Pre-configuring a secure Manjaro XFCE on the RPI 4

Hi Everyone,

This account was made for this exact purpose, and depending on how far I get, I will have to stay as a permanent member.

The situation is as follows:
Our CEO asked my junior (he interned in my department, but has moved to a different department now) to set up infographic screens in our office: six screens (to start with) displaying relevant growth numbers. Since I work in the security department, and my colleague remembered that I am basically the only non-dev (which means that I sometimes actually have time) with Linux know-how, he asked me to help him out with choosing a setup.

Good on him, since devices that enter our office need to be set up/managed by security anyway.

The CEO is paying for a good deal of R&D so I got us a Raspberry Pi and a NUC. For the Pi I was thinking of setting up Raspbian, until I found Manjaro to be cleaner. I only have two problems to solve:
1. Automatic updates (I have absolutely no time to baby-sit these things). Is there a better way to set that up besides a daily pacman cronjob? The boxes will only run Chromium to display the website with the data, and nothing critical.
2. Automatic setup of the RPI image. That one really has me googling around. Is there a way to pre-configure the setup and load SSH keys so that when I shove the SD card in the Pi and boot it, I can SSH in using my private key and run all the scripts I need to get the device secured and ready?

I know Raspbian has unattended-upgrades, and because the pi user is preconfigured I can just go in there and sudo my way through everything before abolishing that user and setting up whatever I want. But if I can either pre-configure the setup part of Manjaro, or even set up the whole system (that would be ideal: just write the image and have it unfold into beauty at first boot), that would be better, because what I have seen in my Manjaro test-drive a few days ago makes me think it is the better option for a professional environment.

Please let me know your thoughts or if you have made something like this. I have extensive knowledge of Debian (Long-time Debian server and Mint XFCE desktop user) so feel free to hit me with the more technical tips. I’ll manage.

I think this is something the business part of Manjaro can be hired to do - that is if you want to skip the tedious work to set an environment up. @philm

You should absolutely use Raspberry Pi OS - not that I want to spoil your joy about Manjaro - but you will have to babysit the device in terms of updates. I will come back to the updates scenario.

You can create your images of manjaro-arm using the manjaro-arm-tools.

This allows you to create your own predefined setup - you could even label them and have a profile for each device.

If you firewall the device using the firewalld service - preconfigured in your tools profile - and use your own ssh-key based auth, then I’d suggest you - instead of babysitting the device - create a schedule for swapping the cards with a new image.

An 8G card every 2-3 months is pennies in terms of man hours to baby-sit the devices with updates. Creating the images can be done using e.g. a GitHub runner - like the ones used to create the official x86_64 images - and I bet @Strit has something automated already.

As you are using these babies in a closed environment you could get your IT to set up a VLAN, a separate circuit for the devices, keeping them separate from the office LAN.

It is possible to have similar functionality as Raspberry Pi OS, but the possible change in packages during an update - e.g. a replacement - cannot be scripted, but must be done hands-on in an ssh terminal.

You can create a service which runs `pacman -Syu --noconfirm` as root, but this only gets you as far as defaulting the answer - so if the default is 'N' the transaction is cancelled automatically.

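To show what the first-boot key loading the OP asks for and the update service described above could look like staged into an image before it is ever booted, here is an added example (not from the thread and not part of manjaro-arm-tools). It assumes the image's root partition is already mounted at the path passed as the first argument, that sshd on the image includes `/etc/ssh/sshd_config.d/*.conf` as Arch-based systems do, and that the unit names `kiosk-update.service`/`.timer` are ours to choose.

```shell
#!/bin/sh
# Added example: stage a root authorized_key, a key-only sshd drop-in and a
# daily unattended pacman update into a mounted image rootfs before first boot.
# Assumptions: $1 is the mounted root partition (a scratch dir works for a dry
# run); sshd_config on the image includes sshd_config.d/*.conf.
set -eu

provision_rootfs() {
    rootfs="$1"; pubkey="$2"
    # 1. Key-only SSH for root: the key is present at first boot, the password
    #    path never gets enabled, so no default user has to be abolished later.
    install -d -m 700 "$rootfs/root/.ssh"
    printf '%s\n' "$pubkey" > "$rootfs/root/.ssh/authorized_keys"
    chmod 600 "$rootfs/root/.ssh/authorized_keys"
    install -d -m 755 "$rootfs/etc/ssh/sshd_config.d"
    cat > "$rootfs/etc/ssh/sshd_config.d/10-kiosk.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
    # 2. Daily pacman -Syu --noconfirm. When pacman cancels the transaction
    #    (the 'N' default mentioned above) it exits non-zero, so the oneshot
    #    unit is left in the failed state and can be picked up by monitoring
    #    instead of by someone babysitting the box.
    install -d -m 755 "$rootfs/etc/systemd/system/timers.target.wants"
    cat > "$rootfs/etc/systemd/system/kiosk-update.service" <<'EOF'
[Unit]
Description=Unattended pacman update
After=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/pacman -Syu --noconfirm
EOF
    cat > "$rootfs/etc/systemd/system/kiosk-update.timer" <<'EOF'
[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
EOF
    # Enable the timer offline; systemctl enable would need a running system.
    ln -sf ../kiosk-update.timer \
        "$rootfs/etc/systemd/system/timers.target.wants/kiosk-update.timer"
}

# Usage against a written card, as root (paths are examples):
#   provision_rootfs /mnt/rootfs "$(cat ~/.ssh/id_ed25519.pub)"
```

Pair this with the firewalld profile and VLAN isolation suggested above; the script only covers the SSH and update pieces.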

It’s known as Raspberry Pi OS.

The relevant part of the post:

Both our 32-bit and 64-bit operating system images have a new name: Raspberry Pi OS. As our community grows, we want to make sure it’s as easy as possible for new users to find our recommended operating system for Raspberry Pi. We think the new name will help more people feel confident in using our computers and our software. An update to the Raspberry Pi Desktop for all our operating system images is also out today, and we’ll have more on that in tomorrow’s blog post.

Welcome to the world of business applications for the Pi 4. Unfortunately, the RPI4 lacks security measures that will need to be addressed. First, there is no BIOS, so you cannot password-protect the boot configuration. The SD drive cannot be disabled, but there are cases which enclose the SD drive (Argon One + M.2). And you would likely want to disable mass storage on the USB ports. So the NUC has some advantages and is likely better suited.

That said, the Pi 4 is a wonderful little device which is more capable than most people would think. It can be made fairly secure, with some effort. As for installation and setup, if you use (and modify) manjaro-arm-installer, you can create your Pi 4 image in as much detail as you like. And if you then only update when the "stable" releases are released, by creating a fresh image, it should prove to be fairly stable.

I applaud your efforts and hope you succeed.

We are exploring their use in a secure business environment, so it can be done… but it is not without ongoing effort.


We do have automated Raspberry Pi 4 image creation with GitHub Actions.

We have weekly builds based on the Unstable branch, and manually triggered release builds based on the Stable branch.

Here are the workflow files for that:
