Fj Graf

Author: fjgraf

  • sshfs

    For an easy way to obtain temporary access to a directory in a remote location using the sshfs command just type in your terminal:

    sshfs remote_user@ip_address:/path_to_dir path_to_local_dir

    Make sure you have have already created the local directory to mount the remote directory, that you have the credentials of the remote user and all necessary permissions.

    For example:

    sshfs admin@192.168.1.130:/media/backup ~/nfs

    Now in your local file manager you will have access to the remote directory for the current session. Performance may be reduced with this method in contrast with other alternatives like a network file system setup but for managing small files it’s just perfect if you prefer to have a single secure connection to a remote location without having to use to much the terminal.

    NOTE: If you are a local non root user, you need to make sure to create the folder where you want to mount the remote disk somewhere in your home folder so you can have access to it either with CLI or a file explorer.

    To disconnect:

    fusermount -u /path/to/mount/point

  • Configure passwordless authentication

    Server Side

    1- In this scenario we are going to install an ssh server and configuring it so that it only accepts certificates to log in.

    sudo apt-get install openssh-server

    2- In the Remote Server: Ensure that password based ssh login is allowed in the ssh server configuration before copying your public key.. Edit the ssh configuration file after you have a working certificate based authentication. You should skip this step for now:

    sudo nano /etc/ssh/sshd_config

    Set the following options:

    PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
KbdInteractiveAuthentication no

    Save and exit the file.

    sudo systemctl reload/restart sshd
    or
    sudo service ssh restart

    Client Side

    sudo apt-get install openssh-client

    Navigate to /home/.ssh

    3- Generate an SSH key pair (if you don\’t already have one. This command generates an RSA key pair with 4096 bits.

    ssh-keygen -t rsa -b 4096

    Or you can generate the more modern version with this command:

    ssh-keygen -t ed25519 -a 100 -f .ssh/testkey

    Give it a meaningful name and provide a password (optional)

    Add Your SSH Key to the SSH Agent: You need to add a new identity using your SSH private key to the SSH agent with the following command:

    ssh-add ~/.ssh/id_rsa (NOT the id_rsa.pub!)

    Ensure SSH Agent is Running: ssh-copy-id relies on an SSH agent to manage your keys. If you need to stop it, type eval \”$(ssh-agent -k)\”

    eval "$(ssh-agent -s)"
Or
eval $(ssh-agent -s)

    OPTIONAL: Make sure that ssh-agent is running and that will it start at system boot in your local session and adding a desired private key:

    nano ~/.bashrc

    4- Add the following line at the end of the file :

    eval "$(ssh-agent -s)"
ssh-add PATH_TO_YOUR_PRIVATE_KEY

    To check if the SSH agent is running, you can use the ssh-add command with the -l option. If the ssh agent is running and has loaded any keys, you will see a list of the loaded key fingerprints. Open a terminal and run the following command:

    ssh-add -l

    Another way to check if the SSH agent is running, is to list the environment variables related to SSH.

    If the SSH agent is running, this command will print the path to the SSH agent socket. If it\’s not running, the command will produce no output. Run the following command:

    echo $SSH_AUTH_SOCK

    You can also see if ssh agent is running by showing it\’s PID.

    echo $SSH_AGENT_PID
    • There is another way to load the identities beside running the ssh agent and that is by creating a file named config inside the .ssh folder with the following information per server you want to connect to. The identities configured will be loaded at the time to try to connect via ssh.
    Host server
       Hostname server_ip_address
       User remote_user
       IdentityFile /home/local_user/.ssh/identity_file

    5- Make sure that ssh password authentication on your remote server is enabled. You\’ll need to copy your public key to the remote server using ssh-copy-id:

    ssh-copy-id -i /path/to/id_rsa.pub admin@remote_server_ip

    You are going to be prompted to type the password of your remote user to accept the public key.

    6- Once that\’s done, log in and if all goes well, you will connect to the remote machine without a password.

    ssh admin@remote_server_ip

    Now you can disable password authentication in the remote machine in step 2 .

  • Resize OpenWRT partition

    After OpenWrt installation on a 8GB sd card I noticed that I only had 104 MB of disk space left for future software installation. The file system was only using a fraction of the 8GB so I needed to expand the size of the partition as well as for the file system.

    Boot up your openwrt device and perform the following steps from CLI.

    First of all and just to be safe, remove all external disks attached.

