From 52c65ec7f4016788cbbdefa0e6aeeaef349a974c Mon Sep 17 00:00:00 2001
From: KemoNine <kemonine@kemonine.info>
Date: Fri, 31 Jul 2020 23:05:51 +0000
Subject: [PATCH] Add initial development notes

---
 notes.txt | 702 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 702 insertions(+)
 create mode 100644 notes.txt

diff --git a/notes.txt b/notes.txt
new file mode 100644
index 0000000..2e0680f
--- /dev/null
+++ b/notes.txt
@@ -0,0 +1,702 @@
+########################################
+# IMPORTANT CONSIDERATIONS
+########################################
+
+This setup does NOT use SSL for anything. Use acme.sh + vhosts + nginx if you really wanna walk that path
+
+########################################
+# Setup environment
+########################################
+https://ubuntu.com/download/raspberry-pi/thank-you?version=20.04&architecture=arm64+raspi
+boot ubuntu server 64bit
+    ubuntu / ubuntu
+update to latest of everything
+apt update && apt install parted wget curl nano tmux vim htop iotop nload
+ip addr
+ssh into rpi
+
+########################################
+# Inspiration
+########################################
+
+https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-4#installation
+https://github.com/phortx/Raspberry-Pi-Setup-Guide
+
+########################################
+# Prep / install arch linux on micro sd card
+########################################
+
+parted /dev/sda
+mklabel msdos
+mkpart
+    p
+    [enter]
+    1
+    100M
+mkpart
+    p
+    [enter]
+    100M
+    -1
+set 1 boot on
+set 1 lba on
+q
+
+mkfs.vat /dev/sda1
+mkfs.btrfs /dev/sda2
+
+mkdir /mnt/arch
+mount -o nodiratime,noatime,compress /dev/sda2 /mnt/arch
+mkdir /mnt/arch/boot
+mount /dev/sda1 /mnt/arch/boot
+cd /mnt/arch
+wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-4-latest.tar.gz
+tar -xpf ArchLinuxARM-rpi-4-latest.tar.gz
+rm ArchLinuxARM-rpi-4-latest.tar.gz
+
+cat > /mnt/arch/boot/config.txt <<EOF
+# KmN: Borrowed some stuff from majaro
+# See /boot/overlays/README for all available options
+
+gpu_mem=512
+dtoverlay=miniuart-bt
+initramfs initramfs-linux.img followkernel
+disable_overscan=1
+
+#enable vc4
+dtoverlay=vc4-fkms-v3d
+max_framebuffers=1
+EOF
+
+nano -w /mnt/arch/boot/cmdline.txt
+    root=mmcblk0p2 rootflags=nodiratime,noatime,compress rw rootwait
+    remove kgdboc=ttyAMA0,115200 
+    
+
+parted /dev/sda
+set 1 boot on
+set 1 lba on
+set 2 lba on
+
+systemctl poweroff
+
+########################################
+# Arch setup finalization
+########################################
+
+swap micro sd cards
+
+boot into arch
+login as root with password root
+
+pacman-key --init
+pacman-key --populate archlinuxarm
+
+pacman -Syy
+pacman -Su
+systemctl reboot
+
+userdel alarm
+
+passwd
+
+sed -i 's/#Color/Color/' /etc/pacman.conf # Add color to pacman
+
+pacman -S openssh tmux nano vim htop iotop nload python python-pip wget curl git bash-completion p7zip exfat-utils man-db man-pages btrfs-progs sudo
+
+sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
+systemctl enable --now sshd
+systemctl restart sshd
+
+ip addr
+
+ln -sf /usr/share/zoneinfo/UTC /etc/localtime
+timedatectl set-local-rtc 0
+timedatectl set-ntp true
+echo LANG=en_US.UTF-8 > /etc/locale.conf
+sed -i "s/#en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen
+locale-gen
+nano -w /etc/hostname
+nano -w /etc/hosts
+
+########################################
+# Swap
+########################################
+
+mkdir /swap
+chattr +C /swap
+fallocate -l 1024M /swap/swap.1
+chmod 600 /swap/swap.1
+mkswap /swap/swap.1
+swapon /swap/swap.1
+echo 'vm.swappiness=1' > /etc/sysctl.d/99-sysctl.conf
+echo "/swap/swap.1 none swap defaults 0 0" >> /etc/fstab
+
+########################################
+# Tweak journald
+########################################
+
+mkdir /etc/systemd/journald.conf.d/
+cat > /etc/systemd/journald.conf.d/00-wall.conf <<EOF
+[Journal]
+ForwardToWall=no
+EOF
+cat > /etc/systemd/journald.conf.d/00-journal-size.conf <<EOF
