--- /dev/null
+# Zusätzliche Konfiguration für MaschinenplatzPi
+Ein MaschinenplatzPi erfüllt zusätzlich zum generischen ControlPi-Image die
+folgenden Funktionen:
+* Er verwaltet ein internes Netzwerk des Maschinenplatzes, in dem alle
+ weiteren ControlPis sich anmelden.
+* Er betreibt einen angeschlossenen Bildschirm mit Maus und numerischer
+ Tastatur als Kiosk-System.
+
+## Konfiguration des Netzwerk-Switches
+Wir verwenden einen [Netgear
+GS308E](https://www.netgear.de/support/product/gs308e.aspx) als
+VLAN-fähigen Switch.
+
+In der Web-Oberfläche des Switches wird zunächst das Default-Passwort
+(`password`) geändert und der Switch-Name auf den in unserem Netzwerk
+vergebenen angepasst.
+
+Im Bereich VLAN → 802.1Q → Advanced werden folgende Einstellungen
+vorgenommen:
+* Enable
+* VLAN Configuration VLAN ID 23 – Add
+* Port PVID für Ports 3–8 auf 23 – Apply
+* VLAN Membership VLAN ID 1, Port 1 U(ntagged), Port 2 T(agged),
+ Ports 3–8 nichts – Apply
+* VLAN Membershio VLAN ID 23, Port 1 nichts, Port 2 T(agged),
+ Ports 3–8 U(ntagged) – Apply
+
+An Port 1 soll also das externe Netzwerk, an Port 2 der MaschinenplatzPi
+und an Ports 3 bis 8 die weiteren ControlPis angeschlossen werden.
+Die Verbindung zwischen MaschinenplatzPi und externem Netzwerk bekommt die
+VLAN-ID 1 und das interne Netzwerk die VLAN-ID 23.
+
+## Internes Netz
+Der MaschinenplatzPi stellt den DHCP-Service und einen NTP-Server
+(`chrony`) für das interne Netzwerk bereit.
+Mit `networkctl status intern` können die im internen Netz aktuell
+vergebenen IP-Adressen angezeigt werden.
+
+Da keiner der User auf dem MaschinenplatzPi einen Private-Key für eine
+Verbindung zu den ControlPis in seinem internen Netz hat, muss für solche
+Verbindungen – von einem Account mit einer solchen Berechtigung aus – der
+MaschinenplatzPi als Jump-Host verwendet werden:
+```console
+ssh -J pi@maschinenplatzpi.site pi@192.168.23.23
+```
+
+Optional kann mit `systemctl start iptables` und `systemctl stop iptables`
+auf dem MaschinenplatzPi das Masqerading bzw. NAT für das interne Netz an-
+und ausgeschaltet werden, falls die ControlPis im internen Netz Verbindung
+zum externen Netz benötigen.
+
+## Kiosk-System
+Das Kiosk-System verwendet den Kiosk-Wayland-Compositor
+[Cage](https://github.com/Hjdskes/cage), um den Kiosk-Browser
+[qiosk](https://github.com/Salamek/qiosk) zu starten.
+
+Das Kiosk-System ist so eingerichtet, dass es beim Start des Pi automatisch
+die Datei `/home/pi/index.html` anzeigt (diese kann mit einem
+HTML-Meta-Refresh dann auf die tatsächlich anzuzeigende Webseite
+weiterleiten).
+Dies kann in einem nächsten Schritt durch eine von der lokal laufenden
+ControlPi-Instanz generierte Oberfläche geändert werden.
