chore(exec/temp):Fix CSV fields in stdout output
[EVA-2020-02.git] / doc / setup / README.org
... / ...
CommitLineData
1#+TITLE:Ninfacyzga-1 Main Setup
2#+AUTHOR:Steven Baltakatei Sandoval
3#+EMAIL:baltakatei@gmail.com
4* Main Setup
5** About
6This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
7~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
8~2020-10-17T21:22Z~.
9
10This document contains information regarding setup of the
11ninfacyzga-01 hardware common to all operation modes. This includes:
12
13- Raspberry OS installation
14- WiFi configuration
15- Remote SSH login configuration
16
17** Scope
18This document describes hardware and software installation steps
19common to the various environmental sensing functions of
20ninfacyzga-01.
21
22** Narrative
23The Raspberry Pi Zero W is the platform in which environment data is
24gathered, packaged, and stored for further forwarding to a remote
25repository. The Raspberry OS 10 operating system is used. The device
26may be equipped with a UPS module in order to allow it to function as
27a mobile device for short periods of time. The system may use
28executables such as ~bklog~ to append segments of observed compressed
29(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
30document describes hardware and software configuration procedures
31generally required by all environment sensing operations.
32
33** Description
34*** Hardware
35**** Raspberry Pi Zero W
36See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
37**** PiZ UpTime 2.0
38See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.
39
40*** Software
41~bklog~ : A bash script that saves its stdin stream to a tar file. The
42file may be compressed by ~gzip~ and encrypted by ~age~. It is an
43executable file contained within this repository at ~exec/bklog~. It
44should be copied to ~$HOME/.local/bin~.
45
46~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
47scope in that it only records output from ~gpspipe~.
48
49~gzip~ : A simple command line app that compresses stdin into a
50smaller stdout stream.
51
52~age~ : A simple command line app that encrypts stdin against public
53keys specified in its options. Produces encrypted stdout. Is an
54executable file contained within this repository at ~exec/age~. It
55should be copied to ~$HOME/.local/bin~.
56
57*** Output
58**** Encryption Method
59Files produced by the bklog script are encrypted against a set of
60public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
61selected over ~gpg~ because of ~age~'s deliberate lack of
62configurability.
63
64The public keys are bech32 strings supplied as options to bkgpslog
65when called. The secret key should *NOT* be stored in Ninfacyzga-01.
66
67If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
68key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].
69
70An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
71the bech32 public key string produced by ~age-keygen~ for convenience.
72
73Help information for ~age~ is available by running ~$ age --help~.
74***** Encryption Commands
75****** Encryption through ~age~
76In order to illustrate how ~bklog~ encrypts files, below is an example
77command illustrating how ~age~ may be used to encrypt a file.
78
79#+BEGIN_EXAMPLE
80$ echo "asdf" | age -r \
81age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
82> "$HOME/secret_file"
83#+END_EXAMPLE
84
85The resulting ~secret-file~ is a binary blob with a plaintext header
86indicating how the blob was encrypted (which version of age was used,
87which public key was used).
88
89****** Encryption through ~bklog~
90~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
91string]~ options. An example is shown below:
92
93#+BEGIN_EXAMPLE
94$ gpspipe -r | bklog -e \
95-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
96-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
97-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
98-o "$HOME/Location"
99#+END_EXAMPLE
100
101~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
102directory in order to locate public key strings in its files. ~bklog~
103reads the first line of each file and interprets it as a public key
104string.
105
106In this example, the strings beginning with ~age1...~ are
107bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
108section for an explanation.
109
110Since ~age~ also accepts ~ssh~ public key strings, these may also be
111used if they are of the following form (no comment).
112
113: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd
114
115***** Decryption Commands
116Files may be decrypted using a command similar to:
117
118#+BEGIN_EXAMPLE
119cat location.gpx.age | age -d -i key.txt > location.gpx
120#+END_EXAMPLE
121
122The version of ~age~ used to perform the encryption
123
124** Operating Procedures
125*** Initial Startup
126**** Physical Setup
127The device should be supplied with 5V power and an SD card with the
128latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
129version 10 (e.g. Raspbian Buster 10).
130
131No additional hardware (ex: GPS module, UPS module, thermocouples) is
132required to perform actions described in this document
133
134**** Software Setup
135***** Install Operating System
136Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
137Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].
138
139Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
140Foundation to refer to their operating system images to be installed
141on Raspberry Pi hardware. The change was made in order to facilitate
142education of beginners not familiar with the wordplay between
143"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
144plugwash.
145
146***** Configure Wireless
147Configure WiFi in order to permit file transfer and remote
148administration. For a Raspberry Pi W, the WiFi settings may be
149programmed via a specific text file in the `boot` partition of a
150freshly installed image of Raspberry OS. Raspberry Pi Foundation
151instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].
152
153In summary, create a ~wpa_supplicant.conf~ file containing the
154following text:
155#+BEGIN_EXAMPLE
156ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
157update_config=1
158country=US
159
160network={
161 ssid="<Name of your wireless LAN>"
162 psk="<Password for your wireless LAN>"
163}
164#+END_EXAMPLE
165
166Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.
167
168Replace ~<Password for your wireless LAN>~ with your WiFi network's
169passphrase.
170***** Enable Remote SSH Login
171Configure SSH to permit remote administration via the command line
172interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
173
174In summary, remote SSH access may be enabled upon initial startup of a
175freshly installed image of Raspberry Pi OS by making sure an empty
176file named ~ssh~ is present on the ~boot~ partition.
177
178***** Login via SSH
179Assuming your router supports finding your Raspberry Pi via its
180default hostname of `raspberypi`, log into the pi via Wi-Fi using the
181following command:
182
183: $ ssh pi@raspberrypi
184
185Otherwise, you may have to identify the raspbery pi's IP address via
186your network router's administration console and login via a command
187resembling this:
188
189: $ ssh pi@192.168.x.x
190
191If you had previously set up a different raspberry pi that also used
192the same hostname ~raspberrypi~ or the same IP address (ex:
193~192.168.123.123~), you may have to inform your computer that this is a
194different device. You may do so using these commands:
195
196: $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi"
197: $ ssh-keygen -R 192.168.123.123
198
199***** Add SSH public key
200If the use has an SSH public key, it may be added as a line in
201~~/.ssh/authorized_keys~.
202
203Add the ~~/.ssh~ directory if it doesn't already exist.
204
205: $ mkdir ~/.ssh
206
207Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.
208
209: $ chmod 700 ~/.ssh
210: $ chmod 644 ~/.ssh/authorized_keys
211
212***** Change default passphrase
213The default username is ~pi~ and the default passphrase is
214~raspberry~. Change them to something unique.
215
216: $ passwd
217
218***** Update software
219Update software with distribution repository.
220
221: $ sudo apt update
222: $ sudo apt upgrade -y
223: $ sudo apt dist-upgrade -y
224
225***** Change time zone
226The time zone should be set to "UTC" for simplicity.
227
228: $ sudo raspi-config
229
230Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.
231
232***** Update hostname
233A unique hostname is required to uniquely identify the device on the
234network.
235
236Start up the Raspberry Pi Software Configuration Tool by running:
237: $ sudo raspi-config
238
239- Select `2 Network Options`
240- Select `N1 Hostname`
241
242This document recommends a hostname beginning with the prefix:
243: ninfacyzga-1-
244
245An example hostname would be ~ninfacyzga-1-2~.
246
247***** Install software
248****** ~unattended-upgrades~
249Make sure to install the ~unattended-upgrades~ package to make sure
250the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
251for a description of how ~unattended-upgrades~ works.
252
253: $ sudo apt install unattended-upgrades
254
255The configuration file is located at:
256~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
257following lines are present and not commented out.
258
259#+BEGIN_EXAMPLE
260Unattended-Upgrade::Automatic-Reboot "true";
261#+END_EXAMPLE
262
263****** ~syncthing~
264Install ~syncthing~ for log file transfer capability.
265
266: $ sudo apt install syncthing
267
268Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).
269
270: $ sudo systemctl enable syncthing@pi.service
271: $ sudo systemctl start syncthing@pi.service
272
273The WebUI of the local instance of syncthing (port 8384) can be
274accessed by running the following command from a separate machine:
275
276: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x
277
278Then, the separate machine should navigate to ~localhost:8390~ in a
279web browser in order to change the ninfacyzga-1 device's
280configuration. The separate machine's Syncthing configuration options
281are accessible via its own web browser via ~localhost:8384~.
282
283****** ~git~
284~git~ facilitates downloading files from this repository to the
285device. It may be installed via:
286
287: $ sudo apt install git
288
289****** ninfacyzga-01 git repository
290Create the directory ~/git-OC/~ . Within this directory, run the
291following commands to clone the ~ninfacyzga-01~ git repository:
292: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
293: $ cd ninfacyzga-01
294
295Check out the ~develop~ branch (if the latest changes are desired over
296those of the ~master~ branch).
297: $ git checkout --track origin/develop
298
299****** ~age~
300~age~ is required for encrypting data at rest.
301
302Place ~age~ binary (the one compiled for ARM CPU architecture for
303Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
304~exec~ directory.
305
306: $ mkdir ~/.local/bin
307: $ cp exec/age ~/.local/bin/
308
309***** Disable Swap File
310Since standard Raspberry OS 10 install involves copying unencrypted
311file system image to SD card which is mounted by the Raspberry Pi,
312system memory may be written to disk in the form of a Swap file as
313described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
314is ever written to disk, swap file functionality must be
315disabled[fn:ideaheap_20130731_disableswap].
316
317Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
318disabled persistently[fn:rpf_20190702_disableswappersist] by running
319the following command:
320
321: sudo systemctl disable dphys-swapfile.service
322
323To view the status of the swap file in Raspbian 10, run ~free -m~:
324
325#+BEGIN_EXAMPLE
326pi@ninfacyzga-01:~$ free -m
327 total used free shared buff/cache available
328Mem: 432 86 36 21 309 268
329Swap: 99 0 99
330#+END_EXAMPLE
331
332After disabling the swap file and rebooting:
333
334#+BEGIN_EXAMPLE
335pi@ninfacyzga-01:~$ free -m
336 total used free shared buff/cache available
337Mem: 432 89 214 3 128 289
338Swap: 0 0 0
339#+END_EXAMPLE
340
341[fn:ideaheap_20130731_disableswap] Explanation:
342https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/
343
344[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
345Raspbian 10 Buster:
346https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
347
348***** Disable Bluetooth
349In order to reduce power consumed by bluetooth transmissions,
350bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]).
351
352Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS
353settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added:
354
355#+BEGIN_EXAMPLE
356# Disable Bluetooth
357dtoverlay=disable-bt
358#+END_EXAMPLE
359
360The ~hciuart~ service is associated with bluetooth functionality via
361UART which may conflict with location and time data provided via
362~/dev/ttyAMA0~. It should be disabled like so:
363
364#+BEGIN_EXAMPLE
365$ sudo systemctl disable hciuart
366#+END_EXAMPLE
367
368***** Disable login console via serial port
369Some ~ninfacyzga~ functions (location and time) require data transfer
370via ~/dev/ttyAMA0~. In order to prevent serial login programs from
371interfering with such functions, it is necessary to disable them.
372
373Run the following commands to disable login via ~ttyAMA0~:
374
375#+BEGIN_EXAMPLE
376$ sudo systemctl stop serial-getty@ttyAMA0.service
377$ sudo systemctl disable serial-getty@ttyAMA0.service
378$ sudo systemctl disable hciuart
379#+END_EXAMPLE
380
381Modify ~/boot/cmdline.txt~ to remove the console:
382
383#+BEGIN_EXAMPLE
384$ sudo nano /boot/cmdline.txt
385#+END_EXAMPLE
386
387Remove ~console=serial0,115200~
388
389***** Log Transfer Configuration
390Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
391manual for how to set up a shared folder and add Ninfacyzga-01 as a
392device. Syncthing's directory synchronization capability allows a
393remote machine to delete files from Ninfacyzga-01 by deleting from the
394shared folder that they both share.
395
396When log files are removed from Ninfacyzga-01 is not within the scope
397of this document.
398***** Key Generation
399An ~age~ encryption key may be generated like so:
400#+BEGIN_EXAMPLE
401$ umask # Gets current umask
4020022 # Note: This is the default umask for Raspbian 10
403$ umask 066 # So key.txt will have no perms except for owner (you)
404$ umask # Confirm umask set to 066
4050066
406$ age-keygen > key.txt
407Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
408$ ls -al key.txt
409-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
410$ umask 0022 # Return umask to default value
411$ umask
4120022
413#+END_EXAMPLE
414
415The resulting public/private keypair data looks like:
416#+BEGIN_EXAMPLE
417$ cat key.txt
418# created: 2020-06-29T18:01:56Z
419# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
420AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
421#+END_EXAMPLE
422
423The file ~key.txt~ is not password-protected by default and should be
424secured like an SSH public key should. The ~$ umask 066~ command run
425before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
426be readable, writeable, or executable to anyone except the owner
427(you).
428
429*** Normal Startup
430*** Normal Operation
431*** Normal Shutdown
432*** Unscheduled Shutdown
433*** End of Life Disposal
434See [[file:../setup/README.org][Main Setup]] procedures.
435
436LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
437properly with their potential ignitability in mind, especially if they
438are not fully discharged.
439
440Consult your local municipality for its "E-Waste Disposal" (or
441equivalent) policy. Metals used in the Raspberry Pi and related
442components may be recycled.
443
444Take extra precuation if lead solder was used in assembling the
445electronics. Consumer electronics in early 21st century should use
446lead-free solder.
447
448
449