Please note that this page has not been updated since 2012.

In July 2011 I switched to the GNU/Linux distribution CRUX from ArchLinux, desiring increased speed and stability, while maintaining customisability, which I got. I switched back to Debian Stable in January 2012.

There isn’t much non-official documentation for CRUX so I documented the entire setup here, for my own reference when reinstalling machines and for other beginners looking to try out CRUX. In particular I have detailed my setup for encrypting my hard drive, which is esoteric but the best way I can come up with for doing it on CRUX.

The CRUX handbook is what you should really be using for this, referring to my notes only when the handbook is a bit skimpy on detail. I’ll repeat an arbitrary selection of what that tells you to do.

My ports for CRUX are in the portdb; they’re used throughout this document.

I used CRUX 2.7 in preparing this.

Installation

Encryption strategy

My paranoia levels are such that I want to set up enough encryption to foil someone without a mainframe who acquires my laptop from getting at my personal data, but I don’t take the steps necessary to stop someone from inserting a keylogger into my machine, leaving it for me to pick up again without me knowing it’s been gone, and then stealing my encryption passphrase anyway.

Since /boot has to be unencrypted and I am not willing to carry it around on a floppy or something, there is therefore no additional risk in having the root partition unencrypted, so I just encrypt /home, /var, have /tmp as a ramdisk, no swap and take steps to move sensitive configuration files (e.g. OpenVPN) in /etc into /home/etc so they are safe.

The reason I am not simply encrypting the root filesystem rather than have these separate partitions is that that would slow down the boot sequence substantially by requiring an initrd.

I don’t encrypt my desktop system at all anymore; the chances of it being stolen are so very much smaller than those for my laptop, I trust my family and LILO password is sufficient for LAN party security.

Partitions and formatting

Run fdisk as instructed. If dual-booting with Windows, remember that it likes to be in the first partition. A useful guide to fdisk. Going with 10GB for the root partition as the first time I did this I had 5 for that and 10 for /var, and I didn’t have enough space to install TeX Live and had to do crazy repartitioning of encrypted partitions…

Here’s a summary of the sizes I choose for my partitions:

Partition Size Filesystem
/ 10GB ext3
/var 5GB ReiserFS
/home remaining HDD ext4
/tmp max. 50% of RAM tmpfs

so

# mkfs.ext3 /dev/sda1

or, mkfs.ext4 on my single-partition desktop.

Installing the CRUX distribution

We don’t mount our partition for /var separately at this stage because the live CD doesn’t have the tools needed to do disc encryption, and it’s far easier to let (non-personal) data get written to /var now that can later be moved into the encrypted partition, rather than supplying the installation with the scripts and modules to encrypt now.

# mount /dev/sda1 /mnt
# setup

Select all three port collections and then deselect the following packages from opt: fetchmail, firefox, grub, lvm2, mdadm, nano, openbox, procmail, rp-pppoe, wvdial, xterm; deselect the following packages from xorg: xorg-xf86-video-* except for vesa.

Config files

Chroot and set the root password as instructed.

Lines for /etc/fstab; again this is simple as we’re going to add encrypted partitions later:

/dev/sda1   /   ext3    defaults,noatime    0   1
tmp /tmp    tmpfs   defaults,nosuid,size=1024M,mode=1777    0   0
usb /proc/bus/usb   usbfs   defaults    0   0
/dev/sdaX   /mnt/seven  ntfs-3g defaults    0   0

We’ll use autofs for floppy and optical drives.

In /etc/rc.conf, we change the keymap to uk, timezone to Europe/London and hostname to artemis for my laptop and zephyr for my desktop. Leave services and font as they are for now.

