[EVA-2020-02.git] / doc / setup / README.org

#+TITLE:Ninfacyzga-01 Setup
#+AUTHOR:Steven Baltakatei Sandoval
#+EMAIL:baltakatei@gmail.com
* Main Setup
** About
This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
~2020-10-07T23:11Z~.

This document contains information regarding setup of the
ninfacyzga-01 hardware common to all operation modes. This includes:

- Raspberry OS installation
- WiFi configuration
- Remote SSH login configuration

** Scope
This document describes hardware and software installation steps
common to the various environmental sensing functions of
ninfacyzga-01.

** Narrative
The Raspberry Pi Zero W is the platform in which environment data is
gathered, packaged, and stored for further forwarding to a remote
repository. The Raspberry OS 10 operating system is used. The device
may be equipped with a UPS module in order to allow it to function as
a mobile device for short periods of time. The system may use
executables such as ~bklog~ to append segments of observed compressed
(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
document describes hardware and software configuration procedures
generally required by all environment sensing operations.

** Description
*** Hardware
**** Raspberry Pi Zero W
See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
**** PiZ UpTime 2.0
See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.

*** Software
~bklog~ : A bash script that saves its stdin stream to a tar file. The
file may be compressed by ~gzip~ and encrypted by ~age~. It is an
executable file contained within this repository at ~exec/bklog~. It
should be copied to ~$HOME/.local/bin~.

~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
scope in that it only records output from ~gpspipe~.

~gzip~ : A simple command line app that compresses stdin into a
smaller stdout stream.

~age~ : A simple command line app that encrypts stdin against public
keys specified in its options. Produces encrypted stdout. Is an
executable file contained within this repository at ~exec/age~. It
should be copied to ~$HOME/.local/bin~.

*** Output
**** Encryption Method
Files produced by the bklog script are encrypted against a set of
public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
selected over ~gpg~ because of ~age~'s deliberate lack of
configurability.

The public keys are bech32 strings supplied as options to bkgpslog
when called. The secret key should *NOT* be stored in Ninfacyzga-01.

If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].

An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
the bech32 public key string produced by ~age-keygen~ for convenience.

Help information for ~age~ is available by running ~$ age --help~.
***** Encryption Commands
****** Encryption through ~age~
In order to illustrate how ~bklog~ encrypts files, below is an example
command illustrating how ~age~ may be used to encrypt a file.

#+BEGIN_EXAMPLE
$ echo "asdf" | age -r \
age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
> "$HOME/secret_file"
#+END_EXAMPLE

The resulting ~secret-file~ is a binary blob with a plaintext header
indicating how the blob was encrypted (which version of age was used,
which public key was used).

****** Encryption through ~bklog~
~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
string]~ options. An example is shown below:

#+BEGIN_EXAMPLE
$ gpspipe -r | bklog -e \
-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
-o "$HOME/Location"
#+END_EXAMPLE

~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
directory in order to locate public key strings in its files. ~bklog~
reads the first line of each file and interprets it as a public key
string.

In this example, the strings beginning with ~age1...~ are
bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
section for an explanation.

Since ~age~ also accepts ~ssh~ public key strings, these may also be
used if they are of the following form (no comment).

: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd

***** Decryption Commands
Files may be decrypted using a command similar to:

#+BEGIN_EXAMPLE
cat location.gpx.age | age -d -i key.txt > location.gpx
#+END_EXAMPLE

The version of ~age~ used to perform the encryption 


** Operating Procedures
*** Initial Startup
**** Physical Setup
**** Software Setup
***** Install Operating System
Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].

Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
Foundation to refer to their operating system images to be installed
on Raspberry Pi hardware. The change was made in order to facilitate
education of beginners not familiar with the wordplay between
"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
plugwash.

***** Configure Wireless
Configure WiFi in order to permit file transfer and remote
administration. For a Raspberry Pi W, the WiFi settings may be
programmed via a specific text file in the `boot` partition of a
freshly installed image of Raspberry OS. Raspberry Pi Foundation
instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].

