########################################
# IMPORTANT CONSIDERATIONS
########################################

This setup does NOT use SSL for anything. Use acme.sh + vhosts + nginx if you really wanna walk that path

########################################
# Setup environment
########################################
https://ubuntu.com/download/raspberry-pi/thank-you?version=20.04&architecture=arm64+raspi
boot ubuntu server 64bit
    ubuntu / ubuntu
update to latest of everything
apt update && apt install parted wget curl nano tmux vim htop iotop nload
ip addr
ssh into rpi

########################################
# Inspiration
########################################

https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-4#installation
https://github.com/phortx/Raspberry-Pi-Setup-Guide

########################################
# Prep / install arch linux on micro sd card
########################################

parted /dev/sda
mklabel msdos
mkpart
    p
    [enter]
    1
    100M
mkpart
    p
    [enter]
    100M
    -1
set 1 boot on
set 1 lba on
q

mkfs.vat /dev/sda1
mkfs.btrfs /dev/sda2

mkdir /mnt/arch
mount -o nodiratime,noatime,compress /dev/sda2 /mnt/arch
mkdir /mnt/arch/boot
mount /dev/sda1 /mnt/arch/boot
cd /mnt/arch
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-4-latest.tar.gz
tar -xpf ArchLinuxARM-rpi-4-latest.tar.gz
rm ArchLinuxARM-rpi-4-latest.tar.gz

cat > /mnt/arch/boot/config.txt <<EOF
# KmN: Borrowed some stuff from majaro
# See /boot/overlays/README for all available options

gpu_mem=512
dtoverlay=miniuart-bt
initramfs initramfs-linux.img followkernel
disable_overscan=1

#enable vc4
dtoverlay=vc4-fkms-v3d
max_framebuffers=1
EOF

nano -w /mnt/arch/boot/cmdline.txt
    root=mmcblk0p2 rootflags=nodiratime,noatime,compress rw rootwait
    remove kgdboc=ttyAMA0,115200 
    

parted /dev/sda
set 1 boot on
set 1 lba on
set 2 lba on

systemctl poweroff

########################################
# Arch setup finalization
########################################

swap micro sd cards

boot into arch
login as root with password root

pacman-key --init
pacman-key --populate archlinuxarm

pacman -Syy
pacman -Su
systemctl reboot

userdel alarm

passwd

sed -i 's/#Color/Color/' /etc/pacman.conf # Add color to pacman

pacman -S openssh tmux nano vim htop iotop nload python python-pip wget curl git bash-completion p7zip exfat-utils man-db man-pages btrfs-progs sudo

sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
systemctl enable --now sshd
systemctl restart sshd

ip addr

ln -sf /usr/share/zoneinfo/UTC /etc/localtime
timedatectl set-local-rtc 0
timedatectl set-ntp true
echo LANG=en_US.UTF-8 > /etc/locale.conf
sed -i "s/#en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen
locale-gen
nano -w /etc/hostname
nano -w /etc/hosts

########################################
# Swap
########################################

mkdir /swap
chattr +C /swap
fallocate -l 1024M /swap/swap.1
chmod 600 /swap/swap.1
mkswap /swap/swap.1
swapon /swap/swap.1
echo 'vm.swappiness=1' > /etc/sysctl.d/99-sysctl.conf
echo "/swap/swap.1 none swap defaults 0 0" >> /etc/fstab

########################################
# Tweak journald
########################################

mkdir /etc/systemd/journald.conf.d/
cat > /etc/systemd/journald.conf.d/00-wall.conf <<EOF
[Journal]
ForwardToWall=no
EOF
cat > /etc/systemd/journald.conf.d/00-journal-size.conf <<EOF
[Journal]
SystemMaxUse=256M
EOF
cat > /etc/systemd/journald.conf.d/00-audit.conf <<EOF
[Journal]
Audit=no
EOF
cat > /etc/systemd/journald.conf.d/00-console.conf <<EOF
[Journal]
ForwardToConsole=no
TTYPath=
EOF
systemctl restart systemd-journald
systemctl mask systemd-journald-audit.socket
nano -w /boot/cmdline.txt
    add audit=0 at end of cmdline

########################################
# rpi tooling setup
########################################

sed -i "s/appendpath '\/usr\/bin'/appendpath '\/usr\/bin'\nappendpath '\/opt\/vc\/bin'/g" /etc/profile
source /etc/profile


pacman -S libnewt
wget https://raw.github.com/chattama/raspi-config-archlinux/archlinux/raspi-config -O /usr/local/bin/raspi-config
chmod a+x /usr/local/bin/raspi-config

########################################
# cpu power / governor
########################################

pacman -S cpupower
sed -i "s/#governor='ondemand'/governor='powersave'/g" /etc/default/cpupower
systemctl enable --now cpupower