Generate locales:

# localedef -i en_GB -f ISO-8859-1 en_GB
# localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1
# localedef -i en_GB -f UTF-8 en_GB.utf8

Temporary network setup

We will need wired network access with which to get wireless working, and the way I do this is to tether one machine to the other. The following configuration achieves that:

#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
    start)
        # loopback
        /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
        /sbin/ip link set lo up
        # ethernet
        /sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast +
        /sbin/ip link set eth0 up
        # default route
        /sbin/ip route add default via 10.8.0.1
        ;;
    stop)
        /sbin/ip route del default
        /sbin/ip link set eth0 down
        /sbin/ip addr del 10.8.0.2/24 dev eth0
        /sbin/ip link set lo down
        /sbin/ip addr del 127.0.0.1/8 dev lo
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 [start|stop|restart]"
        ;;
esac

# End of file

Run these commands on the host machine to open up the target to the ‘net:

$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE

and its config file (if it’s running CRUX; it’s quite easy to move to other distros):

#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
    start)
        # loopback
        /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
        /sbin/ip link set lo up
        # ethernet
        /sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast +
        /sbin/ip link set eth0 up
        # default route
        #/sbin/ip route add default via 10.8.0.1
        ;;
    stop)
        #/sbin/ip route del default
        /sbin/ip link set eth0 down
        /sbin/ip addr del 10.8.0.1/24 dev eth0
        /sbin/ip link set lo down
        /sbin/ip addr del 127.0.0.1/8 dev lo
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 [start|stop|restart]"
        ;;
esac

# End of file

This can be a bit flaky and doesn’t like hotplugging or rebooting so be willing to make liberal use of /etc/rc.d/net restart.

/etc/hosts:

127.0.0.1          localhost
127.0.1.1           artemis.silentflame.com          artemis

193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net

/etc/resolv.conf:

search silentflame.com
#nameserver 10.9.8.1
nameserver 208.67.220.222
nameserver 208.67.220.220

The commented out address will be of use once OpenVPN is operational.

Compiling the kernel

Here are changes I have made; everything else is left as-is.