In summary, create a ~wpa_supplicant.conf~ file containing the
following text:
#+BEGIN_EXAMPLE
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
 ssid="<Name of your wireless LAN>"
 psk="<Password for your wireless LAN>"
}
#+END_EXAMPLE

Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.

Replace ~<Password for your wireless LAN>~ with your WiFi network's
passphrase.
***** Configure Remote SSH Login
Configure SSH to permit remote administration via the command line
interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].

In summary, remote SSH access may be enabled upon initial startup of a
freshly installed image of Raspberry Pi OS by making sure an empty
file named ~ssh~ is present on the ~boot~ partition.

***** Change default passphrase
The default username is ~pi~ and the default passphrase is
~raspberry~. Change them to something unique.

: $ passwd

***** Update software
Update software with distribution repository.

: $ sudo apt update
: $ sudo apt upgrade -y
: $ sudo apt dist-upgrade -y

***** Install software
****** ~unattended-upgrades~
Make sure to install the ~unattended-upgrades~ package to make sure
the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
for a description of how ~unattended-upgrades~ works.

The configuration file is located at:
~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
following lines are present and not commented out.

#+BEGIN_EXAMPLE
Unattended-Upgrade::Automatic-Reboot "true";
#+END_EXAMPLE

****** ~syncthing~
Install ~syncthing~ for log file transfer capability.

: $ sudo apt install syncthing

****** ~git~
Install ~git~ for downloading this repository to the device.

: $ sudo apt install git

****** ninfacyzga-01 git repository
Create the directory ~/git-OC/~ . Within this directory, run the
following commands to clone the ~ninfacyzga-01~ git repository:
: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
: $ cd ninfacyzga-01

Check out the ~develop~ branch (if the latest changes are desired over
those of the ~master~ branch).
: $ git checkout --track origin/develop

****** ~age~
Place ~age~ binary (the one compiled for ARM CPU architecture for
Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
~exec~ directory.

***** Disable Swap File
Since standard Raspbian 10 (Buster) install involves copying
unencrypted file system image to SD card which is mounted by the
Raspberry Pi, system memory may be written to disk in the form of a
Swap file as described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that
location log data is ever written to disk, swap file functionality
must be disabled[fn:ideaheap_20130731_disableswap].

Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
disabled persistently[fn:rpf_20190702_disableswappersist] by running
the following command:

: sudo systemctl disable dphys-swapfile.service

To view the status of the swap file in Raspbian 10, run ~free -m~:

#+BEGIN_EXAMPLE
pi@ninfacyzga-01:~$ free -m
          total    used    free  shared  buff/cache   available
Mem:        432      86      36      21         309         268
Swap:        99       0      99
#+END_EXAMPLE

After disabling the swap file and rebooting:

#+BEGIN_EXAMPLE
pi@ninfacyzga-01:~$ free -m
          total    used    free  shared  buff/cache   available
Mem:        432      89     214       3         128         289
Swap:         0       0       0
#+END_EXAMPLE

[fn:ideaheap_20130731_disableswap] Explanation:
https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/

[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
Raspbian 10 Buster:
https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692

***** Log Transfer Configuration
Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
manual for how to set up a shared folder and add Ninfacyzga-01 as a
device. Syncthing's directory synchronization capability allows a
remote machine to delete files from Ninfacyzga-01 by deleting from the
shared folder that they both share.

When log files are removed from Ninfacyzga-01 is not within the scope
of this document.
***** Key Generation
An ~age~ encryption key may be generated like so:
#+BEGIN_EXAMPLE
$ umask          # Gets current umask
0022             # Note: This is the default umask for Raspbian 10
$ umask 066      # So key.txt will have no perms except for owner (you)
$ umask          # Confirm umask set to 066
0066
$ age-keygen > key.txt
Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
$ ls -al key.txt
-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
$ umask 0022     # Return umask to default value
$ umask          
0022
#+END_EXAMPLE

The resulting public/private keypair data looks like:
#+BEGIN_EXAMPLE
$ cat key.txt
# created: 2020-06-29T18:01:56Z
# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
#+END_EXAMPLE

The file ~key.txt~ is not password-protected by default and should be
secured like an SSH public key should. The ~$ umask 066~ command run
before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
be readable, writeable, or executable to anyone except the owner
(you).

