| author | Bryan Newbold <bnewbold@archive.org> | 2019-08-14 15:32:26 -0700 | 
|---|---|---|
| committer | Bryan Newbold <bnewbold@archive.org> | 2019-08-14 15:32:26 -0700 | 
| commit | cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f (patch) | |
| tree | 4ac3ed5b10ea60333ad6633d22b4b088b0d142ed /device_setup.md | |
| parent | 05ad577e5b65c825fdb7c6e86715208f9aa6365a (diff) | |
update/iterate
Diffstat (limited to 'device_setup.md')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | device_setup.md | 92 |

1 files changed, 81 insertions, 11 deletions
| diff --git a/device_setup.md b/device_setup.md index 00d5101..4912d2f 100644 --- a/device_setup.md +++ b/device_setup.md @@ -9,22 +9,14 @@ OS: Ubuntu 16.04 "xenial" (as per EOTK supported)  ## OS Install -Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. +Download an Ubuntu 18.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.  Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot  menu and select the USB drive (I didn't use UEFI).  Install as english/USA. -Hostname: ia-onion1 - -User: eotk -Password: eotk-changeme - -Did not encrypt homedir; want device to come back up automatically after a -power fault. - -Select unencrypted full LVM volume. +Select use whole disk with LVM.  Select "install security upgrades automatically". @@ -32,6 +24,11 @@ Install:  - standard system utilities  - OpenSSH server +Hostname: ia-onion1 + +User: eotk +Password: eotk-changeme +  Have grub overwrite MBR  Reboot, pull USB drive, login as eotk. 
@@ -90,4 +87,77 @@ passwd) to install your personal SSH key in `authorized_keys2`.  TODO: should probably just disable password login entirely, and use root shell  in person if we need to recover? -Ok, now ready for service setup following `prototyping.md`. +Install tor to set up remote SSH access: + +    # follow directions at https://2019.www.torproject.org/docs/debian.html.en +    # for bionic upstream +    # should get tor 0.4 or newer + +    sudo apt install tor + +Add to /etc/tor/torrc (for v3 onion service): + +    HiddenServiceDir /var/lib/tor/ssh_hidden_service +    HiddenServiceVersion 3 +    HiddenServicePort 22 127.0.0.1:22 + +    # uncomment this one +    Log notice file /var/log/tor/notices.log + +Restart tor (`sudo service tor restart`). Get hidden service/secret: + +    sudo cat /var/lib/tor/ssh_hidden_service/hostname + +Add to your local (laptop) torbrowser (or whatever) config: + +    HidServAuth <hostname>.onion <stealth_secret> + +Add to local (laptop) ssh config: + +    Host ia-onion1 +        HostName <hostname>.onion +        User eotk +        proxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p + +Or: + +    torsocks ssh eotk@<hostname>.onion + +Note that the Tor Browser Bundle default local proxy port is now 9150; the +regular tor daemon when run as itself (not part of TBB) listens on port 9050. 
+ +Ok, now set up a 1GByte encrypted partition for EOTK et al, using LUKS: + +    sudo mkdir -p /private +    sudo dd if=/dev/urandom of=/private.img bs=1M count=1000 +    sudo cryptsetup luksFormat /private.img +    # YES +    # enter strong/long password + +    sudo cryptsetup luksOpen /private.img eotk_private_volume +    sudo mkfs.ext4 /dev/mapper/eotk_private_volume +    sudo mount /dev/mapper/eotk_private_volume /private +    sudo chown -R eotk:eotk /private + +To mount/unlock the partition (eg, after a reboot): + +    sudo cryptsetup luksOpen /private.img eotk_private_volume +    sudo mount /dev/mapper/eotk_private_volume /private +    sudo /etc/init.d/eotk-init.sh stop +    sudo /etc/init.d/eotk-init.sh start + +These commands should be put in an `~/after_reboot.sh` file on the device. + +Ensure that you can SSH in over tor, then reboot the NUC and make sure you can +still SSH in. + +Install mkcert: + +    sudo apt install libnss3-tools +    # download from https://github.com/FiloSottile/mkcert/releases +    # install in /usr/local/bin + +    mkcert -install + +Ok, now ready for service setup following `prototyping.md` (bionic section). + | 
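Review bot: in hunk `@@ -9,22 +9,14 @@`, the download line is switched to Ubuntu 18.04 but the unchanged context line right above it, `OS: Ubuntu 16.04 "xenial" (as per EOTK supported)`, still names xenial, so the document now contradicts itself; update that line as well (the last line of the patch already points at the bionic section of `prototyping.md`, so bionic is clearly the intent). Two smaller points in the same hunk: the rewritten line keeps the `checksup` typo (`checksum`), and the deleted rationale "Did not encrypt homedir; want device to come back up automatically after a power fault" is worth keeping, because the LUKS volume added later in this patch needs a manual unlock after every reboot, and the reader should be told explicitly that tor and SSH are meant to come up unattended while EOTK is not.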
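Review bot: in hunk `@@ -32,6 +24,11 @@`, the moved block records the literal login `Password: eotk-changeme` in a committed document; a placeholder default is fine, but the text should state that it is to be changed at first login, and since the following hunk publishes sshd as an onion service, the open TODO about disabling password login belongs with this setup step rather than being left for later.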
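Review bot: in hunk `@@ -90,4 +87,77 @@`, the `HidServAuth <hostname>.onion <stealth_secret>` step does not match the service this hunk configures. The torrc block is a plain v3 service (`HiddenServiceVersion 3`) with no client authorization, so `sudo cat /var/lib/tor/ssh_hidden_service/hostname` prints only the onion address and there is no stealth secret to copy; `HidServAuth` is also the v2-only client directive. Either drop that step, or add real v3 client authorization: put the client's `.auth` file under `/var/lib/tor/ssh_hidden_service/authorized_clients/` on the NUC and point the laptop's tor at the matching `.auth_private` key with `ClientOnionAuthDir`. Since this hunk is what exposes sshd over tor, it is also the place to close the TODO in the context lines: set `PasswordAuthentication no` in `/etc/ssh/sshd_config` once the personal key is in `authorized_keys2`, and mention that in the "Ensure that you can SSH in over tor" check. Lastly, the mkcert step installs a binary downloaded from GitHub releases with no verification; the ISO step earlier in the file verifies a checksum, so do the same here before copying it into `/usr/local/bin`.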