  • General setup
    • Disable development/incomplete code/drivers
    • Disable swap support
    • Enable BSD Process Accounting
    • Disable kernel .config support
    • Enable UTS & IPC namespace support
    • Disable initramfs/initrd
    • Disable optimisation for size
    • On zephyr, enable configure standard kernel features (for small systems) [Apple keyboard]
  • Enable loadable module support
    • Disable unloading modules
  • Processor type and features
    • Processor family: Core 2/newer Xeon
    • Maximum number of CPUs set to 2
    • Disable SMT (Hyperthreading) scheduler support
    • Enable machine check / overheating reporting
      • Disable AMD MCE features
    • High Memory Support: 4GB
    • Enable KSM for page merging
    • Enable Math emulation
    • Enable MTRR cleanup support
    • Enable -fstack-protector buffer overflow detection
  • Power management and ACPI options
    • Enable power management support
    • Enable run-time PM core functionality
    • Enable APM for laptop (though this is known to be dodgy; care)
    • Enable CPU frequency scaling on artemis
      • Disable CPU frequency translation statistics
      • Enable the powersave, userspace, and conservative governors on artemis, and ondemand instead of conservative on zephyr. Set default governor to performance
      • Module ACPI Processor P-states driver
  • Bus options
    • Enable Message Signaled Interrupts
    • Disable ISA support
    • PCMCIA—disable on zephyr
      • Disable Cirrus PD6729 compatible bridge support
      • Disable i82092 compatible bridge support
  • Executable file formats / emulations
    • Enable kernel support for MISC binaries
  • Networking support
    • Networking options
      • For the Oxford VPN, we will need to module these:
        • Transformation user configuration interface
        • PF~KEY~ sockets
        • IP: GRE tunnels over IP
        • IP: AH transformation
        • IP: ESP transformation
        • IP: IPComp transformation
        • IP: IPsec transport mode
        • IP: IPsec tunnel mode
        • IP: IPsec BEET mode
      • Enable INET: socket monitoring interface
      • Disable IPv6 (I’m never on a network that supports it)
      • Enable Netfilter
        • Core Netfilter Configuration
          • Enable Netfilter connection tracking support
        • IP: Netfilter configuration
          • Enable IPv4 connection tracking support
          • Enable IP tables support
          • Enable Full NAT
            • Enable MASQUERADE target support
            • Enable REDIRECT target support
      • Module 802.1d ethernet bridging
    • Wireless
      • Enable (i.e. not just module) cfg80211
      • Enable Generic IEEE 802.11 Networking Stack (mac80211)
    • Enable RF switch subsystem support on artemis
  • Device drivers
    • Generic driver options
      • Enable maintain a devtmpfs filesystem to mount at /dev
        • Automount devtmpfs at /dev. after the kernel…
      • Enable include in-kernel firmware blobs in kernel binary
    • Enable connector—unified userspace <-> kernelspace linker
    • Plug and play support
      • Enable PNP debugging messages
    • Block devices
      • Module normal floppy disk support on artemis, enable on zephyr
      • Disable Compaq SMART2 support
      • Disable Compaq Smart Array 5xxx support
      • Disable Mylex DAC960/DAC1100 PCI RAID controller support
      • Module loopback device support
      • Disable network block device support
      • Module RAM block device support (this may break tmpfs?)
      • Disable ATA over ethernet support
    • On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) [this may or may not help failure to boot issue, really have no idea atm]
      • Enable support for SATA (deprecated; conflicts with libata SATA driver)
      • Enable generic ATA/ATAPI disk support
        • Enable ATA disk support
      • Enable Include IDE/ATAPI CDROM support
      • Enable IDE ACPI support
      • Enable generic/default IDE chipset support
      • Enable Platform driver for IDE interfaces
      • Enable AMD and nVidia IDE support
    • SCSI device support
      • Enable SCSI disk support
      • Enable SCSI CDROM support
        • Enable vendor-specific extensions (for SCSI CDROM) on zephyr only
      • Enable SCSI generic support
      • Probe all LUNs on each SCSI device
      • Enable asynchronous SCSI scanning
    • Enable serial ATA and parallel ATA drivers
      • Enable AHCI SATA support
      • Enable platform AHCI SATA support
      • On zephyr enable NVIDIA SATA support
    • Enable multiple devices driver support (RAID and LVM)
      • Enable device mapper support
      • Enable crypt target support
      • Enable snapshot target
      • Enable mirror target
    • Disable Fusion MPT device support
    • IEEE 1394 (FireWire) support
      • Disable FireWire driver stack
    • Enable Macintosh device drivers (hmm shouldn’t keyboard be under here?)
    • Network device support
      • Module dummy net driver support
      • Module universal TUN/TAP device driver support
