Home network

Some old notes about home VPN (not currently being used)

DNS settings don’t seem to be taking effect on iPhone VPN: https://superuser.com/questions/637579/setting-dns-servers-using-openvpn-client-config-file

https://openvpn.net/cloud-docs/changing-dns-servers/ - is this because there’ sa different network, the one?

“DNS servers ‘’ will be used for DNS queries when the VPN is active” - in tunnelblick log

but then how do you tell the DNS server to return something in that range?


OK, it’s just a matter of sorting out the client config to use the same DHCP config as the router

and then allow-listing other networks in /etc/init.d/dnsmasq

and now i can connect from phone

Problem with SSH

I noticed that SSH-ing into the pi, when on the VPN from my work laptop, seemed to break all readline-y type apps like vim / paged less, etc. I will see if I can reproduce.

Couldn’t reproduce on home network with either laptop.

Same happened when ssh-ing imto home laptop. Looks like it’s an MTU thing (whatever that is):


Fixed by adding mssfix 1430 to the client config file. Mystery.

Internet in Brazil

Update, 16 May 2022. I believe, with Claro, I am on a CGNAT. e.g. my access point believes its Internet IP address to be (which is a local address), but it’s actually

According to the cable modem configuration page, I have IPv6:

    IPv6 NA 2804:14c:10a::10d4/64
    IPv6 PD 2804:14c:10a:90cd:8601:12ff:febd:6b32/64

(No idea what this means)

? https://en.wikipedia.org/wiki/Prefix_delegation

Taking the IPv6 of something on Mac - http://v6decode.com/#address=fe80%3A%3Aaede%3A48ff%3Afe00%3A1122 shows it’s a link-local unicast

I turned on IPv6 Internet on the access point, hasn’t seemed to acquire an IP addess.

I also accidentally turned on, I think, an IPv6 DHCP server on the Claro modem. Erm.

I wonder what happens if I change from router mode to bridge mode in the router settings. I don’t fully understand the difference.

I changed to bridge - who knows what will happen. OK, that seems to have disabled the DHCPv6 settings in the modem, and the access point now has an IPv6 address! (acquired by “Internet Connection Type: Dynamic IP (SLAAC/DHCPv6)”)

And, erm, my computer now has two IPv6 addresses, with prefixes?!

And what does this mean in terms of people outside the network being able to see stuff inside it? Do I need a firewall or something?

https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no-nat-for-ipv6-but-nat-still-exists/ this addresses security myths

https://test-ipv6.com/ - it all works now!

Why has resolving optiplex.internal.forooghian.com broken again? Ah, because for some reason it’s now trying to use IPv6 DNS.

Changed them to Google - first thing I don’t understand is how to update the IPv6 DNS servers macOS uses? refreshing DHCP lease doesn’t seem to do it. I had to turn Wi-Fi off and on.

Tried setting router’s DNS as IPv4-mapped IPv6 address, but it just said invalid format. Ditto for trying to set a local address.

IPv6 uses Neighbor Discovery Protocol in place of IPv4’s ARP.

https://datatracker.ietf.org/doc/html/rfc8106 what are the options for an IPv6 server to get DNS configuration?

OptiPlex doesn’t appear in access point’s list of clients for setting up firewall rules.

SLAAC does not provide DNS and Domain name information

If you do not have any requirement to restrict the hosts that can attach to the network using IPv6, then SLAAC, combined with DNS advertisement in the RA, and possibly with DDNS (if needed), would be the right choice.


The Router Advertisement Daemon (radvd) is an open-source software product that implements link-local advertisements of IPv6 router addresses and IPv6 routing prefixes using the Neighbor Discovery Protocol (NDP) as specified in RFC 2461

Radvd also supports the recursive DNS server (RDNSS) and DNS search list (DNSSL) options for NDP published in RFC 6106.[4]


I wish we could just disable the IPv6 DNS configuration for now but I don’t see a way to do that with this router. Of the options it offers for IPv6 LAN:

… I’m pretty sure that all except for ND Proxy will supply DNS server information. And I have no idea what ND Proxy is. Does it let me run my own Router Advertisement server? But then how would I know when the gateway’s IP address changes to tell my clients?