    Install software (preferably via Luci):

    opkg lsblk parted resize2fs tune2fs

    Now lets gather information about block devices:
    lsblk
    sda                   179:0    0 8G   0 disk   
    ├─sda1                179:1    0   16M   0 part
    ├─sda2               179:2    0   104M  0 part /  

    Now lets enter to parted and Resize Partition

    parted
p
Number  Start   End     Size    Type      File system  Flags
1      33.6M   50.3MB  16.8MB  primary   ext2         boot
2      67.1MB  104MB   104MB   primary

resizepart 2 8GB #Decide how much you want to expand according to sd card capacity
q

    Resizing the file system

    Remount root as read only:

    mount -o remount,ro /

    Remove reserved GDT blocks:

    tune2fs -O^resize_inode /dev/sda2

    Fix part, answer yes to all. This will remove GDT blocks remnants.

    fsck.ext4 /dev/sda2

    Now reboot, log back in again and then resize the partition:

    Expand root filesystem

    resize2fs -f /dev/sda2
    To apply changes, reboot  the system again and finish.

    Sources

    https://openwrt.org/docs/guide-user/installation/installation_methods/sd_card#fn

    https://openwrt.org/docs/guide-user/installation/openwrt_x86#resizing_filesystem

    https://openwrt.org/toh/friendlyarm/nanopi_r4s_v1#installation

  • Install Debian on RaspberryPi 3B+

    Go to https://raspi.debian.net/ and download the appropriate image file. I\’m going for this one: 20230612_raspi_3_bookworm.img.xz.

    Decompress the image:

    xz -d path/to/.img

    Copy image file to sdcard:

    sudo dd if=/path/to/.img of=/dev/sdx bs=4M status=progress conv=sync

    Insert the sdcard into your raspberrypi and start it up. First time run will get you prompted to user root without a password so you must give it a password right after login. Remote root login is disabled by default so in order to ssh into the raspberrypi create an admin account give it sudo privileges.\n\n\n\n

    Configure as root server-side

    Create a password for your root account

    passwd

    Update the system

    apt update && apt upgrade -y

    Create an admin account and provide a password

    adduser admin

    Install dependencies

    apt install sudo openssh-server

    Give sudo privileges to user admin by navigating to /etc/sudoers.d/ and either edit the README file or create a new file. Add the following line at the end of the file:\n\n\n\n

    admin ALL=(ALL:ALL) ALL

    Another way to setup sudo on a user is to add that user to the sudo group (you need to be root to do that).

    usermod -aG sudo admin

    Reboot the system and leave the raspberrypi without logging in locally with the root or admin accounts. From now on you should be able to log in remotely with your user admin and continue with further configurations.

    Take note of the ip address of your raspberrypi.

    ip a

    Configuration client-side

    Install open ssh client package.

    sudo apt install openssh-client

    Connect via ssh in your terminal.

    ssh admin@raspberrypi_ip_address

    Now you should be able to log in remotely with the admin account and continue with further configurations!

  • TOR Relay

    Recently I installed debian on a raspberrypi using a very minimalist version to maximize the usability of the raspberry pi 3B+ as it\’s limited in resources with only 1 Gb of RAM.
    as a good test for this board and also give a hand to the tor project.

    Install packges

    sudo apt install wget gpg apt-transport-https apt-config-auto-update unattended-upgrades apt-listchanges

    Configure unattended upgrades

    Edit file /etc/apt/apt.conf.d/50unattended-upgrades. Comment with // every line starting like this from:
    //Unattended-Upgrade::Origins-Pattern {
    to its end curly bracket
    //}
    Then add these lines following the commented section:

    Unattended-Upgrade::Allowed-Origins {\n \"${distro_id}:${distro_codename}-security\";\n \"TorProject:${distro_codename}\";\n };\n Unattended-Upgrade::Package-Blacklist {\n };

    Edit file /etc/apt/apt.conf.d/20auto-upgrades and add:

    APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::Autocleaninterval \"5\";
APT::Periodic::verbose \"1\";

    Test the unattended upgrades:

    sudo unattended-upgrades -d

    Configure Tor repositories

    2. Create a new file in /etc/apt/sources.list.d/ named tor.list. Add the following entries:

    deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main\ndeb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

    Then add the gpg key used to sign the packages
    Must be executed with root account as sudo might not work. Type exit once the command has finished working.

    su -
    sudo wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

    Install Tor

    sudo apt install tor deb.torproject.org-keyring

    Edit Tor configuration by editing the /etc/tor/torrc file and add the following lines:
    To test Tor for 1 month I\’ll assign 500 GB/month and check daily how its behaving the tor relay on my raspberry pi.