      • Wireless LAN
        • Enable Intel Wireless Wifi on artemis
        • Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on artemis
          • Enable Intel Wireless WiFi 5000AGN … on artemis
        • Enable Ralink driver support on zephyr
          • Enable rt2500 (USB) support
          • Enable rt2501/rt73 (USB) support
          • Enable Ralink debug output
      • Disable PPP support
    • Input device support
      • Disable support for memoryless force-feedback devices
      • Disable polled input device skeleton
      • Set horizontal and vertical screen resolution
      • Enable event interface
      • Mice
        • On zephyr, enable PS/2 mouse
        • Disable serial mouse
        • Disable Apple USB touchpad support
        • Disable Apple USB BCM5974 Multitouch trackpad support
    • Character devices
      • Serial drivers
        • Disable 8250/16550 and compatible serial support
      • Enable Timer IOMEM HW Random Number General support
      • Enable Intel HW Random Number Generator support
      • Disable AMD … random number generator support × 2
      • Enable /dev/nvram support
    • Enable SPI support
    • Power supply class support
      • Module test power driver
      • Module all battery types on artemis for now
    • Enable hardware monitoring support
    • Generic thermal sysfs driver
      • Enable hardware monitoring support
    • Disable multimedia support
    • Graphics support
      • Enable laptop hybrid graphics on artemis
      • Module direct rendering manager
      • Disable support for frame buffer devices
      • Enable backlight & LCD device support on artemis
      • Display device support
        • Enable display panel/monitor support
      • Console display driver support
        • Disable scrollback buffer in system RAM
    • Enable sound card support
      • Enable ALSA
        • Enable sequencer support
        • Enable OSS mixer API
        • Enable OSS PCM
        • Enable OSS sequencer API
        • Disable verbose procfs contents
        • PCI sound devices
          • Enable Intel HD Audio
            • On artemis enable aggressive power-saving on HD-audio
              • Default time-out for HD-audio power-save mode: 60
            • On zephyr enable build nvidia HDMI HD-audio codec support
    • Disable HID drivers on artemis, enable on zephyr—enable/module on artemis if want USB mouse support
      • Special HID drivers
        • Enable Apple
    • USB support
      • Enable support for host-side usb
      • Enable USB device filesystem
      • Enable WUSB cable based association
      • Enable EHCI HCD (USB 2.0) support
      • Disable USB modem support
    • Enable MMC/SD/SDIO card support on artemis
      • On artemis, enable Secure Digital host controller interface support
      • On artemis enable SDHCI support on PCI bus
        • On artemis enable Ricoh MMC controller disabler
    • Disable Real Time Clock
    • Enable auxiliary display support
    • Disable X86 platform specific device drivers
      • On artemis, module Acer WMI laptop extras, Asus laptop extras and ThikPad ACPI laptop extras—don’t think it’s the latter but one of three for SL300 which has IdeaPad internals, not proper ThinkPad —using lenovo-sl-laptop
    • On zephyr enable staging drivers
      • Disable exclude staging drivers from being built
      • Enable Ralink 2870/3070 wireless support
  • File systems
    • Enable ext2
    • Enable ext3
    • Default to ‘data-ordered’ in ext3
    • Enable ext4
    • Enable reiserfs
    • Disable JFS
    • Disable XFS
    • Enable kernel automounter version 4 support (also supports v3)
    • Enable FUSE
      • Module character device in userpace [sic] suppose
    • CD-ROM/DVD filesystems
      • Enable ISO 9660 CDROM file system support
      • Enable Microsoft Joliet CDROM extensions
      • Enable transparent decompression extension
      • UDF file system support
    • DOS/FAT/NT filesystems
      • Disable MSDOC fs support
      • Enable VFAT (Windows-95) fs support
      • On zephyr, enable NTFS file system support; disable on artemis
      • On zephyr enable NTFS write support
    • Network file systems
      • Enable NFS client support
      • Enable NFS client support for the NFSv3 ACL protocol extension
      • Enable NFS server support for the NFSv3 ACL protocol extension
      • Disable SMB file system support
      • Disable CIFS support
  • Kernel hacking
    • Enable timing information on printks
    • Enable _~mustcheck~ logic
    • Disable Magic SysRq key
    • Enable sysctl checks
    • Filter access to /dev/mem
    • Maybe enable verbose x86 bootup info messages
  • Cryptographic API
    • Module null algorithms
    • Module CCM support (Oxford VPN)
    • Module GCM/GMAC support (Oxford VPN)
    • Enable SHA224 and SHA256 digest algorithm
    • Enable Zlib
    • Enable LZO
    • Enable pseudo random number generation for cryptographic modules
  • Virtualisation
    • Enable KVM support
      • Enable KVM for Intel processors support
    • Module Virtio balloon driver

