Now that I’m done with my WiFi project, and everyone is surfing happily (it seems), I’m ready for my next project. For years now I’ve had a basic video surveillance setup using old Panasonic Security Cameras (BL-VP104W) and one ultra sketchy Chinese camera. You know, one of those with extra backdoor admin accounts named 888888 that you can’t disable. I bought extras that I can’t sell on eBay at any price.

So I want to upgrade to a better video solution. Fortunately, Ubiquiti offers a solution that is as cost-effective as its infrastructure.
My requirements are simple:
- I prefer to avoid cloud storage (but I want the option to ship to the cloud, or record to the cloud as an option, rather than as default);
- I want my front door to email me a picture each time it detects motion;
Of course, being me, I want to add some excitement to it, so I also want to use ZFS as my storage system for the recordings, so that I can get to know ZFS.
ZFS
I’ll probably do a longer post about ZFS, since it’s awesome, but for now, I’m going to start with a 2 drive mirror, and then probably eventually migrate to a 3 drive RAID system.
Basically, ZFS combines storage and filesystem management in one place. Where you used to use LVM and then format (which took like 10 commands), ZFS combines both together and does awesome stuff like snapshots and replication.
Why? For whatever reason, I worry a lot about ransomware attacks, so I want to ensure that my file server can’t be attacked that way. ZFS allows scheduled snapshots to be taken and allows rollbacks to prior times.
Steps
To do this, we’ll do the following:
- Install the Unifi Video Controller
- Set up the SSL cert for the video controller
- Set up ZFS volumes
Install the Video Controller
Unifi Video is very easy to install on the same server as the Unifi Controller, and here are the steps I followed:
    wget https://dl.ubnt.com/firmwares/ufv/v3.9.12/unifi-video.Ubuntu16.04_amd64.v3.9.12.deb
    apt install ./unifi-video.Ubuntu16.04_amd64.v3.9.12.deb
    ufw allow 7080/tcp
    ufw allow 7443/tcp
    ufw allow 7445/tcp
    ufw allow 7446/tcp
    ufw allow 7447/tcp
    ufw allow 10001/udp
    ufw allow 6666/tcp
    ufw allow 7442/tcp
The first two commands download and install the program, and the ufw commands open the ports it uses in the firewall.
This got the server up and running so I could access it through the URL https://server:7443. However, as I used the server, I got periodic popups that indicated 404 errors, and errors that said ‘Connection Lost, the connection to your NVR has been lost’. Guessing that it might be a certificate problem (restarting the service and rebooting didn’t help), and seeing a self-signed certificate installed by default, I moved on to linking the video controller to my pfSense LetsEncrypt process.
Unifi Video SSL LetsEncrypt Setup
If you’ll recall my prior post, I already have a set of scripts that transfer a p12 certificate to my Ubuntu server that this is all hosted on. I just needed to add it to the video controller.
It turns out that Unifi Video uses a different system for managing certs than the unifi controller, so I had to perform the following steps that I found here and here (the latter was very helpful, much of this is directly from there).
1. Generate a DER-encoded certificate and key from the p12 certificate. Each command pipes the decoded PEM output of one openssl call into a second openssl call that re-encodes it as DER.
    sudo openssl pkcs12 -in unifi.p12 -nokeys -clcerts -passin pass:test1234 | openssl x509 -outform der -out unifi.crt.der
    sudo openssl pkcs12 -in unifi.p12 -nocerts -passin pass:test1234 -passout pass:123456 | openssl pkcs8 -topk8 -inform PEM -passin pass:123456 -outform DER -nocrypt -out unifi_key.der
2. Remove the installed certs
    sudo rm /usr/lib/unifi-video/data/{keystore,ufv-truststore}
    sudo rm /usr/lib/unifi-video/conf/evostream/server.*
3. Copy yours to the appropriate place, creating a folder if appropriate
    sudo mkdir -p /usr/lib/unifi-video/data/certificates
    sudo mv unifi.crt.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
    sudo mv unifi_key.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der
4. Grant ownership to the unifi-video user.
    sudo chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
5. You also need to edit the system.properties to use your new cert:
    vi /usr/lib/unifi-video/data/system.properties
so that it looks like:
    # unifi-video v3.9.12
    #Wed Nov 21 03:32:26 UTC 2018
    is_default=false
    uuid=b3deea25-8740-4085-905f-4676fcf219f6
    # app.http.port = 7080
    # app.https.port = 7443
    # ems.liveflv.port = 6666
    # ems.livews.port = 7445
    # ems.livewss.port = 7446
    ufv.custom.certs.enable=true
The last line is the one that matters.
6. Then restart the server. Do this once by hand, since we don’t need to delete the old files each time. Once you have it set up, update your certificate copier script.
7. Update the certificate installation script on your unifi server (that is called by your pfSense box)
Your new Certificate installation script will look like:
    #!/bin/bash
    # Unifi Controller stuff
    sudo keytool -delete -alias unifi -keystore /var/lib/unifi/keystore -storepass aircontrolenterprise > /dev/null 2>&1
    sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore ~/unifi.p12 -srcstoretype PKCS12 -alias unifi -srcstorepass test1234 > /dev/null 2>&1
    # end unifi controller

    # Video stuff
    sudo openssl pkcs12 -in unifi.p12 -nokeys -clcerts -passin pass:test1234 | openssl x509 -outform der -out unifi.crt.der
    sudo openssl pkcs12 -in unifi.p12 -nocerts -passin pass:test1234 -passout pass:123456 | openssl pkcs8 -topk8 -inform PEM -passin pass:123456 -outform DER -nocrypt -out unifi_key.der
    sudo mv unifi.crt.der /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
    sudo mv unifi_key.der /usr/lib/unifi-video/data/certificates/ufv-server.key.der
    sudo chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
    # end video stuff

    sudo service unifi-video restart > /dev/null 2>&1
    sudo service unifi restart > /dev/null 2>&1
    echo 'Success'
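You also need to amend your sudoers file with:
    pfSenseCertCopier ALL=(root) NOPASSWD:/usr/bin/keytool, /usr/sbin/service, /usr/bin/openssl, /bin/mv, /bin/chown
This allows the pfSenseCertCopier user to move files, change ownership, and so on as root without a password. Keep in mind that passwordless root access to mv, chown and openssl lets that account overwrite or take ownership of any file on the system, so it is effectively a root account and should be protected like one.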
Once called by the pfSense server, this will set up your unifi video cert, and the controller will work. You can then set up cameras, etc.
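Added example, not part of the original post: the installation script in step 7 discards all output and always prints 'Success', so a damaged or mismatched p12 only shows up when the service fails to start. The sketch below runs the same extraction as step 1 on a constructed throwaway p12 and checks that the DER key belongs to the DER certificate and that the certificate is not about to expire; the function names, the sample CN and the passphrases are assumptions made for the example.

```bash
#!/bin/bash
# Added example: verify a DER cert/key pair before it is moved into
# /usr/lib/unifi-video/data/certificates. All function names are hypothetical.

pubkey_of_cert() { openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -inform der -in "$1" -pubout 2>/dev/null; }

# verify_pair CERT KEY [MIN_SECONDS]
# 0 = ok, 1 = unreadable file, 2 = key does not match cert, 3 = cert expires too soon
verify_pair() {
    local c k
    c=$(pubkey_of_cert "$1") || return 1
    k=$(pubkey_of_key "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ] || return 2
    openssl x509 -inform der -in "$1" -noout -checkend "${3:-86400}" >/dev/null || return 3
}

# Same two pipelines as step 1; "tmp-pass" is a throwaway intermediate passphrase.
extract_der() {  # extract_der P12 PASSWORD CERT_OUT KEY_OUT
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -outform der -out "$3" &&
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout pass:tmp-pass 2>/dev/null |
        openssl pkcs8 -topk8 -inform PEM -passin pass:tmp-pass -outform DER -nocrypt -out "$4"
}

# Constructed sample input: a throwaway self-signed cert packed into a p12.
make_sample() {  # make_sample DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=nvr.example.test" \
        -keyout "$1/$2.key.pem" -out "$1/$2.crt.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/$2.crt.pem" -inkey "$1/$2.key.pem" \
        -passout pass:constructed -out "$1/$2.p12"
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
for name in good other; do
    make_sample "$work" "$name" &&
    extract_der "$work/$name.p12" constructed "$work/$name.crt.der" "$work/$name.key.der"
done

verify_pair "$work/good.crt.der" "$work/good.key.der" && echo "matching pair: ok to install"
verify_pair "$work/good.crt.der" "$work/other.key.der" || echo "mismatched pair rejected (rc=$?)"
```

In the installation script, calling verify_pair on the two .der files before the mv lines and exiting on a non-zero result keeps a broken pair from replacing the working one.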
ZFS Setup
I assume you have installed some hard drives, and want to set up a zfs pool to hold all your videos. That’s easy:
    apt install zfsutils-linux
    zpool create primary-pool mirror /dev/sda /dev/sdb
    zpool status
The awesome thing here is that you will immediately have a folder named ‘primary-pool’ mounted under your root directory and ready to use, in one command. That’s it!
Now you can set up your cameras to record and have ample space to do so.
Summary and Next Steps
Next I’ll set up ZFS snapshots and maybe tell a funny story about surveillance cameras. But actually we’ll talk about cybersecurity…
What I’m listening to as I do this: Judas Priest’s Painkiller. This was among the CDs that got me into metal, and it’s my favorite Priest album. They have a huge range, from brooding (Sad Wings of Destiny) to rocking (Breaking the Law) to almost parody (Loch Ness), and Painkiller showcases their best. Great drumming, a killer intro, and awesome solos from KK Downing and Glenn Tipton. Plus Halford’s range is at peak operatic.