hassio guide, this startup script will get you started.

Save this in /etc/systemd/system/hassio.service

[Unit]
Description=Home Assistant Service
After=network.target

[Service]
User=hassio
Group=hassio
Type=simple
ExecStart=/usr/bin/hass --config /var/lib/hass

[Install]
WantedBy=multi-user.target

Once you have the service created, start it and point your browser at your server's IP address on port 8123.

$ sudo systemctl start hassio

For example:

  192.168.1.100:8123

One thing different from Hassio on the Raspberry Pi is that you will not have the Hassio option in the menu. This is okay; the biggest reason you would need this is for the ability to install plugins from their built-in app store. Everything you need can be installed from the AUR.

The last package that you will probably want to install and get working is the MQTT package. The package that works well with Home Assistant (and is available in their Hassio app store) is Mosquitto.

$ sudo pacman -S mosquitto

Once installed, the service can be started with

$ sudo systemctl start mosquitto

If all is working well, then enable all of your services at boot:

$ sudo systemctl enable hassio
$ sudo systemctl enable mosquitto

Node-red:

Now that Home Assistant is running, the next phase is to get Node-red installed and running. This should be fairly simple as well. Node-red is available in the AUR, but this is another one of those packages that causes some problems when installing with the AUR.

I installed Node-red using npm.

$ sudo npm install -g --unsafe-perm node-red

This is another service that we’d like to start at boot. While some people would want to create separate users for each service, I believe that using the same user for all of the home automation services is completely acceptable. The following is a modified version from the Raspberry Pi’s node-red systemd service.

Save this in /etc/systemd/system/nodered.service

[Unit]
Description=Node-RED graphical event wiring tool.
Wants=network.target
Documentation=http://nodered.org/docs/hardware/raspberrypi.html

[Service]
Type=simple
User=hassio
Group=hassio
Nice=5
Environment="NODE_OPTIONS=--max-old-space-size=128"
ExecStart=/usr/bin/env node-red-pi $NODE_OPTIONS $NODE_RED_OPTIONS
KillSignal=SIGINT
Restart=on-failure
SyslogIdentifier=Node-RED

[Install]
WantedBy=multi-user.target

Now, test the service out and if everything is working correctly, then enable this service for boot.

$ sudo systemctl enable nodered
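A pre-flight check for the two unit files above, as an added example that is not part of the original post: a unit whose User= or Group= names an account that was never created fails at start with status 217/USER or 216/GROUP, and a unit with no User= runs as root. The function name check_unit_accounts is hypothetical, it reads only the local passwd and group files, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: check_unit_accounts UNIT [PASSWD_FILE [GROUP_FILE]]
# Reports User=/Group= values that name no local account, and units with no
# User= at all. Returns non-zero on any finding.
check_unit_accounts() {
  unit=$1; rc=0
  for key in User Group; do
    case $key in
      User)  db=${2:-/etc/passwd} ;;
      Group) db=${3:-/etc/group} ;;
    esac
    # systemd honours the last assignment when a key is repeated
    name=$(awk -F= -v k="$key" '
      { n = $1; gsub(/[ \t]/, "", n) }
      n == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
      END { print last }' "$unit")
    if [ -z "$name" ]; then
      if [ "$key" = User ]; then
        echo "$unit: no User= set, service runs as root"; rc=1
      fi
      continue          # no Group= is fine: the user's primary group is used
    fi
    if ! cut -d: -f1 "$db" | grep -qxF -- "$name"; then
      echo "$unit: $key=$name does not exist in $db"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: the account files contain only "hassio", so a unit that
# asks for Group=hass is reported.
d=$(mktemp -d)
echo 'hassio:x:971:971::/var/lib/hass:/bin/nologin' > "$d/passwd"
echo 'hassio:x:971:'                                > "$d/group"
printf '%s\n' '[Service]' 'User=hassio' 'Group=hass' \
  'ExecStart=/usr/bin/hass --config /var/lib/hass'  > "$d/hassio.service"
check_unit_accounts "$d/hassio.service" "$d/passwd" "$d/group" || true
rm -rf "$d"
```

Run it against /etc/systemd/system/hassio.service and /etc/systemd/system/nodered.service with no extra arguments to check the real account files.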

That’s it for the first part. The next piece will be configuring Home Assistant and setting up Home Assistant to work with Google Home Assistant.

NoMachine Streaming

For about a month, I tried looking for a simple solution to stream my Steam desktop from Linux to Android. There were a lot of options, but most involved upgrading my video card or investing in some end-user software that was unclear on what it offered. Moonlight required an Nvidia GTX line graphics card and it was unclear on whether Linux to Android was supported. VNC was entirely too slow and didn’t offer any near-real-time solution. It was extremely laggy once I launched Steam big picture mode.

I had stumbled across an article that discussed the streaming benefits of using NoMachine/FreeNX. While I tried using FreeNX first, it was outdated and didn’t offer as many features as NoMachine. I decided to try NoMachine and, to my surprise, it worked very well. One of the perks: it automatically attached itself to a current running X session, so out of the box, I launched it and after logging in, it went right to my existing session of Steam big screen in desktop mode.

If you are looking for a solution to stream from Arch Linux to Android, NoMachine is the solution.  Simply install nomachine from the AUR.

$ yaourt -S nomachine

Once installed, start the nxserver service.

# systemctl start nxserver

The last thing you need is to install the NoMachine app on your android device and you are all set.

One of the best features is that it operates on port 4000, so if you port forward that, then you’ll be able to log into your Steam box from anywhere (given you have access to your IP address or have dynamic DNS).

Bash: Clean Movie Folder

Here is another script to help clean up movie folders.  Until recently, I preferred having all of my movies in the same directory.  After switching to Plex Media Server, I soon realized that Plex downloads fanart and other related movie files.  The issue is that all of these additional files were also in the main movie directory.  The following script went through and created a sub-directory for each movie name and then the second half moved the files into their respective folder.

$ find . -maxdepth 1 -type f -printf '%f\n' | sed 's/^\(.*\)\..*$/\1/' | while IFS= read -r i; do mkdir -p -- "$i"; done
$ find . -maxdepth 1 -type f -printf '%f\n' | sed 's/^\(.*\)\..*$/\1/' | while IFS= read -r i; do mv -- "$i"* "$i"; done