doc(setup):Note need to install gpsbabel
[EVA-2020-02.git] / doc / setup / README.org
... / ...
CommitLineData
1#+TITLE:Ninfacyzga-01 Setup
2#+AUTHOR:Steven Baltakatei Sandoval
3#+EMAIL:baltakatei@gmail.com
4* Main Setup
5** About
6This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
7~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
8~2020-10-08T00:50Z~.
9
10This document contains information regarding setup of the
11ninfacyzga-01 hardware common to all operation modes. This includes:
12
13- Raspberry OS installation
14- WiFi configuration
15- Remote SSH login configuration
16
17** Scope
18This document describes hardware and software installation steps
19common to the various environmental sensing functions of
20ninfacyzga-01.
21
22** Narrative
23The Raspberry Pi Zero W is the platform in which environment data is
24gathered, packaged, and stored for further forwarding to a remote
25repository. The Raspberry OS 10 operating system is used. The device
26may be equipped with a UPS module in order to allow it to function as
27a mobile device for short periods of time. The system may use
28executables such as ~bklog~ to append segments of observed compressed
29(~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
30document describes hardware and software configuration procedures
31generally required by all environment sensing operations.
32
33** Description
34*** Hardware
35**** Raspberry Pi Zero W
36See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
37**** PiZ UpTime 2.0
38See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.
39
40*** Software
41~bklog~ : A bash script that saves its stdin stream to a tar file. The
42file may be compressed by ~gzip~ and encrypted by ~age~. It is an
43executable file contained within this repository at ~exec/bklog~. It
44should be copied to ~$HOME/.local/bin~.
45
46~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
47scope in that it only records output from ~gpspipe~.
48
49~gzip~ : A simple command line app that compresses stdin into a
50smaller stdout stream.
51
52~age~ : A simple command line app that encrypts stdin against public
53keys specified in its options. Produces encrypted stdout. Is an
54executable file contained within this repository at ~exec/age~. It
55should be copied to ~$HOME/.local/bin~.
56
57*** Output
58**** Encryption Method
59Files produced by the bklog script are encrypted against a set of
60public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
61selected over ~gpg~ because of ~age~'s deliberate lack of
62configurability.
63
64The public keys are bech32 strings supplied as options to bkgpslog
65when called. The secret key should *NOT* be stored in Ninfacyzga-01.
66
67If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
68key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].
69
70An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
71the bech32 public key string produced by ~age-keygen~ for convenience.
72
73Help information for ~age~ is available by running ~$ age --help~.
74***** Encryption Commands
75****** Encryption through ~age~
76In order to illustrate how ~bklog~ encrypts files, below is an example
77command illustrating how ~age~ may be used to encrypt a file.
78
79#+BEGIN_EXAMPLE
80$ echo "asdf" | age -r \
81age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
82> "$HOME/secret_file"
83#+END_EXAMPLE
84
85The resulting ~secret-file~ is a binary blob with a plaintext header
86indicating how the blob was encrypted (which version of age was used,
87which public key was used).
88
89****** Encryption through ~bklog~
90~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
91string]~ options. An example is shown below:
92
93#+BEGIN_EXAMPLE
94$ gpspipe -r | bklog -e \
95-r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
96-r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
97-r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
98-o "$HOME/Location"
99#+END_EXAMPLE
100
101~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
102directory in order to locate public key strings in its files. ~bklog~
103reads the first line of each file and interprets it as a public key
104string.
105
106In this example, the strings beginning with ~age1...~ are
107bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
108section for an explanation.
109
110Since ~age~ also accepts ~ssh~ public key strings, these may also be
111used if they are of the following form (no comment).
112
113: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd
114
115***** Decryption Commands
116Files may be decrypted using a command similar to:
117
118#+BEGIN_EXAMPLE
119cat location.gpx.age | age -d -i key.txt > location.gpx
120#+END_EXAMPLE
121
122The version of ~age~ used to perform the encryption
123
124** Operating Procedures
125*** Initial Startup
126**** Physical Setup
127The device should be supplied with 5V power and an SD card with the
128latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
129version 10 (e.g. Raspbian Buster 10).
130
131No additional hardware (ex: GPS module, UPS module, thermocouples) is
132required to perform actions described in this document
133
134**** Software Setup
135***** Install Operating System
136Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
137Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].
138
139Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
140Foundation to refer to their operating system images to be installed
141on Raspberry Pi hardware. The change was made in order to facilitate
142education of beginners not familiar with the wordplay between
143"Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
144plugwash.
145
146***** Configure Wireless
147Configure WiFi in order to permit file transfer and remote
148administration. For a Raspberry Pi W, the WiFi settings may be
149programmed via a specific text file in the `boot` partition of a
150freshly installed image of Raspberry OS. Raspberry Pi Foundation
151instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].
152
153In summary, create a ~wpa_supplicant.conf~ file containing the
154following text:
155#+BEGIN_EXAMPLE
156ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
157update_config=1
158country=US
159
160network={
161 ssid="<Name of your wireless LAN>"
162 psk="<Password for your wireless LAN>"
163}
164#+END_EXAMPLE
165
166Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.
167
168Replace ~<Password for your wireless LAN>~ with your WiFi network's
169passphrase.
170***** Enable Remote SSH Login
171Configure SSH to permit remote administration via the command line
172interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
173
174In summary, remote SSH access may be enabled upon initial startup of a
175freshly installed image of Raspberry Pi OS by making sure an empty
176file named ~ssh~ is present on the ~boot~ partition.
177
178***** Add SSH public key
179If the use has an SSH public key, it may be added as a line in
180~~/.ssh/authorized_keys~.
181
182Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.
183
184: $ chmod 700 ~/.ssh
185: $ chmod 644 ~/.ssh/authorized_keys
186
187***** Change default passphrase
188The default username is ~pi~ and the default passphrase is
189~raspberry~. Change them to something unique.
190
191: $ passwd
192
193***** Update software
194Update software with distribution repository.
195
196: $ sudo apt update
197: $ sudo apt upgrade -y
198: $ sudo apt dist-upgrade -y
199
200***** Change time zone
201The time zone should be set to "UTC" for simplicity.
202
203: $ sudo raspi-config
204
205Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.
206
207***** Update hostname
208A unique hostname is required to uniquely identify the device on the
209network.
210
211Start up the Raspberry Pi Software Configuration Tool by running:
212: $ sudo raspi-config
213
214- Select `2 Network Options`
215- Select `N1 Hostname`
216
217This document recommends a hostname beginning with the prefix:
218: ninfacyzga-1-
219
220An example hostname would be ~ninfacyzga-1-2~.
221
222***** Install software
223****** ~unattended-upgrades~
224Make sure to install the ~unattended-upgrades~ package to make sure
225the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
226for a description of how ~unattended-upgrades~ works.
227
228The configuration file is located at:
229~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
230following lines are present and not commented out.
231
232#+BEGIN_EXAMPLE
233Unattended-Upgrade::Automatic-Reboot "true";
234#+END_EXAMPLE
235
236****** ~syncthing~
237Install ~syncthing~ for log file transfer capability.
238
239: $ sudo apt install syncthing
240
241Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).
242
243: $ sudo systemctl enable syncthing@pi.service
244: $ sudo systemctl start syncthing@pi.service
245
246The WebUI of the local instance of syncthing (port 8384) can be
247accessed by running the following command from a separate machine:
248
249: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x
250
251Then, the separate machine should navigate to ~localhost:8390~ in a
252web browser in order to change the ninfacyzga-1 device's
253configuration. The separate machine's Syncthing configuration options
254are accessible via its own web browser via ~localhost:8384~.
255
256****** ~git~
257~git~ facilitates downloading files from this repository to the
258device. It may be installed via:
259
260: $ sudo apt install git
261
262****** ninfacyzga-01 git repository
263Create the directory ~/git-OC/~ . Within this directory, run the
264following commands to clone the ~ninfacyzga-01~ git repository:
265: $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
266: $ cd ninfacyzga-01
267
268Check out the ~develop~ branch (if the latest changes are desired over
269those of the ~master~ branch).
270: $ git checkout --track origin/develop
271
272****** ~age~
273~age~ is required for encrypting data at rest.
274
275Place ~age~ binary (the one compiled for ARM CPU architecture for
276Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
277~exec~ directory.
278
279: $ mkdir ~/.local/bin
280: $ cp exec/age ~/.local/bin/
281
282***** Disable Swap File
283Since standard Raspberry OS 10 install involves copying unencrypted
284file system image to SD card which is mounted by the Raspberry Pi,
285system memory may be written to disk in the form of a Swap file as
286described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
287is ever written to disk, swap file functionality must be
288disabled[fn:ideaheap_20130731_disableswap].
289
290Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
291disabled persistently[fn:rpf_20190702_disableswappersist] by running
292the following command:
293
294: sudo systemctl disable dphys-swapfile.service
295
296To view the status of the swap file in Raspbian 10, run ~free -m~:
297
298#+BEGIN_EXAMPLE
299pi@ninfacyzga-01:~$ free -m
300 total used free shared buff/cache available
301Mem: 432 86 36 21 309 268
302Swap: 99 0 99
303#+END_EXAMPLE
304
305After disabling the swap file and rebooting:
306
307#+BEGIN_EXAMPLE
308pi@ninfacyzga-01:~$ free -m
309 total used free shared buff/cache available
310Mem: 432 89 214 3 128 289
311Swap: 0 0 0
312#+END_EXAMPLE
313
314[fn:ideaheap_20130731_disableswap] Explanation:
315https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/
316
317[fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
318Raspbian 10 Buster:
319https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
320
321***** Log Transfer Configuration
322Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
323manual for how to set up a shared folder and add Ninfacyzga-01 as a
324device. Syncthing's directory synchronization capability allows a
325remote machine to delete files from Ninfacyzga-01 by deleting from the
326shared folder that they both share.
327
328When log files are removed from Ninfacyzga-01 is not within the scope
329of this document.
330***** Key Generation
331An ~age~ encryption key may be generated like so:
332#+BEGIN_EXAMPLE
333$ umask # Gets current umask
3340022 # Note: This is the default umask for Raspbian 10
335$ umask 066 # So key.txt will have no perms except for owner (you)
336$ umask # Confirm umask set to 066
3370066
338$ age-keygen > key.txt
339Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
340$ ls -al key.txt
341-rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
342$ umask 0022 # Return umask to default value
343$ umask
3440022
345#+END_EXAMPLE
346
347The resulting public/private keypair data looks like:
348#+BEGIN_EXAMPLE
349$ cat key.txt
350# created: 2020-06-29T18:01:56Z
351# public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
352AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
353#+END_EXAMPLE
354
355The file ~key.txt~ is not password-protected by default and should be
356secured like an SSH public key should. The ~$ umask 066~ command run
357before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
358be readable, writeable, or executable to anyone except the owner
359(you).
360
361*** Normal Startup
362*** Normal Operation
363*** Normal Shutdown
364*** Unscheduled Shutdown
365*** End of Life Disposal
366See [[file:../setup/README.org][Main Setup]] procedures.
367
368LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
369properly with their potential ignitability in mind, especially if they
370are not fully discharged.
371
372Consult your local municipality for its "E-Waste Disposal" (or
373equivalent) policy. Metals used in the Raspberry Pi and related
374components may be recycled.
375
376Take extra precuation if lead solder was used in assembling the
377electronics. Consumer electronics in early 21st century should use
378lead-free solder.
379
380
381