Recipe for Shinobi Security DVR

Debian 10.3 container
enable nesting in PVE! (required for systemd private resources for mariadb): pct set ### --features nesting=1
4 cores, 8 GB disk, 2 GB RAM, 512 MB swap, big storage mountpoint on /mnt/dvr

adduser tdobes
adduser tdobes adm
adduser tdobes systemd-journal

aptitude update && aptitude forget-new && aptitude full-upgrade

aptitude install apt-transport-https gnupg ca-certificates
echo 'deb buster main' > /etc/apt/sources.list.d/nodesource.list
echo 'deb-src buster main' >> /etc/apt/sources.list.d/nodesource.list
wget -O- | apt-key add -
aptitude update

aptitude install git nodejs

# create an npmrc so npm will install packages to a sane location (/usr/local instead of /usr)
echo '# DO NOT MODIFY THIS FILE - use /etc/npmrc instead.' > /usr/lib/node_modules/npm/npmrc
echo 'globalconfig=/etc/npmrc' >> /usr/lib/node_modules/npm/npmrc
echo 'globalignorefile=/etc/npmignore' >> /usr/lib/node_modules/npm/npmrc
echo 'prefix=/usr/local' >> /usr/lib/node_modules/npm/npmrc
echo >> /usr/lib/node_modules/npm/npmrc

aptitude install mariadb-server mariadb-client

# this installs a ton of xorg deps:
# aptitude --without-recommends install ffmpeg
# alternate plan: install static binaries instead (from
tar -xJf ffmpeg-release-amd64-static.tar.xz
mv ffmpeg-*-amd64-static/ffmpeg ffmpeg-*-amd64-static/ffprobe /usr/local/bin/
rm -r ffmpeg-release-amd64-static.tar.xz ffmpeg-*-amd64-static/

# see
mkdir -p /opt/shinobi
git clone -b master /opt/shinobi
echo '{"Product": "Shinobi Professional (Pro)", "Branch": "master", "Version": "'`GIT_DIR=/opt/shinobi/.git git rev-parse HEAD`'", "Date": "'`date`'", "Repository": ""}' > /opt/shinobi/version.json

# see
# and

shinobi_cron_key=`head -c 1024 < /dev/urandom | sha256sum | awk '{print substr($1,1,29)}'`
sed -e 's|change_this_to_something_very_random__just_anything_other_than_this|'$shinobi_cron_key'|' /opt/shinobi/conf.sample.json > /opt/shinobi/conf.json
sed -e "s/\"mail\":\".*\",/\"mail\":\"$adminemail\",/" -e "s/\"pass\":\".*\"/\"pass\":\"` echo -n $adminpass | md5sum | cut -d' ' -f1`\"/" /opt/shinobi/super.sample.json > /opt/shinobi/super.json
# these credentials are used for logging in at http://cameradvr:8080/super to create other user accounts

aptitude install dos2unix zip build-essential

pushd /opt/shinobi

# these make too many assumptions, so we'll do stuff manually instead:
#mysql -u $sqluser -p$sqlpass -e "source sql/user.sql" # this has the MySQL username, password, and database name hardcoded
#mysql -u $sqluser -p$sqlpass -e "source sql/framework.sql" # this has the MySQL database name hardcoded

mysqladmin create shinobi
sqlpass=`head -c 1024 < /dev/urandom | base64 -w 0 | head -c 30`
mysql -e "grant all on shinobi.* to shinobi@localhost identified by '$sqlpass';"
sed -e 's/ccio/shinobi/g' sql/framework.sql | mysql shinobi
sed -i -e 's/"host": ".*",/"host": "localhost",/' -e 's/"user": ".*",/"user": "shinobi",/' -e 's/"database": ".*",/"database": "shinobi",/' -e "s|\"password\": \".*\",|\"password\": \"$sqlpass\",|" conf.json

npm install npm -g # use npm to update global install of npm to latest version
hash -r # clear the bash cache so we use the newer npm
npm install --unsafe-perm # install all dependencies needed by shinobi
npm audit fix --force # checks dependencies for security issues and auto-fix

# hmm... shinobi installer wants 3.0.0 -- FIXME: can we update this to something more recent?
npm install pm2@3.0.0 -g

mkdir -p /etc/shinobisystems
echo /opt/shinobi > /etc/shinobisystems/path.txt
ln -s path.txt /etc/shinobisystems/cctv.txt
chmod +x INSTALL/shinobi
ln -s `readlink -f INSTALL/shinobi` /usr/local/bin/shinobi

touch INSTALL/installed.txt

pm2 start camera.js
pm2 start cron.js
pm2 startup
pm2 save

# but logging off will stop everything, so...
pm2 kill
systemctl start pm2-root

# ...some customizations: run on port 80, don't use 2nd videos folder, configure to use sendmail, remove gmail auth lines
sed -i -e 's/"port": 8080,/"port": 80,/' -e '/{"name":"second","path":"__DIR__\/videos2"}/d' -e 's/"service": "gmail",/"sendmail": true/' -e '/"auth":/,+3d' /opt/shinobi/conf.json

# mount ZFS video path from host into container
# on vmhost...
zfs create tank/shinobi
zfs set atime=off tank/shinobi
zfs set compression=zstd tank/shinobi
pct set ### --mp0 /tank/shinobi,mp=/mnt/video
# restart container, then on container...
systemctl stop pm2-root
mv /opt/shinobi/videos/* /mnt/video/
mv /opt/shinobi/videos /opt/shinobi/videos.old
ln -s /mnt/video /opt/shinobi/videos
systemctl start pm2-root

# FIXME: everything runs as root... this seems to be what upstream intends, but we should be able to do better

adduser --system --home /nonexistent --no-create-home shinobi

# probably should create a PM2_HOME directory in /var/local for pm2...
mkdir -p /var/local/pm2
chown shinobi:staff /var/local/pm2
chmod g+w /var/local/pm2

# then started it using systemd like this:

echo '[Unit]' > /etc/systemd/system/nodecg.service
echo 'Description=NodeCG Service' >> /etc/systemd/system/nodecg.service
echo '' >> /etc/systemd/system/nodecg.service
echo >> /etc/systemd/system/nodecg.service
echo '[Service]' >> /etc/systemd/system/nodecg.service
echo 'ExecStart=/usr/bin/pm2 start /var/local/nodecg/index.js --name nodecg' >> /etc/systemd/system/nodecg.service
echo 'User=nodecg' >> /etc/systemd/system/nodecg.service
echo 'Environment=PM2_HOME=/var/local/pm2' >> /etc/systemd/system/nodecg.service
echo 'Type=forking' >> /etc/systemd/system/nodecg.service
echo 'Restart=always' >> /etc/systemd/system/nodecg.service
echo 'RestartSec=1' >> /etc/systemd/system/nodecg.service
echo >> /etc/systemd/system/nodecg.service
echo '[Install]' >> /etc/systemd/system/nodecg.service
echo '' >> /etc/systemd/system/nodecg.service

systemctl daemon-reload
systemctl enable nodecg.service
systemctl start nodecg.service
computer/shinobi_dvr.txt · Last modified: 2021/06/06 13:41 by tdobes
Recent changes RSS feed Driven by DokuWiki Valid XHTML 1.0 Valid CSS