    Nickname    myNiceRelay  # Change \"myNiceRelay\" to something you like\nContactInfo your@e-mail  # Write your e-mail and be aware it will be published\nORPort      443          # You might use a different port, should you want to\nExitRelay   0\nSocksPort   0\n\n## BANDWIDTH\n## The config below has a maximum of 500GB (up/down) per month, starting on the 1st at midnight\nAccountingMax 500 GB\nAccountingStart month 1 0:00\n\n## MONITORING\nControlPort 9051\nCookieAuthentication 1\n
    sudo systemctl enable tor && sudo systemctl restart tor

    Verify it\’s running and enabled

    sudo systemctl status tor

    htop shows overall little resources consumption

    Optional

    Install nyx (sudo apt install nyx) to have a visual depiction of what\’s happening in your recently installed Tor relay.

    Sources

    https://support.torproject.org/apt/tor-deb-repo/

    https://community.torproject.org/relay/setup/guard/debian-ubuntu/updates/

    https://www.youtube.com/watch?v=tBnJRraXDc0\n

  • Automated folders backup

    This is a very simple way to back up folders in an incremental way and it can be tweaked slightly to make more or less copies while at the same time keeping a defined number of copies on disk, It starts by creating one copy of one or more folders and saves it in its unique folder named after the time and date of the day. The day after, it creates a second copy and the next day the same and so on. By the sixth day it will make a another copy but the script will also remove the oldest copy from disk. So you will always have a predefined number of copies on disk at all times (in this example it’s 5). If for any reason the admin executes the script manually this script won’t delete the oldest two folders but only the single oldest so keep that in mind. Another thing is that the websites_backup.service file has the last 2 lines commented. This is made on purpose due to that initially my idea was run the script once if the system reboots but this will accumulate unnecessary copies and probably make your disk run out of space if not paying attention.I kept the lines there just to remind myself of that.

    I’m using this script to keep copies of my websites. These are full folder copies.

    websites_backup.sh

    #!/bin/bash

SOURCE_DIR="/var/www/*"
BACKUP_DIR="/media/backup/websites_backups"
LOG_FILE="/home/admin/CUSTOM_SERVER_SCRIPTS/backup.log"
DATE=$(date +"%Y-%m-%d_%H-%M-%S")
NUMBER_OF_BACKUPS="5"

        {
                echo "Websites Backup Script execution started at: $(date)"
                mkdir -p "$BACKUP_DIR/$DATE"
                cp -ra $SOURCE_DIR "$BACKUP_DIR/$DATE"
                echo "Copying all contents of /var/www/ folder to /media/backup/websites_backups"
                echo "Websites Backups completed at: $(date)"
                OLDEST_FOLDER=$(ls -t1 "$BACKUP_DIR" | tail -n +$((NUMBER_OF_BACKUPS+1)))
                if [ -n "$OLDEST_FOLDER" ]; then
                        rm -rf "$BACKUP_DIR/$OLDEST_FOLDER"
                        echo "Deleted oldest backup folder, no more than 3 backups allowed."
                fi
        } >> "$LOG_FILE" 2>&1  # Redirecting both stdout and stderr to the log file

    Using cp -ra will copy everything (including hidden files) and preserve all attributes as well.

    websites_backup.service

    To automate this process, a service file can be saved in /etc/systemd/system 

    [Unit]
Description=Backup process for websites in /var/www/ folder.
After=network-online.target

[Service]
Type=simple
ExecStart=/home/admin/CUSTOM_SERVER_SCRIPTS/websites_backup_script/websites_backup.sh
Restart=on-failure
StartLimitInterval=0

# Running this script during system boot has been disabled.
# Uncomment if you want it enabled. Keep in mind space storage management.
#[Install]
#WantedBy=multi-user.target

    Lets enable the service and to verify it’s running properly by typing:

    sudo systemctl enable websites_backup.service
    sudo systemctl status websites_backup.service

    websites_backup.timer

    [Unit]
Description=websites_backup.service Timer

[Timer]
OnCalendar=*-*-* 7:00:00
AccuracySec=1h
RandomizedDelaySec=30m
Persistent=true

[Install]
WantedBy=timers.target

    Optional: Set OnCalendar=Mon 7:00:00 for weekly backup.

