X-Git-Url: https://zdv2.bktei.com/gitweb/EVA-2020-02.git/blobdiff_plain/19f49278d569eea18a1334238de9541c36fce4c9..a2ec72618651817bf625a991c790137e1603e568:/doc/setup/README.org diff --git a/doc/setup/README.org b/doc/setup/README.org index cc575b7..d4a6327 100644 --- a/doc/setup/README.org +++ b/doc/setup/README.org @@ -1,11 +1,11 @@ -#+TITLE:Ninfacyzga-01 Setup +#+TITLE:Ninfacyzga-1 Main Setup #+AUTHOR:Steven Baltakatei Sandoval #+EMAIL:baltakatei@gmail.com * Main Setup ** About This document created by [[http://baltakatei.com][Steven Baltakatei Sandoval]] on ~2020-10-07T18:39Z~ under a [[http://creativecommons.org/licenses/by-sa/4.0/][CC BY-SA 4.0]] license and last updated on -~2020-10-07T23:11Z~. +~2020-10-17T21:22Z~. This document contains information regarding setup of the ninfacyzga-01 hardware common to all operation modes. This includes: @@ -121,10 +121,16 @@ cat location.gpx.age | age -d -i key.txt > location.gpx The version of ~age~ used to perform the encryption - ** Operating Procedures *** Initial Startup **** Physical Setup +The device should be supplied with 5V power and an SD card with the +latest Raspberry Pi OS image installed. As of 2020-10-07, this will be +version 10 (e.g. Raspbian Buster 10). + +No additional hardware (ex: GPS module, UPS module, thermocouples) is +required to perform actions described in this document + **** Software Setup ***** Install Operating System Install Raspberry Pi OS onto an SD card image. See the Raspberry Pi @@ -161,7 +167,7 @@ Replace ~~ with your WiFi network's SSID. Replace ~~ with your WiFi network's passphrase. -***** Configure Remote SSH Login +***** Enable Remote SSH Login Configure SSH to permit remote administration via the command line interface. Raspberry Pi Foundation instructions [[https://www.raspberrypi.org/documentation/remote-access/ssh/README.md][here]]. 
@@ -169,6 +175,40 @@ In summary, remote SSH access may be enabled upon initial startup of a freshly installed image of Raspberry Pi OS by making sure an empty file named ~ssh~ is present on the ~boot~ partition. +***** Login via SSH +Assuming your router supports finding your Raspberry Pi via its +default hostname of `raspberypi`, log into the pi via Wi-Fi using the +following command: + +: $ ssh pi@raspberrypi + +Otherwise, you may have to identify the raspbery pi's IP address via +your network router's administration console and login via a command +resembling this: + +: $ ssh pi@192.168.x.x + +If you had previously set up a different raspberry pi that also used +the same hostname ~raspberrypi~ or the same IP address (ex: +~192.168.123.123~), you may have to inform your computer that this is a +different device. You may do so using these commands: + +: $ ssh-keygen -f ~/.ssh/known_hosts -R "raspberrypi" +: $ ssh-keygen -R 192.168.123.123 + +***** Add SSH public key +If the use has an SSH public key, it may be added as a line in +~~/.ssh/authorized_keys~. + +Add the ~~/.ssh~ directory if it doesn't already exist. + +: $ mkdir ~/.ssh + +Follow [[https://superuser.com/a/925859/][these]] directions to set permissions. + +: $ chmod 700 ~/.ssh +: $ chmod 644 ~/.ssh/authorized_keys + ***** Change default passphrase The default username is ~pi~ and the default passphrase is ~raspberry~. Change them to something unique. 
@@ -182,12 +222,36 @@ Update software with distribution repository. : $ sudo apt upgrade -y : $ sudo apt dist-upgrade -y +***** Change time zone +The time zone should be set to "UTC" for simplicity. + +: $ sudo raspi-config + +Navigate to ~4 Localisation Options~, ~I2 Change Time Zone~, ~None of the above~, ~UTC~. + +***** Update hostname +A unique hostname is required to uniquely identify the device on the +network. + +Start up the Raspberry Pi Software Configuration Tool by running: +: $ sudo raspi-config + +- Select `2 Network Options` +- Select `N1 Hostname` + +This document recommends a hostname beginning with the prefix: +: ninfacyzga-1- + +An example hostname would be ~ninfacyzga-1-2~. + ***** Install software ****** ~unattended-upgrades~ Make sure to install the ~unattended-upgrades~ package to make sure the latest security patches for packages are installed. See [[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][this page]] for a description of how ~unattended-upgrades~ works. +: $ sudo apt install unattended-upgrades + The configuration file is located at: ~/etc/apt/apt.conf.d/50unattended-upgrades~ ([[https://linux-audit.com/using-unattended-upgrades-on-debian-and-ubuntu/][ref]]). Make sure that the following lines are present and not commented out. 
@@ -201,8 +265,24 @@ Install ~syncthing~ for log file transfer capability. : $ sudo apt install syncthing +Enable automatic startup. (See [[https://docs.syncthing.net/users/autostart.html][ref]]). + +: $ sudo systemctl enable syncthing@pi.service +: $ sudo systemctl start syncthing@pi.service + +The WebUI of the local instance of syncthing (port 8384) can be +accessed by running the following command from a separate machine: + +: $ ssh -L 127.0.0.1:8390:127.0.0.1:8384 pi@ninfacyzga-1-x + +Then, the separate machine should navigate to ~localhost:8390~ in a +web browser in order to change the ninfacyzga-1 device's +configuration. The separate machine's Syncthing configuration options +are accessible via its own web browser via ~localhost:8384~. + ****** ~git~ -Install ~git~ for downloading this repository to the device. +~git~ facilitates downloading files from this repository to the +device. It may be installed via: : $ sudo apt install git 
@@ -217,17 +297,22 @@ those of the ~master~ branch). : $ git checkout --track origin/develop ****** ~age~ +~age~ is required for encrypting data at rest. + Place ~age~ binary (the one compiled for ARM CPU architecture for Linux) in ~$HOME/.local/bin~. A copy of binary may be found within the ~exec~ directory. +: $ mkdir ~/.local/bin +: $ cp exec/age ~/.local/bin/ + ***** Disable Swap File -Since standard Raspbian 10 (Buster) install involves copying -unencrypted file system image to SD card which is mounted by the -Raspberry Pi, system memory may be written to disk in the form of a -Swap file as described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that -location log data is ever written to disk, swap file functionality -must be disabled[fn:ideaheap_20130731_disableswap]. +Since standard Raspberry OS 10 install involves copying unencrypted +file system image to SD card which is mounted by the Raspberry Pi, +system memory may be written to disk in the form of a Swap file as +described [[https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/][here]]. In order to reduce the chance that location log data +is ever written to disk, swap file functionality must be +disabled[fn:ideaheap_20130731_disableswap]. Raspbian 10 uses dphys-swapfile to manage a swap file. It may be disabled persistently[fn:rpf_20190702_disableswappersist] by running 
@@ -260,6 +345,47 @@ https://ideaheap.com/2013/07/stopping-sd-card-corruption-on-a-raspberry-pi/ Raspbian 10 Buster: https://www.raspberrypi.org/forums/viewtopic.php?p=1490692&sid=5c596a124b7805d6b10dab8d3d7caf16#p1490692 +***** Disable Bluetooth +In order to reduce power consumed by bluetooth transmissions, +bluetooth functionality should be disabled (see [[https://di-marco.net/blog/it/2020-04-18-tips-disabling_bluetooth_on_raspberry_pi/][link]]). + +Modify the ~/boot/config.txt~ file (the Pi's equivalent to BIOS +settings; see [[https://www.raspberrypi.org/documentation/configuration/config-txt/][link]]) to make sure the following lines are added: + +#+BEGIN_EXAMPLE +# Disable Bluetooth +dtoverlay=disable-bt +#+END_EXAMPLE + +The ~hciuart~ service is associated with bluetooth functionality via +UART which may conflict with location and time data provided via +~/dev/ttyAMA0~. It should be disabled like so: + +#+BEGIN_EXAMPLE +$ sudo systemctl disable hciuart +#+END_EXAMPLE + +***** Disable login console via serial port +Some ~ninfacyzga~ functions (location and time) require data transfer +via ~/dev/ttyAMA0~. In order to prevent serial login programs from +interfering with such functions, it is necessary to disable them. + +Run the following commands to disable login via ~ttyAMA0~: + +#+BEGIN_EXAMPLE +$ sudo systemctl stop serial-getty@ttyAMA0.service +$ sudo systemctl disable serial-getty@ttyAMA0.service +$ sudo systemctl disable hciuart +#+END_EXAMPLE + +Modify ~/boot/cmdline.txt~ to remove the console: + +#+BEGIN_EXAMPLE +$ sudo nano /boot/cmdline.txt +#+END_EXAMPLE + +Remove ~console=serial0,115200~ + ***** Log Transfer Configuration Log files may be shared to other machines via ~syncthing~. See [[https://docs.syncthing.net/][this]] manual for how to set up a shared folder and add Ninfacyzga-01 as a
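Review bot: in the @@ -1,11 +1,11 @@ hunk, the new title "Ninfacyzga-1 Main Setup" disagrees with the unchanged body text a few lines below it, which still says "ninfacyzga-01 hardware" (the context at the end of the last hunk also still says "Ninfacyzga-01"). Pick one spelling of the device name and use it throughout, since a later hunk builds the recommended hostname prefix "ninfacyzga-1-" from it.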
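Review bot: in the "Physical Setup" text added by the @@ -121,10 +121,16 @@ hunk, "the latest Raspberry Pi OS image" and "version 10" will drift apart once a newer release is out; state which release the procedure was actually tested on, and use "i.e." rather than "e.g." if version 10 is the requirement. The sentence ending "required to perform actions described in this document" is also missing its final period.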
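Review bot: in the "Add SSH public key" section added by the @@ -169,6 +175,40 @@ hunk, "chmod 644 ~/.ssh/authorized_keys" is run on a file that no step has created, and "mkdir ~/.ssh" errors out when the directory already exists, which is the case the sentence above it is written for. Suggest "mkdir -p ~/.ssh", an explicit step that appends the public key to the file, and mode 600 instead of 644 so the file is readable only by its owner. In "Login via SSH", the "ssh-keygen -R" step should tell the reader to confirm that the host really was reinstalled or replaced before discarding the stored key, and the two invocations should use the same form (one passes "-f ~/.ssh/known_hosts", the other does not). Typos: "raspberypi", "raspbery pi's", "If the use has"; the hostname is also quoted with backticks where the rest of the file uses org "~" markup.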
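Review bot: in the "Update hostname" list added by the @@ -182,12 +222,36 @@ hunk, the menu entries are quoted with Markdown backticks (`2 Network Options`, `N1 Hostname`), which org-mode does not treat as markup; the "Change time zone" section in the same hunk uses "~...~" for the same kind of item. The numbered raspi-config menu paths are also tied to one raspi-config release, so consider naming the entries without their numbers or recording the version they were read from. The recommended prefix "ninfacyzga-1-" does not match the "ninfacyzga-01" spelling used elsewhere in the file.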
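Review bot: the "syncthing@pi.service" unit and the "pi@ninfacyzga-1-x" login added by the @@ -201,8 +265,24 @@ hunk hard-code the "pi" account, while the "Change default passphrase" section tells the reader to change the default username and passphrase "to something unique". Write the unit instance and the SSH target with a placeholder for the account name, or state that the "pi" username is kept. The "x" in "ninfacyzga-1-x" should be introduced as a placeholder for the device's own hostname suffix. Since the forward is bound to 127.0.0.1 on both ends, a sentence saying the WebUI is meant to be reached only through the SSH tunnel would make that intent explicit.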
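Review bot: in the "age" section of the @@ -217,17 +297,22 @@ hunk, "mkdir ~/.local/bin" fails when "~/.local" does not exist yet; use "mkdir -p ~/.local/bin". "cp exec/age ~/.local/bin/" only works from the repository root, so say which directory to run it from, and since this is a prebuilt binary that handles the encryption, record the expected version and a checksum to verify before copying. The rewrapped swap paragraph now says "Raspberry OS 10" while the unchanged line after it still says "Raspbian 10"; use the product name from the "Physical Setup" section, "Raspberry Pi OS".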
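Review bot: "sudo systemctl disable hciuart" appears twice in the @@ -260,6 +345,47 @@ hunk, once under "Disable Bluetooth" and again under "Disable login console via serial port"; keep it in one place and cross-reference it. Unlike the serial-getty steps, it is not paired with a "systemctl stop", and neither section says that the edits to /boot/config.txt and /boot/cmdline.txt take effect only after a reboot. For the cmdline.txt step, note that the file must stay a single line after "console=serial0,115200" is removed.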