IARC 207 Wiki - User contributions [en]

Initial Debian Server Setup

2018-07-19T23:02:33Z

172.20.235.108: /* Install additional packages */

[[IARC Server List]]
==Step by step (roughly) procedure for getting a Debian-ARM server up and running for remote deployment as a serial radio base or a number of other things==
Been meaning to put this together for a while.
===Download media===
A lot of these ARM based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available and also the minimum size image so that less extra cruft is installed (don't need a window manager etc) 
The RaspberryPis work well, too but have less horsepower under the hood: 
https://www.raspberrypi.org/downloads/raspbian/ 
This is more powerful but doesn't come with a vanilla kernel (this means long term updating is harder): 
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale but the power supplies have become flaky over time and I think the cubox-i is current favorite. 
https://www.globalscaletechnologies.com/ 

I guess in addition, also using intel based NUC which is slightly larger, maybe more powerful but the cpu instruction set is x86 rather than ARM. For Debian, that means nothing but it should also mean we can run loggernet for linux further afield. (this is on my later in the winter list).

===First step===
#Download the current image of the OS available online to your computer
## http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian 
## https://www.raspberrypi.org/downloads/raspbian/ 
# Flash it to the appropriate media (microSD or SD card typically). Something like this:
## sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 ''' (cubox-i example)'''
## sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 '''(Raspberry Pi example)'''
# Look up online the default user / password to get into the system once it is up and running, too.
## A simple search for something like "''Raspberry pi default user name and password''" should get you close.
# Once you're up and running, log in as the default user and then let's do some set up in an interactive sudo session:
<pre> sudo -i</pre>

===For raspberry pi, change keyboard layout to US===
Default is UK English layout... before you change the passwords you should get a US layout keyboard. Here is a good resource 
https://wiki.debian.org/Keyboard 
<pre>dpkg-reconfigure keyboard-configuration</pre>
<pre> service keyboard-setup restart</pre>

=== Create user accounts===
(junk name here not what you might see on our systems)
<pre> adduser scientist</pre>

=== give the user extended permissions===
https://wiki.debian.org/sudo
<pre>adduser scientist sudo</pre>

===Tighten up remote ssh access===
Been having some issues with port scanning and automated log in attempts from all over the world. You can initially lock things down by disabling the default account from ssh login (after creating your first other user in the previous step). First up, edit the ssh server configuration. The file is found in ''/etc/ssh/sshd_config'':
<pre> editor /etc/ssh/sshd_config</pre>
Add these lines to that file (or verify that they are there / double check that you aren't duplicating and creating confusion for the daemon):
<pre>
## Disable root login:
PermitRootLogin no
##specify which users can log in over ssh:
AllowUsers scientist
</pre>
With that out of the way, restart the ssh server and you have taken a step towards better securing the system:
<pre>service ssh restart</pre>
===Update Firewall:===
Firewall is complicated. I'm not 100% I have this correct but it's quite a bit more secure than the defaults and such. It's worth its own entry though:
* [[IP Tables Firewall Example]]

===update apt & all packages===
<pre>
apt-get update
apt-get upgrade
</pre>

===Raspberry Pi specific: Resize Partition===
Run this utility as root:
<pre>raspi-config</pre>
One of the options (the first one) is:
<pre>1 Expand Filesystem Ensures that all of the SD card storage is available to the OS </pre>
Select that and the file system will go from the default, like 1.3 GB and expand to consume the whole card. See here for a bit more discussion: 
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

===Install additional packages===
Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more pacakges it is smart to install... kind of depends on what you are doing whether you add all of them or not but there first are a good move.

apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl xdg zip net-tools
* '''nmap''' is useful for checking out the internet presence of your device. Kind of optional but nice to have installed if you need it at a later date.
** https://packages.debian.org/stable/nmap
* '''ntp''' is the time server, used to get internet time. It should be installed by default but I have found it isn't alway. So, best to be explicit and install it here.
** https://packages.debian.org/jessie/ntp
* '''less''' is a simple command line utility for reading text files. A gain, it should be installed by default but I have run into it not being installed.
** https://packages.debian.org/jessie/less
* '''imagemagick''' is a great command line based image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
** https://packages.debian.org/jessie/imagemagick
* '''python''' common programming language we use extensively and should be added to the system.
* '''mailutils''' is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
* '''fail2ban''' is used to lockdown ssh a bit further than the default ip tables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
* '''ser2net''' pretty solid utility for getting serial port access (or usb to serial access) via sockets. This is the primary thing we use to handle getting data logger information available over the internet. For multipoint radios, there is also a '''ser2nets''' which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
* '''git''' we use this for distributing datapro and other utilities
* ''telnet'' useful for testing ser2net's operation.
* ''screen'' useful for testing the usb to serial device
* ''curl'' utility for grabbing web pages / data from servers
* ''wget'' utility for grabbing web pages / data from servers

====Automatically install security updates:====
The last generally mandatory package to add is the Unattended security updates. There are couple packages to install but there are also some configs to modify It's best to just read this page. 
https://wiki.debian.org/UnattendedUpgrades 
But, I can also give you a hint that you'll need to do at least these three things from the command line:
<pre>apt-get install unattended-upgrades apt-listchanges</pre>
<pre>editor /etc/apt/apt.conf.d/50unattended-upgrades</pre>
<pre>editor /etc/apt/apt.conf.d/20auto-upgrades</pre>

===Other packages===
So, those are typically the base to get you up and running. Then, this next set are slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools these are good to install:
apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz python-pandas liblockfile-simple-perl libdbi-perl bc
apt-get install python-gdal python-xlrd python-scipy autossh

===check timezone===
Important to confirm we are using UTC:
<pre>sudo dpkg-reconfigure tzdata </pre>

