Roaming Secure Scuttlebutt pub

These are my notes on building a portable, battery-powered, Raspberry Pi-based WLAN access point that also serves as a Secure Scuttlebutt pub server. It also has a lightweight web server that contains instructions for new users on how SSB works and copies of the binary files for the Patchwork SSB client (Mac, Linux and Windows). It will act as a captive portal to easily redirect the user to the guide.

The device itself will not be connected to the internet and it will not sync with other SSB pub instances. It is meant for physically close, local users only. The admin will use a simple script to remotely pull backups of the .ssb directory with scp (secure copy).

Hardware list

  • Raspberry Pi 3 Rev-B (has a built-in WLAN)
  • Real-time clock for the RPi (Adafruit makes a decent one, see their PCF8523 RTC)
  • MoPi power controller (if we lose USB power, the battery pack will keep the Pi running for a while and then gracefully shut it down)
  • Industrial-grade microSD card (money no object?) with the latest Raspbian Stretch installed
  • A case big enough to house the MoPi and RTC “hats”. Haven't found one yet…

TODO

  • Test the setup with dnsmasq instead of isc-dhcp-server. dnsmasq gives you the ability to force all DNS queries to return the RPi's IP address (by using “address=/#/192.168.220.1” in the config).
  • Add security measures - instruct the user to change the password, set up ssh, import ssh-keys, lock down the ports with iptables
  • Create a backup process for the .ssb directory. Ideally the admin just connects to wlan0 and pulls a copy of .ssb via scp or similar.
  • Check for bugs in the process - for example we may need to disable dhcpcd.service so that it won't fight with isc-dhcp-server. It is also likely that there are unnecessary steps - I need to check whether Debian Stretch still uses all those .conf files.
  • Add more verbose comments to the process, explain each config line in detail, link to the relevant articles or man-pages for more information.
  • Guide for getting and installing the Raspbian Stretch image
  • Setup MoPi power HAT
  • Solar power and backup battery with MoPi
  • Ascii Cinema for the setup phases
  • Figure out what happens when a pub blocks a user - are the related posts and blobs deleted from the database? (GDPR compatibility). What happens when a user forges a message?
  • How does the Network Key work in ssb (e.g. what Decent did)? Could the key be derived from anything, say a binary file that only the group members know about?

Step 1: basic setup of a new RPi device

Connect the RPi to a physical network via Ethernet. We need to install all the applications early, before we start messing with the network settings.

Let's install the needed software

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install hostapd isc-dhcp-server iptables-persistent screen tmux 
sudo apt-get install autotools-dev automake
sudo apt-get install npm nodejs-legacy lighttpd

Respond “yes” to both screens during the iptables-persistent installation.

Note: if you experience time-outs during the apt-get installation processes, try running:

sudo apt-get install --fix-missing
... then run the installations again ... and finally re-run
sudo apt-get update

We will start our journey by editing the isc-dhcp-server's configuration

sudo nano /etc/dhcp/dhcpd.conf

Add hash mark (#) in front of these two lines:

option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

Remove hash mark (#) from the line:

#authoritative;

Add these lines to the end of the file:

subnet 192.168.220.0 netmask 255.255.255.0 {
      range 192.168.220.10 192.168.220.50;
      option broadcast-address 192.168.220.255;
      option routers 192.168.220.1;
      default-lease-time 600;
      max-lease-time 7200;
      option domain-name "local";
      option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Note: the pub has no internet uplink, so clients can never reach 8.8.8.8/8.8.4.4, and isc-dhcp-server does not answer DNS itself. Names will only resolve once a DNS server runs on the Pi (dnsmasq, see Annex A); at that point hand out 192.168.220.1 as the domain-name-server instead.

Define what interfaces isc-dhcp-server needs to serve

sudo nano /etc/default/isc-dhcp-server

Change line

INTERFACESv4=""

to

INTERFACESv4="wlan0"

Let's define the network interfaces and set up a static IP address for wlan0

sudo nano /etc/network/interfaces

Comment out (i.e. add the hash (#) mark in front of them) existing configuration and add the new config to the end:

auto eth0
auto lo
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
auto wlan0
iface wlan0 inet static
	address 192.168.220.1
	netmask 255.255.255.0
	network 192.168.220.0
	broadcast 192.168.220.255

Note: Raspbian Stretch runs dhcpcd, which also tries to configure wlan0 and will overwrite the static address above. Either add “denyinterfaces wlan0” to /etc/dhcpcd.conf, or use the dhcpcd-based variant in Annex A instead of editing /etc/network/interfaces.

We don't want to wait for a reboot, so let's assign the static IP to wlan0 right away

sudo ifconfig wlan0 192.168.220.1 netmask 255.255.255.0

Let's move on to configuring hostapd for the WLAN access point

sudo nano /etc/hostapd/hostapd.conf

Insert these lines. hostapd takes everything after the “=” literally, so a “# CHANGE ME” comment must go on its own line; placed after the value it silently becomes part of the passphrase:

interface=wlan0
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
# CHANGE ME! 8-63 characters; this is what you will hand out to local users
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1

We need to tell hostapd where to find the configuration

sudo nano /etc/default/hostapd

Replace line:

#DAEMON_CONF=""

with line:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

The init script has a DAEMON_CONF= line of its own. It sources /etc/default/hostapd right after that line, so the value set above already takes precedence, but setting it here too does no harm:

sudo nano /etc/init.d/hostapd

Replace line:

DAEMON_CONF=

with line:

DAEMON_CONF=/etc/hostapd/hostapd.conf
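Because hostapd takes values literally, it is worth checking the file before trusting it. The following is an added example, not code from the original notes: a small shell lint that flags inline comments, short or default passphrases and TKIP ciphers, and a helper that generates a random passphrase. It assumes WPA2-PSK with CCMP is the intended mode (as in the config above) and takes the file path as its argument.

```shell
#!/bin/bash
# Added example, not from the original notes: a lint for hostapd.conf that
# catches the mistakes a hand-edited AP config tends to hide. Assumption:
# WPA2-PSK with CCMP is the intended mode (as in the config above).
set -u

# hostapd takes everything after '=' literally, so "wpa_passphrase=Raspberry # x"
# yields the passphrase "Raspberry # x", not "Raspberry".
conf_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

lint_hostapd_conf() {
  f="$1"; rc=0
  # A '#' inside an SSID or passphrase also triggers this; avoid such values.
  if grep -q '^[^#]*=.*#' "$f"; then
    echo "inline comment after a value: hostapd keeps it as part of the value" >&2; rc=1
  fi
  pass="$(conf_get "$f" wpa_passphrase)"
  n=${#pass}
  if [ "$n" -lt 8 ] || [ "$n" -gt 63 ]; then
    echo "wpa_passphrase must be 8-63 characters (got $n)" >&2; rc=1
  fi
  case "$pass" in
    Raspberry|raspberry) echo "wpa_passphrase is the tutorial default; change it" >&2; rc=1 ;;
  esac
  if [ "$(conf_get "$f" wpa)" != "2" ]; then
    echo "wpa should be 2 (WPA2 only); 1 or 3 also enables the TKIP-era WPA" >&2; rc=1
  fi
  case "$(conf_get "$f" wpa_pairwise) $(conf_get "$f" rsn_pairwise)" in
    *TKIP*) echo "TKIP pairwise cipher enabled; use CCMP only" >&2; rc=1 ;;
  esac
  if [ "$(conf_get "$f" wpa_key_mgmt)" != "WPA-PSK" ]; then
    echo "wpa_key_mgmt should be WPA-PSK for a passphrase-protected AP" >&2; rc=1
  fi
  return "$rc"
}

# 20 random letters/digits from /dev/urandom: long enough, and easy to print
# on a card for visitors (the network is meant to be shared locally anyway).
gen_passphrase() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20; echo; }

# Usage: lint_hostapd_conf /etc/hostapd/hostapd.conf && echo "config looks sane"
```

Run it after every edit of hostapd.conf; a non-zero exit with the reasons on stderr means the AP would come up, but not with the settings you think.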

Configuration completed! Let's see if the services come up

Run commands:

 sudo service hostapd start
 sudo service isc-dhcp-server start
 sudo update-rc.d hostapd enable
 sudo update-rc.d isc-dhcp-server enable 

All good? Let's reboot

sudo reboot

Check the service status with:

sudo systemctl status hostapd.service
sudo systemctl status isc-dhcp-server.service

If systemctl reports hostapd.service as “masked”, run “sudo systemctl unmask hostapd” first and enable it again. Then check from a phone or laptop that the SSID is visible and that the client receives a 192.168.220.x lease.
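The TODO list mentions locking down the ports with iptables, and iptables-persistent is already installed. The following is an added example, not part of the original notes: a default-deny ruleset for the pub, generated in iptables-restore format and checked before it is written to the file iptables-persistent loads at boot. It assumes wlan0 on 192.168.220.0/24 from the config above, sbot on port 8080 (the port set in ~/.ssb/config in Step 2), lighttpd on 80 and dnsmasq on 53 if Annex A is used; the UDP rule for sbot assumes its LAN peer-discovery broadcasts use the same port number.

```shell
#!/bin/bash
# Added example, not from the original notes: a default-deny iptables ruleset
# for the offline pub, written to the file iptables-persistent loads at boot.
# Assumptions: wlan0 is the AP interface on 192.168.220.0/24, sbot listens on
# 8080 (the port set in ~/.ssb/config), lighttpd on 80, dnsmasq (Annex A) on
# 53, and the admin reaches the Pi over wlan0 or the eth0 setup cable.
set -u

AP_IF="wlan0"
AP_NET="192.168.220.0/24"
SBOT_PORT="8080"
ADMIN_NET="$AP_NET"   # narrow to one host (e.g. a DHCP reservation) when possible

# Emit the rules in iptables-restore format. Nothing is applied here.
gen_rules_v4() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, reply traffic, and junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping helps when debugging a headless box
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# DHCP: clients send from 0.0.0.0:68 to 255.255.255.255:67, so no source match
-A INPUT -i $AP_IF -p udp --dport 67 -j ACCEPT
# DNS, only needed with the dnsmasq captive-portal setup
-A INPUT -i $AP_IF -s $AP_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $AP_IF -s $AP_NET -p tcp --dport 53 -j ACCEPT
# onboarding web page (lighttpd)
-A INPUT -i $AP_IF -s $AP_NET -p tcp --dport 80 -j ACCEPT
# sbot: TCP for the pub itself, UDP for LAN peer-discovery broadcasts
# (assumption: the local-discovery broadcasts use the same port number)
-A INPUT -i $AP_IF -s $AP_NET -p tcp --dport $SBOT_PORT -j ACCEPT
-A INPUT -i $AP_IF -p udp --dport $SBOT_PORT -j ACCEPT
# SSH for the admin only; eth0 kept for the initial cabled setup
-A INPUT -i $AP_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Sanity checks before anything is loaded: default-deny input, no forwarding
# (the pub is not a router), one SSH rule per interface, and every TCP allow
# on the AP interface restricted to the AP subnet.
check_rules() {
  rules="$(gen_rules_v4)"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  [ "$(printf '%s\n' "$rules" | grep -c -- '--dport 22 ')" -eq 2 ] || return 1
  if printf '%s\n' "$rules" | grep -- "-i $AP_IF .*-p tcp" | grep -qv -- "-s $AP_NET"; then
    return 1
  fi
  return 0
}

# Parse with iptables-restore --test (iptables 1.6 or newer), then write the
# persistent file and load it. Must run as root.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  check_rules || { echo "ruleset failed sanity checks" >&2; return 1; }
  gen_rules_v4 | iptables-restore --test || return 1
  gen_rules_v4 > /etc/iptables/rules.v4
  iptables-restore < /etc/iptables/rules.v4
}
```

Keep an SSH session open on eth0 while applying the rules for the first time, so a mistake in the wlan0 rules cannot lock you out of the box.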

Step 2: install scuttlebot via npm

Install the scuttlebot pub software via npm.

But first we need to fix the missing link between /usr/bin/nodejs and /usr/bin/node; without it the installation will fail. The nodejs-legacy package installed in Step 1 provides exactly that link:

sudo apt-get install nodejs-legacy

… alternatively, you can create the link by hand:

sudo ln -s /usr/bin/nodejs /usr/bin/node

Now we get to install the actual scuttlebot software

sudo npm install -g node-gyp
sudo npm install -g scuttlebot 

Note: when you want to upgrade scuttlebot software, you can just run “sudo npm install -g scuttlebot” again.

(Now we need to wait for about 30 minutes…)

And we are back! Now we can configure the scuttlebot (or sbot) software

Let's start by making a little helper script (as the pi user, no sudo, so the file stays owned by pi):

nano ~/run-sbot.sh

add lines:

#!/bin/bash
# Restart sbot whenever it exits; the short sleep avoids a tight restart loop
# if it keeps crashing (e.g. on a broken ~/.ssb/config).
while true; do
    sbot server
    sleep 5
done

Let's create a sane configuration file for sbot: gossip.global=false keeps it from talking to other pubs, and allowPrivate=true lets us create invites even though the pub is not running on a public IP.

Note that you will eventually want to change the logging level to “notice” to cut down on the verbose notes that the server prints while running.

Create the directory and the file as the pi user (no sudo: a root-owned ~/.ssb breaks sbot later, and the secret key that sbot writes there on first start must stay readable by pi only):

mkdir -p ~/.ssb
nano ~/.ssb/config

Add following content:

{
  "host": "192.168.220.1",
  "port": 8080,
  "timeout": 30000,
  "pub": false,
  "local": true,
  "friends": {
    "dunbar": 150,
    "hops": 3
  },
  "gossip": {
    "connections": 2,
    "local": true,
    "global": false,
    "seeds": true
  },
  "master": [],
  "allowPrivate": true,
  "logging": {
    "level": "info"
  }
}

Keep “master” empty: any key listed there gets full remote admin rights over the pub. Also mind the spelling of the keys; a misspelled key (e.g. “loggging”) is silently ignored and the default stays in effect.

Step 3: run scuttlebot pub instance

Let's test sbot by getting it running in a screen session, then do the basic setup

screen
bash ~/run-sbot.sh

Detach from screen (Ctrl+A, Ctrl+D)

Find your pub-id

sbot whoami

Create a pub profile (keep the @ prefix and the .ed25519 suffix of your pub-id; the name is the display name other users will see, e.g. your pub's hostname)

sbot publish --type about --about @2mIgPUT-YOUR-PUB-ID-HERE-FROM-PREVIOUS-STEP=.ed25519 --name "Raspberry Pi SSB PUB"

Add an avatar picture to your blob store

cat ./avatar.jpg | sbot blobs.add

You'll get the hash of the file as the response (e.g. “&hT/5N2Kgbdv3IsTr6d3WbY9j3a6pf1IcPswg2nyXYCA=.sha256”). Time to add it as an avatar pic:

sbot publish --type about --about @2mIgPUT-YOUR-PUB-ID-HERE-FROM-PREVIOUS-STEP=.ed25519 --image "&hT/5THE-FILE-ID-HERE-FROM-PREVIOUS-STEP=.sha256"

Create invites (the number indicates how many times it can be used)

sbot invite.create 1

First post!!!11one!

sbot publish --type post --text "Hello world!"

Since everything works, let's get the sbot server to run on boot:

sudo nano /etc/rc.local

Add the following line just before the “exit 0” line (it runs the helper as the pi user, not as root, and appends all output to a log file):

su pi -c 'bash /home/pi/run-sbot.sh >> /home/pi/sbot.log 2>&1 &'

TODO: Guide on backing up the .ssb directory
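For the backup TODO above, here is an added example of the admin-side pull script; it is not part of the original notes. It assumes the pub answers as pi@192.168.220.1 over wlan0 (as configured in Step 1) and that the admin's SSH key is already in the pi user's authorized_keys. Before anything is copied it checks that ~/.ssb/secret, the pub's private key, is not group- or world-readable, and every archive gets a SHA-256 digest that can be re-checked later.

```shell
#!/bin/bash
# Added example, not from the original notes: back up ~/.ssb from the pub.
# Assumptions: the pub answers as pi@192.168.220.1 over wlan0 (as configured
# above) and the admin's SSH key is already in the pi user's authorized_keys.
set -u

PUB_HOST="${PUB_HOST:-pi@192.168.220.1}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/ssb-backups}"

# ~/.ssb/secret is the pub's private key. Refuse to copy it around while it is
# group- or world-readable; fix the mode on the Pi first (chmod 600).
check_secret_mode() {
  mode="$(stat -c '%a' "$1/secret" 2>/dev/null)" || return 1
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Write "<sha256>  <file>" next to the archive, using a relative name so the
# digest file can be checked from any directory.
record_digest() {
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Snapshot a local .ssb directory into a tar.gz plus digest (for use on the Pi
# itself, or on an admin machine that already holds a copy).
snapshot_ssb() {
  src="$1"; out="$2"
  check_secret_mode "$src" || { echo "refusing: $src/secret is not mode 600" >&2; return 1; }
  tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")" || return 1
  chmod 600 "$out"
  record_digest "$out"
}

# Verify an archive against its recorded digest; fails on any modification.
verify_snapshot() {
  ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# Pull from the pub over SSH, streaming the tarball so nothing extra lands on
# the Pi's SD card. The mode check runs on the Pi before any bytes are sent.
pull_remote_ssb() {
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  out="$BACKUP_DIR/ssb-$(date +%Y%m%d-%H%M%S).tgz"
  ssh "$PUB_HOST" 'm=$(stat -c %a "$HOME/.ssb/secret"); [ "$m" = 600 ] || [ "$m" = 400 ]' \
    || { echo "refusing: remote .ssb/secret is not mode 600" >&2; return 1; }
  ssh "$PUB_HOST" 'tar -C "$HOME" -czf - .ssb' > "$out" || return 1
  chmod 600 "$out"
  record_digest "$out"
  verify_snapshot "$out" && echo "$out"
}

# Usage (from the admin laptop while associated to the AP): pull_remote_ssb
```

The archive contains the pub's identity key, so treat it like the key itself: keep it on encrypted storage, or pipe the stream through gpg --symmetric before writing it to disk. Stop sbot first if you want a consistent copy of the database; a live copy is usable but may contain a half-written log segment.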

Step 4: set the web server

We have lighttpd already installed and running from the first step. Now we need to add some relevant content to it to help the new user. To bootstrap the process, we can use the SSB-Onboarding-Link-Generator to create us a nice single-page website.

I've modified the resulting site to make it completely independent of internet access by hosting the following locally, in the RPi's SD card:

  • All the static images and GIF-animations.
  • Web-fonts
  • Recent copies of Patchwork installation packages for Mac OSX, Linux and Windows
  • Scuttlebutt - A Love Story video

Now all we need is a way for the user to find this page. This can be done by forcing all DNS lookups to return the RPi's IP address (the dnsmasq setup in Annex A). Alternatively, we could advertise the correct URL as part of the WLAN SSID, e.g. “1. Connect 2. http://raspberry” (assuming we name the host raspberry and something on the Pi resolves that name; with the plain isc-dhcp-server setup of Step 1 nothing does, so advertise http://192.168.220.1 instead).

Annex A - alternative setup with dnsmasq

IMPORTANT: THE FOLLOWING TEXT IS NOT READY - THEY CONSIST MOSTLY OF MY RANDOM NOTES ON THE TOPIC AND WILL NOT WORK AS-IS!!

sudo apt-get install dnsmasq

Instead of /etc/dhcp/dhcpd.conf (the isc-dhcp-server file), the static address is set through dhcpcd here:

sudo nano /etc/dhcpcd.conf

Add the following to the end of the file (192.168.220.0 would be the network address, not a router; the Pi is its own gateway, and since it has no uplink the routers line could be dropped altogether):

interface wlan0
static ip_address=192.168.220.1/24
static routers=192.168.220.1

Then run

sudo service dhcpcd restart

The default dnsmasq.conf has too much stuff, so lets move that to a backup file and start fresh:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf

Add the following to dnsmasq.conf:

interface=wlan0                # Use interface wlan0
listen-address=192.168.220.1   # Specify the address to listen on
bind-interfaces                # Bind to the interface
server=8.8.8.8                 # Upstream DNS; never consulted while address=/#/ matches every name, and unreachable anyway on an offline pub
domain-needed                  # Don't forward short names
bogus-priv                     # Drop the non-routed address spaces
dhcp-range=192.168.220.50,192.168.220.150,12h   # IP range and lease time
address=/#/192.168.220.1       # Return the Pi's IP for any and all DNS requests

Lets start the new software

sudo service hostapd start
sudo service dnsmasq start

NOTE: in this variant dhcpcd is what gives wlan0 its static address, so dhcpcd.service must stay enabled; it is the /etc/network/interfaces setup of Step 1 that conflicts with it. What must go is isc-dhcp-server, otherwise two DHCP servers answer on wlan0: “sudo systemctl disable --now isc-dhcp-server” before dnsmasq takes over.

Last modified: 2018/04/19 07:12