Pi 4 w/1GB of RAM is $30 https://www.adafruit.com/product/4295, which is ~the same price as buying older models.

Pi 4 has dual-band WiFi

Debian on Raspberry Pi

https://wiki.debian.org/RaspberryPi

https://wiki.debian.org/RaspberryPiImages

Actual images and instructions https://raspi.debian.net/. gwolf makes them, a Tor person!

Before first boot

The pi-init.sh script in gitolite:arduino/pi-playbooks.git does what is needed, assuming you have the image from above. What follows is some notes that were being taken while writing it.

Generate host SSH keys

# sudo is necessary if the pi's etc/ssh directory is owned by root
cd /path/to/piroot/etc/ssh
sudo ssh-keygen -t rsa -f ssh_host_rsa_key -C '' -P ''
sudo ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -C '' -P ''
sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -C '' -P ''

Configure internet

See /etc/network/interfaces.d/*

If only Ethernet is desired, then everything should work fine as-is.

If WiFi, then edit wlan0 to have the SSID and password. As of Debian 10 and the images being generated by gwolf today, it should look like

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-ssid A multi-word SSID need not quotes
    wpa-psk ThePassword

Use ifup/ifdown.

Pubkey auth for root

# Make sure you are root or chown everything done here to root
cd /path/to/piroot/root
mkdir .ssh
chmod 700 !$
cd !$
touch authorized_keys
chmod 600 !$
# Put the pubkey into authorized_keys. Using the key on horsehead in December 2020:
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjlOza4cGtHbh1P6c1x/BVd4G0TImR2i1u7uvGHsyXb arduino@horsehead' >> authorized_keys

On first boot

The majority of the repo gitolite:arduino/pi-playbooks.git handles this stuff.

Packages

To create a pi that acts as a hotspot/captive portal (so that you are forced to its web interface and can configure it or whatever), the key packages you need are:

  • nginx
  • dnsmasq
  • hostapd

Nginx for the webserver, obviously.

Dnsmasq resolves all DNS requests to the Pi's IP, which means that when a device looks for a captive portal, e.g. with a request to http://captiveportal.example.com, it notices it didn't get what it expected and prompts the user to "login" using the Pi's webserver.

Hostapd ... idk exactly how it does what it does, and I feel like I could have configured the WiFi interface myself, as I think that's all else that's needed. Regardless, it configures the WiFi interface to be an access point and sets the SSID, channel, etc.

No iptables or net.ipv4.ip_forward changes needed.

See the pi-playbooks repo for more details, but I wrote a very simple Flask website that gets WiFi creds from a web form. nginx and gunicorn were used, though I don't think either is required. Not for something this simple.
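
An added example, not taken from the pi-playbooks repo: one way a form handler could validate the submitted SSID and password before writing them into the wlan0 stanza shown earlier, so that a newline or trailing backslash in a form field cannot add or swallow directives. The function names and the passphrase-only rule (no 64-hex raw PSK) are assumptions.

```python
import os
import tempfile

# Stanza layout copied from the wlan0 example on this page.
STANZA = ("allow-hotplug wlan0\niface wlan0 inet dhcp\n"
          "    wpa-ssid {ssid}\n    wpa-psk {psk}\n")


def check_value(name, value):
    """Reject input that could change the structure of the interfaces file."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        # \n or \r would let a form field start a new directive line.
        raise ValueError(f"{name}: control character")
    if value != value.strip():
        raise ValueError(f"{name}: leading or trailing whitespace")
    if value.endswith("\\"):
        # interfaces(5): a trailing backslash continues the line, which
        # would swallow the directive that follows.
        raise ValueError(f"{name}: trailing backslash")


def render_wlan0(ssid, psk):
    """Return the wlan0 stanza for validated credentials."""
    check_value("ssid", ssid)
    check_value("psk", psk)
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("ssid: must be 1 to 32 bytes")
    # Assumption: passphrases only, so 8 to 63 printable ASCII characters.
    if not 8 <= len(psk) <= 63 or not psk.isascii():
        raise ValueError("psk: must be 8 to 63 ASCII characters")
    return STANZA.format(ssid=ssid, psk=psk)


def write_wlan0(path, ssid, psk):
    """Write the stanza atomically; the file is mode 0600 from creation."""
    text = render_wlan0(ssid, psk)
    # mkstemp creates the file with mode 0600 before any secret is written.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(text)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Run as root, write_wlan0("/etc/network/interfaces.d/wlan0", ssid, psk) leaves the file root-owned with mode 600.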

Vestigial notes

Other packages to make sure are installed and configured: dnsmasq, hostapd. /etc/dnsmasq.conf (root:root 644) and /etc/hostapd/hostapd.conf (root:root 644)

net.ipv4.ip_forward does not seem to be needed.

Resolving all DNS requests to the pi's IP does seem to be needed. /etc/dnsmasq.conf should have address=/#/192.168.33.1 in it.

iptables rules do not seem to be needed.

/etc/network/interfaces.d/wlan0 root:root 600

Had to unmask hostapd before starting it.

This was the last webpage that I needed: https://www.cyberciti.biz/faq/debian-ubuntu-linux-setting-wireless-access-point/

TODO

Figure out the Pi's IP.

Run ansible playbook that does a bunch of stuff like update packages, install new packages, configure tor.