# how the gold image was created
- use base-image that was created with pi-gen_auracaster
sudo apt update && sudo apt upgrade -y

git clone https://gitea.pstruebi.xyz/auracaster/bumble-auracast

sudo apt install -y pipewire wireplumber pipewire-audio-client-libraries rtkit cpufrequtils

mkdir -p ~/.config/pipewire/pipewire.conf.d
cp ~/bumble-auracast/src/service/pipewire/99-lowlatency.conf ~/.config/pipewire/pipewire.conf.d/

sudo cpufreq-set -g performance
poetry config virtualenvs.in-project true

sudo cp ~/bumble-auracast/src/service/aes67/90-pipewire-aes67-ptp.rules /etc/udev/rules.d/
sudo udevadm control --log-priority=debug --reload-rules
sudo udevadm trigger

sudo bash ~/bumble-auracast/src/auracast/server/provision_domain_hostname.sh castbox-summitwave local

- password was changed to something secure - stored in bitwarden

sudo tee /etc/ssh/sshd_config.d/10-disable-passwords.conf >/dev/null <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

sudo systemctl reload ssh
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@raspi.local

sudo apt-get install \
   python3-dev python3.11-dev \
   libsamplerate0-dev \
   build-essential cmake pkg-config

sudo apt install i2c-tools

sudo tee /etc/security/limits.d/99-realtime.conf >/dev/null <<'EOF'
caster   -   rtprio   99
caster   -   memlock  unlimited
EOF

# per-device Provisioning
For production, the devices need to be provisoned uniquely
- provision with rpi-sb-provisioner - tested with 2.0.5, 2.0.4 did not work
    - access the webinterface with ssh -L 3142:127.0.0.1:3142 pi@192.168.178.52
    - http://localhost:3142
- after initial provisioning using ssh:
    - install vpn with a unique configuration under /etc/wireguard/wg0.conf
    - wg-quick up wg0
    - enable wg0 service
    - set the hostname
    - if custom device without ui:
        - set channel name etc. in bumble-auracast/src/auracast/.env
    - execute the update service scripts
    - start the application (script if custom device, server and frontend if ui version)
    - set mac add of secondary eth port in /etc/systemd/network/10-eth1-mac.link
    - activate overlayfs (?) -probably not because we need persistent storage for stream states

## Secure-boot CM4: unlock secure USB mass-storage
git clone https://github.com/raspberrypi/usbboot
bash gen-secure-msd-sig.sh
bash rpi-boot-secure.sh