*** Normal Startup
*** Normal Operation
*** Normal Shutdown
*** Unscheduled Shutdown
*** End of Life Disposal
See [[file:../setup/README.org][Main Setup]] procedures.

LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
properly with their potential ignitability in mind, especially if they
are not fully discharged.

Consult your local municipality for its "E-Waste Disposal" (or
equivalent) policy. Metals used in the Raspberry Pi and related
components may be recycled.

Take extra precuation if lead solder was used in assembling the
electronics. Consumer electronics in early 21st century should use
lead-free solder.
Commit	Line	Data
7b09912b SBS	1	#+TITLE:Ninfacyzga-01 Setup
	2	#+AUTHOR:Steven Baltakatei Sandoval
	3	#+EMAIL:baltakatei@gmail.com
	4	* Main Setup
	5	** About
	6	This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
	7	~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
19f49278	8	~2020-10-07T23:11Z~.
7b09912b SBS	9
	10	This document contains information regarding setup of the
	11	ninfacyzga-01 hardware common to all operation modes. This includes:
	12
	13	- Raspberry OS installation
	14	- WiFi configuration
	15	- Remote SSH login configuration
	16
	17	** Scope
	18	This document describes hardware and software installation steps
	19	common to the various environmental sensing functions of
	20	ninfacyzga-01.
	21
	22	** Narrative
	23	The Raspberry Pi Zero W is the platform in which environment data is
	24	gathered, packaged, and stored for further forwarding to a remote
	25	repository. The Raspberry OS 10 operating system is used. The device
	26	may be equipped with a UPS module in order to allow it to function as
	27	a mobile device for short periods of time. The system may use
	28	executables such as ~bklog~ to append segments of observed compressed
	29	(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
	30	document describes hardware and software configuration procedures
	31	generally required by all environment sensing operations.
	32
	33	** Description
	34	*** Hardware
	35	**** Raspberry Pi Zero W
	36	See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
	37	**** PiZ UpTime 2.0
	38	See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.
	39
	40	*** Software
	41	~bklog~ : A bash script that saves its stdin stream to a tar file. The
	42	file may be compressed by ~gzip~ and encrypted by ~age~. It is an
	43	executable file contained within this repository at ~exec/bklog~. It
	44	should be copied to ~$HOME/.local/bin~.
	45
	46	~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
	47	scope in that it only records output from ~gpspipe~.
	48
	49	~gzip~ : A simple command line app that compresses stdin into a
	50	smaller stdout stream.
	51
	52	~age~ : A simple command line app that encrypts stdin against public
	53	keys specified in its options. Produces encrypted stdout. Is an
	54	executable file contained within this repository at ~exec/age~. It
	55	should be copied to ~$HOME/.local/bin~.
	56
	57	*** Output
	58	**** Encryption Method
	59	Files produced by the bklog script are encrypted against a set of
	60	public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
	61	selected over ~gpg~ because of ~age~'s deliberate lack of
	62	configurability.
	63
	64	The public keys are bech32 strings supplied as options to bkgpslog
	65	when called. The secret key should NOT be stored in Ninfacyzga-01.
	66
	67	If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
	68	key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].
	69
	70	An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
	71	the bech32 public key string produced by ~age-keygen~ for convenience.
	72
73	Help information for ~age~ is available by running ~$ age --help~.
74	***** Encryption Commands
75	****** Encryption through ~age~
76	In order to illustrate how ~bklog~ encrypts files, below is an example
77	command illustrating how ~age~ may be used to encrypt a file.
78
79	#+BEGIN_EXAMPLE
80	$ echo "asdf" \| age -r \
81	age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
82	> "$HOME/secret_file"
83	#+END_EXAMPLE
84
85	The resulting ~secret-file~ is a binary blob with a plaintext header
86	indicating how the blob was encrypted (which version of age was used,
87	which public key was used).
88
