Download Raspbian Jessie Lite. https://www.raspberrypi.org/downloads/raspbian/
Unzip the image, and write it to an SD card (double-check the device!):
# dd status=progress if=raspbian.img of=/dev/sdd bs=1M
Boot the Raspberry Pi. Log in with user “pi” and password “raspberry”.
Run ip addr sh to find the Pi's address. We can do much of the rest over ssh.
Run this, and set the keyboard to a US layout:
# dpkg-reconfigure keyboard-configuration
In /boot/config.txt, set:
hdmi_group=2
hdmi_mode=82
See more about config.txt at: https://www.raspberrypi.org/documentation/configuration/config-txt.md
Resize the partition and file system:
# raspi-config
If we’re running an apt proxy server, edit or create /etc/apt/apt.conf.d/02proxy:
Acquire::http::proxy "http://aptcache.example.com:3142";
Install packages:
# apt-get update
# apt-get upgrade
# apt-get install xfce4 lightdm vim x11vnc ntpdate openntpd remmina conky iceweasel
Configure OpenNTPd. Edit /etc/openntpd/ntpd.conf. Add these as the first servers:
servers 10.0.0.1
servers 10.0.0.2
servers 10.0.0.3
Set the time zone:
# dpkg-reconfigure tzdata
Edit /etc/default/openntpd:
DAEMON_OPTS="-s -f /etc/openntpd/ntpd.conf"
(The -s flag lets it correct greater than 180 seconds of drift at startup. The Pi doesn’t have a real time clock.)
Select “en_US.UTF-8 UTF-8” from:
# dpkg-reconfigure locales
Set the default editor to vim.basic:
# update-alternatives --config editor
Enable autologin (example user is “pi”). Edit /etc/lightdm/lightdm.conf:
[SeatDefaults]
autologin-user=pi
autologin-user-timeout=0
Configure x11vnc.
# x11vnc -storepasswd ***passwd*** /etc/x11vnc.pass
# chmod 600 /etc/x11vnc.pass
Edit (create) /etc/systemd/system/x11vnc.service:
[Unit]
Description=VNC Server for X11
Requires=display-manager.service
After=display-manager.service
[Service]
Type=forking
ExecStart=/usr/bin/x11vnc -norc -forever -shared -bg -rfbauth /etc/x11vnc.pass -allow 10.0.0. -autoport 5900 -display :0.0 -auth /home/pi/.Xauthority -o /var/log/x11vnc.log
Restart=on-failure
RestartSec=10
[Install]
WantedBy=graphical.target
Enable the x11vnc service:
# systemctl enable x11vnc.service
Disable screen locking. In the xfce Screensaver Preferences:
- Blank Screen Only
- Uncheck lock screen after
(I believe this just gets saved as ~/.xscreensaver.)
In the Action menu, remove everything except:
- Shutdown
- Restart
Create /home/pi/terminal.remmina:
[remmina]
disableclipboard=0
ssh_auth=0
clientname=
quality=1
ssh_charset=
ssh_privatekey=
sharesmartcard=0
resolution=
group=
password=
name=Terminal
ssh_loopback=0
shareprinter=0
ssh_username=
ssh_server=
security=tls
protocol=RDP
execpath=
sound=off
exec=
ssh_enabled=0
username=
sharefolder=
console=0
domain=EXAMPLE
server=terminal.example.com
colordepth=16
window_maximize=0
window_height=1076
window_width=1916
viewmode=4
Create an xfce desktop launcher to run the command:
remmina -c terminal.remmina
Create desktop URL links to:
- Time Clock: https://exampleinc.attendanceondemand.com/ess/
- Paycor: https://secure.paycor.com/Accounts/Authentication/Signin
- Emergency News: http://emergency.example.com
Remove the Home, File System, and Trash desktop icons in Desktop Settings.
Set the custom desktop background.
Edit ~/.conkyrc:
own_window yes
own_window_transparent yes
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
alignment bottom_right
double_buffer yes
update_interval 10.0
total_run_times 0
use_xft yes
TEXT
IP Address: ${addr eth0}
Make conky autostart with xfce:
% mkdir -p /home/pi/.config/autostart
% vim /home/pi/.config/autostart/Conky.desktop
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=Conky
Comment=
Exec=/usr/bin/conky -d
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=false
Hidden=false
Configure Firefox/Iceweasel settings:
- General: When Iceweasel starts: Show my home page
- General: Home page https://intranet.example.com
- Privacy: History: Never remember history
- about:config signon.autofillForms to false
- about:config privacy.clearOnShutdown.passwords to true
- about:config privacy.clearOnShutdown.formdata to true
Set file permissions:
# chown -R root:root /home/pi/terminal.remmina /home/pi/htdesktop.png /home/pi/Desktop/ /home/pi/.xscreensaver
# chmod -R 755 /home/pi/Desktop/
# chmod 644 /home/pi/htdesktop.png /home/pi/terminal.remmina /home/pi/.xscreensaver
Apparently, xfce needs write permissions to ~/.config/xfce* to work, so we need to make our customized settings the system-wide default.
# cp /home/pi/.config/xfce4/xfconf/xfce-perchannel-xml/* /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/
# rm /home/pi/.config/xfce4/xfconf/xfce-perchannel-xml/*
# chown -R root:root /home/pi/.config
# chmod -R 644 /home/pi/.config/
# chmod -R a+X /home/pi/.config/
Remmina (freerdp) nags about the server certificate if the user doesn’t have this write permission:
# chown pi:root /home/pi/.config/freerdp/known_hosts
# chmod 660 /home/pi/.config/freerdp/known_hosts
Set up the iptables firewall:
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -I INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -p udp --sport 123 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -s 10.0.0.0/24 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables --policy INPUT DROP
# ip6tables --policy INPUT DROP
# ip6tables -A INPUT -i lo -j ACCEPT
# mkdir /etc/iptables
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6
# cat > /etc/network/if-pre-up.d/iptables << EOL
#!/bin/bash
/sbin/iptables-restore < /etc/iptables/rules.v4
/sbin/ip6tables-restore < /etc/iptables/rules.v6
EOL
# chmod 0755 /etc/network/if-pre-up.d/iptables
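After the rules are saved it is worth confirming, on the box and again after any later "quick fix", that the INPUT chain is still default-deny and that VNC and ssh are still limited to the 10.0.0.0/24 source. The helper below is an added example, not part of the original notes: it parses iptables-save text (a constructed sample matching the rules above, plus a constructed bad ruleset with the policy reset to ACCEPT and port 5900 opened to everyone) and reports any TCP port accepted without a source restriction. On a live box feed it the real output with audit_input "$(iptables-save)".

```shell
#!/bin/sh
# Added audit helper (not part of the original notes): parse iptables-save output
# and confirm the INPUT chain is default-deny with no TCP service open to any source.

# Constructed sample of what `iptables-save` prints after the rules above are loaded
# (counters are made up).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed counter-example: the policy fell back to ACCEPT and VNC was opened
# to every source. The audit must reject this.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# input_policy RULES -> prints the INPUT chain policy (DROP or ACCEPT)
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# open_tcp_ports RULES -> one line per accepted TCP dport in INPUT: "<port> <source>",
# where source is "any" when the rule carries no -s restriction
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            port = ""; src = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") src = $(i + 1)
            }
            if (port != "") print port, src
        }'
}

# unrestricted_tcp_ports RULES -> TCP ports accepted from any source (should print nothing)
unrestricted_tcp_ports() {
    open_tcp_ports "$1" | awk '$2 == "any" { print $1 }'
}

# audit_input RULES -> returns 0 if the policy is DROP and nothing is open to the
# world, 1 otherwise; findings go to stderr
audit_input() {
    if [ "$(input_policy "$1")" != "DROP" ]; then
        echo "FAIL: INPUT policy is not DROP" >&2
        return 1
    fi
    open=$(unrestricted_tcp_ports "$1")
    if [ -n "$open" ]; then
        echo "FAIL: TCP ports open to any source: $open" >&2
        return 1
    fi
    echo "OK: INPUT is default-deny; accepted TCP ports (port source):" >&2
    open_tcp_ports "$1" >&2
    return 0
}

# On a live box: audit_input "$(iptables-save)"
audit_input "$SAMPLE_RULES"
```

The parser keys on the -A INPUT ... -p tcp ... -j ACCEPT shape that iptables-save emits, so it also catches a rule that was added interactively and never saved, as long as it is run against live iptables-save output rather than the file in /etc/iptables.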
Make sudo ask for a password, except for shutdown and reboot:
# visudo
- pi ALL=(ALL) NOPASSWD: ALL
+ pi ALL=(ALL) ALL
(Apparently, we don’t need to allow the user to shutdown and reboot in sudoers, because systemd allows non-remote users to do so by default.)
When we clone the SD cards, we want them to get a unique hostname and unique ssh keys. Create /root/bin/individualize_rpi_clone.sh:
#!/bin/sh
# /root/bin/individualize_rpi_clone.sh
# Test if this Raspbian box is freshly cloned.
# If it is, set the hostname and regenerate ssh keys.
# Paul Gorman, February 2016
CURRENT_HOSTNAME=$(/bin/hostname)
VIRGIN_HOSTNAME='raspberrypi'
HOSTNAME_FILE='/etc/hostname'
HOSTS_FILE='/etc/hosts'
if [ "$CURRENT_HOSTNAME" = "$VIRGIN_HOSTNAME" ]; then
    # Derive a unique name from the wired MAC address, with the colons removed.
    NEW_HOSTNAME="rpi2-$(tr -d ':' < /sys/class/net/eth0/address)"
    sed -i "s/${VIRGIN_HOSTNAME}/${NEW_HOSTNAME}/g" "$HOSTNAME_FILE"
    sed -i "s/${VIRGIN_HOSTNAME}/${NEW_HOSTNAME}/g" "$HOSTS_FILE"
    hostname "$NEW_HOSTNAME"
    # Replace the host keys inherited from the image; "yes" answers the overwrite prompt.
    yes | ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
    yes | ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
    yes | ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
    yes | ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
fi
Make it executable:
# chmod 755 /root/bin/individualize_rpi_clone.sh
Create the file /etc/systemd/system/individualize_rpi_clone.service:
[Unit]
Description=Individualize Raspberry Pi clone
[Service]
Type=oneshot
ExecStart=/root/bin/individualize_rpi_clone.sh
RemainAfterExit=yes
[Install]
WantedBy=basic.target
Enable the service:
# systemctl enable individualize_rpi_clone.service
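The point of the service above is that no two kiosks share a hostname or an ssh host key; if the script ever fails to run (a stale /etc/hostname on the image, a missing eth0), every clone keeps the golden image's keys, so recovering one key compromises the identity of all of them and known_hosts pinning on the admin side becomes meaningless. The check below is an added example, not part of the original notes: it derives the hostname the same way the script does and compares a list of fingerprints recorded from the golden image (constructed sample in the format printed by recent ssh-keygen -lf, with made-up fingerprint values) against the fingerprints of the box being checked. On a live box, build the current list with ssh-keygen -lf over /etc/ssh/ssh_host_*_key.pub as shown in the trailing comment.

```shell
#!/bin/sh
# Added check (not part of the original notes): confirm a cloned Pi really was
# individualized, i.e. it no longer has the default hostname or the golden
# image's ssh host keys.

# clone_hostname MAC -> the name individualize_rpi_clone.sh assigns:
# "rpi2-" followed by the MAC address without colons
clone_hostname() {
    printf 'rpi2-%s\n' "$1" | tr -d ':'
}

# Constructed sample: `ssh-keygen -lf` output recorded from the golden image
# before cloning. The fingerprint values are made up.
GOLDEN_FPS='2048 SHA256:golden0RSA0fingerprint0AAAAAAAAAAAAAAAAAAAAAA root@raspberrypi (RSA)
256 SHA256:golden0ED25519fingerprint0AAAAAAAAAAAAAAAAAAA root@raspberrypi (ED25519)'

# Constructed sample from a box that booted but was never individualized.
CLONE_FPS="$GOLDEN_FPS"

# Constructed sample from a box whose keys were regenerated by the script.
FRESH_FPS='2048 SHA256:fresh0RSA0fingerprint0BBBBBBBBBBBBBBBBBBBBBBBB root@rpi2-b827eb123456 (RSA)
256 SHA256:fresh0ED25519fingerprint0BBBBBBBBBBBBBBBBBBBBB root@rpi2-b827eb123456 (ED25519)'

# shared_keys GOLDEN CURRENT -> prints each fingerprint (field 2 of ssh-keygen -lf
# output) that appears in both lists
shared_keys() {
    golden=$(printf '%s\n' "$1" | awk '{ print $2 }')
    printf '%s\n' "$2" | awk '{ print $2 }' | while read -r fp; do
        case "$golden" in
            *"$fp"*) echo "$fp" ;;
        esac
    done
}

# is_individualized HOSTNAME GOLDEN CURRENT -> returns 0 only if the hostname is
# no longer the image default and no host key is shared with the golden image
is_individualized() {
    if [ "$1" = "raspberrypi" ]; then
        echo "FAIL: still has the default hostname" >&2
        return 1
    fi
    dup=$(shared_keys "$2" "$3")
    if [ -n "$dup" ]; then
        echo "FAIL: host keys shared with the golden image: $dup" >&2
        return 1
    fi
    echo "OK: $1 has its own host keys" >&2
    return 0
}

# On a live box (GOLDEN_FPS recorded from the master card before cloning):
#   is_individualized "$(hostname)" "$GOLDEN_FPS" \
#       "$(for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done)"
is_individualized "$(clone_hostname b8:27:eb:12:34:56)" "$GOLDEN_FPS" "$FRESH_FPS"
```

Because the check compares against fingerprints rather than key files, the golden list can be kept on the admin workstation and run against each kiosk over ssh without copying private material anywhere.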