+
+## Anpassungen gegenüber dem generischen Image
+`chrony` (der NTP-Server für das interne Netzwerk) und `cage` (der
+Kiosk-Wayland-Compositor) können direkt aus den Arch-Linux-ARM-Repositories
+installiert werden:
+```console
+# pacman -S chrony cage
+```
+
+Zum Zeitpunkt des Schreibens muss wegen eines Bugs (`qt5-webengine` nach
+Update von Abhängigkeiten nicht selbst geupdatet) noch `qt5-webengine`
+selbst gebaut werden (Achtung! Dauert sehr lange!):
+```console
+# pacman -S bison flex pkgconf debugedit
+# su - pi
+$ git clone https://github.com/archlinuxarm/PKGBUILDs.git
+$ cd PKGBUILDs/extra/qt5-webengine/
+$ makepkg -sA
+$ mv qt5-webengine-5.15.11-3-armv7h.pkg.tar.xz ~/
+$ cd ~/
+$ rm -r PKGBUILDs/
+$ exit
+# pacman -U /home/pi/qt5-webengine-5.15.11-3-armv7h.pkg.tar.xz
+```
+
+Jetzt kann `qiosk` kompiliert und installiert werden:
+```console
+# su - pi
+$ git clone https://github.com/Salamek/qiosk.git
+$ cd qiosk/archlinux/
+$ makepkg -sA
+$ mv qiosk-1.1.16-1-armv7h.pkg.tar.xz ~/
+$ cd ~/
+$ rm -r qiosk/
+$ exit
+# pacman -U /home/pi/qiosk-1.1.16-1-armv7h.pkg.tar.xz
+```
+
+Die Konfigurations-Dateien werden – wie auch beim generischen Image – aus
+diesem git-Repository synchronisiert:
+```console
+$ sudo rsync -rlp maschinenplatzpi/etc /tmp/controlpi/
+$ rsync -rlp maschinenplatzpi/home/pi /tmp/controlpi/home/
+```
+
+Im Einzelnen sind dies:
+```console
+maschinenplatzpi/
+├── etc
+│ ├── chrony.conf
+│ ├── iptables
+│ │ └── iptables.rules
+│ ├── pam.d
+│ │ └── cage
+│ ├── sysctl.d
+│ │ └── 60-router.conf
+│ └── systemd
+│ ├── network
+│ │ ├── 00-extern.netdev
+│ │ ├── 00-intern.netdev
+│ │ ├── 10-eth0.network
+│ │ ├── 20-extern.network
+│ │ └── 20-intern.network
+│ └── system
+│ ├── cage@.service
+│ ├── default.target -> /usr/lib/systemd/system/graphical.target
+│ ├── graphical.target.wants
+│ │ └── cage@tty1.service -> /etc/systemd/system/cage@.service
+│ └── multi-user.target.wants
+│ └── chronyd.service -> /usr/lib/systemd/system/chronyd.service
+└── home
+ └── pi
+ └── index.html
+```
+
+Das Erstellen und Aufspielen des Images funktioniert dann genau wie für das
+[generische Image](graphit/controlpi-image).
--- /dev/null
+#######################################################################
+#
+# This is an example chrony configuration file. You should copy it to
+# /etc/chrony.conf after uncommenting and editing the options that you
+# want to enable. The more obscure options are not included. Refer
+# to the documentation for these.
+#
+#######################################################################
+### COMMENTS
+# Any of the following lines are comments (you have a choice of
+# comment start character):
+# a comment
+% a comment
+! a comment
+; a comment
+#
+# Below, the '!' form is used for lines that you might want to
+# uncomment and edit to make your own chrony.conf file.
+#
+#######################################################################
+#######################################################################
+### SPECIFY YOUR NTP SERVERS
+# Most computers using chrony will send measurement requests to one or
+# more 'NTP servers'. You will probably find that your Internet Service
+# Provider or company have one or more NTP servers that you can specify.
+# Failing that, there are a lot of public NTP servers. There is a list
+# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
+# you can use servers from the pool.ntp.org project.
+
+! server 0.arch.pool.ntp.org iburst
+! server 1.arch.pool.ntp.org iburst
+! server 3.arch.pool.ntp.org iburst
+
+pool 2.arch.pool.ntp.org iburst
+
+#######################################################################
+### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
+#
+# To avoid changes being made to your computer's gain/loss compensation
+# when the measurement history is too erratic, you might want to enable
+# one of the following lines. The first seems good with servers on the
+# Internet, the second seems OK for a LAN environment.
+
+! maxupdateskew 100
+! maxupdateskew 5
+
+# If you want to increase the minimum number of selectable sources
+# required to update the system clock in order to make the
+# synchronisation more reliable, uncomment (and edit) the following
+# line.
+
+! minsources 2
+
+# If your computer has a good stable clock (e.g. it is not a virtual
+# machine), you might also want to reduce the maximum assumed drift
+# (frequency error) of the clock (the value is specified in ppm).
+
+! maxdrift 100
+
+# By default, chronyd allows synchronisation to an unauthenticated NTP
+# source (i.e. specified without the nts and key options) if it agrees with
+# a majority of authenticated NTP sources, or if no authenticated source is
+# specified. If you don't want chronyd to ever synchronise to an
+# unauthenticated NTP source, uncomment the first from the following lines.
+# If you don't want to synchronise to an unauthenticated NTP source only
+# when an authenticated source is specified, uncomment the second line.
+# If you want chronyd to ignore authentication in the source selection,
+# uncomment the third line.
+
+! authselectmode require
+! authselectmode prefer
+! authselectmode ignore
+
+#######################################################################
+### FILENAMES ETC
+# Chrony likes to keep information about your computer's clock in files.
+# The 'driftfile' stores the computer's clock gain/loss rate in parts
+# per million. When chronyd starts, the system clock can be tuned
+# immediately so that it doesn't gain or lose any more time. You
+# generally want this, so it is uncommented.
+
+driftfile /var/lib/chrony/drift
+
+# If you want to enable NTP authentication with symmetric keys, you will need
+# to uncomment the following line and edit the file to set up the keys.
