[EVA-2020-02.git] / doc / setup / README.org

#+TITLE:Ninfacyzga-1 Main Setup
#+AUTHOR:Steven Baltakatei Sandoval
#+EMAIL:baltakatei@gmail.com
* Main Setup
** About
This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
~2020-10-17T21:22Z~.

This document contains information regarding setup of the
ninfacyzga-01 hardware common to all operation modes. This includes:

- Raspberry OS installation
- WiFi configuration
- Remote SSH login configuration

** Scope
This document describes hardware and software installation steps
common to the various environmental sensing functions of
ninfacyzga-01.

** Narrative
The Raspberry Pi Zero W is the platform in which environment data is
gathered, packaged, and stored for further forwarding to a remote
repository. The Raspberry OS 10 operating system is used. The device
may be equipped with a UPS module in order to allow it to function as
a mobile device for short periods of time. The system may use
executables such as ~bklog~ to append segments of observed compressed
(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
document describes hardware and software configuration procedures
generally required by all environment sensing operations.

** Description
*** Hardware
**** Raspberry Pi Zero W
See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
**** PiZ UpTime 2.0
See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.

*** Software
~bklog~ : A bash script that saves its stdin stream to a tar file. The
file may be compressed by ~gzip~ and encrypted by ~age~. It is an
executable file contained within this repository at ~exec/bklog~. It
should be copied to ~$HOME/.local/bin~.

~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
scope in that it only records output from ~gpspipe~.

~gzip~ : A simple command line app that compresses stdin into a
smaller stdout stream.

~age~ : A simple command line app that encrypts stdin against public
keys specified in its options. Produces encrypted stdout. Is an
executable file contained within this repository at ~exec/age~. It
should be copied to ~$HOME/.local/bin~.

*** Output
**** Encryption Method
Files produced by the bklog script are encrypted against a set of
public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
selected over ~gpg~ because of ~age~'s deliberate lack of
configurability.

The public keys are bech32 strings supplied as options to bkgpslog
when called. The secret key should *NOT* be stored in Ninfacyzga-01.

If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].

An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
the bech32 public key string produced by ~age-keygen~ for convenience.

Help information for ~age~ is available by running ~$ age --help~.
***** Encryption Commands
****** Encryption through ~age~
In order to illustrate how ~bklog~ encrypts files, below is an example
command illustrating how ~age~ may be used to encrypt a file.

#+BEGIN_EXAMPLE
$ echo "asdf" | age -r \
age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
> "$HOME/secret_file"
#+END_EXAMPLE

The resulting ~secret-file~ is a binary blob with a plaintext header
indicating how the blob was encrypted (which version of age was used,
which public key was used).

****** Encryption through ~bklog~
~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
string]~ options. An example is shown below:

#+BEGIN_EXAMPLE
$ gpspipe -r | bklog -e \
-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
-o "$HOME/Location"
#+END_EXAMPLE

~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
directory in order to locate public key strings in its files. ~bklog~
reads the first line of each file and interprets it as a public key
string.

In this example, the strings beginning with ~age1...~ are
bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
section for an explanation.

Since ~age~ also accepts ~ssh~ public key strings, these may also be
used if they are of the following form (no comment).

: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd

***** Decryption Commands
Files may be decrypted using a command similar to:

#+BEGIN_EXAMPLE
cat location.gpx.age | age -d -i key.txt > location.gpx
#+END_EXAMPLE

The version of ~age~ used to perform the encryption 

** Operating Procedures
*** Initial Startup
**** Physical Setup
The device should be supplied with 5V power and an SD card with the
latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
version 10 (e.g. Raspbian Buster 10).

No additional hardware (ex: GPS module, UPS module, thermocouples) is
required to perform actions described in this document

**** Software Setup
***** Install Operating System
Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].

Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
Foundation to refer to their operating system images to be installed
on Raspberry Pi hardware. The change was made in order to facilitate
education of beginners not familiar with the wordplay between
"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
plugwash.

***** Configure Wireless
Configure WiFi in order to permit file transfer and remote
administration. For a Raspberry Pi W, the WiFi settings may be
programmed via a specific text file in the `boot` partition of a
freshly installed image of Raspberry OS. Raspberry Pi Foundation
instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].