===Next steps===
So, at this point you have a system that has now been tailored to generic deployment. With that out of the way there are some specific things and tools / scripts that are nice to give you a bit more feedback. For example. it needs to tell you its IP address routinely so there are some things to set up in order to make that happen like:
* set up a private key in the ''scientist'' user account so you can automate the transfer
** follow this: http://troy.jdmz.net/rsync/index.html
** '''ssh-keygen -t rsa -b 2048 '''
** then, add the key to the server you want to push too:
*** '''ssh-copy-id scientist@ngeedata.iarc.uaf.edu'''
* set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.
<pre>
mkdir ~/bin
nano ~/bin/main_cron
</pre>
* add something like this to the file main_cron to transmit the IP address every 10 minutes:
<pre>
*/10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
*/10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
</pre>
* add this to the crontab:
<pre> crontab ~/bin/main_cron</pre>
* confirm that it is in the crontab:
<pre> crontab -l</pre>
Great,
* set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
* this gets Ross' csv utilities with datapro plus a number of other things installed
<pre>
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
</pre>

* also need to configure ser2net:
<pre>sudo nano /etc/ser2net.conf</pre>
* remove the existing lines at the bottom of the configuration and add this:
** specifying the port as ''7808''
** data type is '''''raw''''' ''(default is telnet)''
** serial to usb device is ''/dev/ttyUSB0''
** speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): ''115200 8DATABITS NONE 1STOPBIT''
** a few additional parameters to close the connection and reset the radio after each use: '' HANGUP_WHEN_DONE RTSCTS LOCAL''
<pre>
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
</pre>
* now, reload ser2net daemon with new configuration:
<pre>service ser2net restart</pre>
* next, test your setup:
<pre> telnet localhost 7808</pre>
** then hit enter a bunch and watch for a reply from the data logger. If you see it, awesome. to close the program, hold down the control key and press the close bracket key. This will bring up a new prompt:
<pre><CONTROL><]></pre>
** then:
<pre>close</pre>
* if that works, fantastic. If that doesn't, try connecting directly to the serial port using ''screen'':
<pre>sudo screen /dev/ttyUSB0 9600</pre>
** If that works, awesome! To quit screen then enter:
<pre>
<CONTROL> - <A> (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
</pre>
* if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
** I just noticed here that <pre>service ser2net restart</pre> didn't properly reload the configuration file. However this did:
<pre>service ser2net stop
service ser2net start</pre>

===Yet to come===
So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam
===Intel Nucs===
====BIOS Fixes====
* Power screen
** Secondary Power Settings:
*** After Power failure Power On
*** Wake System from S5
*****Wake daily
* Boot
** Boot Configureation
*** UEFI Boot OS Selection Linux
** Secure Boot
*** Secure Boot Disabled
* Devices and Peripherals
** Onboard Devices
*** Audio Disabled
*** HD-Audio Disabled
*** Microphone Disabled
*** WLAN Disabled
*** Bluetooth Disabled
** Legacy Device Configuration
*** Enhanced Consumer IR Disabled
*** HDMI CEC Control Disabled
===After Debian Install Fixes===
* Enable non-free in /etc/apt/sources.list
* install closed source firmware:
apt-get install firmware-realtek

Initial Debian Server Setup

2018-07-19T22:22:07Z

172.20.235.108: /* Install additional packages */

[[IARC Server List]]
==Step by step (roughly) procedure for getting a Debian-ARM server up and running for remote deployment as a serial radio base or a number of other things==
Been meaning to put this together for a while.
===Download media===
A lot of these ARM based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available and also the minimum size image so that less extra cruft is installed (don't need a window manager etc) 
The RaspberryPis work well, too but have less horsepower under the hood: 
https://www.raspberrypi.org/downloads/raspbian/ 
This is more powerful but doesn't come with a vanilla kernel (this means long term updating is harder): 
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale but the power supplies have become flaky over time and I think the cubox-i is current favorite. 
https://www.globalscaletechnologies.com/ 

I guess in addition, also using intel based NUC which is slightly larger, maybe more powerful but the cpu instruction set is x86 rather than ARM. For Debian, that means nothing but it should also mean we can run loggernet for linux further afield. (this is on my later in the winter list).

===First step===
#Download the current image of the OS available online to your computer
## http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian 
## https://www.raspberrypi.org/downloads/raspbian/ 
# Flash it to the appropriate media (microSD or SD card typically). Something like this:
## sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 ''' (cubox-i example)'''
## sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 '''(Raspberry Pi example)'''
# Look up online the default user / password to get into the system once it is up and running, too.
## A simple search for something like "''Raspberry pi default user name and password''" should get you close.
# Once you're up and running, log in as the default user and then let's do some set up in an interactive sudo session:
<pre> sudo -i</pre>

===For raspberry pi, change keyboard layout to US===
Default is UK English layout... before you change the passwords you should get a US layout keyboard. Here is a good resource 
https://wiki.debian.org/Keyboard 
<pre>dpkg-reconfigure keyboard-configuration</pre>
<pre> service keyboard-setup restart</pre>

=== Create user accounts===
(junk name here not what you might see on our systems)
<pre> adduser scientist</pre>

=== give the user extended permissions===
https://wiki.debian.org/sudo
<pre>adduser scientist sudo</pre>

===Tighten up remote ssh access===
Been having some issues with port scanning and automated log in attempts from all over the world. You can initially lock things down by disabling the default account from ssh login (after creating your first other user in the previous step). First up, edit the ssh server configuration. The file is found in ''/etc/ssh/sshd_config'':
<pre> editor /etc/ssh/sshd_config</pre>
Add these lines to that file (or verify that they are there / double check that you aren't duplicating and creating confusion for the daemon):
<pre>
## Disable root login:
PermitRootLogin no
##specify which users can log in over ssh:
AllowUsers scientist
</pre>
With that out of the way, restart the ssh server and you have taken a step towards better securing the system:
<pre>service ssh restart</pre>
===Update Firewall:===
Firewall is complicated. I'm not 100% I have this correct but it's quite a bit more secure than the defaults and such. It's worth its own entry though:
* [[IP Tables Firewall Example]]

===update apt & all packages===
<pre>
apt-get update
apt-get upgrade
</pre>

===Raspberry Pi specific: Resize Partition===
Run this utility as root:
<pre>raspi-config</pre>
One of the options (the first one) is:
<pre>1 Expand Filesystem Ensures that all of the SD card storage is available to the OS </pre>
Select that and the file system will go from the default, like 1.3 GB and expand to consume the whole card. See here for a bit more discussion: 
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

===Install additional packages===
Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more pacakges it is smart to install... kind of depends on what you are doing whether you add all of them or not but there first are a good move.

