chore(exec/temp):Fix CSV fields in stdout output
[EVA-2020-02.git] / doc / setup / README.org
1 #+TITLE:Ninfacyzga-1 Main Setup
2 #+AUTHOR:Steven Baltakatei Sandoval
3 #+EMAIL:baltakatei@gmail.com
4 * Main Setup
5 ** About
6 This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
7 ~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
8 ~2020-10-17T21:22Z~.
9
10 This document contains information regarding setup of the
11 ninfacyzga-01 hardware common to all operation modes. This includes:
12
13 - Raspberry OS installation
14 - WiFi configuration
15 - Remote SSH login configuration
16
17 ** Scope
18 This document describes hardware and software installation steps
19 common to the various environmental sensing functions of
20 ninfacyzga-01.
21
22 ** Narrative
23 The Raspberry Pi Zero W is the platform in which environment data is
24 gathered, packaged, and stored for further forwarding to a remote
25 repository. The Raspberry OS 10 operating system is used. The device
26 may be equipped with a UPS module in order to allow it to function as
27 a mobile device for short periods of time. The system may use
28 executables such as ~bklog~ to append segments of observed compressed
29 (~gzip~) encrypted (~age~) data to a ~tar~ archive to local disk. This
30 document describes hardware and software configuration procedures
31 generally required by all environment sensing operations.
32
33 ** Description
34 *** Hardware
35 **** Raspberry Pi Zero W
36 See the [[https://www.raspberrypi.org/pi-zero-w/][OEM]] webpage for this product.
37 **** PiZ UpTime 2.0
38 See the [[https://alchemy-power.com/piz-uptime-2-0/][OEM]] webpage for this product.
39
40 *** Software
41 ~bklog~ : A bash script that saves its stdin stream to a tar file. The
42 file may be compressed by ~gzip~ and encrypted by ~age~. It is an
43 executable file contained within this repository at ~exec/bklog~. It
44 should be copied to ~$HOME/.local/bin~.
45
46 ~bkgpslog~ : A legacy bash script similar to ~bklog~ but narrower in
47 scope in that it only records output from ~gpspipe~.
48
49 ~gzip~ : A simple command line app that compresses stdin into a
50 smaller stdout stream.
51
52 ~age~ : A simple command line app that encrypts stdin against public
53 keys specified in its options. Produces encrypted stdout. Is an
54 executable file contained within this repository at ~exec/age~. It
55 should be copied to ~$HOME/.local/bin~.
56
57 *** Output
58 **** Encryption Method
59 Files produced by the bklog script are encrypted against a set of
60 public keys using [[https://github.com/FiloSottile/age][~age~]], a simple command line encryption tool
61 selected over ~gpg~ because of ~age~'s deliberate lack of
62 configurability.
63
64 The public keys are bech32 strings supplied as options to bkgpslog
65 when called. The secret key should *NOT* be stored in Ninfacyzga-01.
66
67 If a key pair was generated using ~age-keygen~, then it is an [[https://en.wikipedia.org/wiki/Curve25519][~X25519~]]
68 key pair. See the [[https://age-encryption.org/v1][~age~ Version 1 specification]].
69
70 An ~ssh-rsa~ or ~ssh-ed25519~ SSH public key string may be used instead of
71 the bech32 public key string produced by ~age-keygen~ for convenience.
72
73 Help information for ~age~ is available by running ~$ age --help~.
74 ***** Encryption Commands
75 ****** Encryption through ~age~
76 In order to illustrate how ~bklog~ encrypts files, below is an example
77 command illustrating how ~age~ may be used to encrypt a file.
78
79 #+BEGIN_EXAMPLE
80 $ echo "asdf" | age -r \
81 age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
82 > "$HOME/secret_file"
83 #+END_EXAMPLE
84
85 The resulting ~secret-file~ is a binary blob with a plaintext header
86 indicating how the blob was encrypted (which version of age was used,
87 which public key was used).