    This timer will trigger the execution of the websites_backup.service file that will run the websites_backup.sh script. This process will be repeated everyday at 7AM, it will also be triggered within 1 hour of the expected time of execution and an extra 30 mins max randomized execution time to avoid eventual processes spikes (if any). I believe it’s good practice to add randomized execution just in case you forget and decide to create a lot of services starting at the same time.

    In the near future I’d like to expand the functionality by also keeping 3 weekly copies at all times.

  • Editing image files

    So I decided to start adding images to this blog and I found two probably the best (prove me wrong) website for ai generated images and two (or three) pretty neat commands in my debian that are probably going to be the only ones I will ever use from now on when working with images.

    I’m no expert so I need easy to use tools just to get the job done quickly to upload images to this website and with minimum effort (I am shameless).

    https://zoo.replicate.dev

    Thanks to this website and the geniuses behind this open source project.

    So as a test, i will upload an image previously downloaded from their website. But before that, I will modify it to reduce its size to save space and make it more suitable as featured image.

    The first tool is exiftool that shows the metadata of the image.

    :~/server_images$ exiftool creepypplonajet.png

    ExifTool Version Number         : 12.16
File Name                       : creepypiconajet.png
Directory                       : .
File Size                       : 879 KiB
File Modification Date/Time     : 2023:11:04 04:49:15-04:00
File Access Date/Time           : 2023:11:04 04:49:15-04:00
File Inode Change Date/Time     : 2023:11:04 04:49:15-04:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 768
Image Height                    : 768
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Image Size                      : 768x768
Megapixels                      : 0.590

    Then we have identify and convert… yep pretty simple named commands. Both identify and convert commands are part of the ImageMagick package and it’s supposed to be widely used and very popular.

    identify well.. identifies the images and convert well… converts them! I love the straightforwardness

    :~/server_images$ identify creepyppplonajet.png  
creepyppplonajet.png PNG 768x768 768x768+0+0 8-bit sRGB 900046B 0.000u 0:00.000

    ls -lh

    -rw-r–r– 1 root root 879K Nov  4 04:49 creepypplonajet.png

    It’s a 768×768 image and 879 kilobytes. lets shrink it with convert by setting the pixel size.

    :~/server_images$ convert image.png -resize 200x200 image_small.png

    Your can also reduce (change) the size by choosing a percentage. In this case the image is reduced by 50%.

    :~/server_images$ convert image.png -resize 50% image_small.png
    After
    Before

    From 2.2 MB to 540 Kb

    Not bad at all and the possibilities are many in terms of efficiency managing large volumes of images and the capabilities of these tools.

    I’m juts going to make a brief pause to this post here and keep editing in the near feature to post more functionalities of the convert tool. In the meantime I’m publishing this post anyways!

    New edit: https://zoo.replicate.dev is not working as open as it was before. A good alternative is https://deepai.org.

  • Install Nextcloud – Apache

    1. Prerequisites

    In this example we assume that there is already a webserver with ssl enabled running on your server and you have configured a subdomain to be used by nextcloud in your DNS service provider. If your site is example.com, you can create a subdomain nc.example.com to access to it. If you prefer not to have a subdomain, you will have to point the nextcloud’s root folder in the configuration file of your main site.

    • Server: You need a server (VPS, dedicated server, or local server) running a Linux distribution (e.g., Ubuntu, CentOS, Debian).
    • Web Server: Apache should be installed and running.
    • PHP: Ensure PHP is installed (Nextcloud requires PHP 7.1 or higher) and php-gd, php-curl, php-xml, php-mbstring, php-zip.
    • Other optional but very useful packages, fail2ban and a front end firewall manager like ufw.
    sudo apt install certbot python3-certbot-apache wget

    Apache modules for enhanced security and for php integration

    sudo apt install libapache2-mod-php libapache2-mod-security2

    Certbot will provide the certificate for your website’s subdomain while python3-certbot-apache will facilitate the installation of the certificate in your system by integrating apache in the installation process. It will add the necessary lines where the certificates can be accessed into the nc.examle.conf file in folder sites-available and deploy the certificate, among other things

    2. Install Nextcloud Server Community edition

    https://download.nextcloud.com/server/releases/latest.zip

    Step 1: Unzip latest.zip to /var/www. I like to name those kind of folders as the name of the website they are holding in so you should rename it as example.com.