<pre> apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl xdg zip</pre>
* '''nmap''' is useful for checking out the internet presence of your device. Kind of optional but nice to have installed if you need it at a later date.
** https://packages.debian.org/stable/nmap
* '''ntp''' is the time server, used to get internet time. It should be installed by default but I have found it isn't alway. So, best to be explicit and install it here.
** https://packages.debian.org/jessie/ntp
* '''less''' is a simple command line utility for reading text files. A gain, it should be installed by default but I have run into it not being installed.
** https://packages.debian.org/jessie/less
* '''imagemagick''' is a great command line based image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
** https://packages.debian.org/jessie/imagemagick
* '''python''' common programming language we use extensively and should be added to the system.
* '''mailutils''' is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
* '''fail2ban''' is used to lockdown ssh a bit further than the default ip tables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
* '''ser2net''' pretty solid utility for getting serial port access (or usb to serial access) via sockets. This is the primary thing we use to handle getting data logger information available over the internet. For multipoint radios, there is also a '''ser2nets''' which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
* '''git''' we use this for distributing datapro and other utilities
* ''telnet'' useful for testing ser2net's operation.
* ''screen'' useful for testing the usb to serial device
* ''curl'' utility for grabbing web pages / data from servers
* ''wget'' utility for grabbing web pages / data from servers

====Automatically install security updates:====
The last generally mandatory package to add is the Unattended security updates. There are couple packages to install but there are also some configs to modify It's best to just read this page. 
https://wiki.debian.org/UnattendedUpgrades 
But, I can also give you a hint that you'll need to do at least these three things from the command line:
<pre>apt-get install unattended-upgrades apt-listchanges</pre>
<pre>editor /etc/apt/apt.conf.d/50unattended-upgrades</pre>
<pre>editor /etc/apt/apt.conf.d/20auto-upgrades</pre>

===Other packages===
So, those are typically the base to get you up and running. Then, this next set are slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools these are good to install:
apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz python-pandas liblockfile-simple-perl libdbi-perl bc
apt-get install python-gdal python-xlrd python-scipy autossh

===check timezone===
Important to confirm we are using UTC:
<pre>sudo dpkg-reconfigure tzdata </pre>

===Next steps===
So, at this point you have a system that has now been tailored to generic deployment. With that out of the way there are some specific things and tools / scripts that are nice to give you a bit more feedback. For example. it needs to tell you its IP address routinely so there are some things to set up in order to make that happen like:
* set up a private key in the ''scientist'' user account so you can automate the transfer
** follow this: http://troy.jdmz.net/rsync/index.html
** '''ssh-keygen -t rsa -b 2048 '''
** then, add the key to the server you want to push too:
*** '''ssh-copy-id scientist@ngeedata.iarc.uaf.edu'''
* set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.
<pre>
mkdir ~/bin
nano ~/bin/main_cron
</pre>
* add something like this to the file main_cron to transmit the IP address every 10 minutes:
<pre>
*/10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
*/10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
</pre>
* add this to the crontab:
<pre> crontab ~/bin/main_cron</pre>
* confirm that it is in the crontab:
<pre> crontab -l</pre>
Great,
* set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
* this gets Ross' csv utilities with datapro plus a number of other things installed
<pre>
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
</pre>

* also need to configure ser2net:
<pre>sudo nano /etc/ser2net.conf</pre>
* remove the existing lines at the bottom of the configuration and add this:
** specifying the port as ''7808''
** data type is '''''raw''''' ''(default is telnet)''
** serial to usb device is ''/dev/ttyUSB0''
** speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): ''115200 8DATABITS NONE 1STOPBIT''
** a few additional parameters to close the connection and reset the radio after each use: '' HANGUP_WHEN_DONE RTSCTS LOCAL''
<pre>
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
</pre>
* now, reload ser2net daemon with new configuration:
<pre>service ser2net restart</pre>
* next, test your setup:
<pre> telnet localhost 7808</pre>
** then hit enter a bunch and watch for a reply from the data logger. If you see it, awesome. to close the program, hold down the control key and press the close bracket key. This will bring up a new prompt:
<pre><CONTROL><]></pre>
** then:
<pre>close</pre>
* if that works, fantastic. If that doesn't, try connecting directly to the serial port using ''screen'':
<pre>sudo screen /dev/ttyUSB0 9600</pre>
** If that works, awesome! To quit screen then enter:
<pre>
<CONTROL> - <A> (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
</pre>
* if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
** I just noticed here that <pre>service ser2net restart</pre> didn't properly reload the configuration file. However this did:
<pre>service ser2net stop
service ser2net start</pre>

===Yet to come===
So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam
===Intel Nucs===
====BIOS Fixes====
* Power screen
** Secondary Power Settings:
*** After Power failure Power On
*** Wake System from S5
*****Wake daily
* Boot
** Boot Configureation
*** UEFI Boot OS Selection Linux
** Secure Boot
*** Secure Boot Disabled
* Devices and Peripherals
** Onboard Devices
*** Audio Disabled
*** HD-Audio Disabled
*** Microphone Disabled
*** WLAN Disabled
*** Bluetooth Disabled
** Legacy Device Configuration
*** Enhanced Consumer IR Disabled
*** HDMI CEC Control Disabled
===After Debian Install Fixes===
* Enable non-free in /etc/apt/sources.list
* install closed source firmware:
apt-get install firmware-realtek

