Raspberry Pi 2 Thin Client Test VM Notes
========================================

Download Raspbian Jessie Lite.

    https://www.raspberrypi.org/downloads/raspbian/

Unzip the image, and write it to an SD card (double-check the device!):

    # dd status=progress if=raspbian.img of=/dev/sdd bs=1M

Boot the Raspberry Pi. Log in with user "pi" and password "raspberry".
Run `ip addr sh`. We can do much of the rest over ssh.

Run this, and set the keyboard to a US layout:

    # dpkg-reconfigure keyboard-configuration

In /boot/config.txt:

    hdmi_group=2
    hdmi_mode=82

See more about config.txt at:

    https://www.raspberrypi.org/documentation/configuration/config-txt.md

Resize the partition and file system:

    # raspi-config

If we're running an apt proxy server, edit or create /etc/apt/apt.conf.d/02proxy:

    Acquire::http::proxy "http://aptcache.example.com:3142";

Install packages:

    # apt-get update
    # apt-get upgrade
    # apt-get install xfce4 lightdm vim x11vnc ntpdate openntpd remmina conky iceweasel

Configure OpenNTPd. Edit /etc/openntpd/ntpd.conf. Add these as the first servers:

    servers 10.0.0.1
    servers 10.0.0.2
    servers 10.0.0.3

Set the time zone:

    # dpkg-reconfigure tzdata

Edit /etc/default/openntpd:

    DAEMON_OPTS="-s -f /etc/openntpd/ntpd.conf"

(The -s flag lets it correct greater than 180 seconds of drift at startup.
The Pi doesn't have a real time clock.)

Select "en_US.UTF-8 UTF-8" from:

    # dpkg-reconfigure locales

Set the default editor to vim.basic:

    # update-alternatives --config editor

Enable autologin (example user is "pi"). Edit /etc/lightdm/lightdm.conf:

    [SeatDefaults]
    autologin-user=pi
    autologin-user-timeout=0

Configure x11vnc.

    # x11vnc -storepasswd ***passwd*** /etc/x11vnc.pass
    # chmod 600 /etc/x11vnc.pass

Edit (create) /etc/systemd/system/x11vnc.service:

    [Unit]
    Description=VNC Server for X11
    Requires=display-manager.service
    After=display-manager.service

    [Service]
    Type=forking
    ExecStart=/usr/bin/x11vnc -norc -forever -shared -bg -rfbauth /etc/x11vnc.pass -allow 10.0.0. -autoport 5900 -display :0.0 -auth /home/pi/.Xauthority -o /var/log/x11vnc.log
    Restart=on-failure
    RestartSec=10

    [Install]
    WantedBy=graphical.target

Enable the x11vnc service:

    # systemctl enable x11vnc.service

Disable screen locking:

- In the xfce Screensaver Preferences:
  - Blank Screen Only
  - Uncheck lock screen after

(I believe this just gets saved as ~/.xscreensaver.)

In the Action menu, remove everything except:

- Shutdown
- Restart

Create /home/pi/terminal.remmina:

    [remmina]
    disableclipboard=0
    ssh_auth=0
    clientname=
    quality=1
    ssh_charset=
    ssh_privatekey=
    sharesmartcard=0
    resolution=
    group=
    password=
    name=Terminal
    ssh_loopback=0
    shareprinter=0
    ssh_username=
    ssh_server=
    security=tls
    protocol=RDP
    execpath=
    sound=off
    exec=
    ssh_enabled=0
    username=
    sharefolder=
    console=0
    domain=EXAMPLE
    server=terminal.example.com
    colordepth=16
    window_maximize=0
    window_height=1076
    window_width=1916
    viewmode=4

Create an xfce desktop launcher to run the command:

    remmina -c terminal.remmina

Create desktop URL links to:

- Time Clock: https://exampleinc.attendanceondemand.com/ess/
- Paycor: https://secure.paycor.com/Accounts/Authentication/Signin
- Emergency News: http://emergency.example.com

Remove the Home, File System, and Trash desktop icons in Desktop Settings.

Set the custom desktop background.
Edit ~/.conkyrc:

    own_window yes
    own_window_transparent yes
    own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
    alignment bottom_right
    double_buffer yes
    update_interval 10.0
    total_run_times 0
    use_xft yes
    TEXT
    IP Address: ${addr eth0}

Make conky autostart with xfce:

    % mkdir -p /home/pi/.config/autostart
    % vim /home/pi/.config/autostart/Conky.desktop

    [Desktop Entry]
    Encoding=UTF-8
    Version=0.9.4
    Type=Application
    Name=Conky
    Comment=
    Exec=/usr/bin/conky -d
    OnlyShowIn=XFCE;
    StartupNotify=false
    Terminal=false
    Hidden=false

Configure Firefox/Iceweasel settings:

- General: When Iceweasel starts: Show my home page
- General: Home page https://intranet.example.com
- Privacy: History: Never remember history
- about:config signon.autofillForms to false
- about:config privacy.clearOnShutdown.passwords to true
- about:config privacy.clearOnShutdown.formdata to true

Set file permissions:

    # chown -R root:root /home/pi/terminal.remmina /home/pi/htdesktop.png /home/pi/Desktop/ /home/pi/.xscreensaver
    # chmod -R 755 /home/pi/Desktop/
    # chmod 644 /home/pi/htdesktop.png /home/pi/terminal.remmina /home/pi/.xscreensaver

Apparently, xfce _needs_ write permissions to ~/.config/xfce* to work, so we need
to make our customized settings the system-wide default.

    # cp /home/pi/.config/xfce4/xfconf/xfce-perchannel-xml/* /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/
    # rm /home/pi/.config/xfce4/xfconf/xfce-perchannel-xml/*
    # chown -R root:root /home/pi/.config
    # chmod -R 644 /home/pi/.config/
    # chmod -R a+X /home/pi/.config/

Remmina (freerdp) nags about the server certificate if the user doesn't have
this write permission:

    # chown pi:root /home/pi/.config/freerdp/known_hosts
    # chmod 660 /home/pi/.config/freerdp/known_hosts

Set up iptables firewall.
    # iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # iptables -A INPUT -i lo -j ACCEPT
    # iptables -I INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    # iptables -A INPUT -p icmp -j ACCEPT
    # iptables -A INPUT -p udp --sport 123 -j ACCEPT
    # iptables -A INPUT -i eth0 -p tcp -s 10.0.0.0/24 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A INPUT -i eth0 -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables --policy INPUT DROP
    # ip6tables --policy INPUT DROP
    # ip6tables -A INPUT -i lo -j ACCEPT
    # mkdir /etc/iptables
    # iptables-save > /etc/iptables/rules.v4
    # ip6tables-save > /etc/iptables/rules.v6
    # cat > /etc/network/if-pre-up.d/iptables << EOL
    #!/bin/bash
    /sbin/iptables-restore < /etc/iptables/rules.v4
    /sbin/ip6tables-restore < /etc/iptables/rules.v6
    EOL
    # chmod 0755 /etc/network/if-pre-up.d/iptables

Make sudo ask for a password, except for shutdown and reboot:

    # visudo

    - pi ALL=(ALL) NOPASSWD: ALL
    + pi ALL=(ALL) ALL

(Apparently, we don't need to allow the user to shutdown and reboot in sudoers,
because systemd allows non-remote users to do so by default.)

When we clone the SD cards, we want them to get a unique hostname and unique
ssh keys. Create /root/bin/individualize_rpi_clone.sh:

    #!/bin/sh
    # /root/bin/individualize_rpi_clone.sh
    # Test if this Raspbian box is freshly cloned.
    # If it is, set the hostname and regenerate ssh keys.
    # Paul Gorman, February 2016

    CURRENT_HOSTNAME=$(/bin/hostname)
    VIRGIN_HOSTNAME='raspberrypi'
    HOSTNAME_FILE='/etc/hostname'
    HOSTS_FILE='/etc/hosts'

    if [ "$CURRENT_HOSTNAME" = "$VIRGIN_HOSTNAME" ]; then
        # Derive a unique name from the eth0 MAC address: "rpi2-" followed
        # by the MAC with the colons stripped.
        NEW_HOSTNAME=rpi2-$(sed -e 's/://g' /sys/class/net/eth0/address)
        sed -i "s/${VIRGIN_HOSTNAME}/${NEW_HOSTNAME}/g" "$HOSTNAME_FILE"
        sed -i "s/${VIRGIN_HOSTNAME}/${NEW_HOSTNAME}/g" "$HOSTS_FILE"
        hostname "$NEW_HOSTNAME"
        # Replace the host keys inherited from the master image. "yes" answers
        # ssh-keygen's overwrite prompt for the existing key files.
        yes | ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
        yes | ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
        yes | ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
        yes | ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    fi

Make it executable:

    # chmod 755 /root/bin/individualize_rpi_clone.sh

Create the file /etc/systemd/system/individualize_rpi_clone.service:

    [Unit]
    Description=Individualize Raspberry Pi clone

    [Service]
    Type=oneshot
    ExecStart=/root/bin/individualize_rpi_clone.sh
    RemainAfterExit=yes

    [Install]
    WantedBy=basic.target

Enable the service:

    # systemctl enable individualize_rpi_clone.service
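As an added check for the firewall section above (example code written for these notes, not part of the original setup), this POSIX shell script audits a saved rules.v4 file, in the format iptables-save writes, for the three properties those rules are meant to give a thin client: a DROP default policy on INPUT, a loopback accept, and ssh/VNC accepts limited to the 10.0.0.0/24 management network. The two sample rule sets are constructed inline; the management network is assumed to be the one in the notes.

```shell
#!/bin/sh
# Audit an iptables-save file for the thin-client firewall properties.
# Added example for these notes, not part of the original setup.
# Assumption: ssh and VNC should only be reachable from MGMT_NET.
MGMT_NET='10.0.0.0/24'

# audit_rules FILE: print findings; return 0 if FILE passes, 1 otherwise.
audit_rules() {
    f="$1"; rc=0
    # The "--policy INPUT DROP" step must have been saved.
    grep -q '^:INPUT DROP' "$f" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    # Without a loopback accept, local services break under a DROP policy.
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "FAIL: no loopback rule"; rc=1; }
    # Every ACCEPT for ssh (22) or VNC (5900) must carry the management-net source.
    loose=$(grep -E -- '^-A INPUT .*--dport (22|5900) .*-j ACCEPT' "$f" |
            grep -vc -- "-s $MGMT_NET" || true)
    [ "$loose" -eq 0 ] || { echo "FAIL: $loose ssh/VNC rule(s) not limited to $MGMT_NET"; rc=1; }
    return $rc
}

# Constructed sample: what iptables-save writes after the commands in the notes.
good_rules() {
    cat << 'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample of a common slip: the policy step was skipped and the
# ssh rule was entered without its "-s" source restriction.
bad_rules() {
    good_rules | sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' \
        -e 's/^-A INPUT -s 10\.0\.0\.0\/24 \(.*--dport 22 \)/-A INPUT \1/'
}

# Usage: sh audit_rules.sh /etc/iptables/rules.v4
if [ $# -gt 0 ]; then audit_rules "$1"; fi
```

Run it against /etc/iptables/rules.v4 after the iptables-save step, and again after a reboot against the output of `iptables-save`, to confirm the if-pre-up.d hook restored the same rules.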