Difference between revisions of "Skynet Software Wiki:Setup Pi"

From Skynet Software Wiki
(Created page with "= Setting up a Raspberry Pi = 1. Put the Pi together. 2. Connect to WiFi / Cable. 3. Select "Raspberry Pi OS Lite" 4. user pi, password raspberry 5. Note the IP address 6. sud...")
 
(→‎Setup CUPS: Modified IP Addresses)
 
(107 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Setting up a Raspberry Pi =
+
== Setting up a Raspberry Pi ==
1. Put the Pi together.
+
#Plug a 16GB or larger MicroSD Card into your computer.
2. Connect to WiFi / Cable.
+
#Download and open the [https://downloads.raspberrypi.org/imager/imager_latest.exe Raspberry Pi Imager software].
3. Select "Raspberry Pi OS Lite"
+
##If the Pi is being used as a Clocking In or Dispatch device, choose "Raspberry Pi OS (32-bit)".
4. user pi, password raspberry
+
##If the Pi is being used as a Print Server, choose "Raspberry Pi OS Lite (32-bit)" under 'Raspberry Pi OS (Other)'.
5. Note the IP address
+
#Open the Advanced Options by clicking the cog in the bottom right hand corner.
6. sudo apt-get update
+
##Tick 'Set hostname:' and input the hostname into the box.
7. sudo apt-get upgrade
+
##If connecting over SSH straight away:
8. passwd - and note the new password.
+
###Tick 'Enable SSH'.
9. sudo raspi-confi
+
###Click 'Use password authentication'.
9a. Interface Options
+
###Tick 'Set username and password'.
9a.i.  P1, P3, P4, P5, P7, P8 - All "No".
+
###Leave Username as 'pi'.
9a.ii.  P6 - Set to "No" then "No" again.
+
###Set a password and keep a note of it.
9a.iii. P2 - Set to "Yes"
+
##If the Pi will be connected to WiFi and you have the details:
9b. Localisation Options
+
###Tick 'Configure wifi'.
9b.i.  Timezone - set to "Europe" then "London".
+
###Enter the 'SSID'.
9b.ii.  WLAN Country - set to "GB".
+
###Enter the 'Password'.
9b.iii. Locale - set to "en_GB.UTF-8"
+
###Leave Wifi country as 'GB'.
 +
##Tick 'Set locale Settings'.
 +
#Click 'SAVE'.
 +
#Click 'CHOOSE STORAGE' and ensure you choose the MicroSD Card to install to.
 +
#Click 'WRITE'.
 +
#Once it's installed, plug MicroSD Card into Pi.
 +
#Connect Pi to power & connect an Ethernet cable.
 +
#user pi, password as set above.
 +
#Note the IP address (run "ifconfig" if it doesn't show).
 +
#Run the following commands:
 +
##sudo apt-get purge wolfram-engine scratch nuscratch sonic-pi idle3 smartsim java-common libreoffice* -y
 +
##sudo apt clean
 +
##sudo apt-get autoremove -y
 +
##sudo apt-get update -y
 +
##sudo apt-get upgrade -y
 +
##sudo apt-get dist-upgrade -y
 +
##sudo apt-get install xdotool unclutter sed -y
 +
##sudo raspi-config - '''Only change the following options:'''
 +
###'''1 System Options'''
 +
##*S5 Boot / Auto Login
 +
###*If the Pi is being used as a Print Server - Choose "B1 Console"
 +
###*If the Pi is being used as a Clocking In or Dispatch device - Choose "B4 Desktop Autologin"
 +
##*S6 Network at Book - Set to "Yes"
 +
##*''(If the Pi is being used as a Print Server, ignore this)'' S7 Splash Screen - Set to "No"
 +
##'''3 Interface Options'''
 +
##*I2 - Set to "Yes"
 +
##*I1, I3, I4, I5, I7, I8 - Set all to "No"
 +
##*I6 - Set to "No" then "No" again
 +
##'''6 Advanced Options'''
 +
##*A1 Expand Filesystem - Run this
  
= Setting up a new internal user =
+
It will then ask if you want to reboot - Choose yes.
1. sudo adduser skynet - note the new password.
 
2. sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
 
3. "sudo su - skynet" - double check this works fine.
 
4. Logout of SSH and re-login as skynet.
 
5. sudo pkill -u pi
 
  
= Securing SSH and setting up the UFW firewall =
+
== Setting up a new internal user ==
For further reference, see https://www.cups.org/doc/firewalls.html
+
#sudo adduser skynet - note the new password.
1. sudo nano /etc/ssh/sshd_config
+
#It will ask for a Full Name - set this as "Genisys Support" - for the other options just press Enter
1a. Add "AllowUsers skynet"
+
#sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
2. sudo systemctl restart ssh
+
#"sudo su - skynet" - double check this works fine.
3. sudo apt install ufw
+
#Logout of SSH and re-login as skynet.
4. sudo ufw allow ssh
+
#sudo pkill -u pi
5. sudo ufw allow 631
 
6. sudo ufw allow 5353
 
7. sudo ufw allow 53
 
8. sudo ufw enable
 
9. sudo ufw limit ssh/tcp
 
10. sudo ufw allow from 84.92.64.163 to any port 22 - Plusnet
 
11. sudo ufw allow from 212.140.134.122 to any port 22 - Lea House
 
12. sudo ufw allow from 217.182.136.107 to any port 22 - Recon
 
13. sudo ufw allow from 192.168.0.0/16 to any port 22
 
14. sudo ufw allow from 84.92.64.163 to any port 631
 
15. sudo ufw allow from 212.140.134.122 to any port 631
 
16. sudo ufw allow from 217.182.136.107 to any port 631
 
17. sudo ufw allow from 192.168.0.0/16 to any port 631
 
18. sudo ufw allow from 84.92.64.163 to any port 5353
 
19. sudo ufw allow from 212.140.134.122 to any port 5353
 
20. sudo ufw allow from 217.182.136.107 to any port 5353
 
21. sudo ufw allow from 192.168.0.0/16 to any port 5353
 
22. sudo ufw allow from 84.92.64.163 to any port 53
 
23. sudo ufw allow from 212.140.134.122 to any port 53
 
24. sudo ufw allow from 217.182.136.107 to any port 53
 
25. sudo ufw allow from 192.168.0.0/16 to any port 53
 
  
= Setting up fail2ban for SSH =
+
== Securing SSH and setting up the UFW firewall ==
1. sudo apt install fail2ban
+
For further reference, see [https://www.cups.org/doc/firewalls.html CUPS UFW Firewall page]
2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+
#sudo nano /etc/ssh/sshd_config
2. sudo nano /etc/fail2ban/jail.local - and add the following:
+
#*Add "AllowUsers skynet"
  [ssh]
+
#Ctrl X, Y, Enter
 +
#sudo systemctl restart ssh
 +
#sudo apt install ufw -y
 +
#sudo ufw allow from 51.68.205.35 proto tcp to any port 22,53,631,5353 (Xenon)
 +
#sudo ufw allow from 145.239.254.22 proto tcp to any port 22,53,631,5353 (Concorde)
 +
#sudo ufw allow from 81.137.221.179 proto tcp to any port 22,53,631,5353 (Office)
 +
#sudo ufw allow from 192.168.0.0/16 proto tcp to any port 22,53,631,5353 (Local)
 +
#sudo ufw allow from ''Customer's IP Address'' proto tcp to any port 22,53,631,5353
 +
#sudo ufw limit ssh/tcp ''(This will block attackers who have connected more than 5 times in 30 seconds)''
 +
#sudo ufw enable
 +
 
 +
== Setting up fail2ban for SSH ==
 +
#sudo apt install fail2ban -y
 +
#sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 +
#sudo nano /etc/fail2ban/jail.local
 +
#find:
 +
<nowiki># "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 +
# will not ban a host which matches an address in this list. Several addresses
 +
# can be defined using space (and/or comma) separator.
 +
#ignoreip =  127.0.0.1/8::1</nowiki>
 +
#Remove the #
 +
#Remove 127.0.0.1/8 - leave the "::1" at the end
 +
#Add 51.68.205.35 145.239.254.22 81.137.221.179 meadowview.zapto.org 192.168.0.0/16 - leave the "::1" at the end
 +
#Then find:
 +
<nowiki># "bantime" is the number of seconds that a host is banned.
 +
bantime  = 10m</nowiki>
 +
#Change 10m to 1y
 +
#Then find:
 +
<nowiki># A host is banned if it has generated "maxretry" during the last "findtime"
 +
# seconds.
 +
findtime  = 10m</nowiki>
 +
#Change 10m to 1y
 +
#Then find:
 +
<nowiki># "maxretry" is the number of failures before a host get banned.
 +
maxretry = 5</nowiki>
 +
#Change 5 to 3
 +
#Then find:
 +
<nowiki>#
 +
# JAILS
 +
#
 +
 
 +
#
 +
# SSH servers
 +
#
 +
 
 +
[sshd]
 +
 
 +
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +
# normal (default), ddos, extra or aggressive (combines all).
 +
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +
#mode  = normal
 +
port    = ssh
 +
logpath = %(sshd_log)s
 +
backend = %(sshd_backend)s</nowiki>
 +
Add the following below it:
 +
  <nowiki>[ssh]
 
  enabled  = true
 
  enabled  = true
 
  port    = ssh
 
  port    = ssh
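Review bot: In the new UFW steps, "sudo ufw limit ssh/tcp" is a rate-limited allow with no source address, so once it is added port 22 accepts connections from any host and the "allow from ... proto tcp to any port 22,53,631,5353" rules above it no longer restrict SSH to Xenon, Concorde, Office, Local and the customer. If the intent is an allowlist, drop the limit step and leave throttling to fail2ban, or scope the limit per source ("sudo ufw limit from 51.68.205.35 to any port 22 proto tcp"). The new rules also carry "proto tcp" only, whereas the removed "sudo ufw allow 53" and "sudo ufw allow 5353" lines covered UDP as well; the text should say whether dropping UDP is intended.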
Line 64: Line 122:
 
  logpath  = /var/log/auth.log
 
  logpath  = /var/log/auth.log
 
  maxretry = 3
 
  maxretry = 3
  bantime  = -1
+
  bantime  = 1y</nowiki>
 +
#Ctrl X, Y, Enter
  
= Make the Raspberry Pi Static =
+
Fail2Ban must be restarted to load the new settings:
1. sudo nano /etc/dhcpcd.conf
+
#sudo service fail2ban restart
interface wlan0 (or eth0 if ethernet)
 
static ip_address=192.168.1.155/24 (or as required)
 
static routers=192.168.1.254 (or as required)
 
static domain_name_servers=192.168.1.254 (or as required)
 
2. sudo nano /etc/hostname
 
2a. Change the hostname to something - and keep track of it.
 
  
= Setup CUPS =
+
== Setup CUPS ==
1. sudo apt install cups
+
#sudo apt install cups -y
2. sudo usermod -a -G lpadmin pi
+
#sudo usermod -a -G lpadmin pi
3. sudo usermod -a -G lpadmin skynet
+
#sudo usermod -a -G lpadmin skynet
4. sudo cupsctl --remote-any
+
#sudo cupsctl --remote-any
5. https://{internal_ip}:631 -> "Edit Configuration" and add this line to the bottom:
+
#<nowiki>https://</nowiki>''{internal_ip}'':631 -> "Edit Configuration" and add this line to the bottom:
 
  MaxJobs 0
 
  MaxJobs 0
6. Location "Location /" and "Location /admin" and replace the content with:
+
#Find "<Location />" and "<Location /admin>" and replace the content inside both areas with (don't remove "</Location />" and "</Location /admin>"):
 
  Order allow,deny
 
  Order allow,deny
 
  Allow from localhost
 
  Allow from localhost
  Allow from 84.92.64.163
+
  Allow from 51.68.205.35
  Allow from 212.140.134.122
+
  Allow from 81.137.221.179
  Allow from 217.182.136.107
+
  Allow from 145.239.254.22
  Allow from 192.168.1.*
+
  Allow from 192.168.*
7. Once saved, make sure "Allow printing from the internet" is ticked.
+
Allow from ''<Customers' IP Address>''
 +
#Further below find "<Location /admin/log>" and add the following below "Require user @SYSTEM" (don't remove "</Location /admin/log>"):
 +
Order allow,deny
 +
Allow @LOCAL
 +
Allow from localhost
 +
Allow from 51.68.205.35
 +
Allow from 81.137.221.179
 +
Allow from 145.239.254.22
 +
Allow from 192.168.*
 +
Allow from ''<Customers' IP Address>''
 +
#Click "Save Changes".
  
= Add printer to CUPS - Zebra GK420d (USB) =
+
== Add label printer to CUPS on Raspberry Pi - Zebra GK420d ==
1. https://{internal_ip}:631 (change IP as required, user/pass is the skynet one)
 
2. Administration -> Add Printer
 
3. Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list and "Continue".
 
4. Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" -> "Continue".
 
5. Model - Select "Zebra ZPL Label Printer (en)" and "Add Printer"
 
6. "Administration" -> "Manage Printers" -> click the new printer -> "Administration" -> "Set Default Options"
 
7. Media Size -> "4.00x6.00" -> "Set Default Options"
 
  
= Customer Firewall Setup =
+
=== USB ===
 +
#<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one)
 +
#Click "Administration" then "Add Printer".
 +
##Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue".
 +
##Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue".
 +
##Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer".
 +
#On Default Options:
 +
##Media Size -> "4.00x6.00"
 +
##Resolution -> "203dpi"
 +
##"Set Default Options".
 +
 
 +
If you need to change the Default Options:<br />
 +
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
 +
 
 +
=== Ethernet ===
 +
#<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one)
 +
#Click "Administration" then "Add Printer".
 +
##Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue.
 +
##Put "socket://''<IP Address of printer>'' into the "Connection:" box then click "Continue".
 +
##Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
 +
##Make - Select "Zebra".
 +
##Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer".
 +
#On Default Options:
 +
##Media Size -> "4.00x6.00"
 +
##Resolution -> "203dpi"
 +
##"Set Default Options".
 +
 
 +
If you need to change the Default Options:<br />
 +
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
 +
 
 +
== Add A4 printer to CUPS on Raspberry Pi ==
 +
 
 +
=== Ethernet ===
 +
#<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one)
 +
#Click "Administration" then "Add Printer".
 +
##Find the printer in the "Discovered Network Printers" list then click Continue.
 +
##Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
 +
##Make should be pre-selected to the make of the printer.
 +
##Model - The top option should be the correct one and match the make & model of the printer. If it also shows as "CUPS+Gutenprint vx.x.x (en)" that's the best one.
 +
#On Default Options:
 +
##Media Size -> "A4"
 +
##Resolution -> "Automatic"
 +
##2-Sided Printing -> If the customer wants this on, set it as "Long Edge (Standard)" otherwise set it to "Off".
 +
##"Set Default Options".
 +
 
 +
If you need to change the Default Options:<br />
 +
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
 +
 
 +
=== File Change To Stop Right Side of Page Being Cut Off ===
 +
 
 +
#cd /etc/cups/ppd
 +
#sudo nano ''printer_name''.ppd
 +
#Find "*DefaultImageableArea: A4"
 +
#Find "*ImageableArea A4/A4:  "10.000 12.000 585.000 830.000"" a few lines down from the above line.
 +
#Change the numbers to "18.000 20.000 593.000 838.000".
 +
#Ctrl X, Y, Enter
 +
 
 +
== Customer Firewall Setup ==
 
Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.
 
Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.
1. 631 for cups
+
#631. 53. 5353 for cups (TCP and UDP)
2. 22 for ssh
+
#22 for ssh (TCP)
 +
 
 +
== Add Printer to Skynet (Xenon) ==
 +
 
 +
=== Normal ZPL Driver ===
 +
#<nowiki>http://xenon.genisys-systems.co.uk:631/</nowiki>
 +
#"Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
 +
#ipp://skynet:''{password}''@''{public_ip_address}'':631/printers/''{name}''
 +
#Name - Use our standard naming convention.
 +
#Make - Select "Generic".
 +
#Model - Select "Generic PDF Printer (en)".
 +
#On Default Options:
 +
##Resolution to 300 dpi
 +
##Override A4 with Letter to "No"
 +
##"Set Default Options"
 +
 
 +
If you need to change the Default Options:<br />
 +
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
 +
 
 +
=== EPL Driver ''(for DPD/UPS)'' ===
 +
#<nowiki>http://xenon.genisys-systems.co.uk:631/</nowiki>
 +
#"Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
 +
#ipp://skynet:''{password}''@''{public_ip_address}'':631/printers/''{name}''
 +
#Name - as above but with "_dpd" on the end of it.
 +
#Make - Select "Raw".
 +
#Model - Select "Raw Queue".
 +
 
 +
You will experience messages such as PPD errors, semi-colon errors etc. but this is normal for a RAW printer. No further setup is required.
 +
 
 +
== Setting up Pi as a Kiosk ==
 +
#sudo nano /home/pi/kiosk.sh
 +
#!/bin/bash
 +
export DISPLAY=:0
 +
xset s noblank
 +
xset s off
 +
xset -dpms
 +
unclutter -idle 0.5 -root &
 +
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' /home/pi/.config/chromium/Default/Preferences
 +
sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences
 +
/usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk <nowiki>http://sams.spitfire-ams.co.uk/tablet_scan.php</nowiki> &
 +
#Ctrl X, Y, Enter
 +
#sudo nano /lib/systemd/system/kiosk.service
 +
<nowiki> [Unit]
 +
Description=Chromium Kiosk
 +
Wants=graphical.target
 +
After=graphical.target
 +
 
 +
[Service]
 +
Environment=DISPLAY=:0.0
 +
Environment=XAUTHORITY=/home/pi/.Xauthority
 +
Type=simple
 +
ExecStart=/bin/bash /home/pi/kiosk.sh
 +
Restart=on-abort
 +
User=pi
 +
Group=pi
 +
 
 +
[Install]
 +
WantedBy=graphical.target</nowiki>
 +
#Ctrl X, Y, Enter
 +
#sudo systemctl enable kiosk.service
 +
#sudo systemctl start kiosk.service
 +
#sudo nano /home/pi/.config/autostart/kiosk.desktop
 +
[Desktop Entry]
 +
Type=Application
 +
Name=Kiosk
 +
Exec=/home/pi/kiosk.sh
 +
X-GNOME-Autostart-enabled=true
 +
#Ctrl X, Y, Enter
 +
#sudo chmod 755 kiosk.sh
 +
#sudo chown pi:pi kiosk.sh
 +
 
 +
== After Testing ==
 +
Once all of the above has been completed, you can test a print locally.
 +
 
 +
== Debugging ==
  
= Add Printer to Spitfire (Recon) =
+
Found by [[user:Ncroker|Ncroker]]:
Now add the printer via Recon:
 
1. https://recon.spitfire-ams.co.uk:631/
 
2. "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
 
3. ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
 
4. "Administration" -> "Manage Printers" -> click the new printer -> "Administration" -> "Set Default Options"
 
a. Resolution to 300 dpi
 
b. Override A4 with Letter to "No"
 
c. "Set Default Options"
 
  
= After Testing =
+
This page has some cool debugging stuff: https://wiki.ubuntu.com/DebuggingPrintingProblems<br/>
Once all of the above has been completed, you can test a print locally. Before sending it off to the customer, make sure to comment out the settings from "/etc/dhcpcd.conf" under "Make the Raspberry Pi Static" are commented out, as then it'll be easier to locate it on the customers network and repeat any firewall steps.
+
It's for Ubuntu, but still seems to work on Xenon/Pi.
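Review bot: The new "Add Printer to Skynet (Xenon)" steps open the CUPS admin page at "http://xenon.genisys-systems.co.uk:631/", where the replaced Recon steps used "https://", and the device URI "ipp://skynet:{password}@{public_ip_address}:631/printers/{name}" puts the password of skynet, an account the earlier section adds to the sudo group, into a URI used against the customer's forwarded port 631. Suggest restoring https for the admin URL, using an "ipps://" URI for the queue, and authenticating with a print-only account rather than skynet. Separately, "Customer Firewall Setup" now forwards 631, 53 and 5353 as "TCP and UDP" while the Pi's UFW rules allow "proto tcp" only, and the kiosk steps launch kiosk.sh from both kiosk.service and kiosk.desktop while "sudo chmod 755 kiosk.sh" relies on the current directory being /home/pi; a full path would remove that dependency.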

Latest revision as of 09:27, 30 October 2024

Setting up a Raspberry Pi

  1. Plug a 16GB or larger MicroSD Card into your computer.
  2. Download and open the Raspberry Pi Imager software.
    1. If the Pi is being used as a Clocking In or Dispatch device, choose "Raspberry Pi OS (32-bit)".
    2. If the Pi is being used as a Print Server, choose "Raspberry Pi OS Lite (32-bit)" under 'Raspberry Pi OS (Other)'.
  3. Open the Advanced Options by clicking the cog in the bottom right hand corner.
    1. Tick 'Set hostname:' and input the hostname into the box.
    2. If connecting over SSH straight away:
      1. Tick 'Enable SSH'.
      2. Click 'Use password authentication'.
      3. Tick 'Set username and password'.
      4. Leave Username as 'pi'.
      5. Set a password and keep a note of it.
    3. If the Pi will be connected to WiFi and you have the details:
      1. Tick 'Configure wifi'.
      2. Enter the 'SSID'.
      3. Enter the 'Password'.
      4. Leave Wifi country as 'GB'.
    4. Tick 'Set locale Settings'.
  4. Click 'SAVE'.
  5. Click 'CHOOSE STORAGE' and ensure you choose the MicroSD Card to install to.
  6. Click 'WRITE'.
  7. Once it's installed, plug MicroSD Card into Pi.
  8. Connect Pi to power & connect an Ethernet cable.
  9. Log in as user pi, with the password set above.
  10. Note the IP address (run "ifconfig" if it doesn't show).
  11. Run the following commands:
    1. sudo apt-get purge wolfram-engine scratch nuscratch sonic-pi idle3 smartsim java-common libreoffice* -y
    2. sudo apt clean
    3. sudo apt-get autoremove -y
    4. sudo apt-get update -y
    5. sudo apt-get upgrade -y
    6. sudo apt-get dist-upgrade -y
    7. sudo apt-get install xdotool unclutter sed -y
    8. sudo raspi-config - Only change the following options:
      1. "1 System Options"
        • S5 Boot / Auto Login
          • If the Pi is being used as a Print Server - Choose "B1 Console"
          • If the Pi is being used as a Clocking In or Dispatch device - Choose "B4 Desktop Autologin"
        • S6 Network at Boot - Set to "Yes"
        • (If the Pi is being used as a Print Server, ignore this) S7 Splash Screen - Set to "No"
      2. "3 Interface Options"
        • I2 - Set to "Yes"
        • I1, I3, I4, I5, I7, I8 - Set all to "No"
        • I6 - Set to "No" then "No" again
      3. "6 Advanced Options"
        • A1 Expand Filesystem - Run this

It will then ask if you want to reboot - Choose yes.

Setting up a new internal user

  1. sudo adduser skynet - note the new password.
  2. It will ask for a Full Name - set this as "Genisys Support" - for the other options just press Enter
  3. sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
  4. "sudo su - skynet" - double check this works fine.
  5. Log out of SSH and log back in as skynet.
  6. sudo pkill -u pi

Securing SSH and setting up the UFW firewall

For further reference, see the CUPS UFW Firewall page: https://www.cups.org/doc/firewalls.html

  1. sudo nano /etc/ssh/sshd_config
    • Add "AllowUsers skynet"
  2. Ctrl X, Y, Enter
  3. sudo systemctl restart ssh
  4. sudo apt install ufw -y
  5. sudo ufw allow from 51.68.205.35 proto tcp to any port 22,53,631,5353 (Xenon)
  6. sudo ufw allow from 145.239.254.22 proto tcp to any port 22,53,631,5353 (Concorde)
  7. sudo ufw allow from 81.137.221.179 proto tcp to any port 22,53,631,5353 (Office)
  8. sudo ufw allow from 192.168.0.0/16 proto tcp to any port 22,53,631,5353 (Local)
  9. sudo ufw allow from <Customer's IP Address> proto tcp to any port 22,53,631,5353
  10. sudo ufw limit ssh/tcp (This will block attackers who have connected more than 5 times in 30 seconds)
  11. sudo ufw enable
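
Added example (not part of the wiki's own steps): a check to run after step 11 that lists every rule on the print server's ports that accepts traffic from any address. "ufw limit" is a rate-limited allow with no source restriction, so the rule from step 10 is reported; the sample status text is constructed, its layout is assumed to match what "sudo ufw status" prints, and open_to_any is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: find rules that expose the print server's ports to any source.

# Constructed sample, laid out the way `sudo ufw status` is assumed to print
# the rules created in steps 5-8 and step 10.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22,53,631,5353/tcp         ALLOW       51.68.205.35
22,53,631,5353/tcp         ALLOW       145.239.254.22
22,53,631,5353/tcp         ALLOW       81.137.221.179
22,53,631,5353/tcp         ALLOW       192.168.0.0/16
22/tcp                     LIMIT       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
EOF
}

# open_to_any "PORT PORT ..." < status-output   (hypothetical helper)
# Prints "<port spec> <action> <v4|v6>" for every ALLOW or LIMIT rule that
# covers one of the given ports and whose source column is "Anywhere".
open_to_any() {
    awk -v watch="$1" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    {
        # Locate the action column; "To" may be one field or two ("22/tcp (v6)").
        act = 0
        for (i = 2; i <= NF; i++)
            if ($i == "ALLOW" || $i == "LIMIT") { act = i; break }
        if (act == 0) next

        src = $(act + 1)
        if (src == "IN" || src == "OUT") src = $(act + 2)   # "ALLOW IN" form
        if (src != "Anywhere") next

        spec = $1
        sub(/\/(tcp|udp)$/, "", spec)        # "22,53/tcp" -> "22,53"
        m = split(spec, ports, ",")
        for (j = 1; j <= m; j++)
            if (ports[j] in want) {
                print $1, $act, (index($0, "(v6)") ? "v6" : "v4")
                next
            }
    }'
}

# On the Pi: sudo ufw status | open_to_any "22 53 631 5353"
sample_status | open_to_any "22 53 631 5353"
```

An empty result means every rule on those ports names a source address.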

Setting up fail2ban for SSH

  1. sudo apt install fail2ban -y
  2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. sudo nano /etc/fail2ban/jail.local
  4. Find:
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
  5. Remove the #
  6. Remove 127.0.0.1/8 - leave the "::1" at the end
  7. Add 51.68.205.35 145.239.254.22 81.137.221.179 meadowview.zapto.org 192.168.0.0/16 - leave the "::1" at the end
  8. Then find:
# "bantime" is the number of seconds that a host is banned.
bantime  = 10m
  9. Change 10m to 1y
  10. Then find:
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m
  11. Change 10m to 1y
  12. Then find:
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
  13. Change 5 to 3
  14. Then find:
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Add the following below it:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 1y
  15. Ctrl X, Y, Enter

Fail2Ban must be restarted to load the new settings:

  1. sudo service fail2ban restart
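
Added example (not part of the wiki's procedure): a read-only check that jail.local holds the values set in the steps above, including the case where the "#" in front of ignoreip was left in place. The sample file is constructed, placing the first four keys under [DEFAULT] is an assumption about the stock jail.conf, and jail_value, audit_jail and write_sample are hypothetical helper names.

```sh
#!/bin/sh
# Added example: check that jail.local holds the values set in the steps above.

# jail_value FILE SECTION KEY   (hypothetical helper)
# Prints the last uncommented value of KEY in [SECTION]; prints an empty line
# when the key is absent or still commented out.
jail_value() {
    awk -v sec="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]*\[|\].*$/, "", cur); next }
    cur == sec {
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) val = v
    }
    END { print val }' "$1"
}

# audit_jail FILE   (hypothetical helper)
# Compares FILE with the values chosen on this page; returns 0 when all match.
audit_jail() {
    file=$1
    rc=0
    while read -r sec key want; do
        got=$(jail_value "$file" "$sec" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    [$sec] $key = $got"
        else
            echo "FAIL  [$sec] $key = '$got' (expected '$want')"
            rc=1
        fi
    done <<EOF
DEFAULT bantime 1y
DEFAULT findtime 1y
DEFAULT maxretry 3
ssh enabled true
ssh filter sshd
ssh maxretry 3
ssh bantime 1y
EOF
    # ignoreip must be uncommented and list every address from the "Add" step.
    ignore=$(jail_value "$file" DEFAULT ignoreip | tr ',' ' ')
    for entry in 51.68.205.35 145.239.254.22 81.137.221.179 \
                 meadowview.zapto.org 192.168.0.0/16 ::1; do
        case " $ignore " in
            *" $entry "*) echo "ok    ignoreip lists $entry" ;;
            *) echo "FAIL  ignoreip lacks $entry"; rc=1 ;;
        esac
    done
    case " $ignore " in
        *" 127.0.0.1/8 "*) echo "FAIL  ignoreip still lists 127.0.0.1/8"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the edited lines as they should look afterwards.
# Assumption: in the stock jail.conf the first four keys sit under [DEFAULT].
write_sample() {
cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 51.68.205.35 145.239.254.22 81.137.221.179 meadowview.zapto.org 192.168.0.0/16 ::1
bantime  = 1y
findtime  = 1y
maxretry = 3

[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 1y
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_jail "$tmp"        # on the Pi: audit_jail /etc/fail2ban/jail.local
rm -f "$tmp"
```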

Setup CUPS

  1. sudo apt install cups -y
  2. sudo usermod -a -G lpadmin pi
  3. sudo usermod -a -G lpadmin skynet
  4. sudo cupsctl --remote-any
  5. https://{internal_ip}:631 -> "Edit Configuration" and add this line to the bottom:
MaxJobs 0
  6. Find "<Location />" and "<Location /admin>" and replace the content inside both areas with the following (don't remove the closing "</Location>" line of either block):
Order allow,deny
Allow from localhost
Allow from 51.68.205.35
Allow from 81.137.221.179
Allow from 145.239.254.22
Allow from 192.168.*
Allow from <Customers' IP Address>
  7. Further below find "<Location /admin/log>" and add the following below "Require user @SYSTEM" (don't remove the closing "</Location>" line):
Order allow,deny
Allow @LOCAL
Allow from localhost
Allow from 51.68.205.35
Allow from 81.137.221.179
Allow from 145.239.254.22
Allow from 192.168.*
Allow from <Customers' IP Address>
  8. Click "Save Changes".

Add label printer to CUPS on Raspberry Pi - Zebra GK420d

USB

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue".
    2. Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue".
    3. Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer".
  3. On Default Options:
    1. Media Size -> "4.00x6.00"
    2. Resolution -> "203dpi"
    3. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

Ethernet

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue.
    2. Put "socket://<IP Address of printer>" into the "Connection:" box then click "Continue".
    3. Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
    4. Make - Select "Zebra".
    5. Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer".
  3. On Default Options:
    1. Media Size -> "4.00x6.00"
    2. Resolution -> "203dpi"
    3. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

Add A4 printer to CUPS on Raspberry Pi

Ethernet

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Find the printer in the "Discovered Network Printers" list then click Continue.
    2. Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
    3. Make should be pre-selected to the make of the printer.
    4. Model - The top option should be the correct one and match the make & model of the printer. If it also shows as "CUPS+Gutenprint vx.x.x (en)" that's the best one.
  3. On Default Options:
    1. Media Size -> "A4"
    2. Resolution -> "Automatic"
    3. 2-Sided Printing -> If the customer wants this on, set it as "Long Edge (Standard)" otherwise set it to "Off".
    4. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

File Change To Stop Right Side of Page Being Cut Off

  1. cd /etc/cups/ppd
  2. sudo nano printer_name.ppd
  3. Find "*DefaultImageableArea: A4"
  4. Find "*ImageableArea A4/A4: "10.000 12.000 585.000 830.000"" a few lines down from the above line.
  5. Change the numbers to "18.000 20.000 593.000 838.000".
  6. Ctrl X, Y, Enter

Customer Firewall Setup

Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.

  1. 631, 53, 5353 for cups (TCP and UDP)
  2. 22 for ssh (TCP)

Add Printer to Skynet (Xenon)

Normal ZPL Driver

  1. http://xenon.genisys-systems.co.uk:631/
  2. "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
  3. ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
  4. Name - Use our standard naming convention.
  5. Make - Select "Generic".
  6. Model - Select "Generic PDF Printer (en)".
  7. On Default Options:
    1. Resolution to 300 dpi
    2. Override A4 with Letter to "No"
    3. "Set Default Options"

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

EPL Driver (for DPD/UPS)

  1. http://xenon.genisys-systems.co.uk:631/
  2. "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
  3. ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
  4. Name - as above but with "_dpd" on the end of it.
  5. Make - Select "Raw".
  6. Model - Select "Raw Queue".

You will experience messages such as PPD errors, semi-colon errors etc. but this is normal for a RAW printer. No further setup is required.

Setting up Pi as a Kiosk

  1. sudo nano /home/pi/kiosk.sh
#!/bin/bash
export DISPLAY=:0
xset s noblank
xset s off
xset -dpms
unclutter -idle 0.5 -root &
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' /home/pi/.config/chromium/Default/Preferences
sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences
/usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk http://sams.spitfire-ams.co.uk/tablet_scan.php &
  2. Ctrl X, Y, Enter
  3. sudo nano /lib/systemd/system/kiosk.service
[Unit]
Description=Chromium Kiosk
Wants=graphical.target
After=graphical.target

[Service]
Environment=DISPLAY=:0.0
Environment=XAUTHORITY=/home/pi/.Xauthority
Type=simple
ExecStart=/bin/bash /home/pi/kiosk.sh
Restart=on-abort
User=pi
Group=pi

[Install]
WantedBy=graphical.target
  4. Ctrl X, Y, Enter
  5. sudo systemctl enable kiosk.service
  6. sudo systemctl start kiosk.service
  7. sudo nano /home/pi/.config/autostart/kiosk.desktop
[Desktop Entry]
Type=Application
Name=Kiosk
Exec=/home/pi/kiosk.sh
X-GNOME-Autostart-enabled=true
  8. Ctrl X, Y, Enter
  9. sudo chmod 755 kiosk.sh
  10. sudo chown pi:pi kiosk.sh

After Testing

Once all of the above has been completed, you can test a print locally.

Debugging

Found by Ncroker:

This page has some cool debugging stuff: https://wiki.ubuntu.com/DebuggingPrintingProblems
It's for Ubuntu, but still seems to work on Xenon/Pi.