Initial Debian Server Setup

2018-07-19T22:08:30Z

172.20.235.108: /* Other packages */

[[IARC Server List]]
==Step by step (roughly) procedure for getting a Debian-ARM server up and running for remote deployment as a serial radio base or a number of other things==
Been meaning to put this together for a while.
===Download media===
A lot of these ARM based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available and also the minimum size image so that less extra cruft is installed (don't need a window manager etc) 
The RaspberryPis work well, too but have less horsepower under the hood: 
https://www.raspberrypi.org/downloads/raspbian/ 
This is more powerful but doesn't come with a vanilla kernel (this means long term updating is harder): 
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale but the power supplies have become flaky over time and I think the cubox-i is current favorite. 
https://www.globalscaletechnologies.com/ 

I guess in addition, also using intel based NUC which is slightly larger, maybe more powerful but the cpu instruction set is x86 rather than ARM. For Debian, that means nothing but it should also mean we can run loggernet for linux further afield. (this is on my later in the winter list).

===First step===
#Download the current image of the OS available online to your computer
## http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian 
## https://www.raspberrypi.org/downloads/raspbian/ 
# Flash it to the appropriate media (microSD or SD card typically). Something like this:
## sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 ''' (cubox-i example)'''
## sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 '''(Raspberry Pi example)'''
# Look up online the default user / password to get into the system once it is up and running, too.
## A simple search for something like "''Raspberry pi default user name and password''" should get you close.
# Once you're up and running, log in as the default user and then let's do some set up in an interactive sudo session:
<pre> sudo -i</pre>

===For raspberry pi, change keyboard layout to US===
Default is UK English layout... before you change the passwords you should get a US layout keyboard. Here is a good resource 
https://wiki.debian.org/Keyboard 
<pre>dpkg-reconfigure keyboard-configuration</pre>
<pre> service keyboard-setup restart</pre>

=== Create user accounts===
(junk name here not what you might see on our systems)
<pre> adduser scientist</pre>

=== give the user extended permissions===
https://wiki.debian.org/sudo
<pre>adduser scientist sudo</pre>

===Tighten up remote ssh access===
Been having some issues with port scanning and automated log in attempts from all over the world. You can initially lock things down by disabling the default account from ssh login (after creating your first other user in the previous step). First up, edit the ssh server configuration. The file is found in ''/etc/ssh/sshd_config'':
<pre> editor /etc/ssh/sshd_config</pre>
Add these lines to that file (or verify that they are there / double check that you aren't duplicating and creating confusion for the daemon):
<pre>
## Disable root login:
PermitRootLogin no
##specify which users can log in over ssh:
AllowUsers scientist
</pre>
With that out of the way, restart the ssh server and you have taken a step towards better securing the system:
<pre>service ssh restart</pre>
===Update Firewall:===
Firewall is complicated. I'm not 100% I have this correct but it's quite a bit more secure than the defaults and such. It's worth its own entry though:
* [[IP Tables Firewall Example]]

===update apt & all packages===
<pre>
apt-get update
apt-get upgrade
</pre>

===Raspberry Pi specific: Resize Partition===
Run this utility as root:
<pre>raspi-config</pre>
One of the options (the first one) is:
<pre>1 Expand Filesystem Ensures that all of the SD card storage is available to the OS </pre>
Select that and the file system will go from the default, like 1.3 GB and expand to consume the whole card. See here for a bit more discussion: 
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

===Install additional packages===
Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more pacakges it is smart to install... kind of depends on what you are doing whether you add all of them or not but there first are a good move.

<pre> apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl</pre>
* '''nmap''' is useful for checking out the internet presence of your device. Kind of optional but nice to have installed if you need it at a later date.
** https://packages.debian.org/stable/nmap
* '''ntp''' is the time server, used to get internet time. It should be installed by default but I have found it isn't alway. So, best to be explicit and install it here.
** https://packages.debian.org/jessie/ntp
* '''less''' is a simple command line utility for reading text files. A gain, it should be installed by default but I have run into it not being installed.
** https://packages.debian.org/jessie/less
* '''imagemagick''' is a great command line based image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
** https://packages.debian.org/jessie/imagemagick
* '''python''' common programming language we use extensively and should be added to the system.
* '''mailutils''' is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
* '''fail2ban''' is used to lockdown ssh a bit further than the default ip tables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
* '''ser2net''' pretty solid utility for getting serial port access (or usb to serial access) via sockets. This is the primary thing we use to handle getting data logger information available over the internet. For multipoint radios, there is also a '''ser2nets''' which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
* '''git''' we use this for distributing datapro and other utilities
* ''telnet'' useful for testing ser2net's operation.
* ''screen'' useful for testing the usb to serial device
* ''curl'' utility for grabbing web pages / data from servers
* ''wget'' utility for grabbing web pages / data from servers

====Automatically install security updates:====
The last generally mandatory package to add is the Unattended security updates. There are couple packages to install but there are also some configs to modify It's best to just read this page. 
https://wiki.debian.org/UnattendedUpgrades 
But, I can also give you a hint that you'll need to do at least these three things from the command line:
<pre>apt-get install unattended-upgrades apt-listchanges</pre>
<pre>editor /etc/apt/apt.conf.d/50unattended-upgrades</pre>
<pre>editor /etc/apt/apt.conf.d/20auto-upgrades</pre>

===Other packages===
So, those are typically the base to get you up and running. Then, this next set are slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools these are good to install:
apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz python-pandas liblockfile-simple-perl libdbi-perl bc
apt-get install python-gdal python-xlrd python-scipy autossh

