[[!toc levels=3]]

Pi 4 w/1GB of RAM is $30, which is ~the same price as buying older models. Pi 4 has dual-band WiFi.

# Debian on Raspberry Pi

Actual images and instructions. gwolf makes them, a Tor person!

## Before first boot

The `pi-init.sh` script in `gitolite:arduino/pi-playbooks.git` does what is needed, assuming you have the image from above. What follows are some notes that were taken while writing it.

### Generate host SSH keys

```
# sudo is necessary if the pi's etc/ssh directory is owned by root
cd /path/to/piroot/etc/ssh
sudo ssh-keygen -t rsa -f ssh_host_rsa_key -C '' -P ''
sudo ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -C '' -P ''
sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -C '' -P ''
```

### Configure internet

See `/etc/network/interfaces.d/*`.

If only Ethernet is desired, then everything should work fine as-is.

If WiFi, then edit `wlan0` to have the SSID and password. As of Debian 10 and the images being generated by gwolf today, it should look like

```
allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-ssid A multi-word SSID need not quotes
    wpa-psk ThePassword
```

Use ifup/ifdown.

### Pubkey auth for root

```
# Make sure you are root or chown everything done here to root
cd /path/to/piroot/root
mkdir .ssh
chmod 700 .ssh
cd .ssh
touch authorized_keys
chmod 600 authorized_keys
# Put the pubkey into authorized_keys. Using the key on horsehead in December 2020:
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPjlOza4cGtHbh1P6c1x/BVd4G0TImR2i1u7uvGHsyXb arduino@horsehead' >> authorized_keys
```

## On first boot

The majority of the repo `gitolite:arduino/pi-playbooks.git` handles this stuff.

### Packages

To create a pi that acts as a hotspot/captive portal (so that you are forced to its web interface and can configure it or whatever), the key packages you need are:

- nginx
- dnsmasq
- hostapd

Nginx for the webserver, obviously.

Dnsmasq resolves all DNS requests to the Pi's IP, which means when a device looks for a captive portal, e.g. with a request to http://captiveportal.example.com, it notices it didn't get what it expected and prompts the user to "login" using the pi's webserver.

Hostapd ... idk exactly how it does what it does, and I feel like I could have configured the WiFi interface myself, as I **think** that's all else that's needed. Regardless, it configures the WiFi interface to be an access point and sets the SSID, channel, etc.

No iptables or `net.ipv4.ip_forward` changes needed.

See the pi-playbooks repo for more details, but I wrote a very simple flask website that gets wifi creds from a web form. nginx and gunicorn were used, though I don't think either is required. Not for something this simple.

### Vestigial notes

Other packages to make sure are installed and configured: dnsmasq, hostapd.

`/etc/dnsmasq.conf` (root:root 644) and `/etc/hostapd/hostapd.conf` (root:root 644)

`net.ipv4.ip_forward` does *not* seem to be needed.

Resolving all DNS requests to the pi's IP **does** seem to be needed. `/etc/dnsmasq.conf` should have `address=/#/192.168.33.1` in it.

iptables rules do *not* seem to be needed.

`/etc/network/interfaces.d/wlan0` root:root 600

Had to unmask hostapd before starting it.

This was the last webpage that I needed:

**TODO** Figure out the Pi's IP.

Run ansible playbook that does a bunch of stuff like update packages, install new packages, configure tor.
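
The "Before first boot" steps (host keys, root's `authorized_keys`, the `wlan0` file holding `wpa-psk`) can be checked on the mounted image before it is booted. This is an added example, not part of `pi-init.sh` or the pi-playbooks repo; the function names are hypothetical, and the expected paths and modes are the ones given in these notes.

```shell
#!/bin/sh
# Added example: audit a mounted Pi root filesystem before first boot.
# Expected paths and modes follow the notes above; the function names are
# hypothetical and not taken from pi-init.sh. Modes only, not ownership.

# has_mode PATH MODE: true if PATH exists with exactly octal MODE
has_mode() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2")" ]
}

# fail MESSAGE: report a finding and count it
fail() {
    echo "FAIL  $1"
    FAILS=$((FAILS + 1))
}

# check PATH MODE: report whether PATH has the wanted mode
check() {
    if has_mode "$1" "$2"; then echo "ok    $2 $1"; else fail "want mode $2: $1"; fi
}

# audit_piroot ROOT: returns the number of failed checks
audit_piroot() {
    root=$1
    FAILS=0
    for t in rsa ecdsa ed25519; do
        check "$root/etc/ssh/ssh_host_${t}_key" 600
        # ssh-keygen writes the public half next to the private key
        [ -s "$root/etc/ssh/ssh_host_${t}_key.pub" ] || fail "missing ssh_host_${t}_key.pub"
    done
    check "$root/root/.ssh" 700
    check "$root/root/.ssh/authorized_keys" 600
    # an empty file leaves pubkey auth for root with no key to accept
    [ -s "$root/root/.ssh/authorized_keys" ] || fail "authorized_keys is empty or missing"
    # wlan0 holds wpa-psk in clear text; audited only when WiFi is configured
    wlan="$root/etc/network/interfaces.d/wlan0"
    if [ -e "$wlan" ]; then check "$wlan" 600; fi
    return "$FAILS"
}

# Run against a mounted image when a path is given: sh audit.sh /path/to/piroot
if [ "$#" -gt 0 ]; then audit_piroot "$1"; fi
```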