+
+! keyfile /etc/chrony.keys
+
+# If you specify an NTP server with the nts option to enable authentication
+# with the Network Time Security (NTS) mechanism, or enable server NTS with
+# the ntsservercert and ntsserverkey directives below, the following line will
+# allow the client/server to save the NTS keys and cookies in order to reduce
+# the number of key establishments (NTS-KE sessions).
+
+ntsdumpdir /var/lib/chrony
+
+# If chronyd is configured to act as an NTP server and you want to enable NTS
+# for its clients, you will need a TLS certificate and private key. Uncomment
+# and edit the following lines to specify the locations of the certificate and
+# key.
+
+! ntsservercert /etc/.../foo.example.net.crt
+! ntsserverkey /etc/.../foo.example.net.key
+
+# chronyd can save the measurement history for the servers to files when
+# it exits. This is useful in 2 situations:
+#
+# 1. If you stop chronyd and restart it with the '-r' option (e.g. after
+# an upgrade), the old measurements will still be relevant when chronyd
+# is restarted. This will reduce the time needed to get accurate
+# gain/loss measurements.
+#
+# 2. On Linux, if you use the RTC support and start chronyd with
+# '-r -s' on bootup, measurements from the last boot will still be
+# useful (the real time clock is used to 'flywheel' chronyd between
+# boots).
+#
+# Uncomment the following line to use this.
+
+! dumpdir /var/lib/chrony
+
+# chronyd writes its process ID to a file. If you try to start a second
+# copy of chronyd, it will detect that the process named in the file is
+# still running and bail out. If you want to change the path to the PID
+# file, uncomment this line and edit it. The default path is shown.
+
+! pidfile /var/run/chrony/chronyd.pid
+
+# If the system timezone database is kept up to date and includes the
+# right/UTC timezone, chronyd can use it to determine the current
+# TAI-UTC offset and when will the next leap second occur.
+
+leapsectz right/UTC
+
+#######################################################################
+### INITIAL CLOCK CORRECTION
+# This option is useful to quickly correct the clock on start if it's
+# off by a large amount. The value '1.0' means that if the error is less
+# than 1 second, it will be gradually removed by speeding up or slowing
+# down your computer's clock until it is correct. If the error is above
+# 1 second, an immediate time jump will be applied to correct it. The
+# value '3' means the step is allowed only in the first three updates of
+# the clock. Some software can get upset if the system clock jumps
+# (especially backwards), so be careful!
+
+makestep 1.0 3
+
+#######################################################################
+### LEAP SECONDS
+# A leap second is an occasional one-second correction of the UTC
+# time scale. By default, chronyd tells the kernel to insert/delete
+# the leap second, which makes a backward/forward step to correct the
+# clock for it. As with the makestep directive, this jump can upset
+# some applications. If you prefer chronyd to make a gradual
+# correction, causing the clock to be off for a longer time, uncomment
+# the following line.
+
+! leapsecmode slew
+
+#######################################################################
+### LOGGING
+# If you want to log information about the time measurements chronyd has
+# gathered, you might want to enable the following lines. You probably
+# only need this if you really enjoy looking at the logs, you want to
+# produce some graphs of your system's timekeeping performance, or you
+# need help in debugging a problem.
+
+! logdir /var/log/chrony
+! log measurements statistics tracking
+
+# If you have real time clock support enabled (see below), you might want
+# this line instead:
+
+! log measurements statistics tracking rtc
+
+#######################################################################
+### ACTING AS AN NTP SERVER
+# You might want the computer to be an NTP server for other computers.
+#
+# By default, chronyd does not allow any clients to access it. You need
+# to explicitly enable access using 'allow' and 'deny' directives.
+#
+# e.g. to enable client access from the 192.168.*.* class B subnet,
+
+! allow 192.168/16
+allow 192.168.23/24
+
+# .. but disallow the 192.168.100.* subnet of that,
+
+! deny 192.168.100/24
+
+# You can have as many allow and deny directives as you need. The order
+# is unimportant.
+
+# If you want to present your computer's time for others to synchronise
+# with, even if you don't seem to be synchronised to any NTP servers
+# yourself, enable the following line. The value 10 may be varied
+# between 1 and 15. You should avoid small values because you will look
+# like a real NTP server. The value 10 means that you appear to be 10
+# NTP 'hops' away from an authoritative source (atomic clock, GPS
+# receiver, radio clock etc).
+
+! local stratum 10
+
+# Normally, chronyd will keep track of how many times each client
+# machine accesses it. The information can be accessed by the 'clients'
+# command of chronyc. You can disable this facility by uncommenting the
+# following line. This will save a bit of memory if you have many
+# clients and it will also disable support for the interleaved mode.