89	****** Encryption through ~bklog~
90	~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
91	string]~ options. An example is shown below:
92
93	#+BEGIN_EXAMPLE
94	$ gpspipe -r \| bklog -e \
95	-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
96	-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
97	-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
98	-o "$HOME/Location"
99	#+END_EXAMPLE
100
101	~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
102	directory in order to locate public key strings in its files. ~bklog~
103	reads the first line of each file and interprets it as a public key
104	string.
105
106	In this example, the strings beginning with ~age1...~ are
107	bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
108	section for an explanation.
109
110	Since ~age~ also accepts ~ssh~ public key strings, these may also be
111	used if they are of the following form (no comment).
112
113	: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd
114
115	***** Decryption Commands
116	Files may be decrypted using a command similar to:
117
118	#+BEGIN_EXAMPLE
119	cat location.gpx.age \| age -d -i key.txt > location.gpx
120	#+END_EXAMPLE
121
122	The version of ~age~ used to perform the encryption
123
124
125	** Operating Procedures
126	*** Initial Startup
127	**** Physical Setup
128	**** Software Setup
129	***** Install Operating System
130	Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
131	Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].
132
133	Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
134	Foundation to refer to their operating system images to be installed
135	on Raspberry Pi hardware. The change was made in order to facilitate
136	education of beginners not familiar with the wordplay between
137	"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
138	plugwash.
139
140	***** Configure Wireless
141	Configure WiFi in order to permit file transfer and remote
142	administration. For a Raspberry Pi W, the WiFi settings may be
143	programmed via a specific text file in the `boot` partition of a
144	freshly installed image of Raspberry OS. Raspberry Pi Foundation
145	instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].
146
147	In summary, create a ~wpa_supplicant.conf~ file containing the
148	following text:
149	#+BEGIN_EXAMPLE
150	ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
151	update_config=1
152	country=US
153
154	network={
155	ssid="<Name of your wireless LAN>"
156	psk="<Password for your wireless LAN>"
157	}
158	#+END_EXAMPLE
159
160	Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.
161
162	Replace ~<Password for your wireless LAN>~ with your WiFi network's
163	passphrase.
164	***** Configure Remote SSH Login
165	Configure SSH to permit remote administration via the command line
166	interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
167
168	In summary, remote SSH access may be enabled upon initial startup of a
169	freshly installed image of Raspberry Pi OS by making sure an empty
170	file named ~ssh~ is present on the ~boot~ partition.
171
172	***** Change default passphrase
173	The default username is ~pi~ and the default passphrase is
174	~raspberry~. Change them to something unique.
175
176	: $ passwd
177
178	***** Update software
179	Update software with distribution repository.
180
181	: $ sudo apt update
182	: $ sudo apt upgrade -y
183	: $ sudo apt dist-upgrade -y
184
185	***** Install software
186	****** ~unattended-upgrades~
187	Make sure to install the ~unattended-upgrades~ package to make sure
188	the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
189	for a description of how ~unattended-upgrades~ works.
190
191	The configuration file is located at:
192	~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
193	following lines are present and not commented out.
194
195	#+BEGIN_EXAMPLE
196	Unattended-Upgrade::Automatic-Reboot "true";
197	#+END_EXAMPLE
198
199	****** ~syncthing~
200	Install ~syncthing~ for log file transfer capability.
201
202	: $ sudo apt install syncthing
203
204	****** ~git~
205	Install ~git~ for downloading this repository to the device.
206
207	: $ sudo apt install git
208
209	****** ninfacyzga-01 git repository
210	Create the directory ~/git-OC/~ . Within this directory, run the