########################################
# AUR package manager
########################################

pacman -S --needed base-devel go
useradd yay -s /usr/bin/nologin
mkdir /home/yay
chown yay: -R /home/yay
git clone https://aur.archlinux.org/yay.git /opt/yay
chown yay: -R /opt/yay/
cd /opt/yay
cat > /etc/sudoers.d/yay <<EOF
yay ALL=(ALL) NOPASSWD: ALL
EOF
chmod 600 /etc/sudoers.d/yay
sudo -sHu yay makepkg -si
cat >> ~/.bashrc <<EOF
alias yay="/usr/bin/sudo -sHu yay /usr/bin/yay"
EOF
source ~/.bashrc

########################################
# prep for slideshow
########################################

# prep storage for pics
btrfs subvolume create /tank
btrfs subvolume create /tank/pictures
# load pictures via rclone/syncthing/scp/etc

# basic window manager stuffs for making feh work properly
yay -S greetd cage xorg-server-xwayland
systemctl enable --now greetd

########################################
# setup slide show app
########################################

pacman -S feh imagemagick ttf-dejavu
# reload 86400 is to refresh the list of images daily -- tune for preferred number of seconds
# slideshow-delay is number of seconds (as a float) between images ; tune accordingly
useradd -s /usr/bin/nologin -m feh
chmod a+rx /tank/pictures
pacman -S acl
setfacl -m "u:feh:rX" /tank/pictures
setfacl -dm "u:feh:rX" /tank/pictures
pacman -S incron
cat > /etc/incron.d/feh <<EOF
/tank/pictures IN_DELETE systemctl restart greetd
EOF
systemctl enable --now incrond
cat > /usr/local/bin/feh-slideshow.sh <<EOF
#!/bin/bash
/usr/bin/feh --auto-zoom --borderless --fullscreen --hide-pointer --image-bg black --randomize --recursive \
--slideshow-delay 300 --reload 86400 \
--draw-tinted --draw-exif --draw-filename \
--fontpath /usr/share/fonts/TTF/ --font DejaVuSansMono/10 \
--verbose \
/tank/pictures
EOF
chmod a+x /usr/local/bin/feh-slideshow.sh
cat >> /etc/greetd/config.toml <<EOF
[initial_session]
command = "/usr/bin/cage /usr/local/bin/feh-slideshow.sh"
user = "feh"
EOF
systemctl restart greetd

########################################
# email notifications via msmtp
########################################

pacman -S msmtp msmtp-mta

cat > /etc/aliases <<EOF
# Example aliases file

# Send root to Joe and Jane
root: user@domain.tld

# Send cron to Mark
cron: user@domain.tld

# Send everything else to admin
default: user@domain.tld
EOF
cat > /etc/msmtprc <<EOF
# Accounts will inherit settings from this section
defaults
auth             on
tls              on
tls_trust_file   /etc/ssl/certs/ca-certificates.crt

logfile        /var/log/msmtp.log

from           user@domain.tld
keepbcc        on

account        piframe
host           email.domain.tld
port           587
auth           on
user           user@domain.tld
password       apassword

# Set a default account
account default : piframe

aliases /etc/aliases
EOF

########################################
# Cron (needed for email output of backup jobs)
########################################

pacman -S cronie
mkdir /etc/systemd/system/cronie.service.d
cat > /etc/systemd/system/cronie.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/crond -n -m '/usr/bin/msmtp -t'
EOF
systemctl daemon-reload
systemctl enable --now cronie


########################################
# restic backups
########################################

pacman -S restic
btrfs subvolume create /tank/backup
restic init -r /tank/backup
cat > /root/restic_backup.sh <<EOF
#!/bin/bash

MACHINE=picture-frame
ZONE=root

export RESTIC_REPOSITORY=/tank/backup/
export RESTIC_PASSWORD=testing1234

/usr/bin/restic backup -v -q \
    --tag $MACHINE --tag $ZONE \
    / \
    --exclude /run \
    --exclude /snapshots \
    --exclude /tank \
    --exclude /scratch \
    --exclude /proc \
    --exclude /sys \
    --exclude /var/lib/schroot/mount \
    --exclude /var/lib/docker \
    --exclude /var/lib/lxcfs \
    --exclude /mnt \
    --exclude /root/.cache \

/usr/bin/restic forget -v \
    --tag $MACHINE --tag $ZONE \
    --keep-daily=7 \
    --keep-weekly=4 \
    --keep-monthly=12 \
    --keep-yearly 1

# This can take a very, very long time
/usr/bin/restic prune && /usr/bin/restic check
EOF
chmod a+x /root/restic_backup.sh
crontab -e
0 7 * * * /root/restic_backup.sh

########################################
# web based admin panel / dashboard / app
########################################