I wonder if it needs to be something like modem -> some machine of mine with firewall etc running -> access point

(But is there any way to totally disable the IPv6 firewall on the access point? People complaining about this: https://community.tp-link.com/en/home/forum/topic/220864?page=1 and suggestions of how to modify your firmware to allow it)

Need to understand better the various types of IPv6 local / private addresses. (e.g. ULA Unique Local Addresses)

I guess instead of having a local DNS server I could also just dyndns everything, but that doesn’t seem right.


AAAA record is like an A record but for IPv6

I believe that dnsmasq is also a DHCPv6 server

I wonder if I can completely just turn this router into an access point

For now I’ve turned off IPv6 on the router again, so that at least DNS works again

NordVPN claims that most VPN providers don’t support IPv6 (including them)

To get a public IPv4 address there would also be the option of connecting to a VPN (one that offers a non-NAT-ed one e.g. https://www.azirevpn.com/) from inside the network. You can also buy a dedicated IP from NordVPN for 70 USD / year.

Perhaps we could run OpenWRT from a VM for now, as an easy way to play around?

Using Docker for home server

Seems like using docker-compose is what most people on Reddit are doing

Setting up OptiPlex

let’s consider all of the preceding a first prototype

I’ve set up static IP for OptiPlex in router

So, SSH doesn’t work out of the box

I don’t know why the computer turns itself off a few mins after startup before I login at the GUI

Copied key with ssh-copy-id

Followed these instructions to install Plex: https://support.plex.tv/articles/200288586-installation/ (seems like I need to access it by IP address instead of optiplex.internal.forooghian.com)

After install, it says:

PlexMediaServer install: WARNING: The Intel GMM library, required for Intel Compute Runtime support, is missing.
PlexMediaServer install:          Please install package:  'intel-gmmlib' from https://github.com/intel/compute-runtime/releases
PlexMediaServer install:
PlexMediaServer install: WARNING: The Intel IGC Core, required for Intel Compute Runtime support, is missing.
PlexMediaServer install:          Please install package:  'intel-igc-core' from https://github.com/intel/compute-runtime/releases
PlexMediaServer install:
PlexMediaServer install: WARNING: The Intel IGC OpenCL library, required for Intel Compute Runtime support, is missing.
PlexMediaServer install:          Please install package:  'intel-igc-opencl' from https://github.com/intel/compute-runtime/releases
PlexMediaServer install:
PlexMediaServer install: WARNING: The Intel OpenCL library, required for Intel Compute Runtime support, is missing.
PlexMediaServer install:          Please install package:  'intel-opencl' from https://github.com/intel/compute-runtime/releases
PlexMediaServer install: Intel Compute Runtime packages are available from:  https://github.com/intel/compute-runtime/releases
PlexMediaServer install: Please be certain to install them in the listed order.

I don’t know if I need those for anything - QuickSync? Well, let’s leave it for now.

Turned on in web GUI “Scan my library automatically:

“Generate video preview thumbnails” as a scheduled task and when media is added. Ditto chapter thumbnails and analyzing audio tracks for loudness

The Plex library directories are /var/lib/plexmediaserver

Did sudo chmod 777 . in that directory so that I could copy to it over SSH (pretty sure that’s not the best way to do it)

Why is scp-ing movies to the server suuuuuper slow? Like 24MB/s

How to set up SSL access to the server?

Installed transmission just to have something for torrenting: https://linuxconfig.org/how-to-set-up-transmission-daemon-on-a-raspberry-pi-and-control-it-via-web-interface (TODO add this file to my config repo)

It’s available on

Let’s try setting up the DNS server?

Let’s also set up VPN again. For now, manually updated Namecheap’s home.forooghian.com to current IP. Will set up something dynamic later.

OK, for whatever reason, that’s failing to connect. I wonder if it’s related to whatever I’d seen before about struggling to get an IP address for your home in Brazil? Will have to investigate.

Hmm, computer still seems to be going to sleep after some inactivity, after which point I can’t SSH into it. Mashing on the keyboard means I can again.

(BIOS: hold F2 on startup)

Tried turning on “Block Sleep” in BIOS.

Also turned on automatially powering back on after power loss.

Erm, it still seems to become unresponsive after a while, but now the power light remains solid. what’s that?