    Step 2: Set the correct permissions:

    sudo chown -R www-data:www-data /var/www/html/nc.example.com

    OPTIONAL INSTALL

    Alternatively, you can download the zip file and decompress the folder named nextcloud into your /var/www folder like so:

    Download the zip file to your home folder:

    wget https://download.nextcloud.com/server/releases/latest.zip

    Decompress:

    sudo unzip latest.zip -d /var/www/

    Rename folder according to the settings in your web server:

    mv /var/www/nextcloud /var/www/nc.example.com

    Set permissions to the www-data user

    Go to your ip address or domain setup for nextcloud after you had created an database user and the database itself.

    sudo chown -R www-data:www-data /var/www/nc.example.com

    3. Configure Apache for Nextcloud

    • Step 1: Enable necessary Apache modules:
    sudo a2enmod rewrite headers env dir mime ssl
    sudo systemctl restart apache2

    Step 2: Create a new Apache configuration file for Nextcloud:

    sudo nano /etc/apache2/sites-available/nc.example.com.conf

    Add the following configuration (modify paths if necessary):

    apache

    <VirtualHost *:80>
    ServerName nc.example.com
    Redirect permanent / https://nc.example.com/
</VirtualHost>

#########################################################

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName nc.RootDomain
                DocumentRoot /var/www/nc.example.com

# NextCloud folder directives
                <Directory /var/www/nc.example.com/>
                        Options +FollowSymlinks
                        AllowOverride All
                        Require all granted
                        Satisfy Any
                </Directory>

# Certificates
                SSLEngine on
                SSLCertificateFile /etc/letsencrypt/live/nc.example.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/nc.example.com/privkey.pem

# logging
                ErrorLog ${APACHE_LOG_DIR}/nc.example.com_error.log
                CustomLog ${APACHE_LOG_DIR}/nc.example.com_access.log combined

# Reverse Proxy Directives. End edit appropriately before uncommenting.
#               <Location />
#                       ProxyPass http://localhost:50000/
#                       ProxyPassReverse http://localhost:50000/
#                       ProxyPreserveHost On
#                       RequestHeader set X-Forwarded-Proto "https"
#                       RequestHeader set X-Forwarded-Port "443"
#               </Location>

        </VirtualHost>
</IfModule>

    I’ve left some reverse proxy directives in the config file. Those are not going to be executed as long as they have the # at the beginning of the line. Remove them if you want.

    Once the config file is done and you are planing to have the nextcloud website in a subdomain, get the appropriate certificate with this command:

    sudo certbot certonly --webroot -w /var/www/example.com -d nc.example.com

    Step 3: Enable the Nextcloud site and restart Apache:

    sudo a2ensite nc.example.com
    sudo systemctl restart apache2

    4. If your plan is to use it for LAN only…

    <VirtualHost LAN_IP_ADDRESS:80>
    ServerAdmin admin@example.com
    ServerName nextcloud.example.com

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All

        Require local
        # If you want to allow access from specific LAN IP ranges, use:
        # Require ip 192.168.1.0/24
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>

    5. Using MySQL/MariaDB Command Line:

    The pre final step is to create a database for nextcloud. Download the appropriate packages if you dont have them already installed on your system. A secure installation of mariadb must have been already performed. I also prefer to name the database the same as the website from whic it receives the data.

    1. Access MySQL/MariaDB:bash

    mysql -u root -p

    Create a Database:

    CREATE DATABASE nc.example.com;

    Replace nc.example.com with the name you want for your Nextcloud database.

    Create a Database User:

    CREATE USER 'nextcloud_user'@'localhost' IDENTIFIED BY 'your_password';

    Replace nextcloud_user with the desired username and your_password with a strong password.

    Grant Permissions:

    GRANT ALL PRIVILEGES ON nc.example.com.* TO 'nextcloud_user'@'localhost';

    FLUSH PRIVILEGES;

    EXIT;

    Ensure to replace nc.example.com and nextcloud_user with your actual database name and username.

    6. Finalize Installation

    • Step 1: Open your web browser and navigate to http://nc.example.com/
    • Step 2: Follow the on-screen instructions to complete the Nextcloud setup.

  • Motion – Video recording and stream

    Ensure that your camera is being recognized by the system.

    Install video4linux utilities

    sudo apt install v4l-utils

    List devices (cameras)

    v4l2-ctl --list-devices

    The output should be something like this:

    HD Web Camera: HD Web Camera (usb-0000:00:14.0-4): /dev/video0 /dev/video1 /dev/media0

    For detailed information on a specific device:

    v4l2-ctl -d /dev/video0 --all

    To list the resolutions supported by your camera (2 ways):

    v4l2-ctl --list-formats-ext

    Or

    ffmpeg -f v4l2 -list_formats all -i /dev/video0

    Another way is to list the video devices available in /dev

    ls /dev/video*

    If you have only one camera, the device should show up as /dev/video0 in your system.