Once done with menuconfig, we set things up:

# make all && make modules_install
# cp arch/x86/boot/bzImage /boot/vmlinuz
# cp System.map /boot

Bootloader

Set up lilo; for artemis:

#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
compact
boot=/dev/sda
image=/boot/vmlinuz
        label=CRUX
        root=/dev/sda3
        read-only
        append="quiet acpi_backlight=vendor"

# End of file

and for zephyr:

#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
prompt
timeout=30
compact
boot=/dev/sda
image=/boot/vmlinuz
    label=CRUX
    root=/dev/sda3
    read-only
    append="quiet"
other=/dev/sda2
    label=dos

# End of file
# lilo
# reboot

Post-install configuration

Pre-encryption tweaks—stop building things as root

Following the advice here, we set up a non-priviledged user to build ports. This also moves port building out of /usr and into /var where it belongs.

We create our user account here because otherwise pkgmk will get the first UID.

# groupadd pkgmk
# useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk
# useradd -m -d /var/pkgmk -g pkgmk pkgmk
# mkdir /var/pkgmk/{distfiles,packages,work}
# chown pkgmk:pkgmk /var/pkgmk/*
# chmod 775 /var/pkgmk/*

/etc/prt-get.conf:

makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk

/etc/pkgmk.conf:

PKGMK_SOURCE_DIR="/var/pkgmk/distfiles"
PKGMK_PACKAGE_DIR="/var/pkgmk/packages"
PKGMK_WORK_DIR="/var/pkgmk/work/$name"

/etc/hosts:

193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net

Pre-encryption tweaks—packages

We can’t do much until encryption is operational because we don’t want to introduce any kind of personal data to the system until then. However our lives in setting that up will be a lot easier with some additional packages to our very spartan system.

If you see this on a bootup:

umount: /sys: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
mount: sysfs already mounted or /sys busy

then be assured that it may be safely ignored; I believe it’s a bug in the /etc/rc script.

First we enable the contrib ports collection

# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync
# ports -u contrib

We tell prt-get that we’ve done so by uncommenting the line

prtdir /usr/ports/contrib

near the start of /etc/prt-get.conf. Now we use the mpup utility to add some ports from third party repositories. mpup is like ports -u except only specific ports are fetched, rather than a whole irrelevant repository.

# prt-get depinst mpup
# mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup

Now we add my personal repository TODO and gnome and xfce TODO (gnome below contrib so guile installs right

Add to /etc/mpup.lst:

httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid
rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus
rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font
rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools
httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1
httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5
httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword
httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
httpup sync http://www.landofbile.com/crux_ports/#gmime gmime
httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd
httpup sync http://vico.kleinplanet.de/files/repo/#abcde abcde
httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid
httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2
rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python
httpup sync http://jue.li/crux/ports/#s3fs s3fs
rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid

and add prtdir /usr/ports/meta to the beginning of /etc/prt-get.conf. Next we’ll install some basic utilities but before we do that we enable install scripts in /etc/prt-get.conf:

runscripts yes

now

# ports -u meta swhitton
# prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex
# prt-get remove vim

Change the keymap in /etc/rc.conf to uk.swapcaps and then

# loadkeys uk.swapcaps

to make caps lock into a control key, as it should be.

This should be enough to bootstrap my standard CLI interface into /root, which’ll make things more comfortable.

# cd ~
# rm -rf .ssh
# mr --trust-all bootstrap xyrael.net/mrconfig-crux
# chsh -s /bin/zsh
# zsh

Encrypted partitions

At long last we are ready to prepare our encrypted partitions, move our sensitive data into them and then to have them decrypted at boot.

Create partitions

# cryptsetup luksFormat /dev/sda2
# cryptsetup luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda2 artemis-var
# cryptsetup luksOpen /dev/sda2 artemis-home
# mkfs.reiserfs /dev/mapper/artemis-var
# mkfs.ext4 /dev/mapper/artemis-home

We’ll mount up the home partition and put something in it for testing purposes.

# mount /dev/mapper/artemis-home /home
# echo "it works\!" > /home/test.txt

Decryption

To confirm that things are working we’ll do /home first before /var, because the latter gets log files written to it that we’re going to have to be careful about moving.

Open up /etc/rc and find the line

# Check filesystems

Above the chunk of lines this line heralds the commencement of, we are going to add our decryption commands. These are

# SEAN DECRYPTION BEGIN

# we need to set the keymap early in order to be able to decrypt
if [ "$KEYMAP" ]; then
        /usr/bin/loadkeys -q $KEYMAP
fi

/usr/bin/setfont $FONT

echo ""
echo -n "This is Sean's computer - enter system passphrase: "

/bin/stty -echo; read PASSPHRASE; /bin/stty echo
echo ""
echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var
echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home

PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot"
unset PASSPHRASE

# SEAN DECRYPTION END

The idea of this code is to stop someone from being able to do anything with the system without opening it up, which was considered to be an acceptable risk in our encryption strategy.