Following this: https://www.tecmint.com/disable-suspend-and-hibernation-in-linux/

lawrence@lawrence-OptiPlex-3080:~$ systemctl status sleep.target suspend.target hibernate.target hybrid-sleep.target
● sleep.target - Sleep
     Loaded: loaded (/lib/systemd/system/sleep.target; static; vendor preset: enabled)
     Active: inactive (dead) since Fri 2022-05-13 19:16:15 -03; 2min 33s ago
       Docs: man:systemd.special(7)

May 13 19:11:50 lawrence-OptiPlex-3080 systemd[1]: Reached target Sleep.
May 13 19:16:15 lawrence-OptiPlex-3080 systemd[1]: Stopped target Sleep.

● suspend.target - Suspend
     Loaded: loaded (/lib/systemd/system/suspend.target; static; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd.special(7)

May 13 19:16:15 lawrence-OptiPlex-3080 systemd[1]: Reached target Suspend.
May 13 19:16:15 lawrence-OptiPlex-3080 systemd[1]: Stopped target Suspend.

● hibernate.target - Hibernate
     Loaded: loaded (/lib/systemd/system/hibernate.target; static; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd.special(7)

● hybrid-sleep.target - Hybrid Suspend+Hibernate
     Loaded: loaded (/lib/systemd/system/hybrid-sleep.target; static; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd.special(7)

Let’s try sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target - that seems to have done the trick. Undid the BIOS change.

I’ve installed the Samsung SSD 840 EVO (500GB) that was in my now-blown-up caddy. It just seems to contain iPhone backups. Happy to get rid of that. Gonna reformat to ext4.

I want to eventually figure out how to full-disk encrypt this (LUKS?), though. But for now will live with it as is. Mounting on /mnt/storage. Used https://www.linuxbabe.com/desktop-linux/how-to-automount-file-systems-on-linux to add to etc/fstab to auto-mount.

Let’s move our Plex directory there.

Let’s set up Dnsmasq for running a DNS server.

dnsmasq: failed to create listening socket for port 53: Address already in use
lawrence@lawrence-OptiPlex-3080:~$ sudo ss -lp "sport = :domain"
Netid    State      Recv-Q     Send-Q         Local Address:Port           Peer Address:Port    Process
udp      UNCONN     0          0        *        users:(("systemd-resolve",pid=1041,fd=12))
tcp      LISTEN     0          4096     *        users:(("systemd-resolve",pid=1041,fd=13))

what on earth is systemd-resolve?


let’s disable the stub listener:


and then use localhost as primary nameserver:


Erm, now DNS is broken on that machine, which is nice

Added to /etc/dnsmasq.conf (for Google DNS):


OK, well, I didn’t manage to change the /etc/resolv.conf (it got reverted). But, erm, something about the Optiplex being plugged in makes the whole network messed up (Internet light on access point goes off, can’t access any sites over Wi-Fi, etc). And then unplugging Optiplex from Ehternet fixes things. NO IDEA what happened.

That’s deeply confusing - how can plugging in a device bring the network down? As far as I can see, nothing was configured to use the Optiplex for anything…?

I can still access, I can no longer access (ping times out)

I can’t ping my Optiplex, I can ping the Apple TV

Now the Optiplex has vanished from clients list on router

Plugged it into TV, now Ubuntu isn’t even getting as far as a GUI on startup!

Press ESC on startup to get to GRUB and then boot into recovery mode

Bottom of screen is cut off in recovery mode, that’s nice

Ah, /etc/resolv.conf is currently a symlink to ../run/systemd/resolve/stub-resolv.conf. We need to I think just create our own file isntead

Ctrl-alt-F1 switches to first tty where you can then log in

This is so wildly confusing

Well, can I restore to the factory settings of the OS? I know it’s nuclear but not sure what else to do, not sure how I broke it. (There’s a recovery option on the GRUB menu)

I’ve also reserved the Wi-Fi interface an address on the router:

10-51-07-8C-DA-39 /

Now, to turn off Wi-Fi, use NetworkManager apparently:

nmcli radio wifi off / on

OK, the OptiPlex is at


Wow, OK, that was all working. And then I did an apt update && apt upgrade && reboot and the network is broken again. What the heck? I wonder if something got reverted after an update.

