Summer has officially arrived in London: Force 8 winds and a month’s worth of rain in a weekend. In the finest British traditions of boundless meteorological optimism, I need (FSVO “need”) to build a computer-based system to make those rare sunny moments even better. In Spring 2017 I built one named Apollo.
We are fortunate to have access to a small rooftop with a couple of chairs, our boiler and our water tank. The boiler cupboard has a 230V supply. The roof is lead-lined.
Requirement: a headless, weatherproof, invisible music server.
The Volumio Project has done the hard work on the software side. Volumio is a Linux-based music server available to download as a pre-built image for a variety of hardware platforms. It can play music from your home network and link to online services such as Spotify and LastFM. The Raspberry Pi is my weapon of choice for lightweight networked Linux projects, and I’ll need an amplifier to turn it into a HiFi.
IQaudio is a small British company that has the solution: the Pi-DigiAMP+ is a daughterboard that sits on top of the Pi (what the cool kids now call HATs), connects to its GPIO port and can power a pair of 6ohm 40W speakers. Needless to say, the Pi’s weedy 5V PSU won’t get the party started, so you need a chunky 65W PSU to go with it. The DigiAMP then powers the Pi through the GPIO.
My little Pi has now turned into a mains-powered monster, so I need a large weatherproof box to house it and its associated gubbins. That box comes with a metal back-plate to which I can fix all of the components, and it’s long enough for a 4-gang extension block. Since it’s designed to go outdoors, all cables run through 20mm glands and the power lead is terminated with a splashproof ABB connector. This is undoubtedly over-engineered: the box is housed inside the boiler cupboard, but it’s future-resistant (there’s no such thing as future-proof) in case I want to lift-and-shift it to a new property.
A couple of marine speakers finish the job, with some soldered-on phono connectors that I picked up from my local Maplin just before it closed for good. They’re waterproof, small enough to be tucked behind plant pots and the cable is thin enough to tuck under the lead flashing.
I need to connect this thing to my network, but my landlady doesn’t seem to share my enthusiasm for chasing out walls to run Cat-6. The roof is lead-lined so WiFi is also out of the question (and, seriously, who uses WiFi for a headless server?)
With a heavy heart I realise that the only practical solution is HomePlug, otherwise known as Powerline Ethernet. As a keen radio amateur I usually consider these things to be the devil’s work: twin-and-earth cabling is not designed to effectively contain high-frequency signals. Nevertheless, I live in London so I’m still not the worst local source of RF noise, and I’ve given up trying to do anything with HF since my 20m copper “washing line” was rumbled. TP-Link makes some neat little boxes that combine a 2-port HomePlug adaptor with a WiFi hotspot, thereby solving my rooftop Guest WiFi problem at the same time.
Volumio works pretty well out-the-box as a media server but, as with all Internet of Things devices, convenience comes at the cost of security. The developers haven’t done a bad job of locking it down (compared to many I’ve seen) but I still need to harden it a bit more before I feel happy. What follows was true in 2017 and may have improved since then.
Apollo sits on my untrusted guest network and there are several layers of security between it, my other security domains, and the Internet. Nonetheless, out of the box it has:
- Hard-coded default credentials. The main user account “volumio” has the default password “volumio”. SSH is disabled by default but can be trivially re-enabled through the web interface. Changing the password breaks the updater because of the way the script uses sudo.
- A WiFi hot-spot. Definitely a feature not a bug, but don’t forget that recent versions of the Pi come with built-in WiFi hardware so it’ll have to be manually disabled if you don’t want it.
- Some old versions of software with known vulnerabilities. Volumio is built on Raspbian but isn’t as up-to-date.
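The three findings above can be re-checked on the device after hardening and after every update. The script below is an added example, not part of the original build or of Volumio; it assumes `ss`, `iw` and `apt-get` are installed, and its helper and function names are made up for illustration.

```shell
#!/bin/sh
# Added example: re-check the three out-of-the-box findings on the device.
# Each helper reads command output on stdin, so it can be exercised offline
# with captured or constructed output.

# Succeeds if `ss -tln` output shows a listener on TCP port 22 (SSH).
ssh_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:22$/ { found = 1 } END { exit !found }'
}

# Prints every interface that `iw dev` reports in AP (hot-spot) mode.
ap_interfaces() {
    awk '$1 == "Interface" { ifc = $2 }
         $1 == "type" && $2 == "AP" { print ifc }'
}

# Counts the packages a simulated `apt-get -s upgrade` would replace.
pending_upgrades() {
    grep -c '^Inst ' || true   # grep exits 1 on zero matches; still prints 0
}

# Runs all three checks against the live system; returns 1 on any warning.
audit() {
    rc=0
    if ss -tln | ssh_listening; then
        echo "WARN: SSH is listening; check the 'volumio' account password"
        rc=1
    fi
    aps=$(iw dev 2>/dev/null | ap_interfaces)
    if [ -n "$aps" ]; then
        echo "WARN: hot-spot (AP mode) active on: $aps"
        rc=1
    fi
    n=$(apt-get -s upgrade 2>/dev/null | pending_upgrades)
    if [ "$n" -ne 0 ]; then
        echo "WARN: $n packages have pending upgrades"
        rc=1
    fi
    return "$rc"
}

# On the device: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    audit
fi
```

A non-zero exit status makes the script easy to call from cron or a monitoring check.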
Once those were addressed, I had to provide it with access to my media library. My MP3 collection (hey, Spotify didn’t exist when I was at University!) sits on my NAS on my trusted network. An intermediate box NFS-mounts my music collection and presents it to Apollo as a Samba share which makes it easier for my IPS to keep an eye on things. My firewall config allows devices on my trusted and semi-trusted network to control Apollo through its web interface.
In terms of securing my attack-surface, I’m happy with that level of attention. My MP3 collection contains no Rick Astley, which allows me to mitigate against being Rick-rolled at 3am by any unexpectedly mischievous and tech-savvy neighbours (unless they’ve also hacked my Spotify account).
Now I can sit back with a glass of rosé, select the music from my phone… and wait for the rain to start.