    Or with dmesg (it will print errors if any are found):

    dmesg | grep -i camera

    If there is necessary to update the camera’s firmware run:

    sudo apt install fwupd
sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update

    Install motion

    sudo apt-get install motion

    Test Mode should give a early hint if motion can handle your camera. Type the following command and if the output is suspended (active) then motion is getting video from the camera.

    sudo motion -s

    Configure Motion system files

    There is a chance that motion won’t create log and lib directories so verify if /var/log/motion and /var/bin/motion folders actually exist so you must create them and set change the directories and files ownership to the motion user:

    chown -R motion:motion /etc/motion
chown -R motion:motion /var/log/motion
chown -R motion:motion /var/lib/motion

    Configure /etc/motion/motion.conf

    Check the following github repo for the full motion.conf file if you wish all options. If not follow the next steps with the default config file.

    https://gist.github.com/richardhawthorn/72db3366d9824a3ed85de852bdb5ce0f

    sudo nano /etc/motion/motion.conf

    Depending on your system, the daemon mode should be off due to that motion would be running as a systemd service.

    daemon off 
# Restrict to localhost
webcontrol_localhost off
# HTTP control interface (default on port 8080)
webcontrol_port 8080
# Start streaming server on port 8081
stream_port 8081
# Stream quality and settings
stream_quality 100
stream_motion on
stream_maxrate 100
stream_localhost off
# IP camera configuration
stream_localhost off
stream_preview_scale 0.2
stream_preview_new_name on
video_device /dev/video0
target_dir /tmp/motion
output_pictures on

# Other motion configuration options
# See /usr/share/doc/motion/examples/motion-dist.conf.gz for additional options
# Set the settings as needed for your camera and network environment.

    Restart motion service:

    sudo systemctl restart motion

    You should be able to see the live stream at http://ip_address:8080. It’s good practice to use ports above 50000 so lets change that in the config file for both webcontrol and the stream.

    If not, you can check via “systemctl status motion” for errors or in the log at /var/log/motion/motion.log. You can also check if motion is running and listening on 8080 and 8081 with ss:

    sudo ss -tunap | grep motion
sudo ss -tunap | grep 51081

    If you find network problems, check your firewall configuration and open ports 8080 and 8081 if necessary.

    Setting up a password to the live stream

    Change the following options in /etc/motion/motion.conf. Type of configuration options to allow via the webcontrol (default port 8080). 2 is for advanced web configuration.

    webcontrol_parms 2

    The authentication method for the webcontrol. 1 is basic (user and password). Authentication string for the webcontrol. Syntax is username:password and you must remove the “;” (semicolon) to uncomment the line. Notice that the username is not a system user. Just make up a username to perform login inside the file.

    webcontrol_auth_method 1
webcontrol_authentication someuser:pass

    Let’s do the same for webstream

    stream_auth_method 1
stream_authentication someuser:pass
    sudo restart motion.service

    Your camera live feed should be available at your_local_ip:port and this time you will have to provide the user and password you have setup in the config file.

    Setup ssl-https with a self-signed certificate

    Install openssl if is not present on your system.

    sudo apt install openssl

    Create the key, csr, crt, and pem files. In the example below, the validity period is 2 years. Create a certs folder in /etc/motion. cd into the folder and type:

    sudo openssl genrsa -out /etc/motion/certs/motion.key 4096sudo openssl req -new -key /etc/motion/certs/motion.key -out /etc/motion/certs/motion.csr
sudo openssl x509 -req -in /etc/motion/certs/motion.csr -signkey /etc/motion/certs/motion.key -out /etc/motion/certs/motion.crt -days 730
sudo cat /etc/motion/certs/motion.crt /etc/motion/certs/motion.key > /etc/motion/certs/motion.pem

    Change ownership of the folder and all four created files to the motion user:

    sudo chown -R motion:motion /etc/motion/certs

    Configure motion.conf file again to add the paths to the crt and key files already created and don’t forget to remove the semicolons.