Hmm, this time the GUI isn’t messed up, though.

Seems like /etc/resolv.conf has been replaced by a file (no longer a symlink)

# Generated by NetworkManager

dnsmasq is running perfectly happily

/etc/systemd/resolved.conf is as before (DNSStubListener=no)

So it’s just that resolv.conf, why has it been replaced?

I’ve tried changing it back, let’s see if it gets replaced again. I rebooted, and it seems not.

OK, looking at man NetworkManager.conf, the dns option seems relevant. One of the options is dnsmasq, which is probably a good thing, but I already have a dnsmasq set up and don’t want to faff with it now. So let’s choose none, which apparently means it won’t touch resolv.conf.

Now (possibly because not connected to Internet) dnsmasq is returning REFUSED, even when I try to get transmission.internal.forooghian.com. Possibly because of interface-name not having an IP address.

OK, that was due to lack of Internet. Still transmission.internal.forooghian.com giving something unexpected by the looks of it. But let’s reconnect and see if things are working.

Grr, well, the whole network hasn’t come down, which is nice. But for some reason I can’t make DNS requests from my laptop to the OptiPlex.

Ah, perhaps dnsmasq started on Wi-Fi and then broke once I turned off Wi-Fi or something. Yup, restarting dnsmasq sorted that out.

OK, cool. I don’t know how to double-check that NetworkManager isn’t going to play those tricks again, I don’t know if the only way to trigger it is a software update, which there isn’t any available right now.


dig transmission.internal.forooghian.com

; <<>> DiG 9.10.6 <<>> transmission.internal.forooghian.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39168
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;transmission.internal.forooghian.com. IN A

forooghian.com.		1800	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1652641991 43200 3600 604800 3601

;; Query time: 23 msec
;; WHEN: Sun May 15 16:19:46 -03 2022
;; MSG SIZE  rcvd: 135


dig @ transmission.internal.forooghian.com

returns the right thing

Erm and now the aforementioned command is working…?! OK, I’ve reset DNS cache on Mac and things seem okay.

Setting up Let’s Encrypt again

So, I don’t want:

So I’m thinking about using some other DNS provider with a more permissive API, and hosting the DNS for a subdomain there (using an NS record, I think), e.g. acme.forooghian.com, and then using DNS alias mode (https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) to delegate validation for internal.forooghian.com to that domain.

Well, Cloudflare doesn’t even let me add a subdomain

http://freedns.afraid.org seems to want you to pay else people can use subdomains of your domain?!

Gonna try https://desec.io/ - a free, security-minded, open-source, donation-sustained service. I don’t know how to set up DNSSEC - Namecheap doesn’t seem to accept the records that deSEC is asking me to add. But oh well, I can at least resolve subdomains of acme.forooghian.com.


https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation is an article all about this sort of security

OK, let’s try with acme.sh

I have a suspicion I just accidentally deleted lawrence’s crontab. Hope there was nothing important there.

I ran

export DEDYN_TOKEN=<token>

acme.sh --issue --dns dns_desec --domain 'internal.forooghian.com' --domain '*.internal.forooghian.com' --challenge-alias acme.forooghian.com

and got a lot of Processing, The CA is processing your order, please just wait. (26/30) and eventually internal.forooghian.com:Timeout

(It’s trying to use ZeroSSL, not Let’s Encrypt: https://community.letsencrypt.org/t/the-acme-sh-will-change-default-ca-to-zerossl-on-august-1st-2021/144052)

Let’s try with Let’s Encrypt (add --server letsencrypt)

add --debug to see more logs from acme.sh

Well, it’s still failing, now don’t even know why. Yay

[dom mai 15 20:03:22 -03 2022] Checking internal.forooghian.com for _acme-challenge.acme.forooghian.com
[dom mai 15 20:03:23 -03 2022] Domain internal.forooghian.com '_acme-challenge.acme.forooghian.com' success.
[dom mai 15 20:03:23 -03 2022] Checking internal.forooghian.com for _acme-challenge.acme.forooghian.com
[dom mai 15 20:03:23 -03 2022] Domain internal.forooghian.com '_acme-challenge.acme.forooghian.com' success.
[dom mai 15 20:03:23 -03 2022] All success, let's return
[dom mai 15 20:03:23 -03 2022] Verifying: internal.forooghian.com
[dom mai 15 20:03:24 -03 2022] Pending, The CA is processing your order, please just wait. (1/30)
[dom mai 15 20:03:28 -03 2022] internal.forooghian.com:Verify error:No TXT record found at _acme-challenge.internal.forooghian.com

