Calibre

Calibre is a popular e-book cataloguing, reading, and sharing toolkit. It has an extensive collection of plugins that range from search to DRM removal tools. Using Python, you can write your own Calibre plugins.

Calibre is useful as both a stand-alone application run on a workstation (“run by an end user”) as well as a server offering remote clients access to the collection of books that are catalogued. This collection is called a “Calibre Library” and is essentially a directory whose files are solely managed by Calibre itself. (I.e., treat the Calibre Library folder as though it were a single file, not a folder. You should never have to cd into the folder or mv, cp, or chmod files in it.)

Installing

On Debian-derived GNU/Linux systems, Calibre can be easily installed from the distribution’s package repositories:

sudo apt install calibre

In many cases, package repositories can be badly outdated. If you want a newer version of Calibre than is available in your Operating System distribution’s package archives, follow the Calibre developer’s instructions to download and install the software.

Configuring

There are numerous different configurations in which Calibre can be used. This page describes the configurations useful for and familiar to the Tech Autonomy Infrastructure committee needs. Most of this information can also be found in various sections of Calibre’s own user manual.

Long-running single Calibre server process

This section describes configuring the calibre-server binary with systemd to invoke a long-running single Calibre server process using the built-in Web server features of the Calibre software suite after Tor is available:

  1. Set up the Calibre user if installing Calibre did not already add such a user (use getent passwd calibre to see if such a user has already been created):
    sudo adduser --system --home /YOUR/CHOSEN/CALIBRE/HOME/FOLDER calibre
  2. Set up the systemd service: sudo vim /etc/systemd/system/calibre.service
    # FILE: /etc/systemd/system/calibre.service
#
# Calibre "Digital Library" boot-time startup script.
#
# This script is a systemd service unit that ensures
# the calibre Web server is operational after Tor starts.
# Without this process running, the digital library is
# not available over a Web connection. Tor handles all
# other parts of the network connection and connectivity.
#
[Unit]
Description=Calibre eBook Management suite Web server
After=tor.service

[Service]
User=calibre
Group=nogroup
UMask=0077
# Place other configuration options, if desired, in the invocation. For example:
#     --url-prefix=library --listen-on=127.0.0.1 --port=8888
ExecStart=/usr/bin/calibre-server --with-library="/PATH/TO/YOUR/Calibre Library"
Restart=on-failure
# Extra security precautions
# Calibre is currently incompatible with `MemoryDenyWriteExecute=true`. :(
#MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
LockPersonality=true
RestrictAddressFamilies=AF_INET
RestrictRealtime=true

[Install]
WantedBy=multi-user.target
  3. Tell systemd to re-read its configuration files:
    sudo systemctl daemon-reload
  4. Enable the Calibre service so that it runs atomatically during startup after the next reboot:
    sudo systemctl enable calibre.service
  5. Manually start the Calibre service:
    sudo systemctl start calibre.service

To test that this is working, check to see if Calibre is now bound to a listening network socket and accepting incoming requests:

sudo ss --listening --tcp --numeric --processes | grep calibre
LISTEN     0      5                         *:8080                     *:*      users:(("calibre-server",pid=3925,fd=7))

The above sample output suggests Calibre is listening on its default Web port of 8080 for incoming connections from any remote computer, so you should be able to reach the Calibre server’s Web server at http://YOUR.SERVER.IP.ADDRESS:8080/. This will expose your Calibre Library’s files to any computer connected to your LAN. If you want to further restrict access to the service, consider adding --listen-on=127.0.0.1 to the calibre-server invocation and then configuring an authenticated Onion service to actually expose the Calibre service to clients across an internetwork.

Socket-activated on-demand Calibre server process

TK-TODO

Hardening

If you intend to run Calibre as a service for other users, and especially if you configured Calibre yourself (as opposed to implementing one of the configurations described above) you should strongly consider taking additional security precautions to help ensure that it is as difficult as possible for attackers to exploit. This section describes a non-exhaustive guide to securing your Calibre server instance.

Network security

Restrict LAN access

TK-TODO: The --listen-on and --port options.

Disable OPDS advertisements

TK-TODO: The --disable-use-bonjour option; this will prevent calibre-server from registering an (m)DNS-SD advertisement to the LAN. This is important if you want to hide the Calibre server itself from the LAN and make it available only over a Tor connection, for example. In this case, you should use this option in conjunction with the --listen-on option.

Provide a TLS certificate

TK-TODO: The --ssl-certfile and --ssl-keyfile options. Be certain you understand the implications of identity correlation and possible de-anonymization attack vectors if you use both a TLS certificate and an Onion service before you add a TLS certificate to your Calibre server instance.

Use application-level user access control

TK-TODO: The --enable-auth option and its friends. Older Calibre versions can do this more crudely with their --password and --username options.

Also the --ban-after and --ban-for options to frustrate password guessing (bruteforce) attack attempts.

Host-based security

Disable logging

Newer versions of Calibre’s calibre-server process do not perform access logging by default, but see the --access-log and --log options for more details. Older versions do perform access logging by default, and as they do not have the --access-log option available, this logging cannot be easily disabled. If you have one of these older versions of Calibre, you should mitigate the risk of this default data collection by adding the following to /etc/logrotate.d/calibre-server, which will ensure access logs are retained for no more than one day and are securely deleted (using shred(1)) on each daily log rotation interval:

# This ensures that logrotate eradicates calibre's logfiles.
# There is no need to be logging who is accessing our library.
/PATH/TO/YOUR/CHOSEN/CALIBRE_HOME/.config/calibre/server*log.txt {
        daily
        copytruncate
        rotate 0
        size 1
        shred
        missingok
        nomail
        postrotate
                shred --remove /PATH/TO/YOUR/CHOSEN/CALIBRE_HOME/.config/calibre/server*log.txt.1
        endscript
}

Provisioning

The Shift-CTRL Space group provides an Ansible role for provisioning a Calibre server that on a Raspberry Pi. It can be installed in your local $ANSIBLE_ROLES_PATH (see Ansible Configuration Settings) for use with an Ansible project with:

ansible-galaxy install https://github.com/shiftctrlspace/ansible-role-calibre/archive/master.tar.gz