+[Journal]
+SystemMaxUse=256M
+EOF
+cat > /etc/systemd/journald.conf.d/00-audit.conf <<EOF
+[Journal]
+Audit=no
+EOF
+cat > /etc/systemd/journald.conf.d/00-console.conf <<EOF
+[Journal]
+ForwardToConsole=no
+TTYPath=
+EOF
+systemctl restart systemd-journald
+systemctl mask systemd-journald-audit.socket
+nano -w /boot/cmdline.txt
+    add audit=0 at end of cmdline
+
+########################################
+# rpi tooling setup
+########################################
+
+sed -i "s/appendpath '\/usr\/bin'/appendpath '\/usr\/bin'\nappendpath '\/opt\/vc\/bin'/g" /etc/profile
+source /etc/profile
+
+
+pacman -S libnewt
+wget https://raw.github.com/chattama/raspi-config-archlinux/archlinux/raspi-config -O /usr/local/bin/raspi-config
+chmod a+x /usr/local/bin/raspi-config
+
+########################################
+# cpu power / governor
+########################################
+
+pacman -S cpupower
+sed -i "s/#governor='ondemand'/governor='powersave'/g" /etc/default/cpupower
+systemctl enable --now cpupower
+
+
+########################################
+# AUR package manager
+########################################
+
+pacman -S --needed base-devel go
+useradd yay -s /usr/bin/nologin
+mkdir /home/yay
+chown yay: -R /home/yay
+git clone https://aur.archlinux.org/yay.git /opt/yay
+chown yay: -R /opt/yay/
+cd /opt/yay
+cat > /etc/sudoers.d/yay <<EOF
+yay ALL=(ALL) NOPASSWD: ALL
+EOF
+chmod 600 /etc/sudoers.d/yay
+sudo -sHu yay makepkg -si
+cat >> ~/.bashrc <<EOF
+alias yay="/usr/bin/sudo -sHu yay /usr/bin/yay"
+EOF
+source ~/.bashrc
+
+########################################
+# prep for slideshow
+########################################
+
+# prep storage for pics
+btrfs subvolume create /tank
+btrfs subvolume create /tank/pictures
+# load pictures via rclone/syncthing/scp/etc
+
+# basic window manager stuffs for making feh work properly
+yay -S greetd cage xorg-server-xwayland
+systemctl enable --now greetd
+
+########################################
+# setup slide show app
+########################################
+
+pacman -S feh imagemagick ttf-dejavu
+# reload 86400 is to refresh the list of images daily -- tune for preferred number of seconds
+# slideshow-delay is number of seconds (as a float) between images ; tune accordingly
+useradd -s /usr/bin/nologin -m feh
+chmod a+rx /tank/pictures
+pacman -S acl
+setfacl -m "u:feh:rX" /tank/pictures
+setfacl -dm "u:feh:rX" /tank/pictures
+pacman -S incron
+cat > /etc/incron.d/feh <<EOF
+/tank/pictures IN_DELETE systemctl restart greetd
+EOF
+systemctl enable --now incrond
+cat > /usr/local/bin/feh-slideshow.sh <<EOF
+#!/bin/bash
+/usr/bin/feh --auto-zoom --borderless --fullscreen --hide-pointer --image-bg black --randomize --recursive \
+--slideshow-delay 300 --reload 86400 \
+--draw-tinted --draw-exif --draw-filename \
+--fontpath /usr/share/fonts/TTF/ --font DejaVuSansMono/10 \
+--verbose \
+/tank/pictures
+EOF
+chmod a+x /usr/local/bin/feh-slideshow.sh
+cat >> /etc/greetd/config.toml <<EOF
+[initial_session]
+command = "/usr/bin/cage /usr/local/bin/feh-slideshow.sh"
+user = "feh"
+EOF
+systemctl restart greetd
+
+########################################
+# email notifications via msmtp
+########################################
+
+pacman -S msmtp msmtp-mta
+
+cat > /etc/aliases <<EOF
+# Example aliases file
+
+# Send root to Joe and Jane
+root: user@domain.tld
+
+# Send cron to Mark
+cron: user@domain.tld
+
+# Send everything else to admin
+default: user@domain.tld
+EOF
+cat > /etc/msmtprc <<EOF
+# Accounts will inherit settings from this section
+defaults
+auth             on
+tls              on
+tls_trust_file   /etc/ssl/certs/ca-certificates.crt
+
+logfile        /var/log/msmtp.log
+
+from           user@domain.tld
+keepbcc        on
+
+account        piframe
+host           email.domain.tld
+port           587
+auth           on
+user           user@domain.tld
+password       apassword
+
+# Set a default account
+account default : piframe