===check timezone===
Important to confirm we are using UTC:
<pre>sudo dpkg-reconfigure tzdata </pre>

===Next steps===
So, at this point you have a system that has now been tailored to generic deployment. With that out of the way there are some specific things and tools / scripts that are nice to give you a bit more feedback. For example. it needs to tell you its IP address routinely so there are some things to set up in order to make that happen like:
* set up a private key in the ''scientist'' user account so you can automate the transfer
** follow this: http://troy.jdmz.net/rsync/index.html
** '''ssh-keygen -t rsa -b 2048 '''
** then, add the key to the server you want to push too:
*** '''ssh-copy-id scientist@ngeedata.iarc.uaf.edu'''
* set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.
<pre>
mkdir ~/bin
nano ~/bin/main_cron
</pre>
* add something like this to the file main_cron to transmit the IP address every 10 minutes:
<pre>
*/10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
*/10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
</pre>
* add this to the crontab:
<pre> crontab ~/bin/main_cron</pre>
* confirm that it is in the crontab:
<pre> crontab -l</pre>
Great,
* set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
* this gets Ross' csv utilities with datapro plus a number of other things installed
<pre>
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
</pre>

* also need to configure ser2net:
<pre>sudo nano /etc/ser2net.conf</pre>
* remove the existing lines at the bottom of the configuration and add this:
** specifying the port as ''7808''
** data type is '''''raw''''' ''(default is telnet)''
** serial to usb device is ''/dev/ttyUSB0''
** speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): ''115200 8DATABITS NONE 1STOPBIT''
** a few additional parameters to close the connection and reset the radio after each use: '' HANGUP_WHEN_DONE RTSCTS LOCAL''
<pre>
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
</pre>
* now, reload ser2net daemon with new configuration:
<pre>service ser2net restart</pre>
* next, test your setup:
<pre> telnet localhost 7808</pre>
** then hit enter a bunch and watch for a reply from the data logger. If you see it, awesome. to close the program, hold down the control key and press the close bracket key. This will bring up a new prompt:
<pre><CONTROL><]></pre>
** then:
<pre>close</pre>
* if that works, fantastic. If that doesn't, try connecting directly to the serial port using ''screen'':
<pre>sudo screen /dev/ttyUSB0 9600</pre>
** If that works, awesome! To quit screen then enter:
<pre>
<CONTROL> - <A> (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
</pre>
* if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
** I just noticed here that <pre>service ser2net restart</pre> didn't properly reload the configuration file. However this did:
<pre>service ser2net stop
service ser2net start</pre>

===Yet to come===
So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam
===Intel Nucs===
====BIOS Fixes====
* Power screen
** Secondary Power Settings:
*** After Power failure Power On
*** Wake System from S5
*****Wake daily
* Boot
** Boot Configureation
*** UEFI Boot OS Selection Linux
** Secure Boot
*** Secure Boot Disabled
* Devices and Peripherals
** Onboard Devices
*** Audio Disabled
*** HD-Audio Disabled
*** Microphone Disabled
*** WLAN Disabled
*** Bluetooth Disabled
** Legacy Device Configuration
*** Enhanced Consumer IR Disabled
*** HDMI CEC Control Disabled
===After Debian Install Fixes===
* Enable non-free in /etc/apt/sources.list
* install closed source firmware:
apt-get install firmware-realtek

Initial Debian Server Setup

2018-07-19T22:06:53Z

172.20.235.108: /* Intel Nucs */

[[IARC Server List]]
==Step by step (roughly) procedure for getting a Debian-ARM server up and running for remote deployment as a serial radio base or a number of other things==
Been meaning to put this together for a while.
===Download media===
A lot of these ARM based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available and also the minimum size image so that less extra cruft is installed (don't need a window manager etc) 
The RaspberryPis work well, too but have less horsepower under the hood: 
https://www.raspberrypi.org/downloads/raspbian/ 
This is more powerful but doesn't come with a vanilla kernel (this means long term updating is harder): 
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale but the power supplies have become flaky over time and I think the cubox-i is current favorite. 
https://www.globalscaletechnologies.com/ 

I guess in addition, also using intel based NUC which is slightly larger, maybe more powerful but the cpu instruction set is x86 rather than ARM. For Debian, that means nothing but it should also mean we can run loggernet for linux further afield. (this is on my later in the winter list).

===First step===
#Download the current image of the OS available online to your computer
## http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian 
## https://www.raspberrypi.org/downloads/raspbian/ 
# Flash it to the appropriate media (microSD or SD card typically). Something like this:
## sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 ''' (cubox-i example)'''
## sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 '''(Raspberry Pi example)'''
# Look up online the default user / password to get into the system once it is up and running, too.
## A simple search for something like "''Raspberry pi default user name and password''" should get you close.
# Once you're up and running, log in as the default user and then let's do some set up in an interactive sudo session:
<pre> sudo -i</pre>

===For raspberry pi, change keyboard layout to US===
Default is UK English layout... before you change the passwords you should get a US layout keyboard. Here is a good resource 
https://wiki.debian.org/Keyboard 
<pre>dpkg-reconfigure keyboard-configuration</pre>
<pre> service keyboard-setup restart</pre>

=== Create user accounts===
(junk name here not what you might see on our systems)
<pre> adduser scientist</pre>

=== give the user extended permissions===
https://wiki.debian.org/sudo
<pre>adduser scientist sudo</pre>

===Tighten up remote ssh access===
Been having some issues with port scanning and automated log in attempts from all over the world. You can initially lock things down by disabling the default account from ssh login (after creating your first other user in the previous step). First up, edit the ssh server configuration. The file is found in ''/etc/ssh/sshd_config'':
<pre> editor /etc/ssh/sshd_config</pre>
Add these lines to that file (or verify that they are there / double check that you aren't duplicating and creating confusion for the daemon):
<pre>
## Disable root login:
PermitRootLogin no
##specify which users can log in over ssh:
AllowUsers scientist
</pre>
With that out of the way, restart the ssh server and you have taken a step towards better securing the system:
<pre>service ssh restart</pre>
===Update Firewall:===
Firewall is complicated. I'm not 100% I have this correct but it's quite a bit more secure than the defaults and such. It's worth its own entry though:
* [[IP Tables Firewall Example]]