Add this line to /etc/fstab:

/dev/mapper/artemis-home /home ext4 defaults 0 2

Reboot, and confirm our test file is still in place with the content we gave it. If so, it’s time to move the files in /var. We stop daemons that might write there before doing so,^1 move the data and then reboot and cross our fingers.

First add this line to /etc/fstab:

/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2

then

# mkdir /mnt/tmp
# mount /dev/mapper/artemis-var /mnt/tmp
# /etc/rc.d/sysklogd stop
# /etc/rc.d/crond stop
# /etc/rc.d/net stop
# mv /var/* /mnt/tmp
# mv /var/.* /mnt/tmp
# reboot

This doesn’t really require a reboot, but it’s nice to see all the encryption stuff now fully working in tandem.

Post-encryption setup

Whew, now that encryption’s done we’re safe to start setting up my environment.

Distribution update

First bring the distribution up-to-date:

# prt-get sysup

This will take a while since the packages will need to be compiled, unlike during the installation where this has already been done. Also prt-get’s dependency resolution isn’t perfect, and you may be required to intervene to upgrade some packages before others.

Now we’ve hacked /etc/rc we need to lock it to prevent it being overwritten by updates, which would stop our system from starting up. Add this line to /etc/pkgadd.conf

UPGRADE         ^etc/rc$                NO

Wireless

Let’s stop dependency on another host for Internet access.

For artemis, we need the wireless firmware from here, and we need a release of the 5000 images (for our 5100AGN card) old enough to have -2 at the end, as our kernel version doesn’t seem to look for anything higher. 8.24.2.12.tgz appears to be the latest with this property. Extract the .ucode file into /lib/firmware and reboot and the hardware should be ready to go.

For zephyr we need rt2870.bin which we can drop into /lib/firmware; we then need a symlink: ln -s /lib/firmware/rt2870.bin /lib/firmware/rt3070.bin because the rt2870.bin driver covers a lot of hardware and the kernel looks in the wrong place.

Install wicd to manage network connections from now on. Somehow glib doesn’t get updated enough/at all in the sysup so do it again here (maybe).

# prt-get update glib
# prt-get depinst wicd urwid
# /etc/rc.d/dbus start
# /etc/rc.d/wicd start

Add the atd, dbus and wicd daemons (in that order) to /etc/rc.conf, and comment out the gateway settings for eth0 from /etc/rc.d/net (we can’t remove this daemon entirely because we need the loopback interface—discovered this the hard way when mpd wouldn’t work…). Fire up wicd-curses to connect to your wireless network. Remember to add 10.9.8.1 as first DNS server, globally, then OpenDNS.

ntp

At this point I tend to notice my system clock drifting.

# prt-get depinst openntpd
# /etc/rc.d/ntpd start

Add ntpd to list of daemons in /etc/rc.conf. In /etc/rc.d/ntpd, make the -s into -S so that ntp doesn’t even try to change the time on startup, which makes a big difference to boot speed.

Add to /etc/pkgadd.conf:

UPGRADE         ^etc/rc\.d/ntpd$ NO

to protect our changes.

User account

# mkdir /home/swhitton
# chown swhitton:users /home/swhitton
# passwd swhitton

Log out and login again as the new user. Bootstrap its homedir:

$ mr --trust-all bootstrap xyrael.net/mrconfig-crux

On zephyr, add to /etc/rc.local:

echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null

X

Setup

We’re going with the non-free nVidia drivers since we have a nVidia card we want to make some use of:

# prt-get depinst nvidia
# reboot
# nvidia-xconfig
# gl-select use nvidia

To test X, back as swhitton, we prepare a minimal .xinitrc with just the line exec urxvt, moving the usual file to .xinitrc~.

$ startx

If you get a terminal that you can type into, and the mouse moves around, we’re good to go. Run exit in the terminal to kill off X.

Driver tweaks

Add the following lines to the Device section of /etc/X11/xorg.conf for some minor improvements (from Arch wiki):

Option "NoLogo" "1"
Option "RenderAccel" "1"
Option "ConnectedMonitor" "DFP"
Option "TripleBuffer" "1"
Option "DamageEvents" "1"
Option "DPS" "1"

Remove the third line for zephyr.