+
+! noclientlog
+
+# The clientlog size is limited to 512KB by default. If you have many
+# clients, you might want to increase the limit.
+
+! clientloglimit 4194304
+
+# By default, chronyd tries to respond to all valid NTP requests from
+# allowed addresses. If you want to limit the response rate for NTP
+# clients that are sending requests too frequently, uncomment and edit
+# the following line.
+
+! ratelimit interval 3 burst 8
+
+#######################################################################
+### REPORTING BIG CLOCK CHANGES
+# Perhaps you want to know if chronyd suddenly detects any large error
+# in your computer's clock. This might indicate a fault or a problem
+# with the server(s) you are using, for example.
+#
+# The next option causes a message to be written to syslog when chronyd
+# has to correct an error above 0.5 seconds (you can use any amount you
+# like).
+
+! logchange 0.5
+
+# The next option will send email to the named person when chronyd has
+# to correct an error above 0.5 seconds. (If you need to send mail to
+# several people, you need to set up a mailing list or sendmail alias
+# for them and use the address of that.)
+
+! mailonchange wibble@foo.example.net 0.5
+
+#######################################################################
+### COMMAND ACCESS
+# The program chronyc is used to show the current operation of chronyd
+# and to change parts of its configuration whilst it is running.
+
+# By default chronyd binds to the loopback interface. Uncomment the
+# following lines to allow receiving command packets from remote hosts.
+
+! bindcmdaddress 0.0.0.0
+! bindcmdaddress ::
+
+# Normally, chronyd will only allow connections from chronyc on the same
+# machine as itself. This is for security. If you have a subnet
+# 192.168.*.* and you want to be able to use chronyc from any machine on
+# it, you could uncomment the following line. (Edit this to your own
+# situation.)
+
+! cmdallow 192.168/16
+
+# You can add as many 'cmdallow' and 'cmddeny' lines as you like. The
+# syntax and meaning is the same as for 'allow' and 'deny', except that
+# 'cmdallow' and 'cmddeny' control access to the chronyd's command port.
+
+# Rate limiting can be enabled also for command packets. (Note,
+# commands from localhost are never limited.)
+
+! cmdratelimit interval -4 burst 16
+
+#######################################################################
+### HARDWARE TIMESTAMPING
+# On Linux, if the network interface controller and its driver support
+# hardware timestamping, it can significantly improve the accuracy of
+# synchronisation. It can be enabled on specified interfaces only, or it
+# can be enabled on all interfaces that support it.
+
+! hwtimestamp eth0
+! hwtimestamp *
+
+#######################################################################
+### REAL TIME CLOCK
+# chronyd can characterise the system's real-time clock. This is the
+# clock that keeps running when the power is turned off, so that the
+# machine knows the approximate time when it boots again. The error at
+# a particular epoch and gain/loss rate can be written to a file and
+# used later by chronyd when it is started with the '-s' option.
+#
+# You need to have 'enhanced RTC support' compiled into your Linux
+# kernel. (Note, these options apply only to Linux.)
+
+! rtcfile /var/lib/chrony/rtc
+
+# Your RTC can be set to keep Universal Coordinated Time (UTC) or local
+# time. (Local time means UTC +/- the effect of your timezone.) If you
+# use UTC, chronyd will function correctly even if the computer is off
+# at the epoch when you enter or leave summer time (aka daylight saving
+# time). However, if you dual boot your system with Microsoft Windows,
+# that will work better if your RTC maintains local time. You take your
+# pick!
+
+! rtconutc
+
+# By default chronyd assumes that the enhanced RTC device is accessed as
+# /dev/rtc. If it's accessed somewhere else on your system (e.g. you're
+# using devfs), uncomment and edit the following line.
+
+! rtcdevice /dev/misc/rtc
+
+# Alternatively, if not using the -s option, this directive can be used
+# to enable a mode in which the RTC is periodically set to the system
+# time, with no tracking of its drift.
+
+rtcsync
+
+#######################################################################
+### REAL TIME SCHEDULER
+# This directive tells chronyd to use the real-time FIFO scheduler with the
+# specified priority (which must be between 0 and 100). This should result
+# in reduced latency. You don't need it unless you really have a requirement
+# for extreme clock stability. Works only on Linux. Note that the "-P"
+# command-line switch will override this.
+
+! sched_priority 1
+
+#######################################################################
+### LOCKING CHRONYD INTO RAM
+# This directive tells chronyd to use the mlockall() syscall to lock itself
+# into RAM so that it will never be paged out. This should result in reduced
+# latency. You don't need it unless you really have a requirement
+# for extreme clock stability. Works only on Linux. Note that the "-m"
+# command-line switch will also enable this feature.
+
+! lock_all
git.graph-it.com / graphit / controlpi-image.git / commitdiff