In summary, create a ~wpa_supplicant.conf~ file containing the
following text:
#+BEGIN_EXAMPLE
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US

network={
 ssid="<Name of your wireless LAN>"
 psk="<Password for your wireless LAN>"
}
#+END_EXAMPLE

Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.

Replace ~<Password for your wireless LAN>~ with your WiFi network's
passphrase.
***** Enable Remote SSH Login
Configure SSH to permit remote administration via the command line
interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].

In summary, remote SSH access may be enabled upon initial startup of a
freshly installed image of Raspberry Pi OS by making sure an empty
file named ~ssh~ is present on the ~boot~ partition.

***** Login via SSH
Assuming your router supports finding your Raspberry Pi via its
default hostname of `raspberypi`, log into the pi via Wi-Fi using the
following command:

: $ ssh pi@raspberrypi

Otherwise, you may have to identify the raspbery pi's IP address via
your network router's administration console and login via a command
resembling this:

: $ ssh pi@192.168.x.x

If you had previously set up a different raspberry pi that also used
the same hostname ~raspberrypi~ or the same IP address (ex:
~192.168.123.123~), you may have to inform your computer that this is a
different device. You may do so using these commands:

: $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi"
: $ ssh-keygen -R 192.168.123.123

***** Add SSH public key
If the use has an SSH public key, it may be added as a line in
~~/.ssh/authorized_keys~.

Add the ~~/.ssh~ directory if it doesn't already exist.

: $ mkdir ~/.ssh

Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.

: $ chmod 700 ~/.ssh
: $ chmod 644 ~/.ssh/authorized_keys

***** Change default passphrase
The default username is ~pi~ and the default passphrase is
~raspberry~. Change them to something unique.

: $ passwd

***** Update software
Update software with distribution repository.

: $ sudo apt update
: $ sudo apt upgrade -y
: $ sudo apt dist-upgrade -y

***** Change time zone
The time zone should be set to "UTC" for simplicity.

: $ sudo raspi-config

Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.

***** Update hostname
A unique hostname is required to uniquely identify the device on the
network.

Start up the Raspberry Pi Software Configuration Tool by running:
: $ sudo raspi-config

- Select `2 Network Options`
- Select `N1 Hostname`

This document recommends a hostname beginning with the prefix:
: ninfacyzga-1-

An example hostname would be ~ninfacyzga-1-2~.

***** Install software
****** ~unattended-upgrades~
Make sure to install the ~unattended-upgrades~ package to make sure
the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
for a description of how ~unattended-upgrades~ works.

: $ sudo apt install unattended-upgrades

The configuration file is located at:
~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
following lines are present and not commented out.

#+BEGIN_EXAMPLE
Unattended-Upgrade::Automatic-Reboot "true";
#+END_EXAMPLE

****** ~syncthing~
Install ~syncthing~ for log file transfer capability.

: $ sudo apt install syncthing

Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).

: $ sudo systemctl enable syncthing@pi.service
: $ sudo systemctl start syncthing@pi.service

The WebUI of the local instance of syncthing (port 8384) can be
accessed by running the following command from a separate machine:

: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x

Then, the separate machine should navigate to ~localhost:8390~ in a
web browser in order to change the ninfacyzga-1 device's
configuration. The separate machine's Syncthing configuration options
are accessible via its own web browser via ~localhost:8384~.

****** ~git~
~git~ facilitates downloading files from this repository to the
device. It may be installed via:

: $ sudo apt install git

****** ninfacyzga-01 git repository
Create the directory ~/git-OC/~ . Within this directory, run the
following commands to clone the ~ninfacyzga-01~ git repository:
: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
: $ cd ninfacyzga-01

Check out the ~develop~ branch (if the latest changes are desired over
those of the ~master~ branch).
: $ git checkout --track origin/develop

****** ~age~
~age~ is required for encrypting data at rest.

Place ~age~ binary (the one compiled for ARM CPU architecture for
Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
~exec~ directory.