# Remote management on http://ip:9090
pacman -S cockpit cockpit-pcp packagekit udisks2 networkmanager firewalld
systemctl enable --now firewalld
firewall-cmd --zone=public --permanent --add-port=9090/tcp
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --reload
systemctl enable --now NetworkManager
systemctl enable --now cockpit.socket

########################################
# web server w/ useful links
########################################

pacman -S lighttpd
mkdir /etc/lighttpd/conf.d
echo "include \"/etc/lighttpd/conf.d/*.conf\"" >> /etc/lighttpd/lighttpd.conf
mkdir /srv/http
cat > /srv/http/index.html <<EOF
<html>

<head>
<title>PiFrame</title>
</head>

<body>
<p><a href="http://127.0.0.1:9090">CockPit Web Management</a></p>
<p><a href="http://127.0.0.1:2812">Monit Monitoring</a></p>
<p><a href="http://127.0.0.1:2813">Munin Monitoring</a></p>
<p><a href="http://127.0.0.1:8384">Syncthing Admin Interface</a></p>
<p><a href="http://127.0.0.1:9191">Picture File Browser</a></p>
</body>
</html>
EOF
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
systemctl enable --now lighttpd

########################################
# system monitoring
########################################

pacman -S monit
mkdir /etc/monit.d
nano -w /etc/monitrc
    include /etc/monit.d/*
    set httpd port 2812 and
        use address 0.0.0.0  # only accept connection from localhost (drop if you use M/Monit)
        allow admin:monit      # require user 'admin' with password 'monit'


    set mailserver robomail.nusku.biz port 587
               username "piframe@robomail.nusku.biz" password "r8QA6AEFaqtCdDjfvzY3gvsX"
               using tls
cat > /etc/monit.d/rootfs <<EOF
check filesystem rootfs with path /
    if space usage > 80% then alert
EOF
cat > /etc/monit.d/tankfs <<EOF
check filesystem tankfs with path /tank
    if space usage > 80% then alert
EOF
cat > /etc/monit.d/feh <<EOF
check process feh matching /usr/bin/feh
    start program = "/usr/bin/systemctl start greetd"
    stop program = "/usr/bin/systemctl stop greetd"
    if does not exist then alert
    if does not exist for 2 cycles then restart
EOF
systemctl enable --now monit
firewall-cmd --zone=public --permanent --add-port=2812/tcp
firewall-cmd --reload


########################################
# system _resource_ monitoring
########################################

pacman -S munin perl-cgi-fast
nano -w /etc/munin/munin.conf
    graph_strategy cgi
    html_strategy cron
    [piframe]
        address 127.0.0.1
        use_node_name yes
chown munin: /var/lib/munin/cgi-tmp
chown munin: -R /usr/share/munin/www
munin-node-configure --shell # activate useful plugins
sudo -sHu munin munin-cron # prime munin data
systemctl enable --now munin-node
crontab /etc/munin/munin-cron-entry -u munin
cat > /etc/lighttpd/lighttpd-munin.conf <<EOF
# Apply the following tweaks to the /etc/munin/munin.conf file ahead of running lighttpd for munin
## Use cgi rendering for graph and html
#graph_strategy cgi
#html_strategy cron

server.username = "munin"
server.groupname = "munin"

server.document-root = "/srv/http"
server.port = 2813

server.errorlog         = "/var/log/munin/lighttpd-error.log"
dir-listing.activate    = "disable"
server.modules          = (
                            "mod_access",
                            "mod_accesslog",
                            "mod_alias",
                            "mod_rewrite",
                            "mod_redirect",
                            "mod_cgi",
                            "mod_fastcgi",
                            )
server.follow-symlink = "enable"
index-file.names = ( "index.html", "index.htm" )

url.redirect += ( "^/*$" => "/munin/" )

\$HTTP["url"] =~ "/munin-cgi/munin-cgi-graph" {
  alias.url += ( "/munin-cgi/munin-cgi-graph" => "/usr/share/munin/cgi/munin-cgi-graph" )
  cgi.assign = ( "" => "" )
}

#alias.url += ( "/munin/static" => "/etc/munin/static" )
alias.url += ( "/munin" => "/usr/share/munin/www" )

mimetype.assign         = (
                                ".html" => "text/html",
                                ".txt" => "text/plain",
                                ".css" => "text/css",
                                ".js" => "application/x-javascript",
                                ".jpg" => "image/jpeg",
                                ".jpeg" => "image/jpeg",
                                ".gif" => "image/gif",
                                ".png" => "image/png",
                                "" => "application/octet-stream"
                        )
EOF
cat > /etc/systemd/system/lighttpd-munin.service <<EOF
[Unit]
Description=Lighttpd Web Server (munin)
After=syslog.target network.target

