Add initial development notes

This commit is contained in:
KemoNine 2020-07-31 23:05:51 +00:00
parent 72e9a0ed73
commit 52c65ec7f4

702
notes.txt Normal file
View file

@ -0,0 +1,702 @@
########################################
# IMPORTANT CONSIDERATIONS
########################################
This setup does NOT use SSL for anything. Use acme.sh + vhosts + nginx if you really wanna walk that path
########################################
# Setup environment
########################################
https://ubuntu.com/download/raspberry-pi/thank-you?version=20.04&architecture=arm64+raspi
boot ubuntu server 64bit
ubuntu / ubuntu
update to latest of everything
apt update && apt install parted wget curl nano tmux vim htop iotop nload
ip addr
ssh into rpi
########################################
# Inspiration
########################################
https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-4#installation
https://github.com/phortx/Raspberry-Pi-Setup-Guide
########################################
# Prep / install arch linux on micro sd card
########################################
parted /dev/sda
mklabel msdos
mkpart
p
[enter]
1
100M
mkpart
p
[enter]
100M
-1
set 1 boot on
set 1 lba on
q
mkfs.vat /dev/sda1
mkfs.btrfs /dev/sda2
mkdir /mnt/arch
mount -o nodiratime,noatime,compress /dev/sda2 /mnt/arch
mkdir /mnt/arch/boot
mount /dev/sda1 /mnt/arch/boot
cd /mnt/arch
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-4-latest.tar.gz
tar -xpf ArchLinuxARM-rpi-4-latest.tar.gz
rm ArchLinuxARM-rpi-4-latest.tar.gz
cat > /mnt/arch/boot/config.txt <<EOF
# KmN: Borrowed some stuff from majaro
# See /boot/overlays/README for all available options
gpu_mem=512
dtoverlay=miniuart-bt
initramfs initramfs-linux.img followkernel
disable_overscan=1
#enable vc4
dtoverlay=vc4-fkms-v3d
max_framebuffers=1
EOF
nano -w /mnt/arch/boot/cmdline.txt
root=mmcblk0p2 rootflags=nodiratime,noatime,compress rw rootwait
remove kgdboc=ttyAMA0,115200
parted /dev/sda
set 1 boot on
set 1 lba on
set 2 lba on
systemctl poweroff
########################################
# Arch setup finalization
########################################
swap micro sd cards
boot into arch
login as root with password root
pacman-key --init
pacman-key --populate archlinuxarm
pacman -Syy
pacman -Su
systemctl reboot
userdel alarm
passwd
sed -i 's/#Color/Color/' /etc/pacman.conf # Add color to pacman
pacman -S openssh tmux nano vim htop iotop nload python python-pip wget curl git bash-completion p7zip exfat-utils man-db man-pages btrfs-progs sudo
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
systemctl enable --now sshd
systemctl restart sshd
ip addr
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
timedatectl set-local-rtc 0
timedatectl set-ntp true
echo LANG=en_US.UTF-8 > /etc/locale.conf
sed -i "s/#en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen
locale-gen
nano -w /etc/hostname
nano -w /etc/hosts
########################################
# Swap
########################################
mkdir /swap
chattr +C /swap
fallocate -l 1024M /swap/swap.1
chmod 600 /swap/swap.1
mkswap /swap/swap.1
swapon /swap/swap.1
echo 'vm.swappiness=1' > /etc/sysctl.d/99-sysctl.conf
echo "/swap/swap.1 none swap defaults 0 0" >> /etc/fstab
########################################
# Tweak journald
########################################
mkdir /etc/systemd/journald.conf.d/
cat > /etc/systemd/journald.conf.d/00-wall.conf <<EOF
[Journal]
ForwardToWall=no
EOF
cat > /etc/systemd/journald.conf.d/00-journal-size.conf <<EOF
[Journal]
SystemMaxUse=256M
EOF
cat > /etc/systemd/journald.conf.d/00-audit.conf <<EOF
[Journal]
Audit=no
EOF
cat > /etc/systemd/journald.conf.d/00-console.conf <<EOF
[Journal]
ForwardToConsole=no
TTYPath=
EOF
systemctl restart systemd-journald
systemctl mask systemd-journald-audit.socket
nano -w /boot/cmdline.txt
add audit=0 at end of cmdline
########################################
# rpi tooling setup
########################################
sed -i "s/appendpath '\/usr\/bin'/appendpath '\/usr\/bin'\nappendpath '\/opt\/vc\/bin'/g" /etc/profile
source /etc/profile
pacman -S libnewt
wget https://raw.github.com/chattama/raspi-config-archlinux/archlinux/raspi-config -O /usr/local/bin/raspi-config
chmod a+x /usr/local/bin/raspi-config
########################################
# cpu power / governor
########################################
pacman -S cpupower
