forked from finn/tinyboard

TinyBoard

A hub-spoke architecture for secure file sharing over SSH tunnels using autossh and rclone.

Spokes are ARM devices (e.g. OrangePi, Raspberry Pi) running Armbian that establish reverse SSH tunnels to a central hub server. The hub mounts spoke filesystems via SFTP using rclone, making files accessible across all devices without exposing them to the internet.


Quickstart

Setting up a new Hub

On a fresh Debian/Ubuntu VPS or server:

apt install git
git clone https://gut.oily.dad/oily.mom/tinyboard
cd tinyboard
./setup.sh   # choose option 4

Setting up a new Spoke

On a fresh Armbian device:

  1. Edit spoke/armb-not_logged_in_yet (WiFi credentials), then copy it onto the SD card as /root/.not_logged_in_yet before first boot
  2. Boot, SSH in as root
  3. Run:
apt install git
git clone https://gut.oily.dad/oily.mom/tinyboard
cd tinyboard
./setup-network.sh   # configure static IP — SSH session will drop, reconnect
./setup.sh           # choose option 1

Onboarding a Spoke from the Hub

Once the spoke tunnel is up, run on the hub:

cd tinyboard
./setup.sh   # choose option 2

Offboarding a Spoke from the Hub

cd tinyboard
./setup.sh   # choose option 3

Architecture

  [ Spoke ]                        [ Hub ]
  OrangePi / RPi                   VPS / Server
  Armbian                          Any Linux

  autossh container  ──────────►  sshd (GatewayPorts)
  reverse tunnel                   port 111xx

                                   rclone SFTP mount
                                   ~/mnt/<spoke-name>/

Spokes initiate outbound SSH connections to the hub, creating reverse tunnels. The hub then uses rclone to mount each spoke's filesystem over SFTP through the tunnel. No inbound ports need to be open on the spoke.


Directory Structure

tinyboard/
├── setup.sh                  ← entry point
├── setup-network.sh          ← configure static IP on spoke before setup
├── spoke/
│   ├── setup-spoke.sh        ← automated spoke setup
│   ├── compose.yaml          ← Docker Compose for autossh + syncthing
│   ├── Dockerfile            ← autossh container
│   └── armb-not_logged_in_yet ← Armbian first-boot WiFi config template
└── hub/
    ├── setup-hub.sh          ← automated hub setup
    ├── onboard-spoke.sh      ← add a new spoke to the hub
    └── offboard-spoke.sh     ← remove a spoke from the hub

Setup Scripts

setup.sh

Entry point. Presents a menu:

  1. Set up this device as a new spoke
  2. Onboard a new spoke from the hub
  3. Offboard a spoke from the hub
  4. Set up this device as a new hub

setup-network.sh

Run as root on a new spoke before setup.sh. Configures a static IP via netplan. Supports both WiFi and wired interfaces. Automatically reverts if network connectivity is lost after applying the new config.

spoke/setup-spoke.sh

Run as root on a new spoke. Handles:

  • Package installation (apt/dnf/yum/pacman)
  • Docker installation
  • SSH server setup
  • Hostname configuration
  • SSH key generation and hub authorization
  • Tunnel port auto-detection on the hub
  • Docker image build and container start
  • Optional password auth disable

hub/setup-hub.sh

Run as root on a new hub server. Handles:

  • Package installation (apt/dnf/yum/pacman)
  • rclone installation
  • Hub user creation
  • SSH server configuration (GatewayPorts, AllowTcpForwarding)
  • FUSE configuration
  • rclone config directory setup
  • Optional password auth disable

hub/onboard-spoke.sh

Run as the hub user after a spoke connects. Handles:

  • SSH key generation and deployment to spoke
  • rclone remote configuration
  • Spoke registration in ~/.config/tinyboard/spokes
  • Per-spoke crontab entry for auto-mount on reboot

hub/offboard-spoke.sh

Run as the hub user to remove a spoke. Handles:

  • Unmounting the spoke filesystem
  • Removing the crontab entry
  • Removing the rclone remote
  • Optionally removing the hub SSH key
  • Removing from the spoke registry

Spoke Registry

The hub maintains a registry of connected spokes at ~/.config/tinyboard/spokes:

rocky  11113  /home/armbian/.ssh/armbian-rocky-202504  /home/armbian/mnt/rocky
gouda  11114  /home/armbian/.ssh/armbian-gouda-202504  /home/armbian/mnt/gouda

Each spoke gets its own mount point at ~/mnt/<spoke-name>/ and a dedicated rclone crontab entry.
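
A registry audit as an added example (not one of the project's scripts): it flags rows whose port is outside the 111xx range, duplicate names or ports, and key files that are missing or not mode 600/400. The column order (name, tunnel port, hub-side key path, mount point) is inferred from the two sample rows, and audit_registry, bad and make_sample are hypothetical names.

```shell
#!/bin/sh
# Added example: audit a TinyBoard-style spoke registry file.
# Assumed columns (inferred from the sample rows, not documented):
#   name  tunnel-port  hub-side-key-path  mount-point
bad() { echo "$1"; findings=$((findings + 1)); }

# Prints one finding per line; returns 0 only when the registry is clean.
audit_registry() {
    findings=0 names=" " ports=" "
    while read -r name port key mnt extra || [ -n "$name" ]; do
        [ -z "$name" ] && continue                 # blank line
        if [ -z "$mnt" ] || [ -n "$extra" ]; then
            bad "$name: expected 4 fields"; continue
        fi
        case $port in
            111[0-9][0-9]) ;;                      # the 111xx tunnel range
            *) bad "$name: port $port outside 111xx" ;;
        esac
        case $ports in *" $port "*) bad "$name: duplicate port $port" ;; esac
        case $names in *" $name "*) bad "$name: duplicate name" ;; esac
        ports="$ports$port " names="$names$name "
        if [ ! -f "$key" ]; then
            bad "$name: key $key missing"; continue
        fi
        mode=$(ls -ld "$key" | cut -c1-10)         # e.g. -rw-------
        case $mode in
            -rw-------|-r--------) ;;              # 600 or 400
            *) bad "$name: key $key is $mode, want 600/400" ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the README's rows pointed at temp keys, with a port clash.
make_sample() {
    : > "$1/k1"; chmod 600 "$1/k1"
    : > "$1/k2"; chmod 644 "$1/k2"
    printf '%s\n' "rocky 11113 $1/k1 $1/mnt/rocky" \
                  "gouda 11113 $1/k2 $1/mnt/gouda" > "$1/spokes"
}
tmp=$(mktemp -d); make_sample "$tmp"
audit_registry "$tmp/spokes" || echo "registry needs attention"
rm -rf "$tmp"
```

A duplicate port matters here because two spokes cannot both bind the same reverse-tunnel port on the hub, so the second row would point the mount at the wrong device or at nothing.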


Security

  • All communication is over SSH tunnels — no spoke ports exposed to the internet
  • SSH keys are used for all authentication
  • Scripts check and auto-fix unsafe file permissions (600/400)
  • Password authentication can be disabled during setup
  • Scripts refuse to disable password auth if no authorized keys are present (lockout prevention)
  • Netplan changes are verified with a 30-second connectivity check before being made permanent
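
The lockout-prevention rule above, as an added example rather than the project's own code: count usable entries in an authorized_keys file and emit the sshd directive only when at least one exists. count_keys and disable_password_auth_conf are hypothetical names, and the key blob in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example: lockout guard before turning off SSH password logins.

# count_keys FILE -> number of lines that look like public-key entries,
# skipping comments, blank lines and any leading options (restrict,...).
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }           # missing file = no keys
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ "^(sk-)?(ssh|ecdsa)-[a-z0-9@.-]+$" &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") { n++; break }
        }
        END { print n + 0 }' "$1"
}

# Prints the sshd_config line only if FILE holds at least one key;
# otherwise explains the refusal on stderr and returns 1.
disable_password_auth_conf() {
    n=$(count_keys "$1")
    if [ "$n" -eq 0 ]; then
        echo "refusing: no usable key in $1, password auth stays on" >&2
        return 1
    fi
    echo "PasswordAuthentication no"
}

# Constructed sample (the key blob is a placeholder, not a real key).
demo=$(mktemp -d)
printf '%s\n' '# hub key pending' '' > "$demo/empty_keys"
printf '%s\n' \
  'restrict,port-forwarding ssh-ed25519 AAAAC3NzaPLACEHOLDERKEY hub@example' \
  > "$demo/one_key"
disable_password_auth_conf "$demo/empty_keys" || true   # refuses
disable_password_auth_conf "$demo/one_key"              # prints the directive
rm -rf "$demo"
```

A file that exists but holds only comments counts as zero keys, which is the case a plain "does authorized_keys exist" test would miss.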

Sensitive Files

Before committing, ensure the following do not contain real credentials:

  • spoke/armb-not_logged_in_yet — contains WiFi SSID, password, and user passwords

Requirements

Spoke: Armbian (Debian-based), ARM device, Docker, autossh, git

Hub: Any Linux server (Debian/Ubuntu/RHEL/Arch), rclone, fuse, openssh-server