So, dig -t txt _acme-challenge.acme.forooghian.com is returning the nice long thing

_acme-challenge.acme.forooghian.com. 3600 IN TXT "Vj3yPAIwQ6ch_XPkAwijJHaV06Zd8xtg6TM7d9afTZM"

but dig -t txt _acme-challenge.internal.forooghian.com returns no records

dig -t txt _acme-challenge.forooghian.com returns the CNAME (don’t know how to make it follow that)

OK, was a problem with my DNS records. Sorted it out.

Rebooted, now DNS not working? What’s going on? Wonder if it’s starting on wrong interface.

Hmm, after doing one lookup on the machine, it then starts to work remotely too. Errrrrm.

I wonder if related to

mai 15 20:38:54 lawrence-OptiPlex-3080 dnsmasq[1183]: Ignoring query from non-local network

Very confusing.

I added interface=enp2s0 to dnsmasq config, seems to have done something useful, who knows?

Not sure if the auto renew works, nor if my certificates are right. everything is in ~/.acme.sh/internal.forooghian.com. there’s a .conf file, which doesn’t mention the DEDYN_TOKEN. does this need to be in the environment when the cron job runs?

openssl x509 -in fullchain.cer -noout -text

        Subject: CN = internal.forooghian.com
        X509v3 Subject Alternative Name:
        DNS:*.internal.forooghian.com, DNS:internal.forooghian.com

Also will I get warned if the cron job fails?

Let’s try setting up HAProxy.

and will it then auto install to haproxy after I do it once?

frontend default
        bind :80

        acl ACL_transmission.internal.forooghian.com hdr(host) -i transmission.internal.forooghian.com
        use_backend be_transmission if ACL_transmission.internal.forooghian.com

backend be_transmission
        server transmission

Tried to then deploy SSL to HAProxy:

acme.sh --deploy --domain internal.forooghian.com --deploy-hook haproxy

but failed

[dom mai 15 21:29:24 -03 2022] Moving new certificate into place
/home/lawrence/.acme.sh/deploy/haproxy.sh: line 163: /etc/haproxy/internal.forooghian.com.pem: Permission denied

I think I might want to run it as root, so that I can restart HAProxy afterwards, etc. Otherwise, will need to sort out directory permissions / sudoers file to allow me to do stuff. https://github.com/shellrent/acme.sh/wiki/sudo

used visudo to add:

lawrence ALL = NOPASSWD: /bin/systemctl reload haproxy

this lets me reload without password (https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/)

and then

export DEPLOY_HAPROXY_RELOAD="sudo /bin/systemctl reload haproxy"
export DEPLOY_HAPROXY_PEM_PATH=/home/lawrence/haproxy-certs

acme.sh --deploy --domain internal.forooghian.com --deploy-hook haproxy

Seems to have saved that config to the acme.sh config file for the domain:

Le_Deploy_haproxy_reload='sudo /bin/systemctl reload haproxy'

Then to set up HAProxy SSL termination:


TODO: how to make those services (transission etc) ONLY available from the machine? so that e.g if I remove basic auth and let HAProxy handle it, I can only get to the service through HAProxy outside of the machine?

TODO: is there a risk of Transmission being able to write to random locations? like overwriting system files and stuff

Now the frontend looks like:

frontend internal
	bind :80
	bind :443 ssl crt /home/lawrence/haproxy-certs/internal.forooghian.com.pem

	http-request redirect scheme https code 301 unless { ssl_fc }
	http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

	acl ACL_transmission.internal.forooghian.com hdr(host) -i transmission.internal.forooghian.com
	use_backend be_transmission if ACL_transmission.internal.forooghian.com

Ahhh, the dedyn token is stored in ~/.acme.sh/account.conf. Cool, so I think that the renewal stuff should all be working. I won’t know if the cronjob fails, but that’s another thing to figure out sometime in general.


Update available for Plex Media Server
You are currently running version on the server "OptiPlex". Version is now available. This update will need to be installed manually after download.

That said, Plex in Docker with watchtower or ouroboros will keep things up to date.

How to enable auto updates?

Apparently maybe the Snap version does

I’m confused about how to make it so that Plex can delete stuff - at the moment things seem to be created by debian-transmission and can’t be deleted by plex.

Installing Flood

sudo apt install nodejs npm

oh, that’s ancient version, using NodeSource distrib (because too lazy to faff with untarring right now):


curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash -
sudo apt-get install -y nodejs

(18 complains about my glibc version too old)

erm, seem to be unable to reach that

Seems to have some storage somewhere, because I configured some options (username, where to find Transmission) and they’re still configured on next launch. I think it’s stored in ~/.local/share/flood.

flood --host ''

and then you set up in the web interface (would be nice if could do with text):

OK, now in Transmission

Flood has a cool little button to register to handle magnet links, that’s nice

Followed the steps for setting up as a systemd service (including creating a user called download)

Got haproxy pointing to it

Weirdly it seemed to have 100kb/s speed limits turned on by default?! I changed that to unlimited in the UI and now downloads just seem to have stopped…

Well, flicked that to some non-unlimited and back again, and seems to work.

https://trac.transmissionbt.com/wiki/MagnetLinks - there’s also transmission-remote, command line app that lets you add stuff.

rTorrent + ruTorrent also seems to be another widely-recomended option if this one isn’t good.

there’s also desktop clients for transmision (e.g. transmission-qt, transmission-remote-gui)

how to enable SSL for transmission RPC?

playing around with Transmission Remote GUI - it seems nice

Suffers from not having access to the paths when adding files - but you can set up a local to remote path mapping, which I think means that I’d need to set up a file server

Time Machine

Sounds like Samba (SMB protocol plus some Apple extensions you need to enable) plus Avahi (for service discovery)



Samba is an open-source implementation of Microsoft’s SMB protocol

How to upgrade server

Let’s see what sudo apt upgrade does

What about Plex? OK, so I set it up with https://support.plex.tv/articles/235974187-enable-repository-updating-for-supported-linux-server-distributions/ and then I was just able to upgrade it with sudo apt upgrade. Nice.

What about Ubuntu? We’re currently on 18.04.2 LTS and the latest in this major version is 18.04.6 LTS. But there’s now 22.04 LTS too.

There’s some upgrade instructions here: https://ubuntu.com/blog/how-to-upgrade-from-ubuntu-18-04-lts-to-20-04-lts-today

Ran sudo do-release-upgrade -d and it said

Checking for a new Ubuntu release
In /etc/update-manager/release-upgrades Prompt
is set to never so upgrading is not possible.

So let’s try to set it in that file to lts and run again.

It asked me about /etc/resolved.conf, I just kept mine. See screenshot of diff. Ditto for /etc/haproxy/haproxy.cfg, /etc/dnsmasq.conf

Erm, it did all its stuff, and then after restart it’s still saying

Welcome to Ubuntu 18.04.2 LTS (beaver-osp1-ygritte X37) (GNU/Linux 5.4.0-125-generic x86_64)

Hmm, lsb_release does show 20 though. Hmm. It’s the scripts in /etc/update-motd.d that set it; for some reason they’re getting the older version. Dunno. Seems like it’s come from /etc/lsb-release. Not sure why that wasn’t updated. Well, just updated that file with the contents stolen from here


https://www.reddit.com/r/FindMeADistro/comments/d3atzf/what_linux_distro_for_headless_home_server/ talks about unattended-upgrades for installing upgrades automatically

How to upgrade BIOS of server

The fan of the OptiPlex is really noisy, Internet suggests that a BIOS update might fix it.

Looks like fwupdmgr is the tool for doing this.

fwupdmgr get-updates shows a bunch of stuff. I think I currently have 2.3.1.

Well, I updated it to 2.15.0. Then it seemed to not connect over SSH on reboot. I plugged it in to the TV and it started up, maybe just was doing a filesystem check or something?