[Service]
PrivateTmp=true
ExecStart=/usr/bin/lighttpd-angel -D -f /etc/lighttpd/lighttpd-munin.conf
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now lighttpd-munin
firewall-cmd --zone=public --permanent --add-port=2813/tcp
firewall-cmd --reload

########################################
# syncthing / rclone / web based file browser
########################################

curl https://rclone.org/install.sh | bash
pacman -S syncthing
touch /tank/pictures/.stfolder
chown feh: /tank/pictures/.stfolder
systemctl enable --now syncthing@feh.service # use feh user so perms are right for pics
ssh -L 8385:127.0.0.1:8384 user@piframe
http://localhost:8385
Change settings
    General
        Minimum free disk space : 10%
        Anonymous usage reporting : Disabled
    GUI
        Listen address : 0.0.0.0:8384
        GUI Auth user : admin
        GUI Auth password : apassword
Delete default folder
Add /tank/pictures folder
Connect to upstream device w/ files you want to sync
Setup picture sync as inbound only
firewall-cmd --zone=public --permanent --add-port=8384/tcp
firewall-cmd --zone=public --permanent --add-port=22000/tcp
firewall-cmd --reload

curl -fsSL https://filebrowser.org/get.sh | bash
mkdir /home/feh/filebrowser
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
    config init
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
    config set --address 0.0.0.0
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
    config set --port 9191
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
    config set --branding.name "PiFrame - Pictures"
filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db \
    users add admin apassword
chown feh: -R /home/feh/filebrowser
firewall-cmd --zone=public --permanent --add-port=9191/tcp
firewall-cmd --reload
cat > /etc/systemd/system/filebrowser-pictures.service <<EOF
[Unit]
Description=Filebrowser - Pictures
After=network.target

[Service]
User=feh
PrivateTmp=true
ExecStart=/usr/local/bin/filebrowser -c /home/feh/filebrowser/pictures.json -d /home/feh/filebrowser/pictures.db -r /tank/pictures --img-processors 1 --disable-thumbnails

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now filebrowser-pictures

########################################
# wifi setup
########################################

nmtui # final wifi config to keep wires to a minimum (COCKPIT SETUP REQUIRED)
# use wifi-menu if not using network manger (network manager is part of cockpit setup)

########################################
# hdmi on/off commands
########################################

vcgencmd get_lcd_info
vcgencmd display_power 0
vcgencmd display_power 1

########################################
# schedule on/off of monitor
########################################

cat > /etc/systemd/system/screen-on.timer <<EOF
[Unit]
Description=Turn on display

[Timer]
OnCalendar=*-*-* 6:00:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
cat > /etc/systemd/system/screen-on.service <<EOF
[Unit]
Description=Turn on display

[Service]
Type=oneshot
ExecStart=/opt/vc/bin/vcgencmd display_power 1
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/screen-off.timer <<EOF
[Unit]
Description=Turn off display

[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
cat > /etc/systemd/system/screen-off.service <<EOF
[Unit]
Description=Turn off display

[Service]
Type=oneshot
ExecStart=/opt/vc/bin/vcgencmd display_power 0
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable screen-on.timer
systemctl enable screen-off.timer

########################################
# automatic updates (UNWISE)
########################################

auto updates (may be problematic given aur packages)
https://bbs.archlinux.org/viewtopic.php?id=247428


########################################
# future : ambient light control
########################################

https://www.adafruit.com/product/4463
https://www.adafruit.com/product/4681
https://learn.adafruit.com/adafruit-bh1750-ambient-light-sensor/python-circuitpython
https://www.raspberrypi.org/forums/viewtopic.php?t=145894
http://www.ddcutil.com/building/
http://www.ddcutil.com/raspberry/
https://github.com/raspberrypi/linux/issues/3152

tweak /boot/config.txt to have dtoverlay=vc4-kms-v3d instead of fkms
pacman -S i2c-tools
cat > /etc/modules-load.d/i2c.conf <<EOF
i2c-dev
EOF
systemctl reboot
lsmod | grep i2c
ls /dev/i2c*
i2cdetect -r -y 11

pacman -S ddcutil
ddcutil detect
ddcutil capabilities
ddcutil getcvp
ddcutil setvcp
ddcutil vcpinfo
ddcutil dumpvcp


########################################
# future : human detection
########################################

https://www.sparkfun.com/products/14349
https://www.sparkfun.com/products/15794
https://learn.sparkfun.com/tutorials/qwiic-human-presence-sensor-ak9753-hookup-guide
https://github.com/sparkfun/SparkFun_AK975x_Arduino_Library


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Misc Notes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=24679

eyyy, 2560x1600 @ 50hz via hdmi on a pi4 is working!

hdmi_cvt=2560 1600 50 5 0 0 1
hdmi_group=2
hdmi_mode=88