castbox-provisioning/README.md
pstruebi fc0b75af8f feat: add secure boot USB mass storage scripts for CM4
- Added gen-secure-msd-sig.sh to sign boot.img with private key using rpi-eeprom-digest
- Added rpi-boot-secure.sh to load signed secure-boot mass storage gadget via rpiboot
- Updated .gitignore to exclude usbboot/ directory
- Updated README with secure boot CM4 unlock instructions
2025-11-25 10:32:46 +01:00


# how the gold image was created
- use base-image that was created with pi-gen_auracaster

```bash
sudo apt update && sudo apt upgrade -y
git clone https://gitea.pstruebi.xyz/auracaster/bumble-auracast
sudo apt install -y pipewire wireplumber pipewire-audio-client-libraries rtkit cpufrequtils
mkdir -p ~/.config/pipewire/pipewire.conf.d
cp ~/bumble-auracast/src/service/pipewire/99-lowlatency.conf ~/.config/pipewire/pipewire.conf.d/
sudo cpufreq-set -g performance
poetry config virtualenvs.in-project true
sudo cp ~/bumble-auracast/src/service/aes67/90-pipewire-aes67-ptp.rules /etc/udev/rules.d/
sudo udevadm control --log-priority=debug --reload-rules
sudo udevadm trigger
```

- low-latency USB audio: create `/etc/modprobe.d/usb-audio-lowlatency.conf` with the following content (modprobe.d uses the keyword `options`, not `option`):

```
options snd_usb_audio nrpacks=1
```

- set the domain hostname:

```bash
sudo bash ~/bumble-auracast/src/auracast/server/provision_domain_hostname.sh castbox-summitwave local
```

- password was changed to something secure - stored in bitwarden
- SSH: key-based login only; password, keyboard-interactive and root logins disabled:

```bash
sudo tee /etc/ssh/sshd_config.d/10-disable-passwords.conf >/dev/null <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
sudo systemctl reload ssh
```

- verify from another machine that a password login is refused (this must fail with "Permission denied"):

```bash
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@raspi.local
```
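The manual `ssh` attempt above only proves one login path is closed. As an added check (example code, not part of the original README), the script below compares the effective configuration reported by `sshd -T` against the settings the drop-in is supposed to enforce, so a stray `PasswordAuthentication yes` elsewhere in `/etc/ssh/sshd_config` or a later drop-in is caught on the gold image before it is cloned. The two sample `sshd -T` outputs are constructed here for an offline run; on the device the input is the real `sudo sshd -T` output.

```shell
#!/bin/sh
# Added example, not part of the original README: confirm that the sshd
# settings written to /etc/ssh/sshd_config.d/10-disable-passwords.conf are
# the ones sshd actually applies. `sshd -T` prints the effective configuration
# after all Include files are merged (for each keyword the first value wins),
# so a later drop-in or a line in /etc/ssh/sshd_config that re-enables
# passwords shows up here even though the drop-in file itself looks correct.

# Keyword/value pairs as `sshd -T` prints them (lowercase keywords).
# ChallengeResponseAuthentication is an alias that newer sshd reports as
# kbdinteractiveauthentication, so only the latter is checked.
EXPECTED="pubkeyauthentication=yes passwordauthentication=no kbdinteractiveauthentication=no permitrootlogin=no"

# check_sshd_config FILE -> prints every mismatch; returns 0 only if all match.
# FILE holds the output of `sshd -T`.
check_sshd_config() {
    file=$1
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(awk -v k="$key" 'tolower($1) == k { print $2; exit }' "$file")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: effective config of a correctly hardened gold image.
GOOD_SAMPLE=$(mktemp)
cat > "$GOOD_SAMPLE" <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
EOF

# Constructed sample: a later drop-in re-enabled password logins.
BAD_SAMPLE=$(mktemp)
cat > "$BAD_SAMPLE" <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin no
EOF

# On the device: sudo sshd -T > /tmp/sshd-effective.txt && check_sshd_config /tmp/sshd-effective.txt
check_sshd_config "$GOOD_SAMPLE" && echo "hardened sample: OK"
check_sshd_config "$BAD_SAMPLE" || echo "bad sample: rejected as expected"
```

Run it once after `systemctl reload ssh` and again on a freshly provisioned device; a non-zero exit means the drop-in is not the effective configuration.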
# per-device Provisioning
For production, the devices need to be provisioned uniquely.
- provision with rpi-sb-provisioner - tested with 2.0.5, 2.0.4 did not work
- access the web interface with `ssh -L 3142:127.0.0.1:3142 pi@192.168.178.52`
  - http://localhost:3142
- after initial provisioning, using ssh:
  - install the VPN with a unique configuration under /etc/wireguard/wg0.conf
  - `wg-quick up wg0`
  - enable the wg0 service
  - set the hostname
  - if custom device without UI:
    - set channel name etc. in bumble-auracast/src/auracast/.env
  - execute the update service scripts
  - start the application (script if custom device, server and frontend if UI version)
  - set the MAC address of the secondary eth port in /etc/systemd/network/10-eth1-mac.link
- activate overlayfs (?) - probably not, because we need persistent storage for stream states
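The VPN config and the eth1 MAC file are the two per-device artifacts in the list above that must differ on every unit and must not be copied from the gold image. The script below is an added example, not part of the original README or of the bumble-auracast project: it renders both files from per-device parameters, refuses a malformed or multicast MAC, and creates `wg0.conf` with mode 0600 because it holds the device's private key. The interface name `eth1`, the `[Peer]` values (`AllowedIPs`, keepalive) and all key, address and MAC values are constructed placeholders; real keys come from `wg genkey` / `wg pubkey` on the provisioning host.

```shell
#!/bin/sh
# Added example, not part of the original README or the bumble-auracast
# project: render the two per-device files the provisioning steps call for,
# a unique WireGuard config (/etc/wireguard/wg0.conf) and the systemd .link
# file that pins the MAC of the secondary ethernet port
# (/etc/systemd/network/10-eth1-mac.link), from per-device parameters.
# Assumptions: keys come from `wg genkey` / `wg pubkey` on the provisioning
# host, the kernel name of the second port is eth1, and the [Peer] block
# (AllowedIPs, keepalive) matches the VPN server; all values used below are
# constructed placeholders.

# render_wg_conf PRIVKEY ADDRESS SERVER_PUBKEY ENDPOINT -> wg0.conf on stdout
render_wg_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
EOF
}

# render_eth1_link MAC -> systemd.link unit assigning MAC to eth1 on stdout
render_eth1_link() {
    cat <<EOF
[Match]
OriginalName=eth1

[Link]
MACAddress=$1
EOF
}

# valid_mac MAC -> 0 for six colon-separated hex octets with the multicast
# bit (lowest bit of the first octet) clear; anything else is refused so a
# typo in the inventory cannot produce a port that never comes up.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    case $1 in
        [0-9a-fA-F][02468aceACE]:*) return 0 ;;
    esac
    return 1
}

# write_secret PATH -> stdin to PATH, created mode 0600 (private key inside)
write_secret() {
    ( umask 077; cat > "$1" )
}

# provision_device OUT_DIR PRIVKEY ADDRESS SERVER_PUBKEY ENDPOINT MAC
# Writes both files under OUT_DIR (use / on the device, a staging dir to test).
provision_device() {
    out=$1 privkey=$2 addr=$3 srvpub=$4 endpoint=$5 mac=$6
    valid_mac "$mac" || { echo "refusing invalid MAC: $mac" >&2; return 1; }
    mkdir -p "$out/etc/wireguard" "$out/etc/systemd/network"
    render_wg_conf "$privkey" "$addr" "$srvpub" "$endpoint" \
        | write_secret "$out/etc/wireguard/wg0.conf"
    render_eth1_link "$mac" > "$out/etc/systemd/network/10-eth1-mac.link"
}

# Constructed demo values; on a real device these come from `wg genkey`,
# `wg pubkey` and the device inventory.
STAGE=$(mktemp -d)
provision_device "$STAGE" "DEVICE_PRIVATE_KEY_PLACEHOLDER" "10.8.0.12/24" \
    "SERVER_PUBLIC_KEY_PLACEHOLDER" "vpn.example.invalid:51820" "02:11:22:33:44:55"
ls -l "$STAGE/etc/wireguard/wg0.conf" "$STAGE/etc/systemd/network/10-eth1-mac.link"
```

Writing into a staging directory first lets the generated files be inspected before they are copied to the device; `wg-quick up wg0` is then the same step as in the list above.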
## Secure-boot CM4: unlock secure USB mass-storage

```bash
bash gen-secure-msd-sig.sh
bash rpi-boot-secure.sh
```