: $ mkdir ~/.local/bin
: $ cp exec/age ~/.local/bin/

***** Disable Swap File
Since standard Raspberry OS 10 install involves copying unencrypted
file system image to SD card which is mounted by the Raspberry Pi,
system memory may be written to disk in the form of a Swap file as
described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
is ever written to disk, swap file functionality must be
disabled[fn:ideaheap_20130731_disableswap].

Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
disabled persistently[fn:rpf_20190702_disableswappersist] by running
the following command:

: sudo systemctl disable dphys-swapfile.service

To view the status of the swap file in Raspbian 10, run ~free -m~:

#+BEGIN_EXAMPLE
pi@ninfacyzga-01:~$ free -m
          total    used    free  shared  buff/cache   available
Mem:        432      86      36      21         309         268
Swap:        99       0      99
#+END_EXAMPLE

After disabling the swap file and rebooting:

#+BEGIN_EXAMPLE
pi@ninfacyzga-01:~$ free -m
          total    used    free  shared  buff/cache   available
Mem:        432      89     214       3         128         289
Swap:         0       0       0
#+END_EXAMPLE

[fn:ideaheap_20130731_disableswap] Explanation:
https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/

[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
Raspbian 10 Buster:
https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692

***** Disable Bluetooth
In order to reduce power consumed by bluetooth transmissions,
bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]).

Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS
settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added:

#+BEGIN_EXAMPLE
# Disable Bluetooth
dtoverlay=disable-bt
#+END_EXAMPLE

The ~hciuart~ service is associated with bluetooth functionality via
UART which may conflict with location and time data provided via
~/dev/ttyAMA0~. It should be disabled like so:

#+BEGIN_EXAMPLE
$ sudo systemctl disable hciuart
#+END_EXAMPLE

***** Disable login console via serial port
Some ~ninfacyzga~ functions (location and time) require data transfer
via ~/dev/ttyAMA0~. In order to prevent serial login programs from
interfering with such functions, it is necessary to disable them.

Run the following commands to disable login via ~ttyAMA0~:

#+BEGIN_EXAMPLE
$ sudo systemctl stop serial-getty@ttyAMA0.service
$ sudo systemctl disable serial-getty@ttyAMA0.service
$ sudo systemctl disable hciuart
#+END_EXAMPLE

Modify ~/boot/cmdline.txt~ to remove the console:

#+BEGIN_EXAMPLE
$ sudo nano /boot/cmdline.txt
#+END_EXAMPLE

Remove ~console=serial0,115200~

***** Log Transfer Configuration
Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
manual for how to set up a shared folder and add Ninfacyzga-01 as a
device. Syncthing's directory synchronization capability allows a
remote machine to delete files from Ninfacyzga-01 by deleting from the
shared folder that they both share.

When log files are removed from Ninfacyzga-01 is not within the scope
of this document.
***** Key Generation
An ~age~ encryption key may be generated like so:
#+BEGIN_EXAMPLE
$ umask          # Gets current umask
0022             # Note: This is the default umask for Raspbian 10
$ umask 066      # So key.txt will have no perms except for owner (you)
$ umask          # Confirm umask set to 066
0066
$ age-keygen > key.txt
Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
$ ls -al key.txt
-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
$ umask 0022     # Return umask to default value
$ umask          
0022
#+END_EXAMPLE

The resulting public/private keypair data looks like:
#+BEGIN_EXAMPLE
$ cat key.txt
# created: 2020-06-29T18:01:56Z
# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
#+END_EXAMPLE

The file ~key.txt~ is not password-protected by default and should be
secured like an SSH public key should. The ~$ umask 066~ command run
before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
be readable, writeable, or executable to anyone except the owner
(you).

*** Normal Startup
*** Normal Operation
*** Normal Shutdown
*** Unscheduled Shutdown
*** End of Life Disposal
See [[file:../setup/README.org][Main Setup]] procedures.

LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
properly with their potential ignitability in mind, especially if they
are not fully discharged.

Consult your local municipality for its "E-Waste Disposal" (or
equivalent) policy. Metals used in the Raspberry Pi and related
components may be recycled.