===update apt & all packages===
<pre>
apt-get update
apt-get upgrade
</pre>

===Raspberry Pi specific: Resize Partition===
Run this utility as root:
<pre>raspi-config</pre>
One of the options (the first one) is:
<pre>1 Expand Filesystem Ensures that all of the SD card storage is available to the OS </pre>
Select that and the file system will go from the default, like 1.3 GB and expand to consume the whole card. See here for a bit more discussion: 
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

===Install additional packages===
Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more pacakges it is smart to install... kind of depends on what you are doing whether you add all of them or not but there first are a good move.

<pre> apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl</pre>
* '''nmap''' is useful for checking out the internet presence of your device. Kind of optional but nice to have installed if you need it at a later date.
** https://packages.debian.org/stable/nmap
* '''ntp''' is the time server, used to get internet time. It should be installed by default but I have found it isn't alway. So, best to be explicit and install it here.
** https://packages.debian.org/jessie/ntp
* '''less''' is a simple command line utility for reading text files. A gain, it should be installed by default but I have run into it not being installed.
** https://packages.debian.org/jessie/less
* '''imagemagick''' is a great command line based image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
** https://packages.debian.org/jessie/imagemagick
* '''python''' common programming language we use extensively and should be added to the system.
* '''mailutils''' is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
* '''fail2ban''' is used to lockdown ssh a bit further than the default ip tables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
* '''ser2net''' pretty solid utility for getting serial port access (or usb to serial access) via sockets. This is the primary thing we use to handle getting data logger information available over the internet. For multipoint radios, there is also a '''ser2nets''' which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
* '''git''' we use this for distributing datapro and other utilities
* ''telnet'' useful for testing ser2net's operation.
* ''screen'' useful for testing the usb to serial device
* ''curl'' utility for grabbing web pages / data from servers
* ''wget'' utility for grabbing web pages / data from servers

====Automatically install security updates:====
The last generally mandatory package to add is the Unattended security updates. There are couple packages to install but there are also some configs to modify It's best to just read this page. 
https://wiki.debian.org/UnattendedUpgrades 
But, I can also give you a hint that you'll need to do at least these three things from the command line:
<pre>apt-get install unattended-upgrades apt-listchanges</pre>
<pre>editor /etc/apt/apt.conf.d/50unattended-upgrades</pre>
<pre>editor /etc/apt/apt.conf.d/20auto-upgrades</pre>

===Other packages===
So, those are typically the base to get you up and running. Then, this next set are slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools these are good to install:
apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz python-pandas liblockfile-simple-perl libdbi-perl bc
apt-get install python-gdal python-xlrd python-scipy

===check timezone===
Important to confirm we are using UTC:
<pre>sudo dpkg-reconfigure tzdata </pre>

===Next steps===
So, at this point you have a system that has now been tailored to generic deployment. With that out of the way there are some specific things and tools / scripts that are nice to give you a bit more feedback. For example. it needs to tell you its IP address routinely so there are some things to set up in order to make that happen like:
* set up a private key in the ''scientist'' user account so you can automate the transfer
** follow this: http://troy.jdmz.net/rsync/index.html
** '''ssh-keygen -t rsa -b 2048 '''
** then, add the key to the server you want to push too:
*** '''ssh-copy-id scientist@ngeedata.iarc.uaf.edu'''
* set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.
<pre>
mkdir ~/bin
nano ~/bin/main_cron
</pre>
* add something like this to the file main_cron to transmit the IP address every 10 minutes:
<pre>
*/10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
*/10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
</pre>
* add this to the crontab:
<pre> crontab ~/bin/main_cron</pre>
* confirm that it is in the crontab:
<pre> crontab -l</pre>
Great,
* set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
* this gets Ross' csv utilities with datapro plus a number of other things installed
<pre>
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
</pre>

* also need to configure ser2net:
<pre>sudo nano /etc/ser2net.conf</pre>
* remove the existing lines at the bottom of the configuration and add this:
** specifying the port as ''7808''
** data type is '''''raw''''' ''(default is telnet)''
** serial to usb device is ''/dev/ttyUSB0''
** speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): ''115200 8DATABITS NONE 1STOPBIT''
** a few additional parameters to close the connection and reset the radio after each use: '' HANGUP_WHEN_DONE RTSCTS LOCAL''
<pre>
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
</pre>
* now, reload ser2net daemon with new configuration:
<pre>service ser2net restart</pre>
* next, test your setup:
<pre> telnet localhost 7808</pre>
** then hit enter a bunch and watch for a reply from the data logger. If you see it, awesome. to close the program, hold down the control key and press the close bracket key. This will bring up a new prompt:
<pre><CONTROL><]></pre>
** then:
<pre>close</pre>
* if that works, fantastic. If that doesn't, try connecting directly to the serial port using ''screen'':
<pre>sudo screen /dev/ttyUSB0 9600</pre>
** If that works, awesome! To quit screen then enter:
<pre>
<CONTROL> - <A> (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
</pre>
* if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
** I just noticed here that <pre>service ser2net restart</pre> didn't properly reload the configuration file. However this did:
<pre>service ser2net stop
service ser2net start</pre>