    # Use ssl / tls for the webcontrol
webcontrol_tls on
# Use ssl / tls for stream.
stream_tls on

# Full path and file name of the certificate file for tls
webcontrol_cert /etc/ssl/motion/certs/motion.crt

# Full path and file name of the key file for tls
webcontrol_key /etc/motion/certs/motion.key

# Use ssl / tls for stream.
stream_tls on
    sudo systemctl restart motion

    Remember to configure port forward in your router and to open the ports in your system to successfully receive connections. Your camera should be availabe at your_public_ip:port

    Optional configuration for apache server

    If you wish to have the live stream available over the internet you will have to setup a virtual host in apache. In this example the live feed is available in a subdomain of my main site.

    The following extra modules for a proxy pass configuration need to be enabled.

    sudo a2enmod headers proxy proxy_http

    Create a new file in /etc/apache/sites-available/cam.yoursite.com.conf. Make sure you already have the required certificates from lets encrypt to your subdomain. Motion will not handle the certificates but rather apache. You must comment the lines with the path to other certificate and private key if you have been using them in motion.conf. The example here is using port 51081.

    <VirtualHost *:443>
    ServerName cam.yoursite.

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cam.yoursite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cam.yoursite.com/privkey.pem

    <Location />
        # Motion feed address
        ProxyPass http://localhost:51081/
        ProxyPassReverse http://localhost:51081/
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </Location>
</VirtualHost>

    Enable the new site and restart apache.

    sudo a2ensite cam.yoursite.com.conf
sudo service apache2 restart

    You should be able to view the live video stream with SSL by typing https://cam.yoursite.com and to access. I’ve left webcontrol only available over the LAN. Ports redirection will be handled automatically.

    Example of a simple motion.conf file. 

    # Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.5.1
# Documentation:  /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working.  There are many more options available.  Please
# consult the documentation for the complete list of all options.
#

############################################################
# System control configuration parameters
############################################################

# Start in daemon (background) mode and release terminal.
daemon off

# Start in Setup-Mode, daemon disabled.
setup_mode off

# File to store the process ID.
; pid_file value

# File to write logs messages into.  If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log

# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6

# Target directory for pictures, snapshots and movies
#target_dir /var/lib/motion 
target_dir  /PATH/TO/YOUR/DESIRED/FOLDER

# Video device (e.g. /dev/video0) to be used for capturing.
video_device /dev/video0

# Parameters to control video device.  See motion_guide.html
; video_params YUYV

# The full URL of the network camera stream.
; netcam_url value

# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value

# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_params value

############################################################
# Image Processing configuration parameters
############################################################

# Image width in pixels.
width 800

# Image height in pixels.
height 600

# Maximum number of frames to be captured per second.
framerate 60

# Rotate image this number of degrees. The rotation affects all saved images as
# well as movies. Valid values: 0 (default = no rotation), 90, 180 and 270.
rotate 0

# Text to be overlayed in the lower left corner of images
text_left Camera_1

# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q

# v4l2_palette allows one to choose preferable palette to be use by motion
# to capture from those supported by your videodevice. (default: 17)
# E.g. if your videodevice supports both V4L2_PIX_FMT_SBGGR8 and
# V4L2_PIX_FMT_MJPEG then motion will by default use V4L2_PIX_FMT_MJPEG.
# Setting v4l2_palette to 2 forces motion to use V4L2_PIX_FMT_SBGGR8
# instead.
#
# Values :
# V4l2 Option   FOURCC  v4l2_palette option
# V4L2_PIX_FMT_SN9C10X  S910    0
# V4L2_PIX_FMT_SBGGR16  BYR2    1
# V4L2_PIX_FMT_SBGGR8   BA81    2
# V4L2_PIX_FMT_SPCA561  S561    3
# V4L2_PIX_FMT_SGBRG8   GBRG    4
# V4L2_PIX_FMT_SGRBG8   GRBG    5
# V4L2_PIX_FMT_PAC207   P207    6
# V4L2_PIX_FMT_PJPG     PJPG    7
# V4L2_PIX_FMT_MJPEG    MJPG    8
# V4L2_PIX_FMT_JPEG     JPEG    9
# V4L2_PIX_FMT_RGB24    RGB3    10
# V4L2_PIX_FMT_SPCA501  S501    11
# V4L2_PIX_FMT_SPCA505  S505    12
# V4L2_PIX_FMT_SPCA508  S508    13
# V4L2_PIX_FMT_UYVY     UYVY    14
# V4L2_PIX_FMT_YUYV     YUYV    15
# V4L2_PIX_FMT_YUV422P  422P    16
# V4L2_PIX_FMT_YUV420   YU12    17
# V4L2_PIX_FMT_Y10      Y10     18
# V4L2_PIX_FMT_Y12      Y12     19
# V4L2_PIX_FMT_GREY     GREY    20
# v4l2_palette 17