Take extra precuation if lead solder was used in assembling the
electronics. Consumer electronics in early 21st century should use
lead-free solder.
Commit	Line	Data
88b5ae54	1	#+TITLE:Ninfacyzga-1 Main Setup
7b09912b SBS	2	#+AUTHOR:Steven Baltakatei Sandoval
	3	#+EMAIL:baltakatei@gmail.com
	4	* Main Setup
	5	** About
	6	This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
	7	~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
f16e5fe2	8	~2020-10-17T21:22Z~.
7b09912b SBS	9
	10	This document contains information regarding setup of the
	11	ninfacyzga-01 hardware common to all operation modes. This includes:
	12
	13	- Raspberry OS installation
	14	- WiFi configuration
	15	- Remote SSH login configuration
	16
	17	** Scope
	18	This document describes hardware and software installation steps
	19	common to the various environmental sensing functions of
	20	ninfacyzga-01.
	21
	22	** Narrative
	23	The Raspberry Pi Zero W is the platform in which environment data is
	24	gathered, packaged, and stored for further forwarding to a remote
	25	repository. The Raspberry OS 10 operating system is used. The device
	26	may be equipped with a UPS module in order to allow it to function as
	27	a mobile device for short periods of time. The system may use
	28	executables such as ~bklog~ to append segments of observed compressed
	29	(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
	30	document describes hardware and software configuration procedures
	31	generally required by all environment sensing operations.
	32
	33	** Description
	34	*** Hardware
	35	**** Raspberry Pi Zero W
	36	See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
	37	**** PiZ UpTime 2.0
	38	See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.
	39
	40	*** Software
	41	~bklog~ : A bash script that saves its stdin stream to a tar file. The
	42	file may be compressed by ~gzip~ and encrypted by ~age~. It is an
	43	executable file contained within this repository at ~exec/bklog~. It
	44	should be copied to ~$HOME/.local/bin~.
	45
	46	~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
	47	scope in that it only records output from ~gpspipe~.
	48
	49	~gzip~ : A simple command line app that compresses stdin into a
	50	smaller stdout stream.
	51
	52	~age~ : A simple command line app that encrypts stdin against public
	53	keys specified in its options. Produces encrypted stdout. Is an
	54	executable file contained within this repository at ~exec/age~. It
	55	should be copied to ~$HOME/.local/bin~.
	56
	57	*** Output
	58	**** Encryption Method
	59	Files produced by the bklog script are encrypted against a set of
	60	public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
	61	selected over ~gpg~ because of ~age~'s deliberate lack of
	62	configurability.
	63
	64	The public keys are bech32 strings supplied as options to bkgpslog
	65	when called. The secret key should NOT be stored in Ninfacyzga-01.
	66
	67	If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
	68	key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].
	69
	70	An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
	71	the bech32 public key string produced by ~age-keygen~ for convenience.
	72
73	Help information for ~age~ is available by running ~$ age --help~.
74	***** Encryption Commands
75	****** Encryption through ~age~
76	In order to illustrate how ~bklog~ encrypts files, below is an example
77	command illustrating how ~age~ may be used to encrypt a file.
78
79	#+BEGIN_EXAMPLE
80	$ echo "asdf" \| age -r \
81	age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
82	> "$HOME/secret_file"
83	#+END_EXAMPLE
84
85	The resulting ~secret-file~ is a binary blob with a plaintext header
86	indicating how the blob was encrypted (which version of age was used,
87	which public key was used).
88
89	****** Encryption through ~bklog~
90	~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
91	string]~ options. An example is shown below:
92
93	#+BEGIN_EXAMPLE
94	$ gpspipe -r \| bklog -e \
95	-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
96	-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
97	-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
98	-o "$HOME/Location"
99	#+END_EXAMPLE
100
101	~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
102	directory in order to locate public key strings in its files. ~bklog~