===Yet to come===
So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam
===Intel Nucs===
====BIOS Fixes====
* Power screen
** Secondary Power Settings:
*** After Power failure Power On
*** Wake System from S5
*****Wake daily
* Boot
** Boot Configureation
*** UEFI Boot OS Selection Linux
** Secure Boot
*** Secure Boot Disabled
* Devices and Peripherals
** Onboard Devices
*** Audio Disabled
*** HD-Audio Disabled
*** Microphone Disabled
*** WLAN Disabled
*** Bluetooth Disabled
** Legacy Device Configuration
*** Enhanced Consumer IR Disabled
*** HDMI CEC Control Disabled
===After Debian Install Fixes===
* Enable non-free in /etc/apt/sources.list
* install closed source firmware:
apt-get install firmware-realtek

Initial Debian Server Setup

2018-07-19T21:32:46Z

172.20.235.108:

[[IARC Server List]]
==Step by step (roughly) procedure for getting a Debian-ARM server up and running for remote deployment as a serial radio base or a number of other things==
Been meaning to put this together for a while.
===Download media===
A lot of these ARM based systems have a microSD or SD card image that can be flashed from an online source. I like to use the most recent stable version of Debian if it's available and also the minimum size image so that less extra cruft is installed (don't need a window manager etc) 
The RaspberryPis work well, too but have less horsepower under the hood: 
https://www.raspberrypi.org/downloads/raspbian/ 
This is more powerful but doesn't come with a vanilla kernel (this means long term updating is harder): 
http://wiki.solid-run.com/doku.php?id=products:imx6:overview:flashsdcard

We also have a few units (the DreamPlug and the GuruPlug) from GlobalScale but the power supplies have become flaky over time and I think the cubox-i is current favorite. 
https://www.globalscaletechnologies.com/ 

I guess in addition, also using intel based NUC which is slightly larger, maybe more powerful but the cpu instruction set is x86 rather than ARM. For Debian, that means nothing but it should also mean we can run loggernet for linux further afield. (this is on my later in the winter list).

===First step===
#Download the current image of the OS available online to your computer
## http://wiki.solid-run.com/doku.php?id=products:imx6:software:os:debian 
## https://www.raspberrypi.org/downloads/raspbian/ 
# Flash it to the appropriate media (microSD or SD card typically). Something like this:
## sudo dd if=~/Downloads/ignition.img of=/dev/rdisk2 bs=4096 ''' (cubox-i example)'''
## sudo dd if=2015-11-21-raspbian-jessie-lite.img of=/dev/rdisk2 bs=4096 '''(Raspberry Pi example)'''
# Look up online the default user / password to get into the system once it is up and running, too.
## A simple search for something like "''Raspberry pi default user name and password''" should get you close.
# Once you're up and running, log in as the default user and then let's do some set up in an interactive sudo session:
<pre> sudo -i</pre>

===For raspberry pi, change keyboard layout to US===
Default is UK English layout... before you change the passwords you should get a US layout keyboard. Here is a good resource 
https://wiki.debian.org/Keyboard 
<pre>dpkg-reconfigure keyboard-configuration</pre>
<pre> service keyboard-setup restart</pre>

=== Create user accounts===
(junk name here not what you might see on our systems)
<pre> adduser scientist</pre>

=== give the user extended permissions===
https://wiki.debian.org/sudo
<pre>adduser scientist sudo</pre>

===Tighten up remote ssh access===
Been having some issues with port scanning and automated log in attempts from all over the world. You can initially lock things down by disabling the default account from ssh login (after creating your first other user in the previous step). First up, edit the ssh server configuration. The file is found in ''/etc/ssh/sshd_config'':
<pre> editor /etc/ssh/sshd_config</pre>
Add these lines to that file (or verify that they are there / double check that you aren't duplicating and creating confusion for the daemon):
<pre>
## Disable root login:
PermitRootLogin no
##specify which users can log in over ssh:
AllowUsers scientist
</pre>
With that out of the way, restart the ssh server and you have taken a step towards better securing the system:
<pre>service ssh restart</pre>
===Update Firewall:===
Firewall is complicated. I'm not 100% I have this correct but it's quite a bit more secure than the defaults and such. It's worth its own entry though:
* [[IP Tables Firewall Example]]

===update apt & all packages===
<pre>
apt-get update
apt-get upgrade
</pre>

===Raspberry Pi specific: Resize Partition===
Run this utility as root:
<pre>raspi-config</pre>
One of the options (the first one) is:
<pre>1 Expand Filesystem Ensures that all of the SD card storage is available to the OS </pre>
Select that and the file system will go from the default, like 1.3 GB and expand to consume the whole card. See here for a bit more discussion: 
http://raspberrypi.stackexchange.com/questions/499/how-can-i-resize-my-root-partition

===Install additional packages===
Great, if you've made it this far then you should have a decently secure system, nearly ready for deployment. There are a few more pacakges it is smart to install... kind of depends on what you are doing whether you add all of them or not but there first are a good move.

<pre> apt-get install nmap ntp less imagemagick python mailutils fail2ban ser2net git telnet screen wget curl</pre>
* '''nmap''' is useful for checking out the internet presence of your device. Kind of optional but nice to have installed if you need it at a later date.
** https://packages.debian.org/stable/nmap
* '''ntp''' is the time server, used to get internet time. It should be installed by default but I have found it isn't alway. So, best to be explicit and install it here.
** https://packages.debian.org/jessie/ntp
* '''less''' is a simple command line utility for reading text files. A gain, it should be installed by default but I have run into it not being installed.
** https://packages.debian.org/jessie/less
* '''imagemagick''' is a great command line based image manipulation library. Used by a few different utilities. I think we use it to resize / slice automatically generated plots, and to do some other stuff in Barrow.
** https://packages.debian.org/jessie/imagemagick
* '''python''' common programming language we use extensively and should be added to the system.
* '''mailutils''' is a simple email package. Used by crontab & the security updates system (as well as others I'm forgetting) to give you status information.
* '''fail2ban''' is used to lockdown ssh a bit further than the default ip tables rules. It blocks IP addresses that try to log in too often with a bad user/password. Intended to reduce workload of these simple computers handling garbage so they can focus on serving as a serial base station etc.
* '''ser2net''' pretty solid utility for getting serial port access (or usb to serial access) via sockets. This is the primary thing we use to handle getting data logger information available over the internet. For multipoint radios, there is also a '''ser2nets''' which can allow more than one LoggerNet instance to access the radio network simultaneously. I haven't used ser2nets but have thought about experimenting with it.
* '''git''' we use this for distributing datapro and other utilities
* ''telnet'' useful for testing ser2net's operation.
* ''screen'' useful for testing the usb to serial device
* ''curl'' utility for grabbing web pages / data from servers
* ''wget'' utility for grabbing web pages / data from servers

