Difference between revisions of "Skynet Software Wiki:Setup Pi"
m (→Setup CUPS) |
(→Setup CUPS: Modified IP Addresses) |
||
(80 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | = Setting up a Raspberry Pi = | + | == Setting up a Raspberry Pi == |
− | # | + | #Plug a 16GB or larger MicroSD Card into your computer. |
− | # | + | #Download and open the [https://downloads.raspberrypi.org/imager/imager_latest.exe Raspberry Pi Imager software]. |
− | # | + | ##If the Pi is being used as a Clocking In or Dispatch device, choose "Raspberry Pi OS (32-bit)". |
− | #user pi, password | + | ##If the Pi is being used as a Print Server, choose "Raspberry Pi OS Lite (32-bit)" under 'Raspberry Pi OS (Other)'. |
− | #Note the IP address | + | #Open the Advanced Options by clicking the cog in the bottom right hand corner. |
− | #sudo apt-get purge wolfram-engine scratch | + | ##Tick 'Set hostname:' and input the hostname into the box. |
− | + | ##If connecting over SSH straight away: | |
− | #sudo apt | + | ###Tick 'Enable SSH'. |
− | #sudo apt-get autoremove -y | + | ###Click 'Use password authentication'. |
− | #sudo apt-get update | + | ###Tick 'Set username and password'. |
− | #sudo apt-get upgrade | + | ###Leave Username as 'pi'. |
− | #sudo apt-get dist-upgrade | + | ###Set a password and keep a note of it. |
− | #sudo apt-get install xdotool unclutter sed | + | ##If the Pi will be connected to WiFi and you have the details: |
− | # | + | ###Tick 'Configure wifi'. |
− | #sudo raspi-config | + | ###Enter the 'SSID'. |
− | ## | + | ###Enter the 'Password'. |
− | ##* | + | ###Leave Wifi country as 'GB'. |
− | ##* | + | ##Tick 'Set locale Settings'. |
− | ##* | + | #Click 'SAVE'. |
− | ## | + | #Click 'CHOOSE STORAGE' and ensure you choose the MicroSD Card to install to. |
− | ##* | + | #Click 'WRITE'. |
− | ##* | + | #Once it's installed, plug MicroSD Card into Pi. |
− | ##* | + | #Connect Pi to power & connect an Ethernet cable. |
+ | #user pi, password as set above. | ||
+ | #Note the IP address (run "ifconfig" if it doesn't show). | ||
+ | #Run the following commands: | ||
+ | ##sudo apt-get purge wolfram-engine scratch nuscratch sonic-pi idle3 smartsim java-common libreoffice* -y | ||
+ | ##sudo apt clean | ||
+ | ##sudo apt-get autoremove -y | ||
+ | ##sudo apt-get update -y | ||
+ | ##sudo apt-get upgrade -y | ||
+ | ##sudo apt-get dist-upgrade -y | ||
+ | ##sudo apt-get install xdotool unclutter sed -y | ||
+ | ##sudo raspi-config - '''Only change the following options:''' | ||
+ | ###'''1 System Options''' | ||
+ | ##*S5 Boot / Auto Login | ||
+ | ###*If the Pi is being used as a Print Server - Choose "B1 Console" | ||
+ | ###*If the Pi is being used as a Clocking In or Dispatch device - Choose "B4 Desktop Autologin" | ||
+ | ##*S6 Network at Book - Set to "Yes" | ||
+ | ##*''(If the Pi is being used as a Print Server, ignore this)'' S7 Splash Screen - Set to "No" | ||
+ | ##'''3 Interface Options''' | ||
+ | ##*I2 - Set to "Yes" | ||
+ | ##*I1, I3, I4, I5, I7, I8 - Set all to "No" | ||
+ | ##*I6 - Set to "No" then "No" again | ||
+ | ##'''6 Advanced Options''' | ||
+ | ##*A1 Expand Filesystem - Run this | ||
− | = Setting up a new internal user = | + | It will then ask if you want to reboot - Choose yes. |
+ | |||
+ | == Setting up a new internal user == | ||
#sudo adduser skynet - note the new password. | #sudo adduser skynet - note the new password. | ||
− | #It will ask for a Full Name - set this as " | + | #It will ask for a Full Name - set this as "Genisys Support" - for the other options just press Enter |
#sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet | #sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet | ||
#"sudo su - skynet" - double check this works fine. | #"sudo su - skynet" - double check this works fine. | ||
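Review bot: the purge line passes libreoffice* unquoted, so the shell can expand it against files in the current directory before apt-get sees it; quote it as 'libreoffice*'. In the raspi-config list, "S6 Network at Book" should read "S6 Network at Boot". The imaging steps select 'Use password authentication' and the new skynet account is added to the sudo group, so SSH access to a sudo-capable account rests on a noted-down password; key-based login for skynet would remove that dependency.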
Line 32: | Line 57: | ||
#sudo pkill -u pi | #sudo pkill -u pi | ||
− | = Securing SSH and setting up the UFW firewall = | + | == Securing SSH and setting up the UFW firewall == |
For further reference, see [https://www.cups.org/doc/firewalls.html CUPS UFW Firewall page] | For further reference, see [https://www.cups.org/doc/firewalls.html CUPS UFW Firewall page] | ||
#sudo nano /etc/ssh/sshd_config | #sudo nano /etc/ssh/sshd_config | ||
#*Add "AllowUsers skynet" | #*Add "AllowUsers skynet" | ||
+ | #Ctrl X, Y, Enter | ||
#sudo systemctl restart ssh | #sudo systemctl restart ssh | ||
− | #sudo apt install ufw | + | #sudo apt install ufw -y |
− | #sudo ufw allow | + | #sudo ufw allow from 51.68.205.35 proto tcp to any port 22,53,631,5353 (Xenon) |
− | #sudo ufw allow 631 | + | #sudo ufw allow from 145.239.254.22 proto tcp to any port 22,53,631,5353 (Concorde) |
− | #sudo ufw allow 5353 | + | #sudo ufw allow from 81.137.221.179 proto tcp to any port 22,53,631,5353 (Office) |
− | #sudo ufw allow 53 | + | #sudo ufw allow from 192.168.0.0/16 proto tcp to any port 22,53,631,5353 (Local) |
+ | #sudo ufw allow from ''Customer's IP Address'' proto tcp to any port 22,53,631,5353 | ||
+ | #sudo ufw limit ssh/tcp ''(This will block attackers who have connected more than 5 times in 30 seconds)'' | ||
#sudo ufw enable | #sudo ufw enable | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | = Setting up fail2ban for SSH = | + | == Setting up fail2ban for SSH == |
#sudo apt install fail2ban -y | #sudo apt install fail2ban -y | ||
#sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | #sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | ||
− | #sudo nano /etc/fail2ban/jail.local - and | + | #sudo nano /etc/fail2ban/jail.local |
− | [ssh] | + | #find: |
+ | <nowiki># "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban | ||
+ | # will not ban a host which matches an address in this list. Several addresses | ||
+ | # can be defined using space (and/or comma) separator. | ||
+ | #ignoreip = 127.0.0.1/8::1</nowiki> | ||
+ | #Remove the # | ||
+ | #Remove 127.0.0.1/8 - leave the "::1" at the end | ||
+ | #Add 51.68.205.35 145.239.254.22 81.137.221.179 meadowview.zapto.org 192.168.0.0/16 - leave the "::1" at the end | ||
+ | #Then find: | ||
+ | <nowiki># "bantime" is the number of seconds that a host is banned. | ||
+ | bantime = 10m</nowiki> | ||
+ | #Change 10m to 1y | ||
+ | #Then find: | ||
+ | <nowiki># A host is banned if it has generated "maxretry" during the last "findtime" | ||
+ | # seconds. | ||
+ | findtime = 10m</nowiki> | ||
+ | #Change 10m to 1y | ||
+ | #Then find: | ||
+ | <nowiki># "maxretry" is the number of failures before a host get banned. | ||
+ | maxretry = 5</nowiki> | ||
+ | #Change 5 to 3 | ||
+ | #Then find: | ||
+ | <nowiki># | ||
+ | # JAILS | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # SSH servers | ||
+ | # | ||
+ | |||
+ | [sshd] | ||
+ | |||
+ | # To use more aggressive sshd modes set filter parameter "mode" in jail.local: | ||
+ | # normal (default), ddos, extra or aggressive (combines all). | ||
+ | # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. | ||
+ | #mode = normal | ||
+ | port = ssh | ||
+ | logpath = %(sshd_log)s | ||
+ | backend = %(sshd_backend)s</nowiki> | ||
+ | Add the following below it: | ||
+ | <nowiki>[ssh] | ||
enabled = true | enabled = true | ||
port = ssh | port = ssh | ||
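Review bot: "sudo ufw limit ssh/tcp" has no "from" clause, so it admits SSH from any source at a limited rate, which undoes the per-address restriction the preceding "allow from ... port 22,53,631,5353" rules set for port 22; either drop the limit rule or rely on the allow-list alone for 22. The allow rules are also "proto tcp" only, while the Customer Firewall Setup section lists 631, 53 and 5353 as TCP and UDP, so matching "proto udp" rules are missing if UDP is really needed. In jail.local, findtime = 1y with maxretry = 3 bans a host for a year after three failures spread across a whole year, and the new [ssh] section is added below the stock [sshd] section with the same sshd filter; setting the values under [sshd] would avoid two sections describing one jail.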
Line 75: | Line 122: | ||
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
maxretry = 3 | maxretry = 3 | ||
− | bantime = | + | bantime = 1y</nowiki> |
+ | #Ctrl X, Y, Enter | ||
− | + | Fail2Ban must be restarted to load the new settings: | |
− | + | #sudo service fail2ban restart | |
− | |||
− | |||
− | |||
− | |||
− | #sudo | ||
− | |||
− | = Setup CUPS = | + | == Setup CUPS == |
#sudo apt install cups -y | #sudo apt install cups -y | ||
#sudo usermod -a -G lpadmin pi | #sudo usermod -a -G lpadmin pi | ||
#sudo usermod -a -G lpadmin skynet | #sudo usermod -a -G lpadmin skynet | ||
#sudo cupsctl --remote-any | #sudo cupsctl --remote-any | ||
− | #<nowiki>https://{internal_ip}:631 | + | #<nowiki>https://</nowiki>''{internal_ip}'':631 -> "Edit Configuration" and add this line to the bottom: |
MaxJobs 0 | MaxJobs 0 | ||
− | # | + | #Find "<Location />" and "<Location /admin>" and replace the content inside both areas with (don't remove "</Location />" and "</Location /admin>"): |
Order allow,deny | Order allow,deny | ||
Allow from localhost | Allow from localhost | ||
− | Allow from | + | Allow from 51.68.205.35 |
− | Allow from | + | Allow from 81.137.221.179 |
− | Allow from | + | Allow from 145.239.254.22 |
− | Allow from 192.168 | + | Allow from 192.168.* |
− | Allow from <Customers' IP Address> | + | Allow from ''<Customers' IP Address>'' |
− | # | + | #Further below find "<Location /admin/log>" and add the following below "Require user @SYSTEM" (don't remove "</Location /admin/log>"): |
+ | Order allow,deny | ||
+ | Allow @LOCAL | ||
+ | Allow from localhost | ||
+ | Allow from 51.68.205.35 | ||
+ | Allow from 81.137.221.179 | ||
+ | Allow from 145.239.254.22 | ||
+ | Allow from 192.168.* | ||
+ | Allow from ''<Customers' IP Address>'' | ||
+ | #Click "Save Changes". | ||
− | = Add printer to CUPS - Zebra GK420d = | + | == Add label printer to CUPS on Raspberry Pi - Zebra GK420d == |
− | == USB == | + | === USB === |
− | #<nowiki>https://{ | + | #<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one) |
#Click "Administration" then "Add Printer". | #Click "Administration" then "Add Printer". | ||
##Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue". | ##Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue". | ||
##Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue". | ##Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue". | ||
##Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer". | ##Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer". | ||
− | # | + | #On Default Options: |
− | + | ##Media Size -> "4.00x6.00" | |
+ | ##Resolution -> "203dpi" | ||
+ | ##"Set Default Options". | ||
+ | |||
+ | If you need to change the Default Options:<br /> | ||
+ | "Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options" | ||
− | == Ethernet == | + | === Ethernet === |
− | #<nowiki>https://{ | + | #<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one) |
#Click "Administration" then "Add Printer". | #Click "Administration" then "Add Printer". | ||
##Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue. | ##Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue. | ||
− | ##Put "socket://<IP Address of printer> into the "Connection:" box then click "Continue". | + | ##Put "socket://''<IP Address of printer>'' into the "Connection:" box then click "Continue". |
##Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue". | ##Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue". | ||
+ | ##Make - Select "Zebra". | ||
##Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer". | ##Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer". | ||
− | #Administration" -> "Manage Printers" -> click the | + | #On Default Options: |
− | + | ##Media Size -> "4.00x6.00" | |
+ | ##Resolution -> "203dpi" | ||
+ | ##"Set Default Options". | ||
+ | |||
+ | If you need to change the Default Options:<br /> | ||
+ | "Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options" | ||
+ | |||
+ | == Add A4 printer to CUPS on Raspberry Pi == | ||
− | = Customer Firewall Setup = | + | === Ethernet === |
+ | #<nowiki>https://</nowiki>''{Raspberry Pi IP}'':631 (change IP as required, user/pass is the skynet one) | ||
+ | #Click "Administration" then "Add Printer". | ||
+ | ##Find the printer in the "Discovered Network Printers" list then click Continue. | ||
+ | ##Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue". | ||
+ | ##Make should be pre-selected to the make of the printer. | ||
+ | ##Model - The top option should be the correct one and match the make & model of the printer. If it also shows as "CUPS+Gutenprint vx.x.x (en)" that's the best one. | ||
+ | #On Default Options: | ||
+ | ##Media Size -> "A4" | ||
+ | ##Resolution -> "Automatic" | ||
+ | ##2-Sided Printing -> If the customer wants this on, set it as "Long Edge (Standard)" otherwise set it to "Off". | ||
+ | ##"Set Default Options". | ||
+ | |||
+ | If you need to change the Default Options:<br /> | ||
+ | "Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options" | ||
+ | |||
+ | === File Change To Stop Right Side of Page Being Cut Off === | ||
+ | |||
+ | #cd /etc/cups/ppd | ||
+ | #sudo nano ''printer_name''.ppd | ||
+ | #Find "*DefaultImageableArea: A4" | ||
+ | #Find "*ImageableArea A4/A4: "10.000 12.000 585.000 830.000"" a few lines down from the above line. | ||
+ | #Change the numbers to "18.000 20.000 593.000 838.000". | ||
+ | #Ctrl X, Y, Enter | ||
+ | |||
+ | == Customer Firewall Setup == | ||
Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well. | Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well. | ||
− | #631 for cups | + | #631. 53. 5353 for cups (TCP and UDP) |
− | #22 for ssh | + | #22 for ssh (TCP) |
+ | |||
+ | == Add Printer to Skynet (Xenon) == | ||
− | = | + | === Normal ZPL Driver === |
− | + | #<nowiki>http://xenon.genisys-systems.co.uk:631/</nowiki> | |
− | #<nowiki> | ||
#"Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)" | #"Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)" | ||
− | #ipp://skynet:{password}@{public_ip_address}:631/printers/{name} | + | #ipp://skynet:''{password}''@''{public_ip_address}'':631/printers/''{name}'' |
− | # | + | #Name - Use our standard naming convention. |
+ | #Make - Select "Generic". | ||
+ | #Model - Select "Generic PDF Printer (en)". | ||
+ | #On Default Options: | ||
##Resolution to 300 dpi | ##Resolution to 300 dpi | ||
##Override A4 with Letter to "No" | ##Override A4 with Letter to "No" | ||
##"Set Default Options" | ##"Set Default Options" | ||
− | = Setting up Pi as a Kiosk = | + | If you need to change the Default Options:<br /> |
+ | "Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options" | ||
+ | |||
+ | === EPL Driver ''(for DPD/UPS)'' === | ||
+ | #<nowiki>http://xenon.genisys-systems.co.uk:631/</nowiki> | ||
+ | #"Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)" | ||
+ | #ipp://skynet:''{password}''@''{public_ip_address}'':631/printers/''{name}'' | ||
+ | #Name - as above but with "_dpd" on the end of it. | ||
+ | #Make - Select "Raw". | ||
+ | #Model - Select "Raw Queue". | ||
+ | |||
+ | You will experience messages such as PPD errors, semi-colon errors etc. but this is normal for a RAW printer. No further setup is required. | ||
+ | |||
+ | == Setting up Pi as a Kiosk == | ||
#sudo nano /home/pi/kiosk.sh | #sudo nano /home/pi/kiosk.sh | ||
#!/bin/bash | #!/bin/bash | ||
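Review bot: the device URI "ipp://skynet:{password}@{public_ip_address}:631/printers/{name}" in both Xenon sections embeds the skynet password in a URI used over unencrypted ipp:// to a public address, and skynet is the same account that holds sudo and is the only user in AllowUsers. Use ipps:// and a separate print-only account for the queue so a captured URI does not expose the administrative login. The Xenon admin page is also opened over http:// rather than https://, and "631. 53. 5353" in Customer Firewall Setup should be comma-separated.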
Line 150: | Line 256: | ||
sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences | sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences | ||
/usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk <nowiki>http://sams.spitfire-ams.co.uk/tablet_scan.php</nowiki> & | /usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk <nowiki>http://sams.spitfire-ams.co.uk/tablet_scan.php</nowiki> & | ||
− | + | #Ctrl X, Y, Enter | |
#sudo nano /lib/systemd/system/kiosk.service | #sudo nano /lib/systemd/system/kiosk.service | ||
− | [Unit] | + | <nowiki> [Unit] |
Description=Chromium Kiosk | Description=Chromium Kiosk | ||
Wants=graphical.target | Wants=graphical.target | ||
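Review bot: the chromium-browser line in kiosk.sh ends with "&", so the script returns as soon as the browser is launched; the unit shown in full in the rendered page below uses Type=simple with ExecStart=/bin/bash /home/pi/kiosk.sh, and systemd treats that exit as the service stopping and cleans up what the script left running. Drop the trailing "&" on that line, or end the script with "wait", so the unit tracks the browser process. The kiosk URL is also plain http://.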
Line 167: | Line 273: | ||
[Install] | [Install] | ||
− | WantedBy=graphical.target | + | WantedBy=graphical.target</nowiki> |
− | + | #Ctrl X, Y, Enter | |
#sudo systemctl enable kiosk.service | #sudo systemctl enable kiosk.service | ||
#sudo systemctl start kiosk.service | #sudo systemctl start kiosk.service | ||
− | |||
#sudo nano /home/pi/.config/autostart/kiosk.desktop | #sudo nano /home/pi/.config/autostart/kiosk.desktop | ||
[Desktop Entry] | [Desktop Entry] | ||
Line 178: | Line 283: | ||
Exec=/home/pi/kiosk.sh | Exec=/home/pi/kiosk.sh | ||
X-GNOME-Autostart-enabled=true | X-GNOME-Autostart-enabled=true | ||
− | + | #Ctrl X, Y, Enter | |
#sudo chmod 755 kiosk.sh | #sudo chmod 755 kiosk.sh | ||
#sudo chown pi:pi kiosk.sh | #sudo chown pi:pi kiosk.sh | ||
− | = After Testing = | + | == After Testing == |
− | Once all of the above has been completed, you can test a print locally. | + | Once all of the above has been completed, you can test a print locally. |
+ | |||
+ | == Debugging == | ||
+ | |||
+ | Found by [[user:Ncroker|Ncroker]]: | ||
+ | |||
+ | This page has some cool debugging stuff: https://wiki.ubuntu.com/DebuggingPrintingProblems<br/> | ||
+ | It's for Ubuntu, but still seems to work on Xenon/Pi. |
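Review bot: "sudo chmod 755 kiosk.sh" and "sudo chown pi:pi kiosk.sh" use a relative path, so they only succeed when run from /home/pi, and by this point the operator is logged in as skynet; use /home/pi/kiosk.sh and move both steps ahead of "sudo systemctl start kiosk.service". The autostart entry's "Exec=/home/pi/kiosk.sh" also launches the same script that kiosk.service already starts, so keep one of the two mechanisms.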
Latest revision as of 09:27, 30 October 2024
Contents
- 1 Setting up a Raspberry Pi
- 2 Setting up a new internal user
- 3 Securing SSH and setting up the UFW firewall
- 4 Setting up fail2ban for SSH
- 5 Setup CUPS
- 6 Add label printer to CUPS on Raspberry Pi - Zebra GK420d
- 7 Add A4 printer to CUPS on Raspberry Pi
- 8 Customer Firewall Setup
- 9 Add Printer to Skynet (Xenon)
- 10 Setting up Pi as a Kiosk
- 11 After Testing
- 12 Debugging
Setting up a Raspberry Pi
- Plug a 16GB or larger MicroSD Card into your computer.
- Download and open the Raspberry Pi Imager software.
  - If the Pi is being used as a Clocking In or Dispatch device, choose "Raspberry Pi OS (32-bit)".
  - If the Pi is being used as a Print Server, choose "Raspberry Pi OS Lite (32-bit)" under 'Raspberry Pi OS (Other)'.
- Open the Advanced Options by clicking the cog in the bottom right hand corner.
  - Tick 'Set hostname:' and input the hostname into the box.
  - If connecting over SSH straight away:
    - Tick 'Enable SSH'.
    - Click 'Use password authentication'.
    - Tick 'Set username and password'.
    - Leave Username as 'pi'.
    - Set a password and keep a note of it.
  - If the Pi will be connected to WiFi and you have the details:
    - Tick 'Configure wifi'.
    - Enter the 'SSID'.
    - Enter the 'Password'.
    - Leave Wifi country as 'GB'.
  - Tick 'Set locale Settings'.
- Click 'SAVE'.
- Click 'CHOOSE STORAGE' and ensure you choose the MicroSD Card to install to.
- Click 'WRITE'.
- Once it's installed, plug the MicroSD Card into the Pi.
- Connect the Pi to power & connect an Ethernet cable.
- Log in as user pi with the password set above.
- Note the IP address (run "ifconfig" if it doesn't show).
- Run the following commands:
  - sudo apt-get purge wolfram-engine scratch nuscratch sonic-pi idle3 smartsim java-common 'libreoffice*' -y
  - sudo apt clean
  - sudo apt-get autoremove -y
  - sudo apt-get update -y
  - sudo apt-get upgrade -y
  - sudo apt-get dist-upgrade -y
  - sudo apt-get install xdotool unclutter sed -y
  - sudo raspi-config - Only change the following options:
    - 1 System Options
      - S5 Boot / Auto Login
        - If the Pi is being used as a Print Server - Choose "B1 Console"
        - If the Pi is being used as a Clocking In or Dispatch device - Choose "B4 Desktop Autologin"
      - S6 Network at Boot - Set to "Yes"
      - (If the Pi is being used as a Print Server, ignore this) S7 Splash Screen - Set to "No"
    - 3 Interface Options
      - I2 - Set to "Yes"
      - I1, I3, I4, I5, I7, I8 - Set all to "No"
      - I6 - Set to "No" then "No" again
    - 6 Advanced Options
      - A1 Expand Filesystem - Run this
It will then ask if you want to reboot - Choose yes.
Setting up a new internal user
- sudo adduser skynet - note the new password.
- It will ask for a Full Name - set this as "Genisys Support" - for the other options just press Enter
- sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
- "sudo su - skynet" - double check this works fine.
- Log out of SSH and log back in as skynet.
- sudo pkill -u pi
Securing SSH and setting up the UFW firewall
For further reference, see CUPS UFW Firewall page
- sudo nano /etc/ssh/sshd_config
- Add "AllowUsers skynet"
- Ctrl X, Y, Enter
- sudo systemctl restart ssh
- sudo apt install ufw -y
- sudo ufw allow from 51.68.205.35 proto tcp to any port 22,53,631,5353 (Xenon)
- sudo ufw allow from 145.239.254.22 proto tcp to any port 22,53,631,5353 (Concorde)
- sudo ufw allow from 81.137.221.179 proto tcp to any port 22,53,631,5353 (Office)
- sudo ufw allow from 192.168.0.0/16 proto tcp to any port 22,53,631,5353 (Local)
- sudo ufw allow from Customer's IP Address proto tcp to any port 22,53,631,5353
- sudo ufw limit ssh/tcp (This will block attackers who have connected more than 5 times in 30 seconds)
- sudo ufw enable
Setting up fail2ban for SSH
- sudo apt install fail2ban -y
- sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- sudo nano /etc/fail2ban/jail.local
- Find:
    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    # will not ban a host which matches an address in this list. Several addresses
    # can be defined using space (and/or comma) separator.
    #ignoreip = 127.0.0.1/8::1
- Remove the #
- Remove 127.0.0.1/8 - leave the "::1" at the end
- Add 51.68.205.35 145.239.254.22 81.137.221.179 meadowview.zapto.org 192.168.0.0/16 - leave the "::1" at the end
- Then find:
    # "bantime" is the number of seconds that a host is banned.
    bantime = 10m
- Change 10m to 1y
- Then find:
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 10m
- Change 10m to 1y
- Then find:
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5
- Change 5 to 3
- Then find:
    #
    # JAILS
    #

    #
    # SSH servers
    #

    [sshd]

    # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
    # normal (default), ddos, extra or aggressive (combines all).
    # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
    #mode = normal
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s
Add the following below it:
    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 1y
- Ctrl X, Y, Enter
Fail2Ban must be restarted to load the new settings:
- sudo service fail2ban restart
Setup CUPS
- sudo apt install cups -y
- sudo usermod -a -G lpadmin pi
- sudo usermod -a -G lpadmin skynet
- sudo cupsctl --remote-any
- https://{internal_ip}:631 -> "Edit Configuration" and add this line to the bottom:
MaxJobs 0
- Find "<Location />" and "<Location /admin>" and replace the content inside both areas with (don't remove "</Location />" and "</Location /admin>"):
    Order allow,deny
    Allow from localhost
    Allow from 51.68.205.35
    Allow from 81.137.221.179
    Allow from 145.239.254.22
    Allow from 192.168.*
    Allow from <Customers' IP Address>
- Further below find "<Location /admin/log>" and add the following below "Require user @SYSTEM" (don't remove "</Location /admin/log>"):
    Order allow,deny
    Allow @LOCAL
    Allow from localhost
    Allow from 51.68.205.35
    Allow from 81.137.221.179
    Allow from 145.239.254.22
    Allow from 192.168.*
    Allow from <Customers' IP Address>
- Click "Save Changes".
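One way to check the result of the edits above, as an added example that is not part of the wiki page: a Python audit that parses the <Location> blocks of a cupsd.conf and reports any block that lacks "Order allow,deny" or carries an Allow source outside the page's list. The function names, the sample file and the 203.0.113.10 / 198.51.100.7 addresses are constructed for illustration.

```python
import ipaddress
import re

# Sources the page permits in cupsd.conf. The customer's address is
# site-specific, so the caller supplies it.
PAGE_SOURCES = {"localhost", "@LOCAL", "51.68.205.35", "81.137.221.179",
                "145.239.254.22", "192.168.*"}
# The Location blocks the page edits.
AUDITED_PATHS = ("/", "/admin", "/admin/log")

OPEN_TAG = re.compile(r"^<Location\s+(\S+)>$")
CLOSE_TAG = re.compile(r"^</Location\b.*>$")


def parse_locations(text):
    """Return {path: [(directive, argument), ...]} for every <Location> block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_TAG.match(line)
        if opened:
            current = blocks.setdefault(opened.group(1), [])
        elif CLOSE_TAG.match(line):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return blocks


def audit(text, customer_sources=()):
    """Return (path, problem) findings, in AUDITED_PATHS order."""
    for source in customer_sources:
        ipaddress.ip_network(source, strict=False)  # ValueError on a mistyped address
    allowed = PAGE_SOURCES | set(customer_sources)
    blocks = parse_locations(text)
    findings = []
    for path in AUDITED_PATHS:
        if path not in blocks:
            findings.append((path, "block missing"))
            continue
        directives = blocks[path]
        orders = [arg.replace(" ", "").lower()
                  for name, arg in directives if name.lower() == "order"]
        if orders != ["allow,deny"]:
            findings.append((path, "expected exactly one 'Order allow,deny'"))
        for name, arg in directives:
            if name.lower() != "allow":
                continue
            # "Allow from X" and "Allow X" both occur on the page; take the last token.
            source = arg.split()[-1] if arg else "(empty)"
            if source not in allowed:
                findings.append((path, f"unexpected Allow source: {source}"))
    return findings


# Constructed sample, not taken from a real host: /admin has been opened to
# everyone and /admin/log lacks the Order line and has a stray address.
SAMPLE_CUPSD_CONF = """\
# Constructed sample
MaxJobs 0
<Location />
  Order allow,deny
  Allow from localhost
  Allow from 51.68.205.35
  Allow from 81.137.221.179
  Allow from 145.239.254.22
  Allow from 192.168.*
  Allow from 203.0.113.10
</Location>
<Location /admin>
  Order allow,deny
  Allow from localhost
  Allow from all
</Location>
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Allow @LOCAL
  Allow from 198.51.100.7
</Location>
"""

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_CUPSD_CONF, ["203.0.113.10"]):
        print(f"{path}: {problem}")
```

On the Pi, read /etc/cups/cupsd.conf and pass its text to audit() together with the customer's address.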
Add label printer to CUPS on Raspberry Pi - Zebra GK420d
USB
- https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
- Click "Administration" then "Add Printer".
- Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue".
- Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue".
- Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer".
- On Default Options:
- Media Size -> "4.00x6.00"
- Resolution -> "203dpi"
- "Set Default Options".
If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
Ethernet
- https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
- Click "Administration" then "Add Printer".
- Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue.
- Put "socket://<IP Address of printer>" into the "Connection:" box then click "Continue".
- Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
- Make - Select "Zebra".
- Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer".
- On Default Options:
- Media Size -> "4.00x6.00"
- Resolution -> "203dpi"
- "Set Default Options".
If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
Add A4 printer to CUPS on Raspberry Pi
Ethernet
- https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
- Click "Administration" then "Add Printer".
- Find the printer in the "Discovered Network Printers" list then click Continue.
- Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
- Make should be pre-selected to the make of the printer.
- Model - The top option should be the correct one and match the make & model of the printer. If it also shows as "CUPS+Gutenprint vx.x.x (en)" that's the best one.
- On Default Options:
- Media Size -> "A4"
- Resolution -> "Automatic"
- 2-Sided Printing -> If the customer wants this on, set it as "Long Edge (Standard)" otherwise set it to "Off".
- "Set Default Options".
If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
File Change To Stop Right Side of Page Being Cut Off
- cd /etc/cups/ppd
- sudo nano printer_name.ppd
- Find "*DefaultImageableArea: A4"
- Find "*ImageableArea A4/A4: "10.000 12.000 585.000 830.000"" a few lines down from the above line.
- Change the numbers to "18.000 20.000 593.000 838.000".
- Ctrl X, Y, Enter
Customer Firewall Setup
Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.
- 631, 53, 5353 for cups (TCP and UDP)
- 22 for ssh (TCP)
Add Printer to Skynet (Xenon)
Normal ZPL Driver
- http://xenon.genisys-systems.co.uk:631/
- "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
- ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
- Name - Use our standard naming convention.
- Make - Select "Generic".
- Model - Select "Generic PDF Printer (en)".
- On Default Options:
- Resolution to 300 dpi
- Override A4 with Letter to "No"
- "Set Default Options"
If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"
EPL Driver (for DPD/UPS)
- http://xenon.genisys-systems.co.uk:631/
- "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
- ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
- Name - as above but with "_dpd" on the end of it.
- Make - Select "Raw".
- Model - Select "Raw Queue".
You will experience messages such as PPD errors, semi-colon errors etc. but this is normal for a RAW printer. No further setup is required.
Setting up Pi as a Kiosk
- sudo nano /home/pi/kiosk.sh
    #!/bin/bash
    export DISPLAY=:0
    xset s noblank
    xset s off
    xset -dpms
    unclutter -idle 0.5 -root &
    sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' /home/pi/.config/chromium/Default/Preferences
    sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences
    /usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk http://sams.spitfire-ams.co.uk/tablet_scan.php &
- Ctrl X, Y, Enter
- sudo nano /lib/systemd/system/kiosk.service
    [Unit]
    Description=Chromium Kiosk
    Wants=graphical.target
    After=graphical.target

    [Service]
    Environment=DISPLAY=:0.0
    Environment=XAUTHORITY=/home/pi/.Xauthority
    Type=simple
    ExecStart=/bin/bash /home/pi/kiosk.sh
    Restart=on-abort
    User=pi
    Group=pi

    [Install]
    WantedBy=graphical.target
- Ctrl X, Y, Enter
- sudo systemctl enable kiosk.service
- sudo systemctl start kiosk.service
- sudo nano /home/pi/.config/autostart/kiosk.desktop
    [Desktop Entry]
    Type=Application
    Name=Kiosk
    Exec=/home/pi/kiosk.sh
    X-GNOME-Autostart-enabled=true
- Ctrl X, Y, Enter
- sudo chmod 755 /home/pi/kiosk.sh
- sudo chown pi:pi /home/pi/kiosk.sh
After Testing
Once all of the above has been completed, you can test a print locally.
Debugging
Found by Ncroker:
This page has some cool debugging stuff: https://wiki.ubuntu.com/DebuggingPrintingProblems
It's for Ubuntu, but still seems to work on Xenon/Pi.