103	reads the first line of each file and interprets it as a public key
104	string.
105
106	In this example, the strings beginning with ~age1...~ are
107	bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
108	section for an explanation.
109
110	Since ~age~ also accepts ~ssh~ public key strings, these may also be
111	used if they are of the following form (no comment).
112
113	: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd
114
115	***** Decryption Commands
116	Files may be decrypted using a command similar to:
117
118	#+BEGIN_EXAMPLE
119	cat location.gpx.age \| age -d -i key.txt > location.gpx
120	#+END_EXAMPLE
121
122	The version of ~age~ used to perform the encryption
123
7b09912b SBS	124	** Operating Procedures
	125	*** Initial Startup
	126	**** Physical Setup
7ac6ab14 SBS	127	The device should be supplied with 5V power and an SD card with the
	128	latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
	129	version 10 (e.g. Raspbian Buster 10).
	130
	131	No additional hardware (ex: GPS module, UPS module, thermocouples) is
	132	required to perform actions described in this document
	133
7b09912b SBS	134	**** Software Setup
	135	***** Install Operating System
	136	Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
	137	Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].
	138
	139	Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
	140	Foundation to refer to their operating system images to be installed
	141	on Raspberry Pi hardware. The change was made in order to facilitate
	142	education of beginners not familiar with the wordplay between
	143	"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
	144	plugwash.
	145
	146	***** Configure Wireless
	147	Configure WiFi in order to permit file transfer and remote
	148	administration. For a Raspberry Pi W, the WiFi settings may be
	149	programmed via a specific text file in the `boot` partition of a
	150	freshly installed image of Raspberry OS. Raspberry Pi Foundation
	151	instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].
	152
	153	In summary, create a ~wpa_supplicant.conf~ file containing the
	154	following text:
	155	#+BEGIN_EXAMPLE
	156	ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
	157	update_config=1
	158	country=US
	159
	160	network={
	161	ssid="<Name of your wireless LAN>"
	162	psk="<Password for your wireless LAN>"
	163	}
	164	#+END_EXAMPLE
	165
	166	Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.
	167
	168	Replace ~<Password for your wireless LAN>~ with your WiFi network's
	169	passphrase.
f792ba51	170	***** Enable Remote SSH Login
7b09912b SBS	171	Configure SSH to permit remote administration via the command line
	172	interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
	173
	174	In summary, remote SSH access may be enabled upon initial startup of a
	175	freshly installed image of Raspberry Pi OS by making sure an empty
	176	file named ~ssh~ is present on the ~boot~ partition.
	177
f16e5fe2 SBS	178	***** Login via SSH
	179	Assuming your router supports finding your Raspberry Pi via its
	180	default hostname of `raspberypi`, log into the pi via Wi-Fi using the
	181	following command:
	182
	183	: $ ssh pi@raspberrypi
	184
	185	Otherwise, you may have to identify the raspbery pi's IP address via
	186	your network router's administration console and login via a command
	187	resembling this:
	188
	189	: $ ssh pi@192.168.x.x
	190
	191	If you had previously set up a different raspberry pi that also used
	192	the same hostname ~raspberrypi~ or the same IP address (ex:
	193	~192.168.123.123~), you may have to inform your computer that this is a
	194	different device. You may do so using these commands:
	195
	196	: $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi"
	197	: $ ssh-keygen -R 192.168.123.123
	198
f792ba51 SBS	199	***** Add SSH public key
	200	If the use has an SSH public key, it may be added as a line in
	201	~~/.ssh/authorized_keys~.
	202
f16e5fe2 SBS	203	Add the ~~/.ssh~ directory if it doesn't already exist.
	204
	205	: $ mkdir ~/.ssh
	206
f792ba51 SBS	207	Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.
	208
	209	: $ chmod 700 ~/.ssh
	210	: $ chmod 644 ~/.ssh/authorized_keys
	211
7b09912b SBS	212	***** Change default passphrase
	213	The default username is ~pi~ and the default passphrase is