sed -i "s/#governor='ondemand'/governor='powersave'/g" /etc/default/cpupower
systemctl enable --now cpupower
########################################
# AUR package manager
########################################
pacman -S --needed base-devel go
useradd yay -s /usr/bin/nologin
mkdir /home/yay
chown yay: -R /home/yay
git clone https://aur.archlinux.org/yay.git /opt/yay
chown yay: -R /opt/yay/
cd /opt/yay
cat > /etc/sudoers.d/yay <<EOF
yay ALL=(ALL) NOPASSWD: ALL
EOF
chmod 600 /etc/sudoers.d/yay
sudo -sHu yay makepkg -si
cat >> ~/.bashrc <<EOF
alias yay="/usr/bin/sudo -sHu yay /usr/bin/yay"
EOF
source ~/.bashrc
########################################
# prep for slideshow
########################################
# prep storage for pics
btrfs subvolume create /tank
btrfs subvolume create /tank/pictures
# load pictures via rclone/syncthing/scp/etc
# basic window manager stuffs for making feh work properly
yay -S greetd cage xorg-server-xwayland
systemctl enable --now greetd
########################################
# setup slide show app
########################################
pacman -S feh imagemagick ttf-dejavu
# reload 86400 is to refresh the list of images daily -- tune for preferred number of seconds
# slideshow-delay is number of seconds (as a float) between images ; tune accordingly
useradd -s /usr/bin/nologin -m feh
chmod a+rx /tank/pictures
pacman -S acl
setfacl -m "u:feh:rX" /tank/pictures
setfacl -dm "u:feh:rX" /tank/pictures
pacman -S incron
cat > /etc/incron.d/feh <<EOF
/tank/pictures IN_DELETE systemctl restart greetd
EOF
systemctl enable --now incrond
cat > /usr/local/bin/feh-slideshow.sh <<EOF
#!/bin/bash
/usr/bin/feh --auto-zoom --borderless --fullscreen --hide-pointer --image-bg black --randomize --recursive \
--slideshow-delay 300 --reload 86400 \
--draw-tinted --draw-exif --draw-filename \
--fontpath /usr/share/fonts/TTF/ --font DejaVuSansMono/10 \
--verbose \
/tank/pictures
EOF
chmod a+x /usr/local/bin/feh-slideshow.sh
cat >> /etc/greetd/config.toml <<EOF
[initial_session]
command = "/usr/bin/cage /usr/local/bin/feh-slideshow.sh"
user = "feh"
EOF
systemctl restart greetd
########################################
# email notifications via msmtp
########################################
pacman -S msmtp msmtp-mta
cat > /etc/aliases <<EOF
# Example aliases file
# Send root to Joe and Jane
root: user@domain.tld
# Send cron to Mark
cron: user@domain.tld
# Send everything else to admin
default: user@domain.tld
EOF
cat > /etc/msmtprc <<EOF
# Accounts will inherit settings from this section
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
from user@domain.tld
keepbcc on
account piframe
host email.domain.tld
port 587
auth on
user user@domain.tld
password apassword
# Set a default account
account default : piframe
aliases /etc/aliases
EOF
########################################
# Cron (needed for email output of backup jobs)
########################################
pacman -S cronie
mkdir /etc/systemd/system/cronie.service.d
cat > /etc/systemd/system/cronie.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/crond -n -m '/usr/bin/msmtp -t'
EOF
systemctl daemon-reload
systemctl enable --now cronie
########################################
# restic backups
########################################
pacman -S restic
btrfs subvolume create /tank/backup
restic init -r /tank/backup
cat > /root/restic_backup.sh <<EOF
#!/bin/bash
MACHINE=picture-frame
ZONE=root
export RESTIC_REPOSITORY=/tank/backup/
export RESTIC_PASSWORD=testing1234
/usr/bin/restic backup -v -q \
--tag $MACHINE --tag $ZONE \
/ \
--exclude /run \
--exclude /snapshots \
--exclude /tank \
--exclude /scratch \
--exclude /proc \
--exclude /sys \
--exclude /var/lib/schroot/mount \
--exclude /var/lib/docker \
--exclude /var/lib/lxcfs \
--exclude /mnt \
--exclude /root/.cache \
/usr/bin/restic forget -v \
--tag $MACHINE --tag $ZONE \
--keep-daily=7 \
--keep-weekly=4 \
--keep-monthly=12 \
--keep-yearly 1
# This can take a very, very long time
/usr/bin/restic prune && /usr/bin/restic check
EOF
chmod a+x /root/restic_backup.sh
crontab -e
0 7 * * * /root/restic_backup.sh
########################################
# web based admin panel / dashboard / app
########################################
# Remote management on http://ip:9090
pacman -S cockpit cockpit-pcp packagekit udisks2 networkmanager firewalld
systemctl enable --now firewalld
firewall-cmd --zone=public --permanent --add-port=9090/tcp