############################################################
# Motion detection configuration parameters
############################################################

# Always save pictures and movies even if there was no motion.
emulate_motion off

# Threshold for number of changed pixels that triggers motion.
threshold 1500

# Noise threshold for the motion detection.
; noise_level 32

# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl

# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1

# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 30

# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3

# Number of frames to capture after motion is no longer detected.
post_capture 90

############################################################
# Script execution configuration parameters
############################################################

# Command to be executed when an event starts.
; on_event_start value

# Command to be executed when an event ends.
; on_event_end value

# Command to be executed when a movie file is closed.
; on_movie_end value

############################################################
# Picture output configuration parameters
############################################################

# Output pictures when motion is detected
picture_output off

# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q

############################################################
# Movie output configuration parameters
############################################################

# Create movies of motion events.
movie_output on

# Maximum length of movie in seconds.
movie_max_time 60

# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45

# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv

# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S

############################################################
# Webcontrol configuration parameters
############################################################

# Port number used for the webcontrol.
webcontrol_port 51080

# Restrict webcontrol connections to the localhost.
webcontrol_localhost off

# Type of configuration options to allow via the webcontrol.
webcontrol_parms 2

# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication (username:password)
# 2 = MD5 digest (the safer authentication)
webcontrol_auth_method 1

# Authentication for the http based control. Syntax username:password
# Default: not defined (Disabled)
webcontrol_authentication user:pass

############################################################
# Live stream configuration parameters
############################################################

# The port number for the live stream.
stream_port 51081

# Restrict stream connections to the localhost.
stream_localhost off

# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication
# 2 = MD5 digest (the safer authentication)
stream_auth_method 1

# Authentication for the stream. Syntax username:password
# Default: not defined (Disabled)
stream_authentication user:pass

##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf

##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d
  • Setup apache – wordpress (CLI only) for LAN

    Setup apache – wordpress (CLI only) for LAN

    sudo apt install apache2 mariadb-server php libapache2-mod-php php-mysql
    sudo apt-get install php php-mysql php-gd php-curl php-mbstring php-xml

    After installation, Apache should start automatically. To verify its status, use:

    sudo systemctl status apache2

    Secure MySQL/MariaDB: Run the security script to harden the database setup:

    sudo mysql_secure_installation

    And do not forget to save the root password for mariadb in a secure place!

    Create WordPress Database and User:

    Log in to the MySQL/MariaDB shell:

    sudo mysql -u root -p

    Create a new database, user, and grant privileges (replace placeholders with your preferred values):

    CREATE DATABASE wp_database;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON wp_database.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

    Download and Extract WordPress: Navigate to Apache’s web root directory: cd /var/www/html and extract the “wordpress” folder.

    sudo wget https://wordpress.org/latest.tar.gz
sudo tar -xzvf latest.tar.gz
sudo mv wordpress/* .
sudo rm -rf wordpress latest.tar.gz

    Configure WordPress:
    Make a copy of the sample config file in the root directory of wordpress and set it up by typing the details of wordPress database you previously configured. 

    sudo cp wp-config-sample.php wp-config.php
    sudo nano wp-config.php

    Fill in the database details (DB_NAME, DB_USER, DB_PASSWORD), and save the file.

    Ensure proper file permissions for WordPress:

    sudo chown -R www-data:www-data /var/www/wordpress
sudo chmod -R 755 /var/www/wordpress

    We can use the default apache file to manage incoming connections to port 80. Lets edit the contents to fit our purpose. You can create a new file if you wish to do so.

    sudo nano /etc/apache2/sites-available/000-default.conf
    <VirtualHost *:80>
	ServerName LAN-WP

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/wordpress

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

    Ensure that the DocumentRoot directive points to the WordPress directory.

    Lets enable the site by typing:

    sudo a2ensite 000-default.conf

    Restart the apache server

    sudo systemctl reload apache2

    Open a web browser and navigate to your server’s IP address or domain.
    Follow the WordPress installation prompts to complete the setup (e.g., select language, set up admin user, etc.).

    Complete Installation:

    Log in to the WordPress admin dashboard and start configuring your site. That should get WordPress up and running on your Debian server with Apache and MariaDB. Adjust configurations as needed and follow WordPress best practices for security and optimization.