Minimized web app image

Hello, I recently bought a BeagleBone Black and have been having fun working with it for gaming software development purposes. It seems like a good host for testing my multiplayer web app game with friends and family and for doing benchmarks.

For security on local networks possibly connected to the Internet I’ve started with the latest console image (bone-eMMC-flasher-debian-10.5-console-armhf-2020-08-12-1gb.img) and made a script to customize it after it’s installed.

Any ideas of steps to add for security, or feedback about the ones I’m doing already? These are highlights:

Change debian and root user passwords.

echo "/dev/mmcblk0 /media/sd ext4 noatime 0 2" >> /etc/fstab

adduser --system --group --no-create-home --disabled-login myapp

Install the postgres database via apt-get, change the cluster to be on the SD card, minimally configure it using the postgres user, and give the myapp user access to the app’s tables.

Make my server program a systemd service owned by myapp:myapp with the executable and served files on the SD card.

Remove unused packages:

apt-get -y purge bb-bbai-firmware bb-wl18xx-firmware bluez bsdmainutils btrfs-progs \
cloud-guest-utils crda dirmngr firmware-atheros firmware-brcm80211 firmware-iwlwifi \
firmware-libertas firmware-misc-nonfree firmware-realtek firmware-zd1211 gdbm-l10n \
gnupg-l10n gnupg-utils gpg-agent gpg gpgconf hostapd iputils-ping iw nano-tiny nano \
patch perl-modules-5.28 perl pinentry-curses rfkill wget whiptail \
wireless-regdb wireless-tools wpasupplicant ca-certificates sudo

Some hypothetical steps now are to add firewall rules (only allow inbound on port 80 for the app), remove SSH, and remove the debian user. The final system is just used by web browsers and maybe an SD card swap, no need to access the OS.

Thanks,
Matt
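
A check for the goal stated in the post (only the app on port 80 reachable, SSH gone), as an added example that is not part of the poster's script: it reads `ss -H -tuln` output and lists every socket reachable from the network other than TCP 80. The function names, the `ALLOWED_TCP_PORT` variable and the sample socket table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network-reachable listeners other than the app on TCP 80.
# ALLOWED_TCP_PORT and the function names are illustrative assumptions.
ALLOWED_TCP_PORT=80

# Reads `ss -H -tuln` output on stdin and prints "proto address:port" for
# every socket that is reachable from the network and is not the allowed port.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_TCP_PORT" '
    NF >= 5 {
        proto = $1; local = $5
        n = split(local, parts, ":")
        port = parts[n]                    # text after the last colon
        addr = substr(local, 1, length(local) - length(port) - 1)
        sub(/%.*/, "", addr)               # drop "%eth0" style interface suffix
        # Loopback-only sockets (e.g. PostgreSQL on 127.0.0.1) are not exposed.
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (proto == "tcp" && port == allowed) next
        print proto, addr ":" port
    }'
}

# Constructed sample of `ss -H -tuln` output, not captured from a real board.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Demo on the constructed sample; on the board itself run:
#   ss -H -tuln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

An empty result means nothing besides the app is listening on a non-loopback address; a firewall default-drop rule is still worth having so that a service installed later is not exposed by accident.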