Getting the fan speed

I wonder how to find the fan speed. I tried installing lm-sensors, then did sudo sensors-detect and then sensors, but it didn’t show anything about fans:

Adapter: ISA adapter
Package id 0:  +32.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +28.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +32.0°C  (high = +80.0°C, crit = +100.0°C)
Core 2:        +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 3:        +29.0°C  (high = +80.0°C, crit = +100.0°C)

Adapter: ACPI interface
temp1:        +27.8°C  (crit = +119.0°C)

Adapter: Virtual device
temp1:            N/A

Adapter: PCI adapter
Composite:    +26.9°C  (low  = -273.1°C, high = +82.8°C)
                       (crit = +84.8°C)
ERROR: Can't get value of subfeature temp2_min: I/O error
ERROR: Can't get value of subfeature temp2_max: I/O error
Sensor 1:     +26.9°C  (low  =  +0.0°C, high =  +0.0°C)
Found unknown chip with ID 0xfe00
Probing for Super-I/O at 0x4e/0x4f


After some upgrade, I’m now getting a 503 from torrents.internal.forooghian.com.

Flood isn’t starting, because

set 21 22:18:37 lawrence-OptiPlex-3080 env[48687]: /usr/bin/env: ‘node’: No such file or directory
set 21 22:18:37 lawrence-OptiPlex-3080 systemd[1]: flood@download.service: Main process exited, code=exited, status=127/n/a
set 21 22:18:37 lawrence-OptiPlex-3080 systemd[1]: flood@download.service: Failed with result 'exit-code'.

Well, I re-followed my old steps for installing Node (18, this time)

iOS 16 / macOS Ventura

DNS stopped working - seemed to be using Google DNS (my secondary) instead of Optiplex. https://www.reddit.com/r/pihole/comments/xcu3tu/ios_16_dns_issue/ – sounds like “secondary” is a misnomer, it’s not a fallback. So removed the secondary from TP-Link router DHCP

Getting permissions working for Plex and Transmission

Going to create a group media-library-editors of users who can edit the stuff in /mnt/storage/Plex:

lawrence@lawrence-OptiPlex-3080:/mnt/storage$ sudo addgroup media-library-editors
Adding group `media-library-editors' (GID 1000) ...

And will add the plex and debian-transmission users (as well as myself) to it:

lawrence@lawrence-OptiPlex-3080:/mnt/storage$ sudo adduser plex media-library-editors
Adding user `plex' to group `media-library-editors' ...
Adding user plex to group media-library-editors
lawrence@lawrence-OptiPlex-3080:/mnt/storage$ sudo adduser debian-transmission media-library-editors
Adding user `debian-transmission' to group `media-library-editors' ...
Adding user debian-transmission to group media-library-editors
lawrence@lawrence-OptiPlex-3080:/mnt/storage$ sudo adduser lawrence media-library-editors
Adding user `lawrence' to group `media-library-editors' ...
Adding user lawrence to group media-library-editors

Now I need to fix up the permissions on the existing files. First set the group owner of everything to media-library-editors:

lawrence@lawrence-OptiPlex-3080:/mnt/storage$ sudo chown -R :media-library-editors /mnt/storage/Plex

We now want group owners and owner to have:

Hmm, no, something’s wrong, for example it’s giving me permission denied when I try to cd into /storage/Plex/Movies/Trainspotting (1996) [1080p]. It’s like it doesn’t think that I’m part of the group.

Interestingly, the groups command doesn’t think I’m in the group:

lawrence@lawrence-OptiPlex-3080:/mnt/storage/Plex/Movies$ groups
lawrence adm cdrom sudo dip plugdev lpadmin sambashare

but in /etc/group I am:

lawrence@lawrence-OptiPlex-3080:/mnt/storage/Plex/Movies$ grep media /etc/group

Hmm, here’s what man groups says (emphasis mine):

Print group memberships for each USERNAME or, if no USERNAME is specified, for the current process **(which may differ if the groups database has changed)**.

If I add my name:

lawrence@lawrence-OptiPlex-3080:/mnt/storage/Plex/Movies$ groups lawrence
lawrence : lawrence adm cdrom sudo dip plugdev lpadmin sambashare media-library-editors

OK, so I re-logged in over SSH and now it’s OK.

