This is a solution to the biblebox-pi challenge as a part of Indigitous #hack taking place on Nov 4-6 2016. If you're a part of the hack, and would like to collaborate, I'm @edwin on Kingdom Builders slack, or via email at: [email protected].
There's a TODO section at the bottom of this document of tasks that I still need to work through if you're looking for an area to contribute.
How to deploy what's in this repo.
This project uses Ansible v2.1+. Install it however you wish. I use a python virtualenv:
```
$ mkdir ~/.virtualenvs
$ mkvirtualenv ~/.virtualenvs/ansible
$ . ~/.virtualenvs/ansible/bin/activate
$ pip install ansible==2.1.2.0
```
Follow the Raspberry Pi install instructions. Boot the Raspberry Pi with the image. This assumes that your Pi is attached to the network via its ethernet port, so that the wifi interface can be configured as an AP. Make a note of the IP address associated with the ethernet interface when it boots.
- cd into the `ansible` directory in this project.
- Edit `inventory` and replace whatever IP address is listed with the IP address of the Pi ethernet interface.
- Confirm connectivity by running `ansible --ask-pass -i inventory all -m ping`. You will be prompted for the password for the pi user, which is still the default of `raspberry`. If you do not see a pong response, then you'll have to revisit your connectivity before continuing.
- Optional: If you're developing and want to avoid entering the password for each ansible run, use/reuse an ssh key pair. I'm reusing one: `ssh pi@192.168.20.183 "mkdir /home/pi/.ssh; chmod 700 /home/pi/.ssh"` and `scp ~/.ssh/id_rsa.pub pi@192.168.20.183:/home/pi/.ssh/authorized_keys` (`192.168.20.183` is the IP of my Pi)
- Commands assume ssh keys are set up from here. If you haven't set them up, just add `--ask-pass` to the `ansible` or `ansible-playbook` command line and you'll be right.
- Run the playbook: `ansible-playbook -i inventory site.yml`. No tasks should fail.
- Search for, and connect to the WiFi point named "BibleBox - Free Media"
- Open your browser, go somewhere (anywhere)
The foundation of documentation and other stuff.
Useful references:
- https://www.pi-point.co.uk/closedcloud-walkthrough/
- https://wiki.alpinelinux.org/wiki/Raspberry_Pi_3_-_Configuring_it_as_wireless_access_point_-AP_Mode
- https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software (uses isc-dhcp-server instead of dnsmasq)
- Alter the ipv4 config on the WLAN side by overriding the ipv4 variables in `ansible/roles/network-interfaces/defaults`
- Firewall rules only allow traffic from the LAN side. SSH access is denied from the WLAN
- Firewall rules only allow http, dhcp and dns from the WLAN
- Override SSID on ansible command line with `-e ssid="some ssid"` (or use other ansible methods like `host_vars`)
- The DHCP lease period is 1h. This may be too long given the device is only serving a /24.
- Currently `dnsmasq` logs MAC addresses of the requesting device in `/var/log/daemon.log` when it receives a DHCP request. This can be incriminating, and should be scrubbed or better still, not logged at all. Also need to deal with the DHCP lease file `/var/lib/misc/dnsmasq.leases` and `/var/log/syslog`
- `dnsmasq` tells the biblebox to use it as the DNS resolver, so even when you have a connection via the ethernet port, it cannot resolve names. To alter this, change `/etc/resolv.conf` and replace `127.0.0.1` with a real nameserver in the `nameserver` line.
- Content on the first usb drive is exposed to the webserver in the content directory. The drive is auto-mounted.
- Automatically redirect to content having connected to the WiFi
All moved to https://trello.com/b/mX028IJz/hack-on-bibleboxpi
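
For the MAC-address logging noted above, one way to scrub `dnsmasq` DHCP entries from a copy of `/var/log/daemon.log` or `/var/log/syslog` is sketched below. This is an added example, not code from this repo: the function names, the sample log lines and their addresses are constructed, and it assumes the usual `dnsmasq-dhcp[pid]: DHCPxxx(iface) ...` line layout. It also masks the client-supplied hostname on DHCPACK lines, which identifies a device as readily as its MAC; the lease file is not handled here.

```python
import re
import sys

# Six or more colon-separated hex octets: a MAC, or a DHCP client-id embedding one.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5,}[0-9A-Fa-f]{2}\b")
# DHCPACK(<iface>) <ip> <mac> <hostname>: the trailing hostname is client-supplied.
ACK_HOST_RE = re.compile(r"(DHCPACK\(\S+\) \S+ \S+) \S+")
MAC_MASK = "xx:xx:xx:xx:xx:xx"
HOST_MASK = "[host]"

# Constructed sample input (not taken from a real device).
SAMPLE = """\
Nov  5 10:12:01 biblebox dnsmasq-dhcp[612]: DHCPDISCOVER(wlan0) a4:5e:60:12:34:56
Nov  5 10:12:01 biblebox dnsmasq-dhcp[612]: DHCPOFFER(wlan0) 10.0.0.52 a4:5e:60:12:34:56
Nov  5 10:12:01 biblebox dnsmasq-dhcp[612]: DHCPREQUEST(wlan0) 10.0.0.52 a4:5e:60:12:34:56
Nov  5 10:12:01 biblebox dnsmasq-dhcp[612]: DHCPACK(wlan0) 10.0.0.52 a4:5e:60:12:34:56 Johns-iPhone
Nov  5 10:12:07 biblebox dnsmasq[612]: query[A] example.org from 10.0.0.52
Nov  5 10:13:00 biblebox sshd[801]: Accepted publickey for pi from 192.168.20.10
"""


def scrub_line(line):
    """Mask device identifiers in one syslog line; non-DHCP lines pass through."""
    if "dnsmasq-dhcp[" not in line:
        return line
    line = MAC_RE.sub(MAC_MASK, line)
    return ACK_HOST_RE.sub(r"\1 " + HOST_MASK, line)


def scrub_text(text):
    """Return (scrubbed_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        clean = scrub_line(line)
        changed += clean != line
        out.append(clean)
    return "".join(out), changed


if __name__ == "__main__":
    # Filter mode: python3 scrub.py < daemon.log.copy > daemon.log.clean
    cleaned, _ = scrub_text(sys.stdin.read())
    sys.stdout.write(cleaned)
```
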