IoT server installation and setup
After a hardware defect of the system hard drive had twice forced me to reinstall my server, and the backup was already several weeks old each time so that a lot had to be reconfigured by hand, I decided to move my complete setup to Ansible. In conjunction with Vagrant, this even makes it possible to test updates in a VM beforehand.
In short, it is an automated smart home server setup that gives you a 100% pre-installed and configured system virtually at the touch of a button. In conjunction with Vagrant, it also lets you test the whole thing in a virtual machine.
The required Ansible scripts and the Vagrant script can be obtained and tested from the following URL.
Just clone, install Vagrant and run:
How it works
Vagrant creates a virtual machine if one does not exist yet, or starts an already existing one. At the end it runs the Ansible script inside the VM to install and configure the system. Later you can also run the Ansible script yourself to apply updates when you have changed the configuration. If something goes wrong (in most cases a network issue where an external server is not reachable), Ansible can continue at any point: just rerun the script. In my case I use Vagrant to test everything and call Ansible directly on my production machine.
One thing you should keep in mind: you must be more disciplined when making changes to your system. Never configure the system directly; all changes should happen in the Ansible configuration, and Ansible applies them to the server. There are two places you should look at. The first is the config folder, which contains variables for usernames, passwords, file paths, ports etc. The second is the role folder, which contains the Ansible roles holding the logic for setting up and installing the individual parts.
Below is a list of all services that are deployed. All required files are either downloaded automatically or are part of the Ansible project.
My access to the home network is implemented via OpenVPN. In addition, a second VPN is set up with a friend, which is used to synchronize my backups and as a cloud “playground”.
Cron Script cloudy.sh
This script wraps all my cron jobs and logs all calls to the systemd journal. If an error occurs, it also sends a message to the root user. Originally, the real reason for the script was the ability to assign a meaningful mail subject, which makes it easier to create better filter rules in GMail.
Several cron jobs are set up, e.g. to mirror my data partition onto my RAID system, back up databases, clean up databases or download the picture of the day (POTD).
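To make the wrapper idea concrete, here is an added example in the spirit of cloudy.sh. It is not the author's script; the function names (run_job, log_line, job_subject), the MAIL_TO recipient and the subject format are assumptions. It runs one cron job, copies every output line into the systemd journal (falling back to logger, or to nothing, where no journal tool exists), and on a non-zero exit mails root a report with a fixed, filterable subject while still returning the job's own exit status to cron.

```shell
#!/bin/sh
# Added example of a cron wrapper in the spirit of cloudy.sh as described above.
# It is NOT the author's script; the function names, the mail recipient
# (MAIL_TO) and the subject format are assumptions.

MAIL_TO="${MAIL_TO:-root}"   # assumed recipient; set to "" to disable mailing

# Subject for failure mails: a stable "CRON <host>:" prefix plus job name and
# exit code, so a mail filter can match on it.
job_subject() {
    # $1 = job name, $2 = exit status
    printf 'CRON %s: %s (exit %s)\n' "$(uname -n)" "$1" "$2"
}

# Send one line to the journal, tagged with the job name; silently a no-op
# where neither systemd-cat nor logger is available (e.g. in a test sandbox).
log_line() {
    # $1 = job name, $2 = message
    if command -v systemd-cat >/dev/null 2>&1; then
        printf '%s\n' "$2" | systemd-cat -t "cron-$1" 2>/dev/null
    elif command -v logger >/dev/null 2>&1; then
        logger -t "cron-$1" -- "$2" 2>/dev/null
    fi
}

# run_job NAME COMMAND [ARGS...]
# Runs COMMAND, journals start/end and every output line, mails root on
# failure and returns the command's own exit status so cron sees it too.
run_job() {
    name="$1"; shift
    out="$(mktemp)" || return 1
    log_line "$name" "started: $*"
    "$@" >"$out" 2>&1
    rc=$?
    while IFS= read -r line; do
        log_line "$name" "$line"
    done <"$out"
    if [ "$rc" -ne 0 ]; then
        log_line "$name" "FAILED with exit status $rc"
        if [ -n "$MAIL_TO" ] && command -v mail >/dev/null 2>&1; then
            mail -s "$(job_subject "$name" "$rc")" "$MAIL_TO" <"$out"
        fi
    else
        log_line "$name" "finished OK"
    fi
    rm -f "$out"
    return "$rc"
}

# Crontab usage (assumed install path):
#   0 3 * * * /usr/local/bin/cronwrap.sh db-backup /usr/local/bin/backup-db.sh
if [ $# -gt 0 ]; then
    run_job "$@"
fi
```

Because the job's output is captured to a temp file before being journaled, the mail body is the complete output rather than whatever cron would otherwise have collected, and the subject stays identical for every failure of the same job.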
OpenSSH is used as the SSH server. In this setup, the permitted users and IPs are explicitly configured.
As a firewall I use firewalld to control which IP networks and services are allowed.
The DNS server is mainly used to realize my mobile access. For this I use a publicly registered domain name which, however, resolves to 127.0.0.1. My own DNS “overwrites” this entry and resolves it to the correct server, i.e. I have to be either directly in my network or connected via VPN to reach my domain name. To use my phone apps (openHAB, Nextcloud etc.) I must either be at home or start the VPN. The latter I have made comfortable with an OpenVPN shortcut on my home screen.
The mail system forwards all mails addressed to the users root or postmaster to a Google account. The advantage is that all further services only need to send to the user root.
mdadm is used for RAID monitoring and error notification.
smartd is used for hard disk hardware monitoring and error notification.
Used to provide a friend with a data container for his encrypted backups over the previously mentioned second VPN.
One of my outdoor cameras sends motion-detection pictures that are stored here. They are kept for 2 days and then deleted. The FTP server is locked down so that only this camera is allowed to interact via FTP.
ClamAV is a malware and antivirus program.
PHP and a variety of modules.
Ant is a build tool and is used for Jython.
The Apache web server acts as a proxy for all externally reachable web services. The advantage is that access management can be centralized in Apache.
Apache Web UI
A rudimentary web interface to reach all services.
MySQL is a SQL database.
phpMyAdmin is a web interface to manage MySQL.
Elasticsearch is a NoSQL database. It is used to store all messages of the system centrally and evaluate them later. More about this in the chapters Fluentd and Kibana.
Kibana is a web interface to conveniently search log messages in Elasticsearch.
Redis is an in-memory database used to speed up Nextcloud.
Nextcloud is a web-based cloud solution for files, contacts, appointments, etc.
Additionally I use the News plugin as my main news fetcher. Every day it brings me about 300 articles from different sources, which I can then read on my phone, tablet or desktop, with what I have already read being tracked centrally.
Furthermore, I also use the Keeweb plugin, which gives me platform- and device-independent password management.
Netdata is used for server monitoring. It notifies or warns about “abnormal” server behavior. In my case, it measures and monitors about 2000 values on my server every second.
I use Grafana to visualize my InfluxDB data. The graphs can either be accessed directly via the web UI or embedded at the relevant places in my openHAB sitemap.
Mosquitto is an MQTT broker which is required for communication with my Roomba vacuum cleaner robot.
VControld is a service to communicate with my heating system. It is needed for my openHAB heating control.
In short, openHAB controls my different systems (KNX, radio, USB, serial, network etc.) via “bindings”. Using a rules engine, even complex control scenarios can be implemented. Data can be recorded, logged and graphically processed. The whole thing is visualized either via a web interface or via Android/iOS apps. In addition, there is a REST API to the system.
It is pretty much the heart of my IoT solution.
A small collection of scripts which I need for further functionality. There is e.g. a weather fetcher which pulls data for later visualization in HABPanel. Furthermore, it contains a CLI script with which I can generate all InfluxDB time series from my MySQL data.
openHAB Wall mounted Display
A HABPanel based web UI for tablets.
Alexa Skill for my home automation.
Fluentd is a log collector that normalizes the systemd, Apache and openHAB logs and stores them in Elasticsearch. All other services already send their output to the systemd journal and are therefore covered as well.
In addition, I monitor HTTP status codes like 404 or 500 to generate custom log levels.
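The status-code-to-log-level idea, as an added example that is not the author's Fluentd configuration: a small shell/awk classifier that reads Apache combined-format access-log lines, assigns a level per line and summarizes counts per level. The function names and the mapping (5xx becomes ERROR, 4xx becomes WARN, everything else INFO) are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example of the idea described above: derive a log level from the HTTP
# status code of Apache access-log lines so that 4xx/5xx responses can be
# grouped and alerted on like application errors. This is not the author's
# Fluentd configuration; the function names and the mapping
# (5xx -> ERROR, 4xx -> WARN, anything else -> INFO) are assumptions.

# Read combined-format access-log lines on stdin and print
# "LEVEL STATUS METHOD PATH" for each. In the combined format field 9 is the
# status code, field 6 the method (with a leading quote) and field 7 the path.
classify_access_log() {
    awk '{
        status = $9
        level  = (status ~ /^5[0-9][0-9]$/) ? "ERROR" : (status ~ /^4[0-9][0-9]$/) ? "WARN" : "INFO"
        method = $6; sub(/^"/, "", method)
        printf "%s %s %s %s\n", level, status, method, $7
    }'
}

# Summarize: one "LEVEL count" pair per level on a single line, sorted by
# level name, which is the kind of aggregate an alerting rule thresholds on.
level_counts() {
    classify_access_log | awk '{ n[$1]++ } END { for (l in n) print l, n[l] }' | sort | paste -sd ' ' -
}

# Constructed sample lines (not real traffic); 192.0.2.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG='192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /nextcloud/index.php HTTP/1.1" 200 5316 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /openhab/rest/items HTTP/1.1" 500 0 "-" "openHAB-client"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /grafana/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Run with --demo to print the per-line classification and the summary.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | classify_access_log
    printf '%s\n' "$SAMPLE_LOG" | level_counts
fi
```

In a real pipeline the same mapping would live in the log collector so that the level is stored as a field in Elasticsearch; doing it once at ingest keeps the alerting rules simple, since they only have to query on level rather than parse status codes themselves.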
Elastalert is my central error monitoring. It periodically checks Elasticsearch for log messages of level ERROR or WARN, groups them and notifies me by mail.
Cloudsync is my own backup solution, which works similarly to rsync, though in a completely different way.