	214	~raspberry~. Change them to something unique.
	215
	216	: $ passwd
	217
	218	***** Update software
	219	Update software with distribution repository.
	220
	221	: $ sudo apt update
	222	: $ sudo apt upgrade -y
	223	: $ sudo apt dist-upgrade -y
	224
8311e24c SBS	225	***** Change time zone
	226	The time zone should be set to "UTC" for simplicity.
	227
	228	: $ sudo raspi-config
	229
	230	Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.
	231
f792ba51 SBS	232	***** Update hostname
	233	A unique hostname is required to uniquely identify the device on the
	234	network.
	235
	236	Start up the Raspberry Pi Software Configuration Tool by running:
	237	: $ sudo raspi-config
	238
	239	- Select `2 Network Options`
	240	- Select `N1 Hostname`
	241
	242	This document recommends a hostname beginning with the prefix:
	243	: ninfacyzga-1-
	244
	245	An example hostname would be ~ninfacyzga-1-2~.
	246
7b09912b SBS	247	***** Install software
	248	****** ~unattended-upgrades~
	249	Make sure to install the ~unattended-upgrades~ package to make sure
	250	the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
	251	for a description of how ~unattended-upgrades~ works.
	252
f16e5fe2 SBS	253	: $ sudo apt install unattended-upgrades
f16e5fe2 SBS	254
7b09912b SBS	255	The configuration file is located at:
	256	~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
	257	following lines are present and not commented out.
	258
	259	#+BEGIN_EXAMPLE
	260	Unattended-Upgrade::Automatic-Reboot "true";
	261	#+END_EXAMPLE
	262
	263	****** ~syncthing~
	264	Install ~syncthing~ for log file transfer capability.
	265
	266	: $ sudo apt install syncthing
	267
da6d2970 SBS	268	Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).
	269
	270	: $ sudo systemctl enable syncthing@pi.service
	271	: $ sudo systemctl start syncthing@pi.service
	272
5c65ffa9 SBS	273	The WebUI of the local instance of syncthing (port 8384) can be
	274	accessed by running the following command from a separate machine:
	275
	276	: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x
	277
	278	Then, the separate machine should navigate to ~localhost:8390~ in a
	279	web browser in order to change the ninfacyzga-1 device's
	280	configuration. The separate machine's Syncthing configuration options
	281	are accessible via its own web browser via ~localhost:8384~.
	282
7b09912b	283	****** ~git~
f792ba51 SBS	284	~git~ facilitates downloading files from this repository to the
f792ba51 SBS	285	device. It may be installed via:
7b09912b SBS	286
	287	: $ sudo apt install git
	288
	289	****** ninfacyzga-01 git repository
	290	Create the directory ~/git-OC/~ . Within this directory, run the
	291	following commands to clone the ~ninfacyzga-01~ git repository:
19f49278	292	: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
7b09912b SBS	293	: $ cd ninfacyzga-01
	294
	295	Check out the ~develop~ branch (if the latest changes are desired over
	296	those of the ~master~ branch).
	297	: $ git checkout --track origin/develop
	298
	299	****** ~age~
f792ba51 SBS	300	~age~ is required for encrypting data at rest.
f792ba51 SBS	301
7b09912b SBS	302	Place ~age~ binary (the one compiled for ARM CPU architecture for
	303	Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
	304	~exec~ directory.
	305
f792ba51 SBS	306	: $ mkdir ~/.local/bin
	307	: $ cp exec/age ~/.local/bin/
	308
7b09912b	309	***** Disable Swap File
f792ba51 SBS	310	Since standard Raspberry OS 10 install involves copying unencrypted
	311	file system image to SD card which is mounted by the Raspberry Pi,
	312	system memory may be written to disk in the form of a Swap file as
	313	described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
	314	is ever written to disk, swap file functionality must be
	315	disabled[fn:ideaheap_20130731_disableswap].
7b09912b SBS	316
	317	Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
	318	disabled persistently[fn:rpf_20190702_disableswappersist] by running
	319	the following command:
	320
	321	: sudo systemctl disable dphys-swapfile.service
	322
	323	To view the status of the swap file in Raspbian 10, run ~free -m~:
	324
	325	#+BEGIN_EXAMPLE
	326	pi@ninfacyzga-01:~$ free -m
	327	total used free shared buff/cache available
	328	Mem: 432 86 36 21 309 268
	329	Swap: 99 0 99