====Automatically install security updates:====
The last generally mandatory package to add is the Unattended security updates. There are couple packages to install but there are also some configs to modify It's best to just read this page. 
https://wiki.debian.org/UnattendedUpgrades 
But, I can also give you a hint that you'll need to do at least these three things from the command line:
<pre>apt-get install unattended-upgrades apt-listchanges</pre>
<pre>editor /etc/apt/apt.conf.d/50unattended-upgrades</pre>
<pre>editor /etc/apt/apt.conf.d/20auto-upgrades</pre>

===Other packages===
So, those are typically the base to get you up and running. Then, this next set are slightly more specialized. If you are going to do any data processing or use the WERC data retrieval tools these are good to install:
apt-get install build-essential libdbi-perl libconfig-yaml-perl python-numpy python-tz python-pandas liblockfile-simple-perl libdbi-perl bc
apt-get install python-gdal python-xlrd python-scipy

===check timezone===
Important to confirm we are using UTC:
<pre>sudo dpkg-reconfigure tzdata </pre>

===Next steps===
So, at this point you have a system that has now been tailored to generic deployment. With that out of the way there are some specific things and tools / scripts that are nice to give you a bit more feedback. For example. it needs to tell you its IP address routinely so there are some things to set up in order to make that happen like:
* set up a private key in the ''scientist'' user account so you can automate the transfer
** follow this: http://troy.jdmz.net/rsync/index.html
** '''ssh-keygen -t rsa -b 2048 '''
** then, add the key to the server you want to push too:
*** '''ssh-copy-id scientist@ngeedata.iarc.uaf.edu'''
* set up the crontab so that the automated stuff is configured to happen... do all of this from your user account rather than your root account.
<pre>
mkdir ~/bin
nano ~/bin/main_cron
</pre>
* add something like this to the file main_cron to transmit the IP address every 10 minutes:
<pre>
*/10 * * * * /sbin/ifconfig > /home/scientist/grayling_ip.txt
*/10 * * * * scp -oport=2222 /home/scientist/grayling_ip.txt user@ngeedata.iarc.uaf.edu:/home/user/remote_ips/
</pre>
* add this to the crontab:
<pre> crontab ~/bin/main_cron</pre>
* confirm that it is in the crontab:
<pre> crontab -l</pre>
Great,
* set up a few more bash scripts... running out of steam here I'm just going to list commands for a bit and then annotate later.
* this gets Ross' csv utilities with datapro plus a number of other things installed
<pre>
cd ~/bin/
git clone https://github.com/rwspicer/csv_utilities.git
python ~/bin/csv_utilities/get_ip.py --infile=/home/scientist/extra/grayling_ip.txt --outfile=/home/scientist/grayling_ip
</pre>

* also need to configure ser2net:
<pre>sudo nano /etc/ser2net.conf</pre>
* remove the existing lines at the bottom of the configuration and add this:
** specifying the port as ''7808''
** data type is '''''raw''''' ''(default is telnet)''
** serial to usb device is ''/dev/ttyUSB0''
** speed and data information (this is standard of most of our serial things though the baud rate may change depending on application): ''115200 8DATABITS NONE 1STOPBIT''
** a few additional parameters to close the connection and reset the radio after each use: '' HANGUP_WHEN_DONE RTSCTS LOCAL''
<pre>
# IARC radio
7808:raw:25:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT HANGUP_WHEN_DONE RTSCTS LOCAL
</pre>
* now, reload ser2net daemon with new configuration:
<pre>service ser2net restart</pre>
* next, test your setup:
<pre> telnet localhost 7808</pre>
** then hit enter a bunch and watch for a reply from the data logger. If you see it, awesome. to close the program, hold down the control key and press the close bracket key. This will bring up a new prompt:
<pre><CONTROL><]></pre>
** then:
<pre>close</pre>
* if that works, fantastic. If that doesn't, try connecting directly to the serial port using ''screen'':
<pre>sudo screen /dev/ttyUSB0 9600</pre>
** If that works, awesome! To quit screen then enter:
<pre>
<CONTROL> - <A> (press and hold control, then press A)
<COLON>
<TYPE> quit </TYPE>
</pre>
* if that works, then you have a good serial connection and may just need to tweak the ser2net configuration.
** I just noticed here that <pre>service ser2net restart</pre> didn't properly reload the configuration file. However this did:
<pre>service ser2net stop
service ser2net start</pre>

===Yet to come===
So, at this point you have a solid serial server. There is often more functionality you can add though depending on how things go. For instance, the speed test bash script may need to be installed, there might be webcam
===Intel Nucs===
====BIOS Fixes====
* Power screen
** Secondary Power Settings:
*** After Power failure Power On
*** Wake System from S5
*****Wake daily
* Boot
** Boot Configureation
*** UEFI Boot OS Selection Linux
** Secure Boot
*** Secure Boot Disabled
* Devices and Peripherals
** Onboard Devices
*** Audio Disabled
*** HD-Audio Disabled
*** Microphone Disabled
*** WLAN Disabled
*** Bluetooth Disabled
** Legacy Device Configuration
*** Enhanced Consumer IR Disabled
*** HDMI CEC Control Disabled