211	following commands to clone the ~ninfacyzga-01~ git repository:
19f49278	212	: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
7b09912b SBS	213	: $ cd ninfacyzga-01
	214
	215	Check out the ~develop~ branch (if the latest changes are desired over
	216	those of the ~master~ branch).
	217	: $ git checkout --track origin/develop
	218
	219	****** ~age~
	220	Place ~age~ binary (the one compiled for ARM CPU architecture for
	221	Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
	222	~exec~ directory.
	223
	224	***** Disable Swap File
	225	Since standard Raspbian 10 (Buster) install involves copying
	226	unencrypted file system image to SD card which is mounted by the
	227	Raspberry Pi, system memory may be written to disk in the form of a
	228	Swap file as described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that
	229	location log data is ever written to disk, swap file functionality
	230	must be disabled[fn:ideaheap_20130731_disableswap].
	231
	232	Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
	233	disabled persistently[fn:rpf_20190702_disableswappersist] by running
	234	the following command:
	235
	236	: sudo systemctl disable dphys-swapfile.service
	237
	238	To view the status of the swap file in Raspbian 10, run ~free -m~:
	239
	240	#+BEGIN_EXAMPLE
	241	pi@ninfacyzga-01:~$ free -m
	242	total used free shared buff/cache available
	243	Mem: 432 86 36 21 309 268
	244	Swap: 99 0 99
	245	#+END_EXAMPLE
	246
	247	After disabling the swap file and rebooting:
	248
	249	#+BEGIN_EXAMPLE
	250	pi@ninfacyzga-01:~$ free -m
	251	total used free shared buff/cache available
	252	Mem: 432 89 214 3 128 289
	253	Swap: 0 0 0
	254	#+END_EXAMPLE
	255
	256	[fn:ideaheap_20130731_disableswap] Explanation:
	257	https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/
	258
	259	[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
	260	Raspbian 10 Buster:
	261	https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
	262
	263	***** Log Transfer Configuration
	264	Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
	265	manual for how to set up a shared folder and add Ninfacyzga-01 as a
	266	device. Syncthing's directory synchronization capability allows a
	267	remote machine to delete files from Ninfacyzga-01 by deleting from the
	268	shared folder that they both share.
	269
	270	When log files are removed from Ninfacyzga-01 is not within the scope
	271	of this document.
	272	***** Key Generation
	273	An ~age~ encryption key may be generated like so:
	274	#+BEGIN_EXAMPLE
	275	$ umask # Gets current umask
	276	0022 # Note: This is the default umask for Raspbian 10
277	$ umask 066 # So key.txt will have no perms except for owner (you)
278	$ umask # Confirm umask set to 066
279	0066
280	$ age-keygen > key.txt
281	Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
282	$ ls -al key.txt
283	-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
284	$ umask 0022 # Return umask to default value
285	$ umask
286	0022
287	#+END_EXAMPLE
288
289	The resulting public/private keypair data looks like:
290	#+BEGIN_EXAMPLE
291	$ cat key.txt
292	# created: 2020-06-29T18:01:56Z
293	# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
294	AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
295	#+END_EXAMPLE
296
297	The file ~key.txt~ is not password-protected by default and should be
298	secured like an SSH public key should. The ~$ umask 066~ command run
299	before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
300	be readable, writeable, or executable to anyone except the owner
301	(you).
302
303	*** Normal Startup
304	*** Normal Operation
305	*** Normal Shutdown
306	*** Unscheduled Shutdown
307	*** End of Life Disposal
308	See [[file:../setup/README.org][Main Setup]] procedures.
309
310	LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
311	properly with their potential ignitability in mind, especially if they
312	are not fully discharged.
313
314	Consult your local municipality for its "E-Waste Disposal" (or
315	equivalent) policy. Metals used in the Raspberry Pi and related
316	components may be recycled.
317
318	Take extra precuation if lead solder was used in assembling the
319	electronics. Consumer electronics in early 21st century should use
320	lead-free solder.
321
322
323