+
+aliases /etc/aliases
+EOF
+
+########################################
+# Cron (needed for email output of backup jobs)
+########################################
+
+pacman -S cronie
+mkdir /etc/systemd/system/cronie.service.d
+cat > /etc/systemd/system/cronie.service.d/override.conf <<EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/crond -n -m '/usr/bin/msmtp -t'
+EOF
+systemctl daemon-reload
+systemctl enable --now cronie
+
+
+########################################
+# restic backups
+########################################
+
+pacman -S restic
+btrfs subvolume create /tank/backup
+restic init -r /tank/backup
+cat > /root/restic_backup.sh <<EOF
+#!/bin/bash
+
+MACHINE=picture-frame
+ZONE=root
+
+export RESTIC_REPOSITORY=/tank/backup/
+export RESTIC_PASSWORD=testing1234
+
+/usr/bin/restic backup -v -q \
+    --tag $MACHINE --tag $ZONE \
+    / \
+    --exclude /run \
+    --exclude /snapshots \
+    --exclude /tank \
+    --exclude /scratch \
+    --exclude /proc \
+    --exclude /sys \
+    --exclude /var/lib/schroot/mount \
+    --exclude /var/lib/docker \
+    --exclude /var/lib/lxcfs \
+    --exclude /mnt \
+    --exclude /root/.cache \
+
+/usr/bin/restic forget -v \
+    --tag $MACHINE --tag $ZONE \
+    --keep-daily=7 \
+    --keep-weekly=4 \
+    --keep-monthly=12 \
+    --keep-yearly 1
+
+# This can take a very, very long time
+/usr/bin/restic prune && /usr/bin/restic check
+EOF
+chmod a+x /root/restic_backup.sh
+crontab -e
+0 7 * * * /root/restic_backup.sh
+
+########################################
+# web based admin panel / dashboard / app
+########################################
+
+# Remote management on http://ip:9090
+pacman -S cockpit cockpit-pcp packagekit udisks2 networkmanager firewalld
+systemctl enable --now firewalld
+firewall-cmd --zone=public --permanent --add-port=9090/tcp
+firewall-cmd --zone=public --permanent --add-service=ssh
+firewall-cmd --reload
+systemctl enable --now NetworkManager
+systemctl enable --now cockpit.socket
+
+########################################
+# web server w/ useful links
+########################################
+
+pacman -S lighttpd
+mkdir /etc/lighttpd/conf.d
+echo "include \"/etc/lighttpd/conf.d/*.conf\"" >> /etc/lighttpd/lighttpd.conf
+mkdir /srv/http
+cat > /srv/http/index.html <<EOF
+<html>
+
+<head>
+<title>PiFrame</title>
+</head>
+
+<body>
+<p><a href="http://127.0.0.1:9090">CockPit Web Management</a></p>
+<p><a href="http://127.0.0.1:2812">Monit Monitoring</a></p>
+<p><a href="http://127.0.0.1:2813">Munin Monitoring</a></p>
+<p><a href="http://127.0.0.1:8384">Syncthing Admin Interface</a></p>
+<p><a href="http://127.0.0.1:9191">Picture File Browser</a></p>
+</body>
+</html>
+EOF
+firewall-cmd --zone=public --permanent --add-service=http
+firewall-cmd --zone=public --permanent --add-service=https
+firewall-cmd --reload
+systemctl enable --now lighttpd
+
+########################################
+# system monitoring
+########################################
+
+pacman -S monit
+mkdir /etc/monit.d
+nano -w /etc/monitrc
+    include /etc/monit.d/*
+    set httpd port 2812 and
+        use address 0.0.0.0  # only accept connection from localhost (drop if you use M/Monit)
+        allow admin:monit      # require user 'admin' with password 'monit'
+
+
+    set mailserver robomail.nusku.biz port 587
+               username "piframe@robomail.nusku.biz" password "r8QA6AEFaqtCdDjfvzY3gvsX"
+               using tls
+cat > /etc/monit.d/rootfs <<EOF
+check filesystem rootfs with path /
+    if space usage > 80% then alert
+EOF
+cat > /etc/monit.d/tankfs <<EOF
+check filesystem tankfs with path /tank
+    if space usage > 80% then alert
+EOF
+cat > /etc/monit.d/feh <<EOF
+check process feh matching /usr/bin/feh
+    start program = "/usr/bin/systemctl start greetd"
+    stop program = "/usr/bin/systemctl stop greetd"
+    if does not exist then alert
+    if does not exist for 2 cycles then restart
+EOF
+systemctl enable --now monit