	330	#+END_EXAMPLE
	331
	332	After disabling the swap file and rebooting:
	333
	334	#+BEGIN_EXAMPLE
	335	pi@ninfacyzga-01:~$ free -m
	336	total used free shared buff/cache available
	337	Mem: 432 89 214 3 128 289
	338	Swap: 0 0 0
	339	#+END_EXAMPLE
	340
	341	[fn:ideaheap_20130731_disableswap] Explanation:
	342	https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/
	343
	344	[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
	345	Raspbian 10 Buster:
	346	https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
	347
88b5ae54 SBS	348	***** Disable Bluetooth
	349	In order to reduce power consumed by bluetooth transmissions,
	350	bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]).
	351
	352	Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS
	353	settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added:
	354
	355	#+BEGIN_EXAMPLE
	356	# Disable Bluetooth
	357	dtoverlay=disable-bt
	358	#+END_EXAMPLE
	359
	360	The ~hciuart~ service is associated with bluetooth functionality via
	361	UART which may conflict with location and time data provided via
	362	~/dev/ttyAMA0~. It should be disabled like so:
	363
	364	#+BEGIN_EXAMPLE
	365	$ sudo systemctl disable hciuart
	366	#+END_EXAMPLE
	367
	368	***** Disable login console via serial port
	369	Some ~ninfacyzga~ functions (location and time) require data transfer
	370	via ~/dev/ttyAMA0~. In order to prevent serial login programs from
	371	interfering with such functions, it is necessary to disable them.
	372
	373	Run the following commands to disable login via ~ttyAMA0~:
	374
	375	#+BEGIN_EXAMPLE
	376	$ sudo systemctl stop serial-getty@ttyAMA0.service
	377	$ sudo systemctl disable serial-getty@ttyAMA0.service
	378	$ sudo systemctl disable hciuart
	379	#+END_EXAMPLE
	380
	381	Modify ~/boot/cmdline.txt~ to remove the console:
	382
	383	#+BEGIN_EXAMPLE
	384	$ sudo nano /boot/cmdline.txt
	385	#+END_EXAMPLE
	386
	387	Remove ~console=serial0,115200~
	388
7b09912b SBS	389	***** Log Transfer Configuration
	390	Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
	391	manual for how to set up a shared folder and add Ninfacyzga-01 as a
	392	device. Syncthing's directory synchronization capability allows a
	393	remote machine to delete files from Ninfacyzga-01 by deleting from the
	394	shared folder that they both share.
	395
	396	When log files are removed from Ninfacyzga-01 is not within the scope
	397	of this document.
	398	***** Key Generation
	399	An ~age~ encryption key may be generated like so:
	400	#+BEGIN_EXAMPLE
	401	$ umask # Gets current umask
	402	0022 # Note: This is the default umask for Raspbian 10
	403	$ umask 066 # So key.txt will have no perms except for owner (you)
	404	$ umask # Confirm umask set to 066
	405	0066
	406	$ age-keygen > key.txt
	407	Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
	408	$ ls -al key.txt
	409	-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
	410	$ umask 0022 # Return umask to default value
	411	$ umask
	412	0022
	413	#+END_EXAMPLE
	414
	415	The resulting public/private keypair data looks like:
	416	#+BEGIN_EXAMPLE
	417	$ cat key.txt
	418	# created: 2020-06-29T18:01:56Z
	419	# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
	420	AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
	421	#+END_EXAMPLE
	422
	423	The file ~key.txt~ is not password-protected by default and should be
	424	secured like an SSH public key should. The ~$ umask 066~ command run
	425	before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
	426	be readable, writeable, or executable to anyone except the owner
	427	(you).
	428
	429	*** Normal Startup
	430	*** Normal Operation
	431	*** Normal Shutdown
	432	*** Unscheduled Shutdown
	433	*** End of Life Disposal
	434	See [[file:../setup/README.org][Main Setup]] procedures.
	435
	436	LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
	437	properly with their potential ignitability in mind, especially if they
	438	are not fully discharged.
	439
	440	Consult your local municipality for its "E-Waste Disposal" (or
	441	equivalent) policy. Metals used in the Raspberry Pi and related
	442	components may be recycled.
	443
	444	Take extra precuation if lead solder was used in assembling the
	445	electronics. Consumer electronics in early 21st century should use
	446	lead-free solder.
	447
	448
	449