Final thing to do is to set the setgid bit on all of the directories, so that anything created within them is also owned by the media-library-editors group:

sudo find /mnt/storage/Plex -type d -exec chmod g+s '{}' \;

Erm, but now I’m confused. I deleted Sherlock (a bunch of shows) using the Plex UI, and it vanished in Plex but it’s all still there in the file system. What? Scanned library and it’s re-appeared. Erm. Oh, but after an upgrade of Plex it all is well. So there’s clearly something going on weird with group membership not taking place until process restarted.

Ditto, I tried downloading a torrent and it’s getting a permission denied error. Let’s restart transmission:

lawrence@lawrence-OptiPlex-3080:/mnt/storage/Plex/TV Shows$ sudo systemctl restart transmission-daemon.service

Hmm, there’s one final problem, though, which is that the Transmission daemon is not granting write permissions to group owners for new files:

-rw-r--r-- 1 debian-transmission media-library-editors 1954505535 dez 28 23:07 foo.mp4

I think that this has something to do with umask (https://en.wikipedia.org/wiki/Umask), which I had not quite got to in the book yet.

Current Transmission daemon process is running with umask 0022 (cat /proc/141119/status | grep -i umask) - this gives r-x permission for world and group

I don’t fully understand umask – what I want is to take away rwx permissions for world, and to leave all permissions for owner and group. I think that’s umask 007. I tried running that in my terminal and then creating a file, and it appears like this:

-rw-rw----  1 lawrence media-library-editors    0 dez 29 17:49  bar

So I think that’s what I want. OK, in Transmission I can set the umask property in the config file:

"umask": "007"

No idea where my Transmission config file is (even though pretty sure edited it before). Ah, manpage + /etc/password and looking at debian-transmission user shows us it’s /var/lib/transmission-daemon/.config

Well, I’m still getting some weird permissions:

drwxr-sr-x 3 debian-transmission media-library-editors       4096 dez 29 18:01  bar

Compared to other things:

drwxrws--- 2 debian-transmission media-library-editors       4096 jun 24  2022 baz

It seems to have ignored my umask:

lawrence@lawrence-OptiPlex-3080:/mnt/storage/Plex/Movies$ cat /proc/1427487/status | grep -i umask
Umask:	0022

Hmm, it says in the config file documentation that umask is meant to be a string, but here it says it’s a decimal number:


So let’s try

"umask": 7

Wait, no, I just want to take away w permissions for world, so that’s umask 002. Let’s try

"umask": 2

OK, now it looks good:

drwxrws---  3 debian-transmission media-library-editors       4096 dez 29 18:17  bar

I don’t know why the directory has the setgid bit set, is that something that’s inherited? According to the Wikipedia page for setgid, yes:

Created subdirectories also inherit the setgid bit.

I’ve noticed that when Plex deletes things, it only deletes the movie file and not the containing directory, which sometimes contains some other text files and stuff like that. Sounds like there isn’t much I can do about this.

Some notes about network speed

Measure it using iperf (had to install on my laptop and on server). With my laptop on Wi-Fi (in same room as access point) and the server on Ethernet, it gives:

[lawrence@Lawrences-MacBook-Pro:~] iperf -c optiplex.internal.forooghian.com
Client connecting to optiplex.internal.forooghian.com, TCP port 5001
TCP window size:  128 KByte (default)
[  1] local port 50190 connected with port 5001 (icwnd/mss/irtt=11/1448/2000)
[ ID] Interval       Transfer     Bandwidth
[  1] 0.00-10.05 sec   749 MBytes   625 Mbits/sec

That’s very fast indeed (about 13s for a gigabyte, I guess). I wonder how close to theoretical max that is?

The router is “TP-Link AX1500 Wi-Fi 6 Router”:

But there seems to be something where it can combine both to get 1500 Mbps, not looked into it.

And the Wi-Fi menu on my Mac says “Tx Rate: 1,200 Mbps” (seems to vary though) and “PHY Mode: 802.11ax”

So data is transferring at about half the theoretical max. I wonder where the bottleneck is. The iperf man page seems like an interesting place to read sometime.

But weirdly, fast.com tells me that my Internet speed is 830Mbps, which is faster than the internal speed, eh?

I wonder what I’d get if I used the USB LAN adapter on my computer.