-#+TITLE:Ninfacyzga-01 Setup
+#+TITLE:Ninfacyzga-1 Main Setup
#+AUTHOR:Steven Baltakatei Sandoval
#+EMAIL:baltakatei@gmail.com
* Main Setup
** About
This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on
~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on
-~2020-10-07T23:11Z~.
+~2020-10-17T21:22Z~.
This document contains information regarding setup of the
ninfacyzga-01 hardware common to all operation modes. This includes:
The version of ~age~ used to perform the encryption
-
** Operating Procedures
*** Initial Startup
**** Physical Setup
+The device should be supplied with 5V power and an SD card with the
+latest Raspberry Pi OS image installed. As of 2020-10-07, this will be
+version 10 (e.g. Raspbian Buster 10).
+
+No additional hardware (ex: GPS module, UPS module, thermocouples) is
+required to perform actions described in this document
+
**** Software Setup
***** Install Operating System
Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi
Replace ~<Password for your wireless LAN>~ with your WiFi network's
passphrase.
-***** Configure Remote SSH Login
+***** Enable Remote SSH Login
Configure SSH to permit remote administration via the command line
interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]].
freshly installed image of Raspberry Pi OS by making sure an empty
file named ~ssh~ is present on the ~boot~ partition.
+***** Login via SSH
+Assuming your router supports finding your Raspberry Pi via its
+default hostname of `raspberypi`, log into the pi via Wi-Fi using the
+following command:
+
+: $ ssh pi@raspberrypi
+
+Otherwise, you may have to identify the raspbery pi's IP address via
+your network router's administration console and login via a command
+resembling this:
+
+: $ ssh pi@192.168.x.x
+
+If you had previously set up a different raspberry pi that also used
+the same hostname ~raspberrypi~ or the same IP address (ex:
+~192.168.123.123~), you may have to inform your computer that this is a
+different device. You may do so using these commands:
+
+: $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi"
+: $ ssh-keygen -R 192.168.123.123
+
+***** Add SSH public key
+If the use has an SSH public key, it may be added as a line in
+~~/.ssh/authorized_keys~.
+
+Add the ~~/.ssh~ directory if it doesn't already exist.
+
+: $ mkdir ~/.ssh
+
+Follow [[https://superuser.com/a/925859/][these]] directions to set permissions.
+
+: $ chmod 700 ~/.ssh
+: $ chmod 644 ~/.ssh/authorized_keys
+
***** Change default passphrase
The default username is ~pi~ and the default passphrase is
~raspberry~. Change them to something unique.
: $ sudo apt upgrade -y
: $ sudo apt dist-upgrade -y
+***** Change time zone
+The time zone should be set to "UTC" for simplicity.
+
+: $ sudo raspi-config
+
+Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~.
+
+***** Update hostname
+A unique hostname is required to uniquely identify the device on the
+network.
+
+Start up the Raspberry Pi Software Configuration Tool by running:
+: $ sudo raspi-config
+
+- Select `2 Network Options`
+- Select `N1 Hostname`
+
+This document recommends a hostname beginning with the prefix:
+: ninfacyzga-1-
+
+An example hostname would be ~ninfacyzga-1-2~.
+
***** Install software
****** ~unattended-upgrades~
Make sure to install the ~unattended-upgrades~ package to make sure
the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]]
for a description of how ~unattended-upgrades~ works.
+: $ sudo apt install unattended-upgrades
+
The configuration file is located at:
~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the
following lines are present and not commented out.
: $ sudo apt install syncthing
+Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]).
+
+: $ sudo systemctl enable syncthing@pi.service
+: $ sudo systemctl start syncthing@pi.service
+
+The WebUI of the local instance of syncthing (port 8384) can be
+accessed by running the following command from a separate machine:
+
+: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x
+
+Then, the separate machine should navigate to ~localhost:8390~ in a
+web browser in order to change the ninfacyzga-1 device's
+configuration. The separate machine's Syncthing configuration options
+are accessible via its own web browser via ~localhost:8384~.
+
****** ~git~
-Install ~git~ for downloading this repository to the device.
+~git~ facilitates downloading files from this repository to the
+device. It may be installed via:
: $ sudo apt install git
: $ git checkout --track origin/develop
****** ~age~
+~age~ is required for encrypting data at rest.
+
Place ~age~ binary (the one compiled for ARM CPU architecture for
Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the
~exec~ directory.
+: $ mkdir ~/.local/bin
+: $ cp exec/age ~/.local/bin/
+
***** Disable Swap File
-Since standard Raspbian 10 (Buster) install involves copying
-unencrypted file system image to SD card which is mounted by the
-Raspberry Pi, system memory may be written to disk in the form of a
-Swap file as described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that
-location log data is ever written to disk, swap file functionality
-must be disabled[fn:ideaheap_20130731_disableswap].
+Since standard Raspberry OS 10 install involves copying unencrypted
+file system image to SD card which is mounted by the Raspberry Pi,
+system memory may be written to disk in the form of a Swap file as
+described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data
+is ever written to disk, swap file functionality must be
+disabled[fn:ideaheap_20130731_disableswap].
Raspbian 10 uses dphys-swapfile to manage a swap file. It may be
disabled persistently[fn:rpf_20190702_disableswappersist] by running
Raspbian 10 Buster:
https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692
+***** Disable Bluetooth
+In order to reduce power consumed by bluetooth transmissions,
+bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]).
+
+Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS
+settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added:
+
+#+BEGIN_EXAMPLE
+# Disable Bluetooth
+dtoverlay=disable-bt
+#+END_EXAMPLE
+
+The ~hciuart~ service is associated with bluetooth functionality via
+UART which may conflict with location and time data provided via
+~/dev/ttyAMA0~. It should be disabled like so:
+
+#+BEGIN_EXAMPLE
+$ sudo systemctl disable hciuart
+#+END_EXAMPLE
+
+***** Disable login console via serial port
+Some ~ninfacyzga~ functions (location and time) require data transfer
+via ~/dev/ttyAMA0~. In order to prevent serial login programs from
+interfering with such functions, it is necessary to disable them.
+
+Run the following commands to disable login via ~ttyAMA0~:
+
+#+BEGIN_EXAMPLE
+$ sudo systemctl stop serial-getty@ttyAMA0.service
+$ sudo systemctl disable serial-getty@ttyAMA0.service
+$ sudo systemctl disable hciuart
+#+END_EXAMPLE
+
+Modify ~/boot/cmdline.txt~ to remove the console:
+
+#+BEGIN_EXAMPLE
+$ sudo nano /boot/cmdline.txt
+#+END_EXAMPLE
+
+Remove ~console=serial0,115200~
+
***** Log Transfer Configuration
Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]]
manual for how to set up a shared folder and add Ninfacyzga-01 as a
projects / EVA-2020-02.git / blobdiff