Skynet Software Wiki:Setup Pi

From Skynet Software Wiki
Revision as of 12:56, 12 January 2022 by Mlloyd (talk | contribs) (Y, not Ctrl Y, idiot.)

Setting up a Raspberry Pi

  1. Install "Raspberry Pi OS Lite" to a 16GB or larger MicroSD Card. (https://downloads.raspberrypi.org/imager/imager_latest.exe)
  2. If connecting over SSH straight away, put a file called "ssh" into the root folder.
  3. Plug MicroSD Card into Pi.
  4. Connect Pi to power, connect Ethernet cable or set up WiFi & connect to display.
  5. Log in as user "pi" with password "raspberry".
  6. Note the IP address (run "ifconfig" if it doesn't show)
  7. sudo apt-get purge wolfram-engine scratch scratch2 nuscratch sonic-pi idle3 -y
  8. sudo apt-get purge smartsim java-common minecraft-pi libreoffice* -y
  9. sudo apt clean
  10. sudo apt-get autoremove -y
  11. sudo apt-get update
  12. sudo apt-get upgrade
  13. sudo apt-get dist-upgrade
  14. sudo apt-get install xdotool unclutter sed
  15. sudo raspi-config - Only change the following options:
    1. 1 System Options
      • S3 Password - Change the password for the user "pi" - and keep track of it.
      • S4 Hostname - Change the hostname to something - and keep track of it.
      • S5 Boot / Auto Login - Choose "B1 Console" - NOT B2, B3 or B4.
      • S6 Network at Boot - Set to "Yes".
      • S7 Splash Screen - Set to "No".
    2. 3 Interface Options
      • I2 - Set to "Yes"
      • I1, I3, I4, I5, I7, I8 - Set all to "No".
      • I6 - Set to "No" then "No" again.
    3. 5 Localisation Options
      • Timezone - Set to "Europe" then "London".
      • WLAN Country - Set to "GB".
      • Locale - Scroll down to "en_GB.UTF-8 UTF-8" and hit Space to add a *. Do not remove the * from en_US.UTF-8 UTF-8.
      • Select en_GB.UTF-8.
    4. 6 Advanced Options
      • A1 Expand Filesystem - Run this.

It will then ask if you want to reboot - Choose yes.

Once rebooted, remove the "ssh" file you created earlier as it is no longer needed.

Setting up a new internal user

  1. sudo adduser skynet - note the new password.
  2. It will ask for a Full Name - set this as "Spitfire Support" - for the other options just press Enter
  3. sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
  4. "sudo su - skynet" - double check this works fine.
  5. Logout of SSH and re-login as skynet.
  6. sudo pkill -u pi

Securing SSH and setting up the UFW firewall

For further reference, see the CUPS UFW Firewall page.

  1. sudo nano /etc/ssh/sshd_config
    • Add "AllowUsers skynet"
  2. Ctrl X, Y, Enter
  3. sudo systemctl restart ssh
  4. sudo apt install ufw -y
  5. sudo ufw allow ssh
  6. sudo ufw allow 631
  7. sudo ufw allow 5353
  8. sudo ufw allow 53
  9. sudo ufw enable
  10. sudo ufw limit ssh/tcp (This will block attackers who have connected more than 5 times in 30 seconds)
  11. sudo ufw allow from 84.92.64.163 to any port 22 (Plusnet)
  12. sudo ufw allow from 212.140.134.122 to any port 22 (Lea House)
  13. sudo ufw allow from 217.182.136.107 to any port 22 (Recon)
  14. sudo ufw allow from 192.168.0.0/16 to any port 22
  15. sudo ufw allow from 84.92.64.163 to any port 631
  16. sudo ufw allow from 212.140.134.122 to any port 631
  17. sudo ufw allow from 217.182.136.107 to any port 631
  18. sudo ufw allow from 192.168.0.0/16 to any port 631
  19. sudo ufw allow from 84.92.64.163 to any port 5353
  20. sudo ufw allow from 212.140.134.122 to any port 5353
  21. sudo ufw allow from 217.182.136.107 to any port 5353
  22. sudo ufw allow from 192.168.0.0/16 to any port 5353
  23. sudo ufw allow from 84.92.64.163 to any port 53
  24. sudo ufw allow from 212.140.134.122 to any port 53
  25. sudo ufw allow from 217.182.136.107 to any port 53
  26. sudo ufw allow from 192.168.0.0/16 to any port 53
  27. sudo ufw allow from Customer's IP Address to any port 22
  28. sudo ufw allow from Customer's IP Address to any port 631
  29. sudo ufw allow from Customer's IP Address to any port 5353
  30. sudo ufw allow from Customer's IP Address to any port 53
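
The bare "allow 631", "allow 5353" and "allow 53" rules above admit any source, so the later "allow from ..." rules for those ports do not narrow who can connect. The script below is an added example, not part of the original wiki page, that reads `ufw status` output and lists each port reachable from Anywhere with the number of source-restricted rules on it; ufw_world_open and sample_status are hypothetical names and the status text is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): find ports that ufw leaves open to
# Anywhere, and count the source-restricted rules on the same port, which
# then do not narrow who can connect.

# Reads the text printed by `sudo ufw status` (plain or verbose) on stdin.
# Prints one line per world-reachable port: "<port> <action> <scoped rules>".
ufw_world_open() {
    awk '
        { gsub(/\(v6\)/, "") }                   # fold IPv6 rows onto the port
        $2 != "ALLOW" && $2 != "LIMIT" { next }  # skips headers, DENY, REJECT
        {
            from = ($3 == "IN") ? $4 : $3        # verbose mode prints "ALLOW IN"
            port = $1; sub(/\/.*/, "", port)     # 22/tcp -> 22
            if (from == "Anywhere") open[port] = $2
            else scoped[port]++
        }
        END { for (p in open) printf "%s %s %d\n", p, open[p], scoped[p] }
    ' | sort -n
}

# Constructed sample in the layout of `ufw status`; the real output on a Pi
# built from the steps above will have more rows.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
631                        ALLOW       Anywhere
5353                       ALLOW       Anywhere
53                         ALLOW       Anywhere
22                         ALLOW       84.92.64.163
22                         ALLOW       192.168.0.0/16
631                        ALLOW       84.92.64.163
631                        ALLOW       192.168.0.0/16
22/tcp (v6)                LIMIT       Anywhere (v6)
631 (v6)                   ALLOW       Anywhere (v6)
EOF
}

sample_status | ufw_world_open
# On the Pi itself: sudo ufw status | ufw_world_open
```

A port listed with a non-zero third column has allow-list rules that are redundant while the Anywhere rule remains.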

Setting up fail2ban for SSH

  1. sudo apt install fail2ban -y
  2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. sudo nano /etc/fail2ban/jail.local
    1. Find:
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
    2. Remove the #
    3. Remove 127.0.0.1/8 - leave the "::1" at the end
    4. Add 84.92.64.163 212.140.134.122 217.182.136.107 - leave the "::1" at the end
    5. Then find:
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Add the following below it:

[ssh]
 enabled  = true
 port     = ssh
 filter   = sshd
 logpath  = /var/log/auth.log
 maxretry = 3
 bantime  = -1
  4. Ctrl X, Y, Enter

Fail2Ban must be restarted to load the new settings:

  1. sudo service fail2ban restart

Setup CUPS

  1. sudo apt install cups -y
  2. sudo usermod -a -G lpadmin pi
  3. sudo usermod -a -G lpadmin skynet
  4. sudo cupsctl --remote-any
  5. https://{internal_ip}:631 -> "Edit Configuration" and add this line to the bottom:
MaxJobs 0
  6. Find "<Location />" and "<Location /admin>" and replace the content inside both areas with (don't remove the closing "</Location>" of either):
Order allow,deny
Allow from localhost
Allow from 84.92.64.163
Allow from 212.140.134.122
Allow from 217.182.136.107
Allow from 192.168.1.*
Allow from <Customers' IP Address>
  7. Further below find "<Location /admin/log>" and add the following below "Require user @SYSTEM" (don't remove the closing "</Location>"):
Order allow,deny
Allow from localhost
Allow from 84.92.64.163
Allow from 212.140.134.122
Allow from 217.182.136.107
Allow from 192.168.1.*
Allow from <Customers' IP Address>
  8. Once saved, make sure "Allow printing from the internet" is ticked.

Add label printer to CUPS on Raspberry Pi - Zebra GK420d

USB

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue".
    2. Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue".
    3. Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer".
  3. On Default Options:
    1. Media Size -> "4.00x6.00"
    2. Resolution -> "203dpi"
    3. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

Ethernet

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue.
    2. Put "socket://<IP Address of printer>" into the "Connection:" box then click "Continue".
    3. Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
    4. Make - Select "Zebra".
    5. Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer".
  3. On Default Options:
    1. Media Size -> "4.00x6.00"
    2. Resolution -> "203dpi"
    3. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

Add A4 printer to CUPS on Raspberry Pi

Ethernet

  1. https://{Raspberry Pi IP}:631 (change IP as required, user/pass is the skynet one)
  2. Click "Administration" then "Add Printer".
    1. Find the printer in the "Discovered Network Printers" list then click Continue.
    2. Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
    3. Make should be pre-selected to the make of the printer.
    4. Model - The top option should be the correct one and match the make & model of the printer. If it also shows as "CUPS+Gutenprint vx.x.x (en)" that's the best one.
  3. On Default Options:
    1. Media Size -> "A4"
    2. Resolution -> "Automatic"
    3. 2-Sided Printing -> If the customer wants this on, set it as "Long Edge (Standard)" otherwise set it to "Off".
    4. "Set Default Options".

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

File Change To Stop Right Side of Page Being Cut Off

  1. cd /etc/cups/ppd
  2. sudo nano printer_name.ppd
  3. Find "*DefaultImageableArea: A4"
  4. Find "*ImageableArea A4/A4: "10.000 12.000 585.000 830.000"" a few lines down from the above line.
  5. Change the numbers to "18.000 20.000 593.000 838.000".
  6. Ctrl X, Y, Enter

Customer Firewall Setup

Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.

  1. 631 for cups (TCP and UDP)
  2. 22 for ssh (TCP)

Add Printer to Spitfire (Recon)

Normal ZPL Driver

  1. https://recon.spitfire-ams.co.uk:631/
  2. "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
  3. ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
  4. Name - Use our standard naming convention.
  5. Make - Select "Generic".
  6. Model - Select "Generic PDF Printer (en)".
  7. On Default Options:
    1. Resolution to 300 dpi
    2. Override A4 with Letter to "No"
    3. "Set Default Options"

If you need to change the Default Options:
"Administration" -> "Manage Printers" -> click the printer -> "Administration" -> "Set Default Options"

EPL Driver (for DPD)

  1. https://recon.spitfire-ams.co.uk:631/
  2. "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
  3. ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
  4. Name - as above but with "_dpd" on the end of it.
  5. Make - Select "Raw".
  6. Model - Select "Raw Queue".

You will experience messages such as PPD errors, semi-colon errors etc. but this is normal for a RAW printer. No further setup is required.

Setting up Pi as a Kiosk

  1. sudo nano /home/pi/kiosk.sh
#!/bin/bash
# Launches Chromium in kiosk mode on the local X display.
export DISPLAY=:0
# Disable screen blanking, the screensaver and display power management.
xset s noblank
xset s off
xset -dpms
# Hide the mouse pointer after 0.5 seconds of inactivity.
unclutter -idle 0.5 -root &
# Clear Chromium's crash flags so it does not show the "restore session" prompt.
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' /home/pi/.config/chromium/Default/Preferences
sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences
# Run Chromium in the foreground: with Type=simple, systemd stops the service
# (and kills the browser) as soon as this script exits.
/usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk http://sams.spitfire-ams.co.uk/tablet_scan.php
  2. Ctrl X, Y, Enter
  3. sudo nano /lib/systemd/system/kiosk.service
[Unit]
Description=Chromium Kiosk
Wants=graphical.target
After=graphical.target
[Service]
Environment=DISPLAY=:0.0
Environment=XAUTHORITY=/home/pi/.Xauthority
Type=simple
ExecStart=/bin/bash /home/pi/kiosk.sh
Restart=on-abort
User=pi
Group=pi
[Install]
WantedBy=graphical.target
  4. Ctrl X, Y, Enter
  5. sudo systemctl enable kiosk.service
  6. sudo systemctl start kiosk.service
  7. sudo nano /home/pi/.config/autostart/kiosk.desktop
[Desktop Entry]
Type=Application
Name=Kiosk
Exec=/home/pi/kiosk.sh
X-GNOME-Autostart-enabled=true
  8. Ctrl X, Y, Enter
  9. sudo chmod 755 /home/pi/kiosk.sh
  10. sudo chown pi:pi /home/pi/kiosk.sh

After Testing

Once all of the above has been completed, you can test a print locally. Before sending it off to the customer, make sure the settings in "/etc/dhcpcd.conf" under "Make the Raspberry Pi Static" are commented out, as it will then be easier to locate the Pi on the customer's network and repeat any firewall steps.

Debugging

Found by Ncroker:

This page has some cool debugging stuff: https://wiki.ubuntu.com/DebuggingPrintingProblems
It's for Ubuntu, but still seems to work on Recon/Pi.