I grabbed a couple of these, one with NAND flash and one without. Both have Wifi/BT/POE support, and I bought the POE hats because that's a damn good idea.

https://shop.allnetchina.cn/collections/frontpage/products/rock-pi-s?variant=29067635458150

= Setup =

I'm using their Ubuntu image here, it's "focal" (20.04 LTS).

== Initial image and packages ==

 * Image the SD card and boot it as normal, get a console either with adb or SSH
  * Default SSH creds are rock//rock, there's no root password set but you can sudo up
  * SSH is enabled by default
 * Login as rock, sudo to root
 * Set hostname: `hostnamectl set-hostname wag1.thighhighs.top`
 * Regenerate SSH host keys {{{
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

# As an alternative, though this will generate DSA keys as well
ssh-keygen -A
}}}
 * Packages {{{
apt update
apt install -y vim screen locales bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail
#dpkg-reconfigure locales
apt full-upgrade
reboot
}}}
 * Delete the entries from your known_hosts then SSH again as rock@host, accepting new keys

Fix your keys
 * ssh-copy-id rock@host
 * ssh rock@host  # login again
 * passwd  # set a strong random password, this will be used for both rock and root
 * sudo -i
 * passwd  # set the same for root now
 * record the new password somewhere
 * Lock the rock account now: usermod -L rock  # this still permits key access
 * Grab the authorized_keys so root can use it
  * mkdir -m 0700 /root/.ssh
  * cp /home/rock/.ssh/authorized_keys /root/.ssh/
  * chown root:root /root/.ssh/authorized_keys ; chmod 0600 /root/.ssh/authorized_keys
 * Logout as rock, login again as root this time


== Network config ==

 * Disable IPv6 privacy addresses {{{
# It's enabled by default on Ubuntu focal
sed -r -i 's/tempaddr = 2/tempaddr = 0/' /etc/sysctl.d/10-ipv6-privacy.conf
systemctl restart procps

# This is a nifty site for testing: http://ip.bieringer.net/
# Look at EUI64_SCOPE and see if it's random/privacy/global. Global is what we want for servers (probably).
}}}

== More config ==

 * Set timezone {{{
timedatectl set-timezone Australia/Sydney
}}}
 * Set editor {{{
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
}}}
 * Python {{{
apt install python-is-python3
}}}
 * Disable HashKnownHosts {{{
echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
}}}
 * Configure screen and top {{{
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
curl -o ~/.config/procps/toprc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.toprc
}}}
 * More packages {{{
apt install wget curl net-tools ack jq make mlocate elinks nmap whois
updatedb
reboot
}}}


== Faff with networking ==

We'd like static IP but dynamic IPv6 {{{
apt install netplan.io
}}}

Criteria is:
 * Get NTP servers from DHCP if possible
 * Static IPv4 addressing
 * Global static IPv6 addresses (I guess)
 * Add a locally-defined static IPv6 address, that other hosts can refer to via DNS etc
 * DNS resolvers can come from DHCP or be manually defined
 * Use networkd instead of network-manager, remove unneeded packages {{{
apt purge network-manager networkmanager-patch
apt autoremove
}}}

This'll do:
{{{
network:
    version: 2
    renderer: networkd

    ethernets:
        eth0:
            critical: true
            dhcp-identifier: mac
            dhcp4: false
            dhcp6: true
            dhcp6-overrides:
                use-dns: false
            ipv6-privacy: false
            addresses:
                - "192.168.1.26/24"
                # 26 for the .26 IPv4, ca6c == 51820, the default Wireguard port
                - "2404:e80:42e3:0:26:0:0:ca6c/64"
            routes:
                - to: 0.0.0.0/0
                  via: 192.168.1.1
                  on-link: true
            nameservers:
                addresses:
                    - 192.168.1.20
                    - 192.168.1.24
                    - fe80::e65f:1ff:fe1c:c6ea
                    - fe80::ba27:ebff:fe8c:f4f8
                search:
                    - thighhighs.top.
}}}

== Disable wifi ==

I don't need it and it slows down boot.
{{{
systemctl disable wpa_supplicant.service --now
}}}


= OS =

I installed their provided image of Debian buster, balena Etcher'd straight onto a spare SD card and inserted. Used adb shell to get initial connectivity to set it up and inspect things.

The root filesystem is all of ~500 MiB, which is great for compactness and speed. It auto-grows on first boot by the looks of it.
{{{
[   11.091476] EXT4-fs (mmcblk0p2): resizing filesystem from 199161 to 7835148 blocks
[   11.518063] EXT4-fs (mmcblk0p2): resized filesystem to 7835148
}}}

== Disk usage ==
{{{
root@rockpis:/# df -hl
Filesystem      Size  Used Avail Use% Mounted on
udev            210M     0  210M   0% /dev
tmpfs            43M  296K   43M   1% /run
/dev/mmcblk0p2   30G  511M   28G   2% /
tmpfs           213M     0  213M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           213M     0  213M   0% /sys/fs/cgroup
}}}

== Block devices ==
 * mmcblk0 is the SD card
 * mmcblk1 is the onboard NAND flash
{{{
root@rockpis:/# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
mmcblk0     179:0    0   30G  0 disk 
├─mmcblk0p1 179:1    0  112M  0 part 
└─mmcblk0p2 179:2    0 29.9G  0 part /
mmcblk1     179:32   0  3.6G  0 disk 
└─mmcblk1p1 179:33   0  3.6G  0 part 
}}}

== CPU ==
{{{
root@rockpis:/# lscpu 
Architecture:        aarch64
Byte Order:          Little Endian
CPU(s):              4
On-line CPU(s) list: 0-3
Thread(s) per core:  1
Core(s) per socket:  4
Socket(s):           1
Vendor ID:           ARM
Model:               2
Model name:          Cortex-A35
Stepping:            r0p2
CPU max MHz:         1296.0000
CPU min MHz:         408.0000
BogoMIPS:            48.00
Flags:               fp asimd aes pmull sha1 sha2 crc32
}}}

== Network interfaces ==
{{{
root@rockpis:/# ifconfig 
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 4e:43:df:6b:85:ff  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 752 (752.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 26  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 2  bytes 106 (106.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 106 (106.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p2p0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1a:77:e9:6d:75:84  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e6:a6:66:59:15:ed  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
}}}