+firewall-cmd --zone=public --permanent --add-port=2812/tcp
+firewall-cmd --reload
+
+
+########################################
+# system _resource_ monitoring
+########################################
+
+pacman -S munin perl-cgi-fast
+nano -w /etc/munin/munin.conf
+    graph_strategy cgi
+    html_strategy cron
+    [piframe]
+        address 127.0.0.1
+        use_node_name yes
+chown munin: /var/lib/munin/cgi-tmp
+chown munin: -R /usr/share/munin/www
+munin-node-configure --shell # activate useful plugins
+sudo -sHu munin munin-cron # prime munin data
+systemctl enable --now munin-node
+crontab /etc/munin/munin-cron-entry -u munin
+cat > /etc/lighttpd/lighttpd-munin.conf <<EOF
+# Apply the following tweaks to the /etc/munin/munin.conf file ahead of running lighttpd for munin
+## Use cgi rendering for graph and html
+#graph_strategy cgi
+#html_strategy cron
+
+server.username = "munin"
+server.groupname = "munin"
+
+server.document-root = "/srv/http"
+server.port = 2813
+
+server.errorlog         = "/var/log/munin/lighttpd-error.log"
+dir-listing.activate    = "disable"
+server.modules          = (
+                            "mod_access",
+                            "mod_accesslog",
+                            "mod_alias",
+                            "mod_rewrite",
+                            "mod_redirect",
+                            "mod_cgi",
+                            "mod_fastcgi",
+                            )
+server.follow-symlink = "enable"
+index-file.names = ( "index.html", "index.htm" )
+
+url.redirect += ( "^/*$" => "/munin/" )
+
+\$HTTP["url"] =~ "/munin-cgi/munin-cgi-graph" {
+  alias.url += ( "/munin-cgi/munin-cgi-graph" => "/usr/share/munin/cgi/munin-cgi-graph" )
+  cgi.assign = ( "" => "" )
+}
+
+#alias.url += ( "/munin/static" => "/etc/munin/static" )
+alias.url += ( "/munin" => "/usr/share/munin/www" )
+
+mimetype.assign         = (
+                                ".html" => "text/html",
+                                ".txt" => "text/plain",
+                                ".css" => "text/css",
+                                ".js" => "application/x-javascript",
+                                ".jpg" => "image/jpeg",
+                                ".jpeg" => "image/jpeg",
+                                ".gif" => "image/gif",
+                                ".png" => "image/png",
+                                "" => "application/octet-stream"
+                        )
+EOF
+cat > /etc/systemd/system/lighttpd-munin.service <<EOF
+[Unit]
+Description=Lighttpd Web Server (munin)
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+ExecStart=/usr/bin/lighttpd-angel -D -f /etc/lighttpd/lighttpd-munin.conf
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload
+systemctl enable --now lighttpd-munin
+firewall-cmd --zone=public --permanent --add-port=2813/tcp
+firewall-cmd --reload
+
+########################################
+# syncthing / rclone / web based file browser
+########################################
+
+curl https://rclone.org/install.sh | bash
+pacman -S syncthing
+touch /tank/pictures/.stfolder
+chown feh: /tank/pictures/.stfolder
+systemctl enable --now syncthing@feh.service # use feh user so perms are right for pics
+ssh -L 8385:127.0.0.1:8384 user@piframe
+http://localhost:8385
+Change settings
+    General
+        Minimum free disk space : 10%
+        Anonymous usage reporting : Disabled
+    GUI
+        Listen address : 0.0.0.0:8384
+        GUI Auth user : admin
+        GUI Auth password : apassword
+Delete default folder
+Add /tank/pictures folder
+Connect to upstream device w/ files you want to sync
+Setup picture sync as inbound only
+firewall-cmd --zone=public --permanent --add-port=8384/tcp
+firewall-cmd --zone=public --permanent --add-port=22000/tcp
+firewall-cmd --reload
+
+curl -fsSL https://filebrowser.org/get.sh | bash
+mkdir /home/feh/filebrowser
+filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
+    config init
+filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
+    config set --address 0.0.0.0
+filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
+    config set --port 9191
+filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
+    config set --branding.name "PiFrame - Pictures"
+filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
+    users add admin apassword
+chown feh: -R /home/feh/filebrowser
+firewall-cmd --zone=public --permanent --add-port=9191/tcp
+firewall-cmd --reload
+cat > /etc/systemd/system/filebrowser-pictures.service <<EOF
+[Unit]
+Description=Filebrowser - Pictures
+After=network.target
+
+[Service]
+User=feh
+PrivateTmp=true
+ExecStart=/usr/local/bin/filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db -r /tank/pictures --img-processors 1 --disable-thumbnails
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload
+systemctl enable --now filebrowser-pictures
+
+########################################
+# wifi setup
+########################################
+
+nmtui # final wifi config to keep wires to a minimum (COCKPIT SETUP REQUIRED)
+# use wifi-menu if not using network manger (network manager is part of cockpit setup)
+
+########################################
+# hdmi on/off commands
+########################################
+
+vcgencmd get_lcd_info
+vcgencmd display_power 0
+vcgencmd display_power 1
+
+########################################
+# schedule on/off of monitor
+########################################
+
+cat > /etc/systemd/system/screen-on.timer <<EOF
+[Unit]
+Description=Turn on display
+
+[Timer]
+OnCalendar=*-*-* 6:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+cat > /etc/systemd/system/screen-on.service <<EOF
+[Unit]
+Description=Turn on display
+
+[Service]
+Type=oneshot
+ExecStart=/opt/vc/bin/vcgencmd display_power 1
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+cat > /etc/systemd/system/screen-off.timer <<EOF
+[Unit]
+Description=Turn off display
+
+[Timer]
+OnCalendar=*-*-* 00:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+cat > /etc/systemd/system/screen-off.service <<EOF
+[Unit]
+Description=Turn off display
+
+[Service]
+Type=oneshot
+ExecStart=/opt/vc/bin/vcgencmd display_power 0
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl daemon-reload
+systemctl enable screen-on.timer
+systemctl enable screen-off.timer
+
+########################################
+# automatic updates (UNWISE)
+########################################
+
+auto updates (may be problematic given aur packages)
+https://bbs.archlinux.org/viewtopic.php?id=247428
+
+
+########################################
+# future : ambient light control
+########################################
+
+https://www.adafruit.com/product/4463
+https://www.adafruit.com/product/4681
+https://learn.adafruit.com/adafruit-bh1750-ambient-light-sensor/python-circuitpython
+https://www.raspberrypi.org/forums/viewtopic.php?t=145894
+http://www.ddcutil.com/building/
+http://www.ddcutil.com/raspberry/
+https://github.com/raspberrypi/linux/issues/3152
+
+tweak /boot/config.txt to have dtoverlay=vc4-kms-v3d instead of fkms
+pacman -S i2c-tools
+cat > /etc/modules-load.d/i2c.conf <<EOF
+i2c-dev
+EOF
+systemctl reboot
+lsmod | grep i2c
+ls /dev/i2c*
+i2cdetect -r -y 11
+
+pacman -S ddcutil
+ddcutil detect
+ddcutil capabilities
+ddcutil getcvp
+ddcutil setvcp
+ddcutil vcpinfo
+ddcutil dumpvcp
+
+
+########################################
+# future : human detection
+########################################
+
+https://www.sparkfun.com/products/14349
+https://www.sparkfun.com/products/15794
+https://learn.sparkfun.com/tutorials/qwiic-human-presence-sensor-ak9753-hookup-guide
+https://github.com/sparkfun/SparkFun_AK975x_Arduino_Library
+
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+! Misc Notes
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=24679
+
+eyyy, 2560x1600 @ 50hz via hdmi on a pi4 is working!
+
+hdmi_cvt=2560 1600 50 5 0 0 1
+hdmi_group=2
+hdmi_mode=88