After running PiServer for a few years now, we have the process of adjusting our client images fairly well documented. I thought I would share that process here for others making the move from PiNet to PiServer.
Some of the packages we install / uninstall may not be relevant to you; please adjust accordingly!
After installing PiServer certain software needs installing and uninstalling from the standard Raspbian Full image (1). First make a clone (2) of the Raspbian Full image in PiServer and then open a shell (4) for the new software image.
Adjust existing software / configs
Perform these following steps inside the shell (4) for the operating system you have just cloned.
APT Sources
We run an APT Cache server in our school, here we update the APT sources to use the cache server.
sed -i 's+http://+http://<APT Cache Server FQDN>:3142/+g' /etc/apt/sources.list
sed -i 's+http://+http://<APT Cache Server FQDN>:3142/+g' /etc/apt/sources.list.d/raspi.list
Now update and upgrade through APT:
apt update && apt dist-upgrade -y
Enable BASH Tab Completion
Open the bash.bashrc file for editing in nano:
nano /etc/bash.bashrc
Uncomment the “# enable bash completion in interactive shells” section:
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
“Ctrl + o” followed by “Enter” to write the file, “Ctrl + x” to exit. Now close and reopen your CHROOT shell.
Turn off screen blanking
raspi-config
- Select “Display Options”
- Select “D4 Screen Blanking”
- Select “<No>”
- Select “<OK>”
- Select “<Finish>”
- Select “<Yes>”
Chromium Managed Policy
We now apply a custom json policy file to the Chromium install on the clients. There is absolutely loads that you can set here; you should probably go and read over here to work what you need to set in your environment!
nano /etc/chromium-browser/policies/managed/sch-policy.json
Add the following to the file and save:
{
"HomepageLocation": "https://<Home Page URL>",
"BrowserGuestModeEnabled": false,
"IncognitoModeAvailability": 1,
"RestoreOnStartup": 1,
"PopupsAllowedForUrls": [
"http://<Smoothwall FQDN>",
"https://<Smoothwall FQDN>"
]
}
Install Smoothwall SSL certs
We run Smoothwall for our filtering and have it set to use IDex agents running on our Domain Controllers for authentication. The great thing with this is that as users are logging into the Raspberry Pi devices using their AD credentials, the IDex agent on the DCs sees the log on as a standard log in and filters all access for the Raspberry Pi devices as if they were Windows devices on the network… I might do another write-up with more detail about this later!
As well as setting up IDex for filtering, we also install the Smoothwall’s root CA certificate on the Raspberry Pi devices.
- Download the root CA certificate from Smoothwall here: https://<smoothwall FQDN>:441/ui/admin/trust
- Rename the file to: smoothwall-<YYYY>.crt
- SCP this to the PiServer pi user’s home directory
- Copy it to this directory in each OS image from a SSH connection directly to the PiServer:
sudo cp /home/pi/smoothwall-<YYYY>.crt /var/lib/piserver/os/<CLIENT OS NAME>/usr/local/share/ca-certificates/
Pi Dual Monitor fix
Using dual monitors on the Raspberry Pi with an image from PiServer does not quite work… I have my teacher’s Raspberry Pi connected to a monitor and the projector!
Back in the CHROOT shell for your new OS:
mv /usr/share/X11/xorg.conf.d/99-fbturbo.conf /usr/share/X11/xorg.conf.d/99-fbturbo.conf.fubar
Disable Overscan
echo "disable_overscan=1" >> /boot/config.txt
Enable the camera module
raspi-config
- Select option 3 “Interface Options”
- Select option P1 “Camera”
- Select “Yes”, then “OK” then “Finish”
- Select “No” when asked to reboot
Install new software
Aptitude installs
apt update && apt install gimp sl imagemagick gpac gnome-screenshot python3-matplotlib blender inkscape libnss3-tools mariadb-client dia dia-shapes gsfonts-x11 -y
Python 3 PIP Installs
pip3 install bluedot Pillow guizero network
FanShim library and service
All our Pi 4 devices use the Pimoroni Fan SHIM for cooling; so here we install and configure the software.
git clone https://github.com/pimoroni/fanshim-python
cd fanshim-python
./install.sh
cd examples
./install-service.sh --on-threshold 65 --off-threshold 55 --delay 2
User login scripts
In this section we create logon scripts that run each time a user logs into the Raspberry Pi devices.
Smoothwall Cert install
Create the user login script to import the Smoothwall cert:
nano /etc/profile.d/import-Smoothwall-SSL.sh
Enter the following into this file:
certutil -d sql:$HOME/.pki/nssdb -A -n "Smoothwall <YYYY>" -t "TCu,Cu,Tu" -i /usr/local/share/ca-certificates/smothwall-<YYYY>.crt
Apache User Dir setup
Create the user login script to create the public_html directory and fix permissions for Apache to read it:
nano /etc/profile.d/apache-user-dir.sh
Enter the following into this file:
mkdir $HOME/public_html
chmod 711 $HOME
chmod 711 $HOME/public_html
Uninstall software
apt update && apt remove bluej greenfoot-unbundled wolfram-engine wolframscript nodered claws-mail realvnc-vnc-viewer realvnc-vnc-server -y && apt autoremove -y
Overclock the Pi 4
These settings in the config.txt file overclock the PI 4. The [pi4] and [all] ensure that older Pis do not get these settings applied.
echo -e "\n\n# Pi 4 Overclock\n[pi4]\nover_voltage=6\narm_freq=2100\ngpu_freq=750\n[all]" >> /boot/config.txt
Teacher’s RPi Image
If you are setting up a teacher’s Raspberry Pi Image then follow these additional steps:
Install Remmina
Adjust the URL that is being echoed to match your APT Cache server…
apt update && apt install dirmngr fswebcam -y
apt-key adv --fetch-keys https://www.remmina.org/raspbian/remmina_raspbian.asc
echo "deb http://<APT Cache Server FQDN>:3142/www.remmina.org/raspbian/ buster main" > /etc/apt/sources.list.d/remmina_raspbian.list
apt update && apt install remmina -y