The almighty Terminus

We need three versions of Terminus: one which provides the traditional X font, one which provides the xft font and one for the console.

The Arch package provides all three at once, I believe, or at least the first two so should probably be looked into at some point.

# prt-get depinst xorg-font-terminus console-font-terminus terminus-font

In the Files section of /etc/X11/xorg.conf, add the line

FontPath "/usr/lib/X11/fonts/terminus"

and then my .Xresources should take care of the rest. For console, update /etc/rc.conf to use this new font, Lat2-Terminus16.

Font beautification

CRUX’s X11 fonts look pretty poor without tweaks, and there are various ways to improve the situation. After much messing around I reckon that the cleartype approach is the best, especially since the packages on the AUR were recently renewed and seem to be maintained. Links about this issue at the end of this document.

First we set up some package aliases so that our prt-get doesn’t think we’ve removed important dependencies. Append to /var/lib/pkg/prt-get.aliases

libxft-cleartype: xorg-libxft
freetype2-cleartype: freetype
cairo-cleartype: cairo
postfix: exim

and append to /etc/pkgadd.conf to protect this file from upgrades:

UPGRADE         ^var/lib/pkg/prt-get.aliases$ NO
# prt-get remove freetype xorg-libxft cairo
# prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype

Taking the -ubuntu approach means no Xft Terminus so require the hacked TTF versions floating about, which means no smaller font in Conkeror minibuffer.

Check in /etc/fonts/fonts.conf that near the top there is

<dir>/usr/share/fonts</dir>
<dir>/usr/lib/X11/fonts</dir>
<dir>~/.fonts</dir>

as the second line might be missing. This should be packaged up/automated at some point.

Lisp

We are going to install the lisp environment to run my window manager, StumpWM, using the quicklisp approach from the ArchWiki. When my lisp knowledge improves I will make this into a package.

# prt-get depinst sbcl texinfo
# wget beta.quicklisp.org/quicklisp.lisp
# sbcl --load quicklisp.lisp

and then in the interactive shell

(quicklisp-quickstart:install)
(ql:add-to-init-file)
(ql:update-all-dists)
(ql:quickload "clx")
(ql:quickload "cl-ppcre")
(quit)

This relies on the environment variable we set in .zshrc, SBCL_HOME=/usr/lib/sbcl.

More building blocks

Unfortunately, stumpwm won’t build unless we’re root at the moment as I haven’t got the package set up right. So first we comment out the lines we added to /etc/prt-get.conf and /etc/pkgmk.conf and then

# cd /usr/ports/swhitton/stumpwm
# pkgmk -d
# chown pkgmk:pkgmk stumpwm\#git-1.pkg.tar.gz
# mv stumpwm\#git-1.pkg.tar.gz /var/pkgmk/packages

Now uncomment the lines again and

# prt-get depinst xbindkeys avfs stumpwm
$ mkdir .avfs
# echo "user_allow_other" >> /etc/fuse.conf

This should be enough to get a graphical environment up, so startx and open up a shell with the usual C-i C-t. If dual monitors need setting up, su to root and run nvidia-settings.

SLiM

And changes to theme to make slimlock work and changes to slimlock.conf.

gettys & SLiM

Using a display manager is much neater than running startx from ~/.zshrc.

# prt-get depinst mingetty slim slimlock

We use mingetty because it allows autologin if we ever want it and it uses less resources than agetty. We don’t use autologin at the moment because we’re screenlocking with slimlock rather than vlock. One virtual console is sufficient.

#c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux
c2:2:respawn:/sbin/mingetty --noclear tty2 linux
#c3:2:respawn:/sbin/agetty 38400 tty3 linux
#c4:2:respawn:/sbin/agetty 38400 tty4 linux
#c5:2:respawn:/sbin/agetty 38400 tty5 linux
#c6:2:respawn:/sbin/agetty 38400 tty6 linux
#s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100

x:2:respawn:/usr/bin/slim >& /dev/null

Amend these lines in /etc/slim