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --reload
systemctl enable --now NetworkManager
systemctl enable --now cockpit.socket
########################################
# web server w/ useful links
########################################
pacman -S lighttpd
mkdir /etc/lighttpd/conf.d
echo "include \"/etc/lighttpd/conf.d/*.conf\"" >> /etc/lighttpd/lighttpd.conf
mkdir /srv/http
cat > /srv/http/index.html <<EOF
<html>
<head>
<title>PiFrame</title>
</head>
<body>
<p><a href="http://127.0.0.1:9090">CockPit Web Management</a></p>
<p><a href="http://127.0.0.1:2812">Monit Monitoring</a></p>
<p><a href="http://127.0.0.1:2813">Munin Monitoring</a></p>
<p><a href="http://127.0.0.1:8384">Syncthing Admin Interface</a></p>
<p><a href="http://127.0.0.1:9191">Picture File Browser</a></p>
</body>
</html>
EOF
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
systemctl enable --now lighttpd
########################################
# system monitoring
########################################
pacman -S monit
mkdir /etc/monit.d
nano -w /etc/monitrc
include /etc/monit.d/*
set httpd port 2812 and
use address 0.0.0.0 # only accept connection from localhost (drop if you use M/Monit)
allow admin:monit # require user 'admin' with password 'monit'
set mailserver robomail.nusku.biz port 587
username "piframe@robomail.nusku.biz" password "r8QA6AEFaqtCdDjfvzY3gvsX"
using tls
cat > /etc/monit.d/rootfs <<EOF
check filesystem rootfs with path /
if space usage > 80% then alert
EOF
cat > /etc/monit.d/tankfs <<EOF
check filesystem tankfs with path /tank
if space usage > 80% then alert
EOF
cat > /etc/monit.d/feh <<EOF
check process feh matching /usr/bin/feh
start program = "/usr/bin/systemctl start greetd"
stop program = "/usr/bin/systemctl stop greetd"
if does not exist then alert
if does not exist for 2 cycles then restart
EOF
systemctl enable --now monit
firewall-cmd --zone=public --permanent --add-port=2812/tcp
firewall-cmd --reload
########################################
# system _resource_ monitoring
########################################
pacman -S munin perl-cgi-fast
nano -w /etc/munin/munin.conf
graph_strategy cgi
html_strategy cron
[piframe]
address 127.0.0.1
use_node_name yes
chown munin: /var/lib/munin/cgi-tmp
chown munin: -R /usr/share/munin/www
munin-node-configure --shell # activate useful plugins
sudo -sHu munin munin-cron # prime munin data
systemctl enable --now munin-node
crontab /etc/munin/munin-cron-entry -u munin
cat > /etc/lighttpd/lighttpd-munin.conf <<EOF
# Apply the following tweaks to the /etc/munin/munin.conf file ahead of running lighttpd for munin
## Use cgi rendering for graph and html
#graph_strategy cgi
#html_strategy cron
server.username = "munin"
server.groupname = "munin"
server.document-root = "/srv/http"
server.port = 2813
server.errorlog = "/var/log/munin/lighttpd-error.log"
dir-listing.activate = "disable"
server.modules = (
"mod_access",
"mod_accesslog",
"mod_alias",
"mod_rewrite",
"mod_redirect",
"mod_cgi",
"mod_fastcgi",
)
server.follow-symlink = "enable"
index-file.names = ( "index.html", "index.htm" )
url.redirect += ( "^/*$" => "/munin/" )
\$HTTP["url"] =~ "/munin-cgi/munin-cgi-graph" {
alias.url += ( "/munin-cgi/munin-cgi-graph" => "/usr/share/munin/cgi/munin-cgi-graph" )
cgi.assign = ( "" => "" )
}
#alias.url += ( "/munin/static" => "/etc/munin/static" )
alias.url += ( "/munin" => "/usr/share/munin/www" )
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
".css" => "text/css",
".js" => "application/x-javascript",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".gif" => "image/gif",
".png" => "image/png",
"" => "application/octet-stream"
)
EOF
cat > /etc/systemd/system/lighttpd-munin.service <<EOF
[Unit]
Description=Lighttpd Web Server (munin)
After=syslog.target network.target
[Service]
PrivateTmp=true
ExecStart=/usr/bin/lighttpd-angel -D -f /etc/lighttpd/lighttpd-munin.conf
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now lighttpd-munin
firewall-cmd --zone=public --permanent --add-port=2813/tcp
firewall-cmd --reload
########################################
# syncthing / rclone / web based file browser
########################################
curl https://rclone.org/install.sh | bash
pacman -S syncthing
touch /tank/pictures/.stfolder
chown feh: /tank/pictures/.stfolder
systemctl enable --now syncthing@feh.service # use feh user so perms are right for pics
ssh -L 8385:127.0.0.1:8384 user@piframe
