User Tools

Site Tools


brouillons:svxr_vm

This is an old revision of the document!


SVXReflector VM

Users:

root / toor (SSH access disabled)
sysop / hamradio

Config editor

  • Hostname
  • sysop password (for GUI + SSH?)
  • icecast settings
    • CHANGEME_LOC
    • CHANGEME_ADMIN_EMAIL
    • CHANGEME_SRC_PWD
    • CHANGEME_RLY_PWD
    • CHANGEME_ADMIN_PWD (iso sysop password)
    • CHANGEME_HOSTNAME

Requirements for a room:

  • Web server FQDN and aliases
  • Reflector port number
  • Room default password
  • Repeater specific passwords (optional)

Nice to have, not scheduled, yet.

  • TLS cert generation?

VM Build instructions

Install a debian buster/bullseye with SSH server and essential system utilities

# SSH Security improvement
sed -i 's/#PermitRootLogin .\+/PermitRootLogin without-password/' /etc/ssh/sshd_config
systemctl reload sshd.service

# Install packages
apt install lighttpd php7.4-cgi ufw 

# Lighttpd integration
lighty-enable-mod fastcgi
lighty-enable-mod fastcgi-php
echo "include \"/var/svx/www-*.conf\"" >> /etc/lighttpd/lighttpd.conf
systemctl reload lighttpd.service

# TODO:Copy NMU deb packages in ~
dpkg -i ~/svxreflector*.deb
apt install -f
apt-mark hold svxreflector
apt install svxlink-server

# Creating the application environment
mkdir -p /var/svx/
chown www-data:www-data /var/svx/
systemctl restart lighttpd.service

# Firewalling
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 5299/tcp
yes | ufw enable

Patched Svxreflector

Precompiled NMU packages

Howto build packages

# Build patched svxreflector
cd /usr/local/src/
apt install build-essential
apt build-dep svxreflector
apt source svxreflector
cd /usr/local/src/svxlink-*/debian/patches
# TODO: copy f4hof-*.patch in current directory
echo f4hof-add-svxreflector-default-pwd-group.patch >> series
echo f4hof-reject-anon.patch >> series
cd /usr/local/src/svxlink-*/
quilt push -a
dch --nmu
# Edit the Changelog
dpkg-buildpackage -us -uc
# Packages will be available in /usr/local/src/

Version 17.12.1

f4hof-add-svxreflector-default-pwd-group.patch
Index: svxlink-17.12.1/src/svxlink/reflector/ReflectorClient.cpp
===================================================================
--- svxlink-17.12.1.orig/src/svxlink/reflector/ReflectorClient.cpp
+++ svxlink-17.12.1/src/svxlink/reflector/ReflectorClient.cpp
@@ -520,9 +520,8 @@ std::string ReflectorClient::lookupUserK
   string auth_group;
   if (!m_cfg->getValue("USERS", callsign, auth_group) || auth_group.empty())
   {
-    cout << "*** WARNING: Unknown user \"" << callsign << "\""
-         << endl;
-    return "";
+    /* Unknown user, silently hinting to group DefaultPassword. */
+    auth_group = "DefaultPassword";
   }
   string auth_key;
   if (!m_cfg->getValue("PASSWORDS", auth_group, auth_key) || auth_key.empty())
f4hof-reject-anon.patch
Index: svxlink-17.12.1/src/svxlink/reflector/ReflectorClient.cpp
===================================================================
--- svxlink-17.12.1.orig/src/svxlink/reflector/ReflectorClient.cpp
+++ svxlink-17.12.1/src/svxlink/reflector/ReflectorClient.cpp
@@ -518,6 +518,12 @@ void ReflectorClient::handleHeartbeat(As
 std::string ReflectorClient::lookupUserKey(const std::string& callsign)
 {
   string auth_group;
+  if (strcasestr( callsign.c_str(), "5P07N1K") != NULL)
+  {
+    /* Deny connection to anons */
+    cout << "Attempt to connect as \"" << callsign << "\" denied." << endl;
+    return "";
+  }
   if (!m_cfg->getValue("USERS", callsign, auth_group) || auth_group.empty())
   {
     /* Unknown user, silently hinting to group DefaultPassword. */

