Here's how I set up a media PC using Kodi (formerly XBMC) and a Raspberry Pi 4.
Hardware
The hardware is fairly straightforward, but here's what I ended up getting:
- Raspberry Pi 4 board: I went for the maximum amount of RAM (8 GB).
- SD-card: Since I'm not going to store any media on here, 32 GB is plenty.
- HDMI to micro-HDMI cable
- Case and power supply
You'll probably want to add a remote control to that setup. I used an old Streamzap I had lying around.
Installing the OS on the SD-card
Plug the SD card into a computer using a USB adapter.
Download the imager and use it to install Raspbian on the SD card.
Then you can simply plug the SD card into the Pi and boot.
System configuration
Using sudo raspi-config, I changed the following:
- Set hostname (System Options)
- Wait for network at boot (System Options): needed for NFS
- Disable screen blanking (Display Options)
- Enable ssh (Interface Options)
- Configure locale, timezone and keyboard (Localisation Options)
- Set WiFi country (Localisation Options)
Then I enabled automatic updates:
apt install unattended-upgrades anacron
echo 'Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};' | sudo tee /etc/apt/apt.conf.d/51unattended-upgrades-raspbian
Headless setup
Should you need to do the setup without a monitor, you can enable ssh by inserting the SD card into a computer and then creating an empty file called ssh in the boot partition.
Plug it into your router and boot it up. Check the IP that it received by looking at the active DHCP leases in your router's admin panel.
Then log in:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@192.168.1.xxx
using the default password of raspberry.
Hardening
In order to secure the Pi, I followed most of the steps I usually take when setting up a new Linux server.
I created a new user account for admin and ssh access:
adduser francois
addgroup sshuser
adduser francois sshuser
adduser francois sudo
and changed the pi user password to a random one:
pwgen -sy 32
sudo passwd pi
before removing its admin permissions:
deluser pi adm
deluser pi sudo
deluser pi dialout
deluser pi cdrom
deluser pi lpadmin
Finally, I enabled the Uncomplicated Firewall by installing its package:
apt install ufw
and only allowing ssh connections.
After starting ufw using systemctl start ufw.service, you can check that it's configured as expected using ufw status. It should display the following:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
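Added example (not part of the original post): two text-based checks for the hardening steps above, one over `ufw status` output and one over the pi user's group list. The function names and sample input are constructed for illustration, and the sshuser check assumes that group is what grants ssh access.

```shell
#!/bin/sh
# Reads `ufw status` output on stdin. Succeeds only if the firewall is
# active and every rule is an ALLOW for 22/tcp, as in the expected output.
ufw_only_ssh() {
    awk '
        /^Status:/ { active = ($2 == "active"); next }
        /^To[ \t]/ || /^--/ || /^[ \t]*$/ { next }   # column header, blanks
        { rules++; if ($1 != "22/tcp" || $0 !~ / ALLOW /) bad++ }
        END { exit !(active && rules > 0 && bad == 0) }
    '
}

# $1 is the output of `id -nG pi`. Succeeds only if pi is in none of the
# groups removed above, nor in sshuser; otherwise prints what is left.
pi_defanged() {
    left=""
    for g in $1; do
        case "$g" in
            adm|sudo|dialout|cdrom|lpadmin|sshuser) left="$left $g" ;;
        esac
    done
    [ -z "$left" ] || { echo "pi is still in:$left"; return 1; }
}

# Constructed sample input (not captured from a real system).
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
SAMPLE_GROUPS='pi video audio input'

# On the Pi itself: sudo ufw status | ufw_only_ssh; pi_defanged "$(id -nG pi)"
if printf '%s\n' "$SAMPLE_UFW" | ufw_only_ssh; then
    echo "ufw: active, ssh only"
else
    echo "ufw: inactive or extra rules present"
fi
if pi_defanged "$SAMPLE_GROUPS"; then echo "pi: no privileged groups"; fi
```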
Installing Kodi
Kodi is very straightforward to install since it's now part of the Raspbian repositories:
apt install kodi
To make it start at boot/login, while still being able to exit and use other apps if needed:
cp /etc/xdg/lxsession/LXDE-pi/autostart ~/.config/lxsession/LXDE-pi/
echo "@kodi" >> ~/.config/lxsession/LXDE-pi/autostart
In order to improve privacy while fetching metadata, I also installed Tor:
apt install tor
and then set a proxy in the Kodi System | Internet access settings:
- Proxy type: SOCKS5 with remote DNS resolving
- Server: localhost
- Port: 9050
Note that you should set the following in /etc/tor/torrc:
SocksPort localhost:9050
so that the Tor daemon is only available locally.
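Added example (not part of the original post): a check that the SOCKS listener really is bound to loopback only, by reading `ss -ltn` output. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads `ss -ltn` output on stdin and checks the listeners on TCP port $1.
# Succeeds only if there is at least one and all are bound to loopback;
# prints every address that other hosts could reach.
loopback_only() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }               # also skips the header line
        {
            addr = $4                         # Local Address:Port column
            n = match(addr, /:[0-9]+$/)
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            seen++
            if (host !~ /^127\./ && host != "[::1]") {
                print "exposed: " addr
                bad++
            }
        }
        END { exit !(seen > 0 && bad == 0) }
    '
}

# Constructed sample listing (not captured from a real system).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:9050      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# On the Pi itself: ss -ltn | loopback_only 9050
if printf '%s\n' "$SAMPLE_SS" | loopback_only 9050; then
    echo "tor: SOCKS port is local only"
else
    echo "tor: SOCKS port missing or reachable from the network"
fi
```

Running the same function with port 22 fails on purpose, since ssh is the one service meant to be reachable from other hosts.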
Network File System
To avoid having to connect all media storage directly to the Pi via USB, I set up an NFS share over my local network.
First, give static IP allocations to the server and the Pi in your DHCP server, then add the Pi to the /etc/hosts file on your NFS server:
192.168.1.3 pi
Install the NFS server package:
apt install nfs-kernel-server
Set up the directories to share in /etc/exports:
/pub/movies pi(ro,insecure,all_squash,subtree_check)
/pub/tv_shows pi(ro,insecure,all_squash,subtree_check)
Open the right ports on your firewall by putting this in /etc/network/iptables.up.rules:
-A INPUT -s 192.168.1.3 -p udp -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 123 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 600:1124 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 600:1124 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 2049 -j ACCEPT
Finally, apply all of these changes:
iptables-apply
systemctl restart nfs-kernel-server.service
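Added example (not part of the original post): a check that every entry in an exports file is at least as tight as the pattern used above (a named client, read-only, all_squash). The function name and the third sample entry are constructed for illustration.

```shell
#!/bin/sh
# Reads an exports(5) file on stdin and prints every client entry that is
# looser than the pattern used above. Fails if anything was printed.
# Assumes entries are not split across lines with backslashes.
check_exports() {
    awk '
        function flag(why) { printf "%s %s: %s\n", path, spec, why; bad++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            path = $1
            if (NF == 1) { spec = "(none)"; flag("no client list, exported to any host") }
            for (i = 2; i <= NF; i++) {
                spec = $i; client = $i; opts = ",,"
                p = index(spec, "(")
                if (p > 0) {
                    client = substr(spec, 1, p - 1)
                    opts = "," substr(spec, p + 1, length(spec) - p - 1) ","
                }
                if (client == "" || client == "*")   flag("exported to any host")
                if (index(opts, ",rw,"))             flag("writable")
                if (index(opts, ",no_root_squash,")) flag("remote root keeps uid 0")
                if (!index(opts, ",all_squash,"))    flag("clients keep their own uids")
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: the two entries from above plus one looser entry.
SAMPLE_EXPORTS='/pub/movies pi(ro,insecure,all_squash,subtree_check)
/pub/tv_shows pi(ro,insecure,all_squash,subtree_check)
/pub/scratch *(rw,no_root_squash)'

# On the server: check_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | check_exports || echo "review the entries listed above"
```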
On the Pi, put the server's static IP in /etc/hosts:
192.168.1.2 fileserver
and this in /etc/fstab:
fileserver:/data/movies /kodi/movies nfs ro,bg,hard,noatime,async,nolock 0 0
fileserver:/data/tv /kodi/tv nfs ro,bg,hard,noatime,async,nolock 0 0
Then create the mount points and mount everything:
mkdir -p /kodi/movies
mkdir /kodi/tv
mount /kodi/movies
mount /kodi/tv
That's a fair question. The primary reason is that I would need to customize more things since that user is already set up for everything to just work.
Once it's de-fanged (no sudo access, no ssh access, random password), it's probably not very dangerous.
Interesting. I was not aware there were images for stock Debian.