http://localhost:8385
Change settings
General
Minimum free disk space : 10%
Anonymous usage reporting : Disabled
GUI
Listen address : 0.0.0.0:8384
GUI Auth user : admin
GUI Auth password : apassword
Delete default folder
Add /tank/pictures folder
Connect to upstream device w/ files you want to sync
Setup picture sync as inbound only
firewall-cmd --zone=public --permanent --add-port=8384/tcp
firewall-cmd --zone=public --permanent --add-port=22000/tcp
firewall-cmd --reload
curl -fsSL https://filebrowser.org/get.sh | bash
mkdir /home/feh/filebrowser
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
config init
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
config set --address 0.0.0.0
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
config set --port 9191
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
config set --branding.name "PiFrame - Pictures"
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
users add admin apassword
chown feh: -R /home/feh/filebrowser
firewall-cmd --zone=public --permanent --add-port=9191/tcp
firewall-cmd --reload
cat > /etc/systemd/system/filebrowser-pictures.service <<EOF
[Unit]
Description=Filebrowser - Pictures
After=network.target
[Service]
User=feh
PrivateTmp=true
ExecStart=/usr/local/bin/filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db -r /tank/pictures --img-processors 1 --disable-thumbnails
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now filebrowser-pictures
########################################
# wifi setup
########################################
nmtui # final wifi config to keep wires to a minimum (COCKPIT SETUP REQUIRED)
# use wifi-menu if not using network manger (network manager is part of cockpit setup)
########################################
# hdmi on/off commands
########################################
vcgencmd get_lcd_info
vcgencmd display_power 0
vcgencmd display_power 1
########################################
# schedule on/off of monitor
########################################
cat > /etc/systemd/system/screen-on.timer <<EOF
[Unit]
Description=Turn on display
[Timer]
OnCalendar=*-*-* 6:00:00
Persistent=true
[Install]
WantedBy=timers.target
EOF
cat > /etc/systemd/system/screen-on.service <<EOF
[Unit]
Description=Turn on display
[Service]
Type=oneshot
ExecStart=/opt/vc/bin/vcgencmd display_power 1
StandardOutput=journal
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/screen-off.timer <<EOF
[Unit]
Description=Turn off display
[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true
[Install]
WantedBy=timers.target
EOF
cat > /etc/systemd/system/screen-off.service <<EOF
[Unit]
Description=Turn off display
[Service]
Type=oneshot
ExecStart=/opt/vc/bin/vcgencmd display_power 0
StandardOutput=journal
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable screen-on.timer
systemctl enable screen-off.timer
########################################
# automatic updates (UNWISE)
########################################
auto updates (may be problematic given aur packages)
https://bbs.archlinux.org/viewtopic.php?id=247428
########################################
# future : ambient light control
########################################
https://www.adafruit.com/product/4463
https://www.adafruit.com/product/4681
https://learn.adafruit.com/adafruit-bh1750-ambient-light-sensor/python-circuitpython
https://www.raspberrypi.org/forums/viewtopic.php?t=145894
http://www.ddcutil.com/building/
http://www.ddcutil.com/raspberry/
https://github.com/raspberrypi/linux/issues/3152
tweak /boot/config.txt to have dtoverlay=vc4-kms-v3d instead of fkms
pacman -S i2c-tools
cat > /etc/modules-load.d/i2c.conf <<EOF
i2c-dev
EOF
systemctl reboot
lsmod | grep i2c
ls /dev/i2c*
i2cdetect -r -y 11
pacman -S ddcutil
ddcutil detect
ddcutil capabilities
ddcutil getcvp
ddcutil setvcp
ddcutil vcpinfo
ddcutil dumpvcp
########################################
# future : human detection
########################################
https://www.sparkfun.com/products/14349
https://www.sparkfun.com/products/15794
https://learn.sparkfun.com/tutorials/qwiic-human-presence-sensor-ak9753-hookup-guide
https://github.com/sparkfun/SparkFun_AK975x_Arduino_Library
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Misc Notes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=24679
eyyy, 2560x1600 @ 50hz via hdmi on a pi4 is working!
hdmi_cvt=2560 1600 50 5 0 0 1
hdmi_group=2
hdmi_mode=88