88
89 ****** Encryption through ~bklog~
90 ~bklog~ may instructed to encrypt files via the ~-e~ and ~-r [pubkey
91 string]~ options. An example is shown below:
92
93 #+BEGIN_EXAMPLE
94 $ gpspipe -r | bklog -e \
95 -r age1kza7pfshy7xwygf9349zgmk7x53mquvedgw9r98qwyyqhssh830qqjzlsw \
96 -r age1ce3pvzrqfcn2pc6zqzglc8ac8yjk3fzukpy08cesqjjwns53xywqmaq7xw \
97 -r age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5 \
98 -o "$HOME/Location"
99 #+END_EXAMPLE
100
101 ~bklog~ may be instructed via the ~-e~ and ~-R~ options to watch a
102 directory in order to locate public key strings in its files. ~bklog~
103 reads the first line of each file and interprets it as a public key
104 string.
105
106 In this example, the strings beginning with ~age1...~ are
107 bech32-formatted public key strings. Please see the [[*Key Generation][Key Generation]]
108 section for an explanation.
109
110 Since ~age~ also accepts ~ssh~ public key strings, these may also be
111 used if they are of the following form (no comment).
112
113 : ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA…AACAQDLnJbPs7CjwPT+OxXd
114
115 ***** Decryption Commands
116 Files may be decrypted using a command similar to:
117
118 #+BEGIN_EXAMPLE
119 cat location.gpx.age | age -d -i key.txt > location.gpx
120 #+END_EXAMPLE
121
122 The version of ~age~ used to perform the encryption
123
124 ** Operating Procedures
125 *** Initial Startup
126 **** Physical Setup
127 The device should be supplied with 5V power and an SD card with the
128 latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
129 version 10 (e.g. Raspbian Buster 10).
130
131 No additional hardware (ex: GPS module, UPS module, thermocouples) is
132 required to perform actions described in this document
133
134 **** Software Setup
135 ***** Install Operating System
136 Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
137 Foundation [[https://www.raspberrypi.org/documentation/installation/installing-images/README.md][installation instructions]].
138
139 Note: "Raspberry Pi OS" is the name used by the Raspberry Pi
140 Foundation to refer to their operating system images to be installed
141 on Raspberry Pi hardware. The change was made in order to facilitate
142 education of beginners not familiar with the wordplay between
143 "Raspberry" and "Debian". See [[https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=275380&sid=1a468f226394ccddf4654a3d3d90cb7d#p1668466][this]] forum post made on 2020-05-28 by
144 plugwash.
145
146 ***** Configure Wireless
147 Configure WiFi in order to permit file transfer and remote
148 administration. For a Raspberry Pi W, the WiFi settings may be
149 programmed via a specific text file in the `boot` partition of a
150 freshly installed image of Raspberry OS. Raspberry Pi Foundation
151 instructions [[https://www.raspberrypi.org/documentation/configuration/wireless/headless.md][here]].
152
153 In summary, create a ~wpa_supplicant.conf~ file containing the
154 following text:
155 #+BEGIN_EXAMPLE
156 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
157 update_config=1
158 country=US
159
160 network={
161 ssid="<Name of your wireless LAN>"
162 psk="<Password for your wireless LAN>"
163 }
164 #+END_EXAMPLE
165
166 Replace ~<Name of your wireless LAN>~ with your WiFi network's SSID.
167
168 Replace ~<Password for your wireless LAN>~ with your WiFi network's
169 passphrase.
170 ***** Enable Remote SSH Login
171 Configure SSH to permit remote administration via the command line
172 interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
173
174 In summary, remote SSH access may be enabled upon initial startup of a
175 freshly installed image of Raspberry Pi OS by making sure an empty
176 file named ~ssh~ is present on the ~boot~ partition.
177
178 ***** Login via SSH
179 Assuming your router supports finding your Raspberry Pi via its
180 default hostname of `raspberypi`, log into the pi via Wi-Fi using the
181 following command:
182
183 : $ ssh pi@raspberrypi
184
185 Otherwise, you may have to identify the raspbery pi's IP address via
186 your network router's administration console and login via a command
187 resembling this:
188
189 : $ ssh pi@192.168.x.x
190
191 If you had previously set up a different raspberry pi that also used
192 the same hostname ~raspberrypi~ or the same IP address (ex:
193 ~192.168.123.123~), you may have to inform your computer that this is a
194 different device. You may do so using these commands:
195
196 : $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi"
197 : $ ssh-keygen -R 192.168.123.123
198
199 ***** Add SSH public key
200 If the use has an SSH public key, it may be added as a line in
201 ~~/.ssh/authorized_keys~.
202
203 Add the ~~/.ssh~ directory if it doesn't already exist.
204
205 : $ mkdir ~/.ssh
206
207 Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.
