Here's how I set up a media PC using Kodi (formerly XBMC) and a Raspberry Pi 4.
Hardware
The hardware is fairly straightforward, but here's what I ended up getting:
- Raspberry Pi 4 board: I went for the maximum amount of RAM (8 GB).
- SD-card: Since I'm not going to store any media on here, 64 GB is plenty. However, speed is very important for the UI to feel responsive. Look for V30, U3 and A2 ratings.
- HDMI to micro-HDMI cable
- Case and power supply
You'll probably want to add a remote control to that setup. I used an old Streamzap I had lying around.
Installing the OS on the SD-card
Plug the SD card into a computer using a USB adapter.
Download the imager and use it to install Raspbian on the SD card.
Then you can simply plug the SD card into the Pi and boot.
System configuration
Using sudo raspi-config, I changed the following:
- Set hostname (System Options)
- Wait for network at boot (System Options): needed for NFS
- Disable screen blanking (Display Options)
- Enable ssh (Interface Options)
- Configure locale, timezone and keyboard (Localisation Options)
- Set WiFi country (Localisation Options)
Then I installed anacron to make sure that cron jobs still get run even if the machine was off at their scheduled time:
apt install anacron
I found that automatic updates are already enabled by apt-daily-upgrade.timer.
Headless setup
Should you need to do the setup without a monitor, you can enable ssh by inserting the SD card into a computer and then creating an empty file called ssh in the boot partition.
Plug it into your router and boot it up. Check the IP that it received by looking at the active DHCP leases in your router's admin panel.
Then log in:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@192.168.1.xxx
using the default password of raspberry.
Hardening
In order to secure the Pi, I followed most of the steps I usually take when setting up a new Linux server.
I created a new user account for admin and ssh access:
adduser francois
addgroup sshuser
adduser francois sshuser
adduser francois sudo
and changed the pi user password to a random one:
pwgen -sy 32
sudo passwd pi
before removing its admin permissions:
deluser pi adm
deluser pi sudo
deluser pi dialout
deluser pi cdrom
deluser pi lpadmin
Finally, I enabled the Uncomplicated Firewall. I had to reconfigure debconf to see all medium-priority questions:
dpkg-reconfigure debconf
before installing the ufw package:
apt install ufw
and only allowing ssh connections.
After starting ufw using systemctl start ufw.service, you can check that it's configured as expected using ufw status. It should display the following:
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
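To confirm the end state of these steps rather than trusting that each command ran, the following added example (not part of the original post) checks that the pi account has lost the groups removed above and that ufw status shows nothing but the ssh rule. The function names and the sample output with its extra 5900/tcp rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-hardening checks. Inputs are passed as text so the
# functions can be exercised offline; names and sample data are constructed.

# $1 = group list as printed by `id -nG pi`.
# Prints each group from the deluser list above that the account still has.
leftover_admin_groups() {
    for g in $1; do
        case "$g" in
            adm|sudo|dialout|cdrom|lpadmin) printf '%s\n' "$g" ;;
        esac
    done
}

# stdin = output of `ufw status`. Prints one finding per problem, nothing if
# the firewall is active and 22/tcp ALLOW is the only kind of rule present.
unexpected_ufw_state() {
    awk '
        $1 == "Status:" { seen = 1; if ($2 != "active") print "firewall is " $2 }
        /(ALLOW|DENY|REJECT|LIMIT)/ {
            if ($0 !~ /^22\/tcp( +\(v6\))? +ALLOW /) print "unexpected rule: " $0
        }
        END { if (!seen) print "no Status line found" }
    '
}

# Constructed sample: the expected output plus one stray rule (5900/tcp).
sample_ufw_status() {
    cat <<'EOF'
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
5900/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Offline demo. On the Pi itself, run as root:
#   leftover_admin_groups "$(id -nG pi)"
#   ufw status | unexpected_ufw_state
leftover_admin_groups "pi adm video sudo"
sample_ufw_status | unexpected_ufw_state
```
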
Installing Kodi
Kodi is very straightforward to install since it's now part of the Raspbian repositories:
apt install kodi
To make it start at boot/login, while still being able to exit and use other apps if needed:
cp /etc/xdg/lxsession/LXDE-pi/autostart ~/.config/lxsession/LXDE-pi/
echo "@kodi" >> ~/.config/lxsession/LXDE-pi/autostart
In order to improve privacy while fetching metadata, I also installed Tor:
apt install tor
and then set a proxy in the Kodi System | Internet access settings:
- Proxy type: SOCKS5 with remote DNS resolving
- Server: localhost
- Port: 9050
Note that you should set the following in /etc/tor/torrc:
SocksPort localhost:9050
so that the Tor daemon is only available locally.
Network File System
To avoid having to connect all media storage directly to the Pi via USB, I set up an NFS share over my local network.
First, give static IP allocations to the server and the Pi in your DHCP server, then add the Pi to the /etc/hosts file on your NFS server:
192.168.1.3 pi
Install the NFS server package:
apt install nfs-kernel-server
Set up the directories to share in /etc/exports:
/pub/movies pi(ro,insecure,all_squash,subtree_check)
/pub/tv_shows pi(ro,insecure,all_squash,subtree_check)
Open the right ports on your firewall by putting this in /etc/network/iptables.up.rules:
-A INPUT -s 192.168.1.3 -p udp -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 600:1124 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 600:1124 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 2049 -j ACCEPT
Finally, apply all of these changes:
iptables-apply
systemctl restart nfs-kernel-server.service
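An export line is easy to get subtly wrong: for example, a space between the client name and its options applies those options to every host. This added example (not part of the original post) lints /etc/exports text for that and for options that widen access; the function names and the /srv/scratch line are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint /etc/exports text. Function names are constructed.
# Assumes one export per line (no backslash continuations).

# stdin = contents of /etc/exports. Prints one finding per risky client entry.
audit_exports() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }       # comments, blank lines, no client field
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p) {                     # split "client(opt,opt)" in two
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                o = "," opts ","
                where = $1 " -> " (client == "" ? "(any host)" : client) ": "
                if (client == "" || client ~ /[*?]/)
                    print where "not limited to a named host"
                if (o ~ /,rw,/)
                    print where "writable"
                if (o ~ /,no_root_squash,/)
                    print where "remote root keeps uid 0"
                if (o ~ /,insecure,/)
                    print where "note: unprivileged source ports accepted"
            }
        }
    '
}

# First two lines are the exports from the post; the third is constructed to
# show the stray-space pitfall, where the options apply to every host.
sample_exports() {
    cat <<'EOF'
/pub/movies pi(ro,insecure,all_squash,subtree_check)
/pub/tv_shows pi(ro,insecure,all_squash,subtree_check)
/srv/scratch pi (rw,no_root_squash)
EOF
}

# Offline demo. On the NFS server: audit_exports < /etc/exports
sample_exports | audit_exports
```
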
On the Pi, put the server's static IP in /etc/hosts:
192.168.1.2 fileserver
and this in /etc/fstab:
fileserver:/data/movies /kodi/movies nfs ro,bg,hard,noatime,async,nolock 0 0
fileserver:/data/tv /kodi/tv nfs ro,bg,hard,noatime,async,nolock 0 0
Install the NFS client package:
apt install nfs-common
Then create the mount points and mount everything:
mkdir -p /kodi/movies
mkdir /kodi/tv
mount /kodi/movies
mount /kodi/tv
In order for these directories to get mounted at boot, you need to enable the "S6 Network at Boot" option in raspi-config (System options section) and then run the following:
systemctl enable NetworkManager-wait-online.service
to further wait for the network.
That's a fair question. The primary reason is that I would need to customize more things since that user is already set up for everything to just work.
Once it's de-fanged (no sudo access, no ssh access, random password), it's probably not very dangerous.
Interesting. I was not aware there were images for stock Debian.