Version 19.09.1

f4hof-add-svxreflector-default-pwd-group.patch
Index: svxlink-19.09.1/src/svxlink/reflector/ReflectorClient.cpp
===================================================================
--- svxlink-19.09.1.orig/src/svxlink/reflector/ReflectorClient.cpp
+++ svxlink-19.09.1/src/svxlink/reflector/ReflectorClient.cpp
@@ -520,9 +520,8 @@ std::string ReflectorClient::lookupUserK
   string auth_group;
   if (!m_cfg->getValue("USERS", callsign, auth_group) || auth_group.empty())
   {
-    cout << "*** WARNING: Unknown user \"" << callsign << "\""
-         << endl;
-    return "";
+    /* Unknown user, silently hinting to group DefaultPassword. */
+    auth_group = "DefaultPassword";
   }
   string auth_key;
   if (!m_cfg->getValue("PASSWORDS", auth_group, auth_key) || auth_key.empty())
f4hof-reject-anon.patch
Index: svxlink-19.09.1/src/svxlink/reflector/ReflectorClient.cpp
===================================================================
--- svxlink-19.09.1.orig/src/svxlink/reflector/ReflectorClient.cpp
+++ svxlink-19.09.1/src/svxlink/reflector/ReflectorClient.cpp
@@ -524,6 +524,12 @@ std::string ReflectorClient::lookupUserK
     auth_group = "DefaultPassword";
   }
   string auth_key;
+  if (strcasestr( callsign.c_str(), "5P07N1K") != NULL)
+  {
+    /* Deny connection to anons */
+    cout << "Attempt to connect as \"" << callsign << "\" denied." << endl;
+    return "";
+  }
   if (!m_cfg->getValue("PASSWORDS", auth_group, auth_key) || auth_key.empty())
   {
     cout << "*** ERROR: User \"" << callsign << "\" found in SvxReflector "

Systemd Units

svxreflector@.service
[Unit]
Description=SvxLink Reflector for room %l
Documentation=man:svxreflector(1)
After=network.target remote-fs.target time.target
 
[Service]
Type=simple
User=svxlink
Group=daemon
EnvironmentFile=-/etc/default/svxreflector-%i
Environment=CFGFILE=/var/svx/svxreflector-%i.conf
Environment=LOGFILE=/var/log/svxlink/svx-%i.log
RuntimeDirectory=svxlink
ExecStart=/usr/bin/svxreflector --config $CFGFILE --logfile $LOGFILE
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
TimeoutStartSec=60
 
[Install]
WantedBy=multi-user.target
svxlink@.service
[Unit]
Description=SvxLink client for room %l
Documentation=man:svxlink(1)
After=network.target remote-fs.target time.target sound.target svxreflector@%i.service
 
[Service]
Type=simple
User=svxlink
Group=daemon
EnvironmentFile=-/etc/default/svxlink-%i
Environment=CFGFILE=/var/svx/svxlink-%i.conf
Environment=LOGFILE=/var/log/svxlink/svxlink-%i.log
RuntimeDirectory=svxlink
ExecStart=/usr/bin/svxlink --config $CFGFILE --logfile $LOGFILE
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
TimeoutStartSec=60
 
[Install]
WantedBy=multi-user.target
darkice@.service
[Unit]
Description=Darkice server for room %l
Documentation=man:darkice(1)
After=network.target time.target icecast2.service sound.target
 
[Service]
Type=simple
User=svxlink
Group=svxlink
EnvironmentFile=-/etc/default/darkice-%i
Environment=CFGFILE=/var/svx/darkice-%i.cfg
#RuntimeDirectory=/etc/darkice
ExecStart=/usr/bin/darkice -c $CFGFILE
ExecStop=/bin/kill -s TERM $MAINPID
Restart=on-failure
TimeoutStartSec=60
 
[Install]
WantedBy=multi-user.target

Templates

icecast.xml
<icecast>
    <location>CHANGEME_LOC</location>
    <admin>CHANGEME_ADMIN_EMAIL</admin>
 
    <limits>
        <clients>100</clients>
        <sources>10</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>
 
    <authentication>
        <!-- Sources log in with username 'source' -->
        <source-password>CHANGEME_SRC_PWD</source-password>
        <!-- Relays log in with username 'relay' -->
        <relay-password>CHANGEME_RLY_PWD</relay-password>
 
        <!-- Admin logs in with the username given below -->
        <admin-user>sysop</admin-user>
        <admin-password>CHANGEME_ADMIN_PWD</admin-password>
    </authentication>
 
    <hostname>CHANGEME_HOSTNAME</hostname>
 
    <!-- You may have multiple <listener> elements -->
    <listen-socket>
        <port>5299</port>
    </listen-socket>
 
    <listen-socket>
        <port>8080</port>
    </listen-socket>
 
    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*" />
    </http-headers>
 
    <!-- Normal mounts -->
 
    <fileserve>1</fileserve>
 
    <paths>
        <!-- basedir is only used if chroot is enabled -->
        <basedir>/usr/share/icecast2</basedir>
        <logdir>/var/log/icecast2</logdir>
        <webroot>/usr/share/icecast2/web</webroot>
        <adminroot>/usr/share/icecast2/admin</adminroot>
        <!-- <pidfile>/usr/share/icecast2/icecast.pid</pidfile> -->
        <alias source="/" destination="/status.xsl"/>
    </paths>
 
    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
    </logging>
 
    <security>
        <chroot>0</chroot>
    </security>
</icecast>
svxreflector-vhost.conf
[GLOBAL]
TIMESTAMP_FORMAT="%Y-%m-%dT%H:%M:%S%z"
LISTEN_PORT=CHANGEME_REFL_PORT
CODECS=OPUS
 
[USERS]
 
[PASSWORDS]
DefaultPassword="CHANGEME_REFL_PASS"
svxlink-vhost.conf
[GLOBAL]
LOGICS=SimplexLogic,ReflectorLogic
CFG_DIR=/etc/svxlink/svxlink.d
TIMESTAMP_FORMAT="%c"
CARD_SAMPLE_RATE=48000
LINKS=ALLlink
 
[SimplexLogic]
TYPE=Simplex
RX=NONE
TX=TxStream
CALLSIGN=RESEAU_CHANGEME_VHOSTNAME
EVENT_HANDLER=/usr/share/svxlink/events.tcl
DEFAULT_LANG=en_US
 
[ReflectorLogic]
TYPE=Reflector
HOST=127.0.0.1
PORT=CHANGEME_REFL_PORT
CALLSIGN="RESEAU_CHANGEME_VHOSTNAME"
AUTH_KEY="CHANGEME_REFL_PASS"
AUDIO_CODEC=OPUS
EVENT_HANDLER=/usr/share/svxlink/events.tcl
 
[ALLlink]
CONNECT_LOGICS=SimplexLogic:94:SK3AB,ReflectorLogic
DEFAULT_ACTIVE=1
TIMEOUT=0
 
[TxStream]
TYPE=Local
AUDIO_DEV=alsa:hw:CHANGEME_AIFACE_NUM,0
AUDIO_CHANNEL=0
PTT_TYPE=NONE
TIMEOUT=7200
TX_DELAY=0
PREEMPHASIS=0

Structure /var/svx

  • svxreflector-vhost.conf
  • svxlink-vhost.conf
  • darkice-vhost.conf
  • www-vhost.conf
brouillons/svxr_vm.1620679807.txt.gz · Last modified: 2021/05/10 20:50 by f4hof