Please note that this page has not been updated since 2012.

In July 2011 I switched to the GNU/Linux distribution CRUX from ArchLinux, desiring increased speed and stability, while maintaining customisability, which I got. I switched back to Debian Stable in January 2012.

There isn’t much non-official documentation for CRUX so I documented the entire setup here, for my own reference when reinstalling machines and for other beginners looking to try out CRUX. In particular I have detailed my setup for encrypting my hard drive, which is esoteric but the best way I can come up with for doing it on CRUX.

The CRUX handbook is what you should really be using for this, referring to my notes only when the handbook is a bit skimpy on detail. I’ll repeat an arbitrary selection of what that tells you to do.

My ports for CRUX are in the portdb; they’re used throughout this document.

I used CRUX 2.7 in preparing this.

  1. Installation
  2. Post-install configuration
  3. Miscellaneous notes
  4. Other resources

Installation

Encryption strategy

My paranoia levels are such that I want to set up enough encryption to foil someone without a mainframe who acquires my laptop from getting at my personal data, but I don’t take the steps necessary to stop someone from inserting a keylogger into my machine, leaving it for me to pick up again without me knowing it’s been gone, and then stealing my encryption passphrase anyway.

Since /boot has to be unencrypted and I am not willing to carry it around on a floppy or something, there is therefore no additional risk in having the root partition unencrypted, so I just encrypt /home, /var, have /tmp as a ramdisk, no swap and take steps to move sensitive configuration files (e.g. OpenVPN) in /etc into /home/etc so they are safe.

The reason I am not simply encrypting the root filesystem rather than have these separate partitions is that that would slow down the boot sequence substantially by requiring an initrd.

I don’t encrypt my desktop system at all anymore; the chances of it being stolen are so very much smaller than those for my laptop, I trust my family and LILO password is sufficient for LAN party security.

Partitions and formatting

Run fdisk as instructed. If dual-booting with Windows, remember that it likes to be in the first partition. A useful guide to fdisk. Going with 10GB for the root partition as the first time I did this I had 5 for that and 10 for /var, and I didn’t have enough space to install TeX Live and had to do crazy repartitioning of encrypted partitions…

Here’s a summary of the sizes I choose for my partitions:

| Partition | Size            | Filesystem |
|-----------|-----------------|------------|
| /         | 10GB            | ext3       |
| /var      | 5GB             | ReiserFS   |
| /home     | remaining HDD   | ext4       |
| /tmp      | max. 50% of RAM | tmpfs      |

so

``` {.nil}
mkfs.ext3 /dev/sda1
```

or, mkfs.ext4 on my single-partition desktop.

Installing the CRUX distribution

We don’t mount our partition for /var separately at this stage because the live CD doesn’t have the tools needed to do disc encryption, and it’s far easier to let (non-personal) data get written to /var now that can later be moved into the encrypted partition, rather than supplying the installation with the scripts and modules to encrypt now.

``` {.nil}
mount /dev/sda1 /mnt
setup
```

Select all three port collections and then deselect the following packages from opt: fetchmail, firefox, grub, lvm2, mdadm, nano, openbox, procmail, rp-pppoe, wvdial, xterm; deselect the following packages from xorg: xorg-xf86-video-* except for vesa.

Config files

Chroot and set the root password as instructed.

Lines for /etc/fstab; again this is simple as we’re going to add encrypted partitions later:

``` {.nil}
/dev/sda1  /              ext3     defaults,noatime                      0 1
tmp        /tmp           tmpfs    defaults,nosuid,size=1024M,mode=1777  0 0
usb        /proc/bus/usb  usbfs    defaults                              0 0
/dev/sdaX  /mnt/seven     ntfs-3g  defaults                              0 0
```

We’ll use autofs for floppy and optical drives.

In /etc/rc.conf, we change the keymap to uk, timezone to Europe/London and hostname to artemis for my laptop and zephyr for my desktop. Leave services and font as they are for now.

Generate locales:

``` {.nil}
localedef -i en_GB -f ISO-8859-1 en_GB
localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1
localedef -i en_GB -f UTF-8 en_GB.utf8
```

Temporary network setup

We will need wired network access with which to get wireless working, and the way I do this is to tether one machine to the other. The following configuration achieves that:

``` {.conf}
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
start)
    # loopback
    /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
    /sbin/ip link set lo up
    # ethernet
    /sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast +
    /sbin/ip link set eth0 up
    # default route
    /sbin/ip route add default via 10.8.0.1
    ;;
stop)
    /sbin/ip route del default
    /sbin/ip link set eth0 down
    /sbin/ip addr del 10.8.0.2/24 dev eth0
    /sbin/ip link set lo down
    /sbin/ip addr del 127.0.0.1/8 dev lo
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac

# End of file
```

Run these commands on the host machine to open up the target to the ‘net:

``` {.nil}
$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE
```

and its config file (if it’s running CRUX; it’s quite easy to move to other distros):

``` {.conf}
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
start)
    # loopback
    /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
    /sbin/ip link set lo up
    # ethernet
    /sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast +
    /sbin/ip link set eth0 up
    # default route
    #/sbin/ip route add default via 10.8.0.1
    ;;
stop)
    #/sbin/ip route del default
    /sbin/ip link set eth0 down
    /sbin/ip addr del 10.8.0.1/24 dev eth0
    /sbin/ip link set lo down
    /sbin/ip addr del 127.0.0.1/8 dev lo
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac

# End of file
```

This can be a bit flaky and doesn’t like hotplugging or rebooting so be willing to make liberal use of /etc/rc.d/net restart.

/etc/hosts:

``` {.conf}
127.0.0.1 localhost
127.0.1.1 artemis.silentflame.com artemis

193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
```

/etc/resolv.conf:

``` {.conf}
search silentflame.com
# nameserver 10.9.8.1
nameserver 208.67.220.222
nameserver 208.67.220.220
```

The commented out address will be of use once OpenVPN is operational.

Compiling the kernel

Here are changes I have made; everything else is left as-is.

  • General setup
    • Disable development/incomplete code/drivers
    • Disable swap support
    • Enable BSD Process Accounting
    • Disable kernel .config support
    • Enable UTS & IPC namespace support
    • Disable initramfs/initrd
    • Disable optimisation for size
    • On zephyr, enable configure standard kernel features (for small systems) [Apple keyboard]
  • Enable loadable module support
    • Disable unloading modules
  • Processor type and features
    • Processor family: Core 2/newer Xeon
    • Maximum number of CPUs set to 2
    • Disable SMT (Hyperthreading) scheduler support
    • Enable machine check / overheating reporting
      • Disable AMD MCE features
    • High Memory Support: 4GB
    • Enable KSM for page merging
    • Enable Math emulation
    • Enable MTRR cleanup support
    • Enable -fstack-protector buffer overflow detection
  • Power management and ACPI options
    • Enable power management support
    • Enable run-time PM core functionality
    • Enable APM for laptop (though this is known to be dodgy; care)
    • Enable CPU frequency scaling on artemis
      • Disable CPU frequency translation statistics
      • Enable the powersave, userspace, and conservative governors on artemis, and ondemand instead of conservative on zephyr. Set default governor to performance
      • Module ACPI Processor P-states driver
  • Bus options
    • Enable Message Signaled Interrupts
    • Disable ISA support
    • PCMCIA—disable on zephyr
      • Disable Cirrus PD6729 compatible bridge support
      • Disable i82092 compatible bridge support
  • Executable file formats / emulations
    • Enable kernel support for MISC binaries
  • Networking support
    • Networking options
      • For the Oxford VPN, we will need to module these:
        • Transformation user configuration interface
        • PF_KEY sockets
        • IP: GRE tunnels over IP
        • IP: AH transformation
        • IP: ESP transformation
        • IP: IPComp transformation
        • IP: IPsec transport mode
        • IP: IPsec tunnel mode
        • IP: IPsec BEET mode
      • Enable INET: socket monitoring interface
      • Disable IPv6 (I’m never on a network that supports it)
      • Enable Netfilter
        • Core Netfilter Configuration
          • Enable Netfilter connection tracking support
        • IP: Netfilter configuration
          • Enable IPv4 connection tracking support
          • Enable IP tables support
          • Enable Full NAT
            • Enable MASQUERADE target support
            • Enable REDIRECT target support
      • Module 802.1d ethernet bridging
    • Wireless
      • Enable (i.e. not just module) cfg80211
      • Enable Generic IEEE 802.11 Networking Stack (mac80211)
    • Enable RF switch subsystem support on artemis
  • Device drivers
    • Generic driver options
      • Enable maintain a devtmpfs filesystem to mount at /dev
        • Automount devtmpfs at /dev. after the kernel…
      • Enable include in-kernel firmware blobs in kernel binary
    • Enable connector—unified userspace <-> kernelspace linker
    • Plug and play support
      • Enable PNP debugging messages
    • Block devices
      • Module normal floppy disk support on artemis, enable on zephyr
      • Disable Compaq SMART2 support
      • Disable Compaq Smart Array 5xxx support
      • Disable Mylex DAC960/DAC1100 PCI RAID controller support
      • Module loopback device support
      • Disable network block device support
      • Module RAM block device support (this may break tmpfs?)
      • Disable ATA over ethernet support
    • On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) [this may or may not help failure to boot issue, really have no idea atm]
      • Enable support for SATA (deprecated; conflicts with libata SATA driver)
      • Enable generic ATA/ATAPI disk support
        • Enable ATA disk support
      • Enable Include IDE/ATAPI CDROM support
      • Enable IDE ACPI support
      • Enable generic/default IDE chipset support
      • Enable Platform driver for IDE interfaces
      • Enable AMD and nVidia IDE support
    • SCSI device support
      • Enable SCSI disk support
      • Enable SCSI CDROM support
        • Enable vendor-specific extensions (for SCSI CDROM) on zephyr only
      • Enable SCSI generic support
      • Probe all LUNs on each SCSI device
      • Enable asynchronous SCSI scanning
    • Enable serial ATA and parallel ATA drivers
      • Enable AHCI SATA support
      • Enable platform AHCI SATA support
      • On zephyr enable NVIDIA SATA support
    • Enable multiple devices driver support (RAID and LVM)
      • Enable device mapper support
      • Enable crypt target support
      • Enable snapshot target
      • Enable mirror target
    • Disable Fusion MPT device support
    • IEEE 1394 (FireWire) support
      • Disable FireWire driver stack
    • Enable Macintosh device drivers (hmm shouldn’t keyboard be under here?)
    • Network device support
      • Module dummy net driver support
      • Module universal TUN/TAP device driver support
      • Wireless LAN
        • Enable Intel Wireless Wifi on artemis
        • Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on artemis
          • Enable Intel Wireless WiFi 5000AGN … on artemis
        • Enable Ralink driver support on zephyr
          • Enable rt2500 (USB) support
          • Enable rt2501/rt73 (USB) support
          • Enable Ralink debug output
      • Disable PPP support
    • Input device support
      • Disable support for memoryless force-feedback devices
      • Disable polled input device skeleton
      • Set horizontal and vertical screen resolution
      • Enable event interface
      • Mice
        • On zephyr, enable PS/2 mouse
        • Disable serial mouse
        • Disable Apple USB touchpad support
        • Disable Apple USB BCM5974 Multitouch trackpad support
    • Character devices
      • Serial drivers
        • Disable 8250/16550 and compatible serial support
      • Enable Timer IOMEM HW Random Number Generator support
      • Enable Intel HW Random Number Generator support
      • Disable AMD … random number generator support × 2
      • Enable /dev/nvram support
    • Enable SPI support
    • Power supply class support
      • Module test power driver
      • Module all battery types on artemis for now
    • Enable hardware monitoring support
    • Generic thermal sysfs driver
      • Enable hardware monitoring support
    • Disable multimedia support
    • Graphics support
      • Enable laptop hybrid graphics on artemis
      • Module direct rendering manager
      • Disable support for frame buffer devices
      • Enable backlight & LCD device support on artemis
      • Display device support
        • Enable display panel/monitor support
      • Console display driver support
        • Disable scrollback buffer in system RAM
    • Enable sound card support
      • Enable ALSA
        • Enable sequencer support
        • Enable OSS mixer API
        • Enable OSS PCM
        • Enable OSS sequencer API
        • Disable verbose procfs contents
        • PCI sound devices
          • Enable Intel HD Audio
            • On artemis enable aggressive power-saving on HD-audio
              • Default time-out for HD-audio power-save mode: 60
            • On zephyr enable build nvidia HDMI HD-audio codec support
    • Disable HID drivers on artemis, enable on zephyr—enable/module on artemis if want USB mouse support
      • Special HID drivers
        • Enable Apple
    • USB support
      • Enable support for host-side usb
      • Enable USB device filesystem
      • Enable WUSB cable based association
      • Enable EHCI HCD (USB 2.0) support
      • Disable USB modem support
    • Enable MMC/SD/SDIO card support on artemis
      • On artemis, enable Secure Digital host controller interface support
      • On artemis enable SDHCI support on PCI bus
        • On artemis enable Ricoh MMC controller disabler
    • Disable Real Time Clock
    • Enable auxiliary display support
    • Disable X86 platform specific device drivers
      • On artemis, module Acer WMI laptop extras, Asus laptop extras and ThinkPad ACPI laptop extras—don’t think it’s the latter but one of three for SL300 which has IdeaPad internals, not proper ThinkPad—using lenovo-sl-laptop
    • On zephyr enable staging drivers
      • Disable exclude staging drivers from being built
      • Enable Ralink 2870/3070 wireless support
  • File systems
    • Enable ext2
    • Enable ext3
    • Default to ‘data-ordered’ in ext3
    • Enable ext4
    • Enable reiserfs
    • Disable JFS
    • Disable XFS
    • Enable kernel automounter version 4 support (also supports v3)
    • Enable FUSE
      • Module character device in userpace [sic] suppose
    • CD-ROM/DVD filesystems
      • Enable ISO 9660 CDROM file system support
      • Enable Microsoft Joliet CDROM extensions
      • Enable transparent decompression extension
      • UDF file system support
    • DOS/FAT/NT filesystems
      • Disable MSDOS fs support
      • Enable VFAT (Windows-95) fs support
      • On zephyr, enable NTFS file system support; disable on artemis
      • On zephyr enable NTFS write support
    • Network file systems
      • Enable NFS client support
      • Enable NFS client support for the NFSv3 ACL protocol extension
      • Enable NFS server support for the NFSv3 ACL protocol extension
      • Disable SMB file system support
      • Disable CIFS support
  • Kernel hacking
    • Enable timing information on printks
    • Enable __must_check logic
    • Disable Magic SysRq key
    • Enable sysctl checks
    • Filter access to /dev/mem
    • Maybe enable verbose x86 bootup info messages
  • Cryptographic API
    • Module null algorithms
    • Module CCM support (Oxford VPN)
    • Module GCM/GMAC support (Oxford VPN)
    • Enable SHA224 and SHA256 digest algorithm
    • Enable Zlib
    • Enable LZO
    • Enable pseudo random number generation for cryptographic modules
  • Virtualisation
    • Enable KVM support
      • Enable KVM for Intel processors support
    • Module Virtio balloon driver

Once done with menuconfig, we set things up:

``` {.nil}
make all && make modules_install
cp arch/x86/boot/bzImage /boot/vmlinuz
cp System.map /boot
```

Bootloader

Set up lilo; for artemis:

``` {.conf}
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
compact
boot=/dev/sda
image=/boot/vmlinuz
    label=CRUX
    root=/dev/sda3
    read-only
    append="quiet acpi_backlight=vendor"

# End of file
```

and for zephyr:

``` {.conf}
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
prompt
timeout=30
compact
boot=/dev/sda
image=/boot/vmlinuz
    label=CRUX
    root=/dev/sda3
    read-only
    append="quiet"
other=/dev/sda2
    label=dos

# End of file
```

``` {.nil}
lilo
reboot
```

Post-install configuration

Pre-encryption tweaks—stop building things as root

Following the advice here, we set up a non-privileged user to build ports. This also moves port building out of /usr and into /var where it belongs.

We create our user account here because otherwise pkgmk will get the first UID.

``` {.nil}
groupadd pkgmk
useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk
useradd -m -d /var/pkgmk -g pkgmk pkgmk
mkdir /var/pkgmk/{distfiles,packages,work}
chown pkgmk:pkgmk /var/pkgmk/*
chmod 775 /var/pkgmk/*
```

/etc/prt-get.conf:

``` {.conf}
makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk
```

/etc/pkgmk.conf:

``` {.conf}
PKGMK_SOURCE_DIR="/var/pkgmk/distfiles"
PKGMK_PACKAGE_DIR="/var/pkgmk/packages"
PKGMK_WORK_DIR="/var/pkgmk/work/$name"
```

/etc/hosts:

``` {.conf}
193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
```

Pre-encryption tweaks—packages

We can’t do much until encryption is operational because we don’t want to introduce any kind of personal data to the system until then. However our lives in setting that up will be a lot easier with some additional packages to our very spartan system.

If you see this on a bootup:

``` {.nil}
umount: /sys: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
mount: sysfs already mounted or /sys busy
```

then be assured that it may be safely ignored; I believe it’s a bug in the /etc/rc script.

First we enable the contrib ports collection

``` {.nil}
mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync
ports -u contrib
```

We tell prt-get that we’ve done so by uncommenting the line

``` {.conf}
prtdir /usr/ports/contrib
```

near the start of /etc/prt-get.conf. Now we use the mpup utility to add some ports from third party repositories. mpup is like ports -u except only specific ports are fetched, rather than a whole irrelevant repository.

``` {.nil}
prt-get depinst mpup
mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup
```

Now we add my personal repository TODO and gnome and xfce TODO (gnome below contrib so guile installs right).

Add to /etc/mpup.lst:

``` {.nil}
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid
rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus
rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font
rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools
httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1
httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5
httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword
httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
httpup sync http://www.landofbile.com/crux_ports/#gmime gmime
httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd
httpup sync http://vico.kleinplanet.de/files/repo/#abcde abcde
httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid
httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2
rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python
httpup sync http://jue.li/crux/ports/#s3fs s3fs
rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid
```

and add prtdir /usr/ports/meta to the beginning of /etc/prt-get.conf. Next we’ll install some basic utilities but before we do that we enable install scripts in /etc/prt-get.conf:

``` {.conf}
runscripts yes
```

now

``` {.nil}
ports -u meta swhitton
prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex
prt-get remove vim
```

Change the keymap in /etc/rc.conf to uk.swapcaps and then

``` {.nil}
loadkeys uk.swapcaps
```

to make caps lock into a control key, as it should be.

This should be enough to bootstrap my standard CLI interface into /root, which’ll make things more comfortable.

``` {.nil}
cd ~
rm -rf .ssh
mr --trust-all bootstrap xyrael.net/mrconfig-crux
chsh -s /bin/zsh
zsh
```

Encrypted partitions

At long last we are ready to prepare our encrypted partitions, move our sensitive data into them and then to have them decrypted at boot.

Create partitions

``` {.nil}
cryptsetup luksFormat /dev/sda2
cryptsetup luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda2 artemis-var
# /home lives on sda3, matching the boot-time commands added to /etc/rc
cryptsetup luksOpen /dev/sda3 artemis-home
mkfs.reiserfs /dev/mapper/artemis-var
mkfs.ext4 /dev/mapper/artemis-home
```

We’ll mount up the home partition and put something in it for testing purposes.

``` {.nil}
mount /dev/mapper/artemis-home /home
echo "it works!" > /home/test.txt
```

Decryption

To confirm that things are working we’ll do /home first before /var, because the latter gets log files written to it that we’re going to have to be careful about moving.

Open up /etc/rc and find the line

``` {.bash}
# Check filesystems
```

Above the chunk of lines this line heralds the commencement of, we are going to add our decryption commands. These are

``` {.bash}
# SEAN DECRYPTION BEGIN

# we need to set the keymap early in order to be able to decrypt
if [ "$KEYMAP" ]; then
    /usr/bin/loadkeys -q $KEYMAP
fi

/usr/bin/setfont $FONT

echo ""
echo -n "This is Sean's computer - enter system passphrase: "

# IFS= and -r keep leading/trailing spaces and backslashes in the passphrase
/bin/stty -echo; IFS= read -r PASSPHRASE; /bin/stty echo
echo ""
# the same passphrase unlocks both volumes; --key-file=- reads it from stdin
echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var
echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home

# overwrite the variable with a dummy value before dropping it
PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot"
unset PASSPHRASE

# SEAN DECRYPTION END
```

The idea of this code is to stop someone from being able to do anything with the system without opening it up, which was considered to be an acceptable risk in our encryption strategy.

Add this line to /etc/fstab:

``` {.conf}
/dev/mapper/artemis-home /home ext4 defaults 0 2
```

Reboot, and confirm our test file is still in place with the content we gave it. If so, it’s time to move the files in /var. We stop daemons that might write there before doing so,^1 move the data and then reboot and cross our fingers.

First add this line to /etc/fstab:

``` {.conf}
/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2
```

then

``` {.nil}
mkdir /mnt/tmp
mount /dev/mapper/artemis-var /mnt/tmp
/etc/rc.d/sysklogd stop
/etc/rc.d/crond stop
/etc/rc.d/net stop
mv /var/* /mnt/tmp
mv /var/.* /mnt/tmp
reboot
```

This doesn’t really require a reboot, but it’s nice to see all the encryption stuff now fully working in tandem.
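To check after that reboot that the machine matches the layout from the Encryption strategy section (/home and /var on LUKS mappings, /tmp on tmpfs, no swap), here is an added example that is not part of the original notes. The function names and sample mount tables are constructed for illustration, and it assumes the only /dev/mapper devices are the LUKS mappings created above (lvm2 was deselected at install time).

```sh
#!/bin/sh
# Added example (not from the original page): audit a system against the
# layout in "Encryption strategy". Inputs use the /proc/mounts and
# /proc/swaps formats, so the check can be exercised on constructed samples.
# On a real machine: audit_layout /proc/mounts /proc/swaps

# audit_layout MOUNTS_FILE SWAPS_FILE
# Prints one line per problem; exit status is the number of problems.
# Assumption: every /dev/mapper/* device is a LUKS mapping, so
# "mounted from /dev/mapper" stands in for "encrypted".
audit_layout() {
    awk -v swaps="$2" '
        # /proc/mounts: device mountpoint fstype options dump pass.
        # A later line for the same mountpoint shadows an earlier one.
        { dev[$2] = $1; fstype[$2] = $3 }
        END {
            bad = 0
            n = split("/home /var", want, " ")
            for (i = 1; i <= n; i++) {
                m = want[i]
                if (!(m in dev)) {
                    print m ": not a separate mount, data lands on /"; bad++
                } else if (dev[m] !~ /^\/dev\/mapper\//) {
                    print m ": mounted from " dev[m] ", not a LUKS mapping"; bad++
                }
            }
            if (!("/tmp" in fstype) || fstype["/tmp"] != "tmpfs") {
                print "/tmp: not a tmpfs ramdisk"; bad++
            }
            # /proc/swaps: one header line, then one line per active swap area.
            lineno = 0
            while ((getline line < swaps) > 0) {
                lineno++
                if (lineno > 1 && line != "") {
                    split(line, f, " ")
                    print "swap: active on " f[1]; bad++
                }
            }
            exit bad
        }
    ' "$1"
}

# write_samples DIR
# Constructed sample data: the finished layout from this page, and a machine
# where /var was never moved, /home is a plain partition and swap is enabled.
write_samples() {
    cat > "$1/good.mounts" <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
tmp /tmp tmpfs rw,nosuid,size=1048576k,mode=1777 0 0
/dev/mapper/artemis-home /home ext4 rw 0 0
/dev/mapper/artemis-var /var reiserfs rw,noatime,notail 0 0
EOF
    printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$1/good.swaps"
    cat > "$1/bad.mounts" <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
/dev/sda3 /home ext4 rw 0 0
tmp /tmp tmpfs rw,nosuid 0 0
EOF
    printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/sda4\tpartition\t2097148\t0\t-1\n' \
        > "$1/bad.swaps"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "== finished layout =="
    audit_layout "$d/good.mounts" "$d/good.swaps"; echo "problems: $?"
    echo "== unfinished layout =="
    audit_layout "$d/bad.mounts" "$d/bad.swaps"; echo "problems: $?"
    rm -rf "$d"
}

demo
```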

Post-encryption setup

Whew, now that encryption’s done we’re safe to start setting up my environment.

Distribution update

First bring the distribution up-to-date:

``` {.nil}
prt-get sysup
```

This will take a while since the packages will need to be compiled, unlike during the installation where this has already been done. Also prt-get’s dependency resolution isn’t perfect, and you may be required to intervene to upgrade some packages before others.

Now we’ve hacked /etc/rc we need to lock it to prevent it being overwritten by updates, which would stop our system from starting up. Add this line to /etc/pkgadd.conf

``` {.conf}
UPGRADE ^etc/rc$ NO
```

Wireless

Let’s stop dependency on another host for Internet access.

For artemis, we need the wireless firmware from here, and we need a release of the 5000 images (for our 5100AGN card) old enough to have -2 at the end, as our kernel version doesn’t seem to look for anything higher. 8.24.2.12.tgz appears to be the latest with this property. Extract the .ucode file into /lib/firmware and reboot and the hardware should be ready to go.

For zephyr we need rt2870.bin which we can drop into /lib/firmware; we then need a symlink: ln -s /lib/firmware/rt2870.bin /lib/firmware/rt3070.bin because the rt2870.bin driver covers a lot of hardware and the kernel looks in the wrong place.

Install wicd to manage network connections from now on. Somehow glib doesn’t get updated enough/at all in the sysup so do it again here (maybe).

``` {.nil}
prt-get update glib
prt-get depinst wicd urwid
/etc/rc.d/dbus start
/etc/rc.d/wicd start
```

Add the atd, dbus and wicd daemons (in that order) to /etc/rc.conf, and comment out the gateway settings for eth0 from /etc/rc.d/net (we can’t remove this daemon entirely because we need the loopback interface—discovered this the hard way when mpd wouldn’t work…). Fire up wicd-curses to connect to your wireless network. Remember to add 10.9.8.1 as first DNS server, globally, then OpenDNS.

ntp

At this point I tend to notice my system clock drifting.

``` {.nil}
prt-get depinst openntpd
/etc/rc.d/ntpd start
```

Add ntpd to list of daemons in /etc/rc.conf. In /etc/rc.d/ntpd, make the -s into -S so that ntp doesn’t even try to change the time on startup, which makes a big difference to boot speed.

Add to /etc/pkgadd.conf:

``` {.conf}
UPGRADE ^etc/rc\.d/ntpd$ NO
```

to protect our changes.

User account

``` {.nil}
mkdir /home/swhitton
chown swhitton:users /home/swhitton
passwd swhitton
```

Log out and login again as the new user. Bootstrap its homedir:

``` {.nil}
$ mr --trust-all bootstrap xyrael.net/mrconfig-crux
```

On zephyr, add to /etc/rc.local:

``` {.bash}
echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null
```

X

Setup

We’re going with the non-free nVidia drivers since we have a nVidia card we want to make some use of:

``` {.nil}
prt-get depinst nvidia
reboot
nvidia-xconfig
gl-select use nvidia
```

To test X, back as swhitton, we prepare a minimal .xinitrc with just the line exec urxvt, moving the usual file to .xinitrc~.

``` {.nil}
$ startx
```

If you get a terminal that you can type into, and the mouse moves around, we’re good to go. Run exit in the terminal to kill off X.

Driver tweaks

Add the following lines to the Device section of /etc/X11/xorg.conf for some minor improvements (from Arch wiki):

``` {.conf}
Option "NoLogo" "1"
Option "RenderAccel" "1"
Option "ConnectedMonitor" "DFP"
Option "TripleBuffer" "1"
Option "DamageEvents" "1"
Option "DPS" "1"
```

Remove the third line for zephyr.

The almighty Terminus

We need three versions of Terminus: one which provides the traditional X font, one which provides the xft font and one for the console.

The Arch package provides all three at once, I believe, or at least the first two so should probably be looked into at some point.

``` {.nil}
prt-get depinst xorg-font-terminus console-font-terminus terminus-font
```

In the Files section of /etc/X11/xorg.conf, add the line

``` {.conf}
FontPath "/usr/lib/X11/fonts/terminus"
```

and then my .Xresources should take care of the rest. For console, update /etc/rc.conf to use this new font, Lat2-Terminus16.

Font beautification

CRUX’s X11 fonts look pretty poor without tweaks, and there are various ways to improve the situation. After much messing around I reckon that the cleartype approach is the best, especially since the packages on the AUR were recently renewed and seem to be maintained. Links about this issue at the end of this document.

First we set up some package aliases so that our prt-get doesn’t think we’ve removed important dependencies. Append to /var/lib/pkg/prt-get.aliases

``` {.conf-colon}
libxft-cleartype: xorg-libxft
freetype2-cleartype: freetype
cairo-cleartype: cairo
postfix: exim
```

and append to /etc/pkgadd.conf to protect this file from upgrades:

``` {.conf}
UPGRADE ^var/lib/pkg/prt-get.aliases$ NO
```

``` {.nil}
prt-get remove freetype xorg-libxft cairo
prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype
```

Taking the -ubuntu approach means no Xft Terminus, so it requires the hacked TTF versions floating about, which means no smaller font in the Conkeror minibuffer.

Check in /etc/fonts/fonts.conf that near the top there is

``` {.xml}
<dir>/usr/share/fonts</dir>
<dir>/usr/lib/X11/fonts</dir>
<dir>~/.fonts</dir>
```

as the second line might be missing. This should be packaged up/automated at some point.

Lisp

We are going to install the lisp environment to run my window manager, StumpWM, using the quicklisp approach from the ArchWiki. When my lisp knowledge improves I will make this into a package.

``` {.nil}
prt-get depinst sbcl texinfo
wget beta.quicklisp.org/quicklisp.lisp
sbcl --load quicklisp.lisp
```

and then in the interactive shell

``` {.commonlisp}
(quicklisp-quickstart:install)
(ql:add-to-init-file)
(ql:update-all-dists)
(ql:quickload "clx")
(ql:quickload "cl-ppcre")
(quit)
```

This relies on the environment variable we set in .zshrc, SBCL_HOME=/usr/lib/sbcl.

More building blocks

Unfortunately, stumpwm won’t build unless we’re root at the moment as I haven’t got the package set up right. So first we comment out the lines we added to /etc/prt-get.conf and /etc/pkgmk.conf and then

``` {.nil}
cd /usr/ports/swhitton/stumpwm
pkgmk -d
chown pkgmk:pkgmk stumpwm#git-1.pkg.tar.gz
mv stumpwm#git-1.pkg.tar.gz /var/pkgmk/packages
```

Now uncomment the lines again and

``` {.nil}
prt-get depinst xbindkeys avfs stumpwm
$ mkdir .avfs
echo "user_allow_other" >> /etc/fuse.conf
```

This should be enough to get a graphical environment up, so startx and open up a shell with the usual C-i C-t. If dual monitors need setting up, su to root and run nvidia-settings.

SLiM

And changes to theme to make slimlock work and changes to slimlock.conf.

gettys & SLiM

Using a display manager is much neater than running startx from ~/.zshrc.

``` {.nil}
prt-get depinst mingetty slim slimlock
```

We use mingetty because it allows autologin if we ever want it and it uses less resources than agetty. We don’t use autologin at the moment because we’re screenlocking with slimlock rather than vlock. One virtual console is sufficient.

``` {.conf}
c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux
c2:2:respawn:/sbin/mingetty --noclear tty2 linux
c3:2:respawn:/sbin/agetty 38400 tty3 linux
c4:2:respawn:/sbin/agetty 38400 tty4 linux
c5:2:respawn:/sbin/agetty 38400 tty5 linux
c6:2:respawn:/sbin/agetty 38400 tty6 linux
s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100
x:2:respawn:/usr/bin/slim >& /dev/null
```

Amend these lines in /etc/slim.conf:

``` {.conf}
console_cmd /usr/bin/urxvt -T "Console login" -e /bin/sh -c "/bin/cat /etc/issue; exec /bin/login"
default_user swhitton
auto_login yes (on artemis)
```

and in /etc/slimlock.conf:

``` {.conf}
wrong_passwd_timeout 0
show_username 1
show_welcome_msg 0
```

and a fix to /usr/share/slim/themes/crux-smooth/slim.theme:

``` {.conf}
username_x 170
password_x 170
```

ALSA

Let’s get sound operational.

``` {.nil}
prt-get depinst alsa-lib alsa-utils alsa-oss
alsamixer
```

Hit M to unmute the main channel. Raise the volume until the dB gain is 0 and then play a sound to test. If it doesn’t play, raise the other sliders around a bit.

``` {.nil}
aplay /home/swhitton/lib/beep.wav
```

Now add alsa to the daemons array in /etc/rc.conf and run

``` {.nil}
alsactl -f /var/lib/alsa/asound.state store
/etc/rc.d/alsa start
```

sshd

Add to /etc/hosts.allow:

``` {.conf}
sshd: 10.9.8. 192.168.0. 10.8.0.
```

We need sshd running all the time in order to have tramp working smoothly, it seems (not in find-file but in eshell).

mpd, ncmpcpp & mpdscribble

No reason to go any further without some tunes. We need to install libmms first in order to get proper streaming support.

``` {.nil}
prt-get depinst libmms libfaac
prt-get depinst mpd mpc ncmpcpp mpdscribble
```

Sync media library

One of unison’s dependencies, ocaml, will need a .footprint deleting.

``` {.nil}
prt-get depinst unison
```

Reconnect ethernet cable and run /etc/rc.d/net restart on both machines to bring up the connection. Run

``` {.nil}
$ unison ~/var ssh://10.8.0.2/var
```

on host tethered artemis/zephyr to copy ~/var back over to new machine.

Configuration

We want mpd to run as swhitton. Uncomment loads of stuff in /etc/mpd.conf (and add mixer_type "software" to ALSA output to make mpd volume independent of everything else), make sensible edits and run

``` {.nil}
$ mkdir -p .mpd/playlists
chown swhitton.users /var/cache/mpdscribble/*.journal
usermod -a -G audio swhitton
```

At some point we should move the config we use inside /home/swhitton since everything happens there now.

Add this line to /etc/hosts.allow:

``` {.conf}
mpd: 127.0.0.1
```

Add this line to /etc/pkgadd.conf:

``` {.conf}
UPGRADE ^var/cache/mpdscribble/.*\.journal$ NO
```

.xinitrc will take care of starting mpd and mpdscribble.

sudo

Execute visudo and uncomment the line

``` {.conf}
%wheel ALL=(ALL) NOPASSWD: ALL
```

and execute

``` {.nil}
usermod -a -G wheel swhitton
```

to give swhitton full sudo access.

Desktop software

``` {.nil}
prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes \
    flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp \
    xclip libreoffice scrot shared-mime-info gnome-mime-data htop at \
    filezilla abook libogg flac libvorbis easytag unzip imagemagick bc \
    aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m \
    dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts \
    ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs \
    notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist guile \
    normalize abcde cd-discid eject terminator vte-python xchat s3fs service \
    psi-im vcdimager subversion xfce-mcs-manager thunar
```

Select a theme with gtk-chtheme.

Do not be tempted to install the packages xorg-font-adobe-100dpi & xorg-font-adobe-75dpi. They take priority over other fonts and look rubbish, screwing things up in general.

At some point I should write a Pkgbuild to install pdftk, but this is a nightmare because gcj is a nightmare to build, so for now I’ll just use the pdftk on athena.

Conkeror relies on xulrunner, which at present comes with the CRUX 2.7 installation CD but, as Firefox now includes it, is not available in the ports database. If needed in the future, the CRUX git repository history contains the Pkgfile: link 1, 2, 3.

OpenVPN

We want the OpenVPN configuration files to be encrypted.

``` {.nil}
mkdir -p /home/etc/openvpn
ln -s /home/etc/openvpn /etc
prt-get depinst openvpn
```

Copy into /etc/openvpn the files ca.crt, artemis.crt and artemis.key and then create /etc/openvpn/tap.conf:

``` {.conf}
client
remote 212.13.194.60 1194
dev tap
proto tcp
resolv-retry infinite
nobind
persist-remote-ip
persist-local-ip
ping 5
ping-restart 10
ping-timer-rem
persist-key
persist-tun
verb 2
ca /etc/openvpn/ca.crt
cert /etc/openvpn/artemis.crt
key /etc/openvpn/artemis.key
comp-lzo
;redirect-gateway def1
```

where the final line is to be uncommented when on my untrusted university LAN. Add openvpn to the daemons started in /etc/rc.conf. Use udp rather than tcp on desktop.

Create the /etc/rc.d/openvpn script (stolen from Arch):

``` {.bash}
#!/bin/sh
#
# /etc/rc.d/openvpn: start/stop vpn daemon
#

CFGDIR="/etc/openvpn"
STATEDIR="/var/run/openvpn"

case $1 in
start)
    mkdir -p "${STATEDIR}"
    # one daemon per *.conf file, each with its own pid file
    for cfg in "${CFGDIR}"/*.conf; do
        /usr/sbin/openvpn --daemon \
            --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid \
            --cd "${CFGDIR}" --config "${cfg}"
    done
    ;;
stop)
    # kill every daemon we recorded a pid for, then drop the pid file
    for pidfile in "${STATEDIR}"/*.pid; do
        kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
        rm -f "${pidfile}"
    done
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac

# End of file
```

and fire her up:

``` {.nil}
/etc/rc.d/openvpn start
```

SSH configuration

Download the keys desktop-key and key into ~/.ssh, and in ~/.ssh/config replace athena.silentflame.com with athena.athenet and add

``` {.conf}
Host selene
    User root
    HostName selene.silentflame.com
    IdentityFile ~/.ssh/desktop-key

Host raven
    User ball3162
    HostName linux.ox.ac.uk
    IdentityFile ~/.ssh/desktop-key
```

E-mail

Our first real encounter with pre-install scripts. prt-get readme dovecot/postfix will provide an explanation.

``` {.nil}
pkgrm exim
prt-get depinst dovecot postfix offlineimap
```

We add the following line in /etc/dovecot/conf.d/10-mail.conf:

``` {.conf}
mail_location = maildir:~/.gnus.d/Maildir
```

and the following in /etc/postfix/main.cf:

``` {.conf}
relayhost = [10.9.8.1]:25
```

and we’re done. We may now run

``` {.nil}
/etc/rc.d/postfix start
$ offlineimap
```

to do the initial download of my e-mail. Add the postfix daemon to /etc/rc.conf (but not dovecot). You might want to test that e-mail goes where it should via telnet:

``` {.nil}
~ # telnet localhost 25
Trying 127.0.0.1...
erase character is '^H'.
Connected to localhost.
Escape character is '^]'.
220 artemis.localdomain ESMTP Postfix
>>> EHLO localhost
250-artemis.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk>
250 2.1.0 Ok
>>> rcpt to:
250 2.1.5 Ok
>>> data
354 End data with .
>>> Dear Sean,
>>>
>>> This is my test message. Thanks.
>>>
>>> Thanks.
>>> .
250 2.0.0 Ok: queued as C0CEFB9
>>> quit
221 2.0.0 Bye
Connection closed by foreign host
```

where >>> prefixes a line I typed. This is the most esoteric e-mail route I can come up with, where the mail goes local -> athena -> Oxford smtp -> gmail -> athena -> local, so check the headers to make sure it’s gone everywhere it should.

Now that ~/.newsrc.eld isn’t synced between machines, recreate Gnus group tree as follows (^ opens tree and u subscribes to items; Tn to create new topics and GV and Gv to manipulate virtual groups; u to kill off things like gnus-help):

``` {.nil}
[ Gnus -- 54 ]
  0 / 19 / 1199 : INBOX
  0 / 1 / 2423 : Notices & updates
  9 / 16 / 2408 : Feeds & lists
  0 / * / 0 : feeds.Guardian
[ Listservs -- 1 ]
  0 / 1 / 372 : lists.BitFolk
* 0 / 0 / 140 : lists.VCS-Home
  0 / 0 / 27 : lists.Wikizine
[ Feeds -- 16 ]
  1 / 4 / 595 : feeds.Blogs
  7 / 7 / 1320 : feeds.Comics
  1 / 3 / 253 : feeds.Friends
  0 / 2 / 240 : feeds.Tech
[ Personal -- 1 ]
* 0 / 0 / 5080 : archive
  0 / 0 / 99 : drafts
  0 / 0 / 1735 : notices
  0 / 0 / 2245 : sent
* 0 / 0 / 40 : temptodo
  0 / 1 / 688 : updates
```

crontab

``` {.cron}
*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null
0 * * * * /home/swhitton/bin/doccheckin >/dev/null
```

acpid & laptop-mode

Most of this is only on artemis. First we disable updatedb which can block suspend (on zephyr & artemis).

laptop-mode

``` {.nil}
rm /etc/cron/daily/mlocate
prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors
```

Add the acpid and laptop-mode daemons to /etc/rc.conf (in that order).

I am not sure laptop mode is doing everything it can to save power because /etc/laptop-mode/conf.d/ doesn’t exist, as it does on Arch. At some point may wish to look into improving things, using the Arch wiki (two links).

lenovo-sl-laptop

The lenovo-sl-laptop module provides control of the backlight and access to various hotkeys from X. Recompiling the kernel wipes it out so remember to re-add it should you need to do that.

``` {.nil}
cd ~/local/src
git clone git://github.com/tadzik/lenovo-sl-laptop.git
cd lenovo-sl-laptop
make
mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf
echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs
```

Add acpi_backlight=vendor to the kernel boot line in /etc/lilo.conf and run lilo to put it in place.

Suspend on lid closure

Edit the file /etc/acpi/actions/lm_lid.sh and add this block to the top:

``` {.bash}
if grep -q closed /proc/acpi/button/lid/LID/state; then
    sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock
fi
```

Sometimes a stale lock file prevents pm-suspend from working with no errors or log messages. To deal with this:

``` {.nil}
rm /var/run/pm-utils/locks/pm-suspend.lock
```

autofs & NFS

``` {.nil}
prt-get depinst autofs
rm /etc/autofs/auto.{master,net,media}
```

/etc/autofs/auto.master:

``` {.conf}
/media /etc/autofs/auto.media
/net /etc/autofs/auto.net --timeout=30
```

/etc/autofs/auto.net:

``` {.conf}
athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp
share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files
```

/etc/autofs/auto.media:

``` {.conf}
cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0
usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1
```

Add rpcbind, nfs and autofs to the daemons array in /etc/rc.conf, in that order.

Should now have in that array, in this order: acpid, laptop-mode, alsa, net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn, postfix, sshd.

Protect these configs in /etc/pkgadd.conf:

``` {.conf}
UPGRADE ^etc/autofs/auto\..*$ NO
```
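The UPGRADE rules appended to /etc/pkgadd.conf throughout this page (for /etc/rc, the ntpd script, prt-get.aliases, the mpdscribble journals and the autofs maps) only protect a file if no later rule overrides them, because pkgadd applies the last rule that matches. The following is an added example, not part of the original notes or of CRUX's own tools: a POSIX shell re-implementation of that lookup for checking a rule set before running a sysup. The two "stock" rules and the test paths are constructed, and grep -E stands in for pkgadd's regex matching (an assumption).

```shell
#!/bin/sh
# Added example: decide whether "pkgadd -u" would overwrite a file, given
# pkgadd.conf rules. Every UPGRADE rule is tried in file order and the LAST
# one whose pattern matches decides.

# Constructed sample: two broad rules of the kind a stock pkgadd.conf
# carries (assumption; compare with your own /etc/pkgadd.conf).
STOCK_RULES='
# constructed stock-style rules
UPGRADE ^etc/.*$     NO
UPGRADE ^etc/rc.*$   YES
'

# The same rules followed by the ones this page appends, in page order.
PAGE_RULES="$STOCK_RULES"'
UPGRADE ^etc/rc$ NO
UPGRADE ^etc/rc\.d/ntpd$ NO
UPGRADE ^var/lib/pkg/prt-get.aliases$ NO
UPGRADE ^var/cache/mpdscribble/.*\.journal$ NO
UPGRADE ^etc/autofs/auto\..*$ NO
'

# upgrade_decision RULES PATH
# PATH is relative (no leading slash), as in a package's file list.
# Prints YES (file is replaced) or NO (file is kept back).
upgrade_decision() {
    ud_rules=$1
    ud_path=$2
    ud_decision=YES                       # no matching rule: upgrade
    while read -r ud_event ud_pattern ud_action; do
        [ "$ud_event" = UPGRADE ] || continue     # comments, blanks, other events
        case $ud_action in YES|NO) ;; *) continue ;; esac
        if printf '%s\n' "$ud_path" | grep -Eq -- "$ud_pattern"; then
            ud_decision=$ud_action        # a later match overrides an earlier one
        fi
    done <<EOF
$ud_rules
EOF
    printf '%s\n' "$ud_decision"
}

# kept_back RULES: reads paths on stdin, prints those an upgrade leaves alone.
kept_back() {
    kb_rules=$1
    while read -r kb_path; do
        if [ "$(upgrade_decision "$kb_rules" "$kb_path")" = NO ]; then
            printf '%s\n' "$kb_path"
        fi
    done
}

# Demo: under the broad "etc/rc.*" YES rule alone, the hacked /etc/rc and
# the edited ntpd script would both be overwritten by an upgrade.
for p in etc/rc etc/rc.d/ntpd etc/rc.d/sshd etc/autofs/auto.net; do
    printf '%-22s stock=%s with-page-rules=%s\n' "$p" \
        "$(upgrade_decision "$STOCK_RULES" "$p")" \
        "$(upgrade_decision "$PAGE_RULES" "$p")"
done
```

Files that are kept back are not discarded: pkgadd places the packaged version under /var/lib/pkg/rejected/, where rejmerge can be used to review it.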

``` {.nil}
prt-get depinst wine
```

The AcceptEx patch has now been merged with Wine so you should just be able to install Warcraft III and its expansion and then update right off Battle.net. And it seems Wine is able to trap the mouse inside the window now too. Still rename Movies to Moviez, but the patch sorts out resolution issues. Nice.

winecfg and enable emulate virtual desktop to play.

StarCraft II

The most recent versions of wine allow you to get your mouse pointer trapped in the window and work great with fullscreen windowed, but an older version of wine is required for installation—at the time of writing the most recent that works is 1.2.3. Begin by copying the two wine package files of 1.2.3 and the most recent version (at the time of writing, 1.3.24) into /var/pkgmk/packages. Mount the StarCraft II DVD and copy the files to the home directory to install:

``` {.nil}
mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd
$ mkdir ~/tmp/sc2
$ cp -R /mnt/cd/* ~/tmp/sc2
$ wine start ~/tmp/sc2/Installer.exe
```

Run winecfg and disable mmdevapi completely under the Library tab. After the game has finished installing and patching (takes forever), switch the wine version (with pkgadd -u /var/pkgmk/packages/…) and set the game to lowish graphics and select fullscreen windowed (lower than what you’d have in Windows on the same hardware). Run winecfg again and tick the trap mouse in full screen checkbox under the Graphics tab.

Cleanup:

``` {.nil}
umount /mnt/cd
$ rm -rf ~/tmp/sc2
```

USB mouse

For StarCraft II on artemis you will want a USB mouse. This requires usbhid to be compiled into the kernel, and then edit /etc/X11/xorg.conf; replace the entire mouse section:

``` {.conf-space}
Section "InputDevice"
    Identifier "Mouse0"
    Driver "mouse"
    Option "Protocol" "IMPS/2"
    Option "Device" "/dev/input/mice"
    Option "ZAxisMapping" "4 5"
EndSection
```

and then add to the ServerLayout section:

``` {.conf-space}
Option "AllowEmptyInput" "false"
```

VirtualBox

This need only be done on zephyr (since it’s more powerful).

``` {.nil}
prt-get depinst virtualbox
usermod -a -G vboxusers swhitton
```

Worth setting up an Ubuntu VPS for testing. Remember to modprobe vboxdrv before running VirtualBox.

Browser plugins

Install Firemacs into Firefox, and change (some of the) bindings to match Conkeror. Add AdBlockPlus to Conkeror but not no script as the glue (require("noscript");) doesn’t work very well.

Emacs keys in GTK apps

``` {.nil}
prt-get install gconf
$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0
$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs
```

We don’t seem to have backward-delete-word on C-w with this, though.

Miscellaneous notes

Backup strategy

All information to set the system up is in this document, so only the contents of /home/swhitton need to be backed up, assuming, that is, that all Pkgfiles have been uploaded to my CRUX repository. Of this

- most directories are synced with my mr/git/gitosis setup;
- ~/var may be synced using Unison;
- ~/local and ~/tmp need to be backed up manually;
- check for any leftover non-hidden files in ~;
- dotfiles in ~ should already be checked into version control; those that are not are probably safe to discard;
- any custom ports in /usr/ports/local that have not yet been transitioned into ~/src/ports.

The only other place there may be things to be saved are in /srv (should be symlinked into /home so that it’s encrypted, though), /var (unlikely) and of course the Windows partition.

Local LAMP setup for development

lighttpd & PHP

``` {.nil}
prt-get depinst lighttpd php
useradd -s /bin/false lighttpd
groupadd lighttpd
touch /var/www/logs/access_log
touch /var/www/logs/error_log
chown lighttpd:lighttpd /var/www/logs/*
```

Add mod_fastcgi to modules listing and switch to the non-chroot setup. Add to the end of config file

``` {.conf}
fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket" => "/tmp/php.socket",
    "max-procs" => 1, # default: 2
    "idle-timeout" => 20,
    "bin-environment" => (
        "PHP_FCGI_CHILDREN" => "3", # default: 4
        "PHP_FCGI_MAX_REQUESTS" => "10000"
    ),
    "bin-copy-environment" => ( "PATH", "SHELL", "USER" ),
    "broken-scriptfilename" => "enable"
)))
```

Add to /etc/hosts.allow

``` {.conf-colon}
www: 127.0.0.1
```

When you want to use the web server, call /etc/rc.d/lighttpd start.

MySQL

``` {.nil}
prt-get depinst mysql php-mysql php-mysqli php-fcgi
mysql_install_db
mysqladmin -u root password
```

Comment out skip-innodb and skip-networking in /etc/my.cnf. Start the daemon when needed.

ioquake setup

ioquake installs per-user, so this is very neat. Visit the website and download the engine download and the data installer. Use install path ~/local/bin and binary path ~/bin. Install the data files with the same settings (leave tick boxes as they are). Then take pak0.pk3 from copy of Quake III Arena and drop this into ~/local/bin/ioquake3/baseq3. To run, edit .xinitrc to set ioquake3 as window manager and re-login.

Other resources