208
209 : $ chmod 700 ~/.ssh
210 : $ chmod 644 ~/.ssh/authorized_keys
211
212 ***** Change default passphrase
213 The default username is ~pi~ and the default passphrase is
214 ~raspberry~. Change them to something unique.
215
216 : $ passwd
217
218 ***** Update software
219 Update software with distribution repository.
220
221 : $ sudo apt update
222 : $ sudo apt upgrade -y
223 : $ sudo apt dist-upgrade -y
224
225 ***** Change time zone
226 The time zone should be set to "UTC" for simplicity.
227
228 : $ sudo raspi-config
229
230 Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.
231
232 ***** Update hostname
233 A unique hostname is required to uniquely identify the device on the
234 network.
235
236 Start up the Raspberry Pi Software Configuration Tool by running:
237 : $ sudo raspi-config
238
239 - Select `2 Network Options`
240 - Select `N1 Hostname`
241
242 This document recommends a hostname beginning with the prefix:
243 : ninfacyzga-1-
244
245 An example hostname would be ~ninfacyzga-1-2~.
246
247 ***** Install software
248 ****** ~unattended-upgrades~
249 Make sure to install the ~unattended-upgrades~ package to make sure
250 the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
251 for a description of how ~unattended-upgrades~ works.
252
253 : $ sudo apt install unattended-upgrades
254
255 The configuration file is located at:
256 ~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
257 following lines are present and not commented out.
258
259 #+BEGIN_EXAMPLE
260 Unattended-Upgrade::Automatic-Reboot "true";
261 #+END_EXAMPLE
262
263 ****** ~syncthing~
264 Install ~syncthing~ for log file transfer capability.
265
266 : $ sudo apt install syncthing
267
268 Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).
269
270 : $ sudo systemctl enable syncthing@pi.service
271 : $ sudo systemctl start syncthing@pi.service
272
273 The WebUI of the local instance of syncthing (port 8384) can be
274 accessed by running the following command from a separate machine:
275
276 : $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x
277
278 Then, the separate machine should navigate to ~localhost:8390~ in a
279 web browser in order to change the ninfacyzga-1 device's
280 configuration. The separate machine's Syncthing configuration options
281 are accessible via its own web browser via ~localhost:8384~.
282
283 ****** ~git~
284 ~git~ facilitates downloading files from this repository to the
285 device. It may be installed via:
286
287 : $ sudo apt install git
288
289 ****** ninfacyzga-01 git repository
290 Create the directory ~/git-OC/~ . Within this directory, run the
291 following commands to clone the ~ninfacyzga-01~ git repository:
292 : $ git clone https://zdv2.bktei.com/gitweb/ninfacyzga-01.git
293 : $ cd ninfacyzga-01
294
295 Check out the ~develop~ branch (if the latest changes are desired over
296 those of the ~master~ branch).
297 : $ git checkout --track origin/develop
298
299 ****** ~age~
300 ~age~ is required for encrypting data at rest.
301
302 Place ~age~ binary (the one compiled for ARM CPU architecture for
303 Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
304 ~exec~ directory.
305
306 : $ mkdir ~/.local/bin
307 : $ cp exec/age ~/.local/bin/
308
309 ***** Disable Swap File
310 Since standard Raspberry OS 10 install involves copying unencrypted
311 file system image to SD card which is mounted by the Raspberry Pi,
312 system memory may be written to disk in the form of a Swap file as
313 described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
314 is ever written to disk, swap file functionality must be
315 disabled[fn:ideaheap_20130731_disableswap].
316
317 Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
318 disabled persistently[fn:rpf_20190702_disableswappersist] by running
319 the following command:
320
321 : sudo systemctl disable dphys-swapfile.service
322
323 To view the status of the swap file in Raspbian 10, run ~free -m~:
324
325 #+BEGIN_EXAMPLE
326 pi@ninfacyzga-01:~$ free -m
327 total used free shared buff/cache available
328 Mem: 432 86 36 21 309 268
329 Swap: 99 0 99
330 #+END_EXAMPLE
331
332 After disabling the swap file and rebooting:
333
334 #+BEGIN_EXAMPLE
335 pi@ninfacyzga-01:~$ free -m
336 total used free shared buff/cache available
337 Mem: 432 89 214 3 128 289
338 Swap: 0 0 0
339 #+END_EXAMPLE
340
341 [fn:ideaheap_20130731_disableswap] Explanation:
342 https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/
343
344 [fn:rpf_20190702_disableswappersist] Persistant disabling of swap in
345 Raspbian 10 Buster:
346 https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
347
348 ***** Disable Bluetooth
349 In order to reduce power consumed by bluetooth transmissions,
350 bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]).
351
352 Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS
353 settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added:
354
355 #+BEGIN_EXAMPLE
356 # Disable Bluetooth
357 dtoverlay=disable-bt
358 #+END_EXAMPLE
359
360 The ~hciuart~ service is associated with bluetooth functionality via
361 UART which may conflict with location and time data provided via
362 ~/dev/ttyAMA0~. It should be disabled like so:
363
364 #+BEGIN_EXAMPLE
365 $ sudo systemctl disable hciuart
366 #+END_EXAMPLE
367
368 ***** Disable login console via serial port
369 Some ~ninfacyzga~ functions (location and time) require data transfer
370 via ~/dev/ttyAMA0~. In order to prevent serial login programs from
371 interfering with such functions, it is necessary to disable them.
372
373 Run the following commands to disable login via ~ttyAMA0~:
374
375 #+BEGIN_EXAMPLE
376 $ sudo systemctl stop serial-getty@ttyAMA0.service
377 $ sudo systemctl disable serial-getty@ttyAMA0.service
378 $ sudo systemctl disable hciuart
379 #+END_EXAMPLE
380
381 Modify ~/boot/cmdline.txt~ to remove the console:
382
383 #+BEGIN_EXAMPLE
384 $ sudo nano /boot/cmdline.txt
385 #+END_EXAMPLE
386
387 Remove ~console=serial0,115200~
388
389 ***** Log Transfer Configuration
390 Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
391 manual for how to set up a shared folder and add Ninfacyzga-01 as a
392 device. Syncthing's directory synchronization capability allows a
393 remote machine to delete files from Ninfacyzga-01 by deleting from the
394 shared folder that they both share.
395
396 When log files are removed from Ninfacyzga-01 is not within the scope
397 of this document.
398 ***** Key Generation
399 An ~age~ encryption key may be generated like so:
400 #+BEGIN_EXAMPLE
401 $ umask # Gets current umask
402 0022 # Note: This is the default umask for Raspbian 10
403 $ umask 066 # So key.txt will have no perms except for owner (you)
404 $ umask # Confirm umask set to 066
405 0066
406 $ age-keygen > key.txt
407 Public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
408 $ ls -al key.txt
409 -rw------- 1 baltakatei baltakatei 184 Jun 29 18:28 key.txt
410 $ umask 0022 # Return umask to default value
411 $ umask
412 0022
413 #+END_EXAMPLE
414
415 The resulting public/private keypair data looks like:
416 #+BEGIN_EXAMPLE
417 $ cat key.txt
418 # created: 2020-06-29T18:01:56Z
419 # public key: age1pu5usxm743sx7rf22985xv2f4s0luzv6r6yx4fa7p8c2zyvp9fvqus2xr5
420 AGE-SECRET-KEY-1NEUU5U2XGZGL9UYWNPU5DL99TGJJHFSN4F2E2WCCSDJJ6L5ZMLESNTVTU0
421 #+END_EXAMPLE
422
423 The file ~key.txt~ is not password-protected by default and should be
424 secured like an SSH public key should. The ~$ umask 066~ command run
425 before the ~$ age-keygen > key.txt~ command ensures ~key.txt~ will not
426 be readable, writeable, or executable to anyone except the owner
427 (you).
428
429 *** Normal Startup
430 *** Normal Operation
431 *** Normal Shutdown
432 *** Unscheduled Shutdown
433 *** End of Life Disposal
434 See [[file:../setup/README.org][Main Setup]] procedures.
435
436 LiPo batteries used by the PiZ Uptime 2.0 module should be disposed of
437 properly with their potential ignitability in mind, especially if they
438 are not fully discharged.
439
440 Consult your local municipality for its "E-Waste Disposal" (or
441 equivalent) policy. Metals used in the Raspberry Pi and related
442 components may be recycled.
443
444 Take extra precuation if lead solder was used in assembling the
445 electronics. Consumer electronics in early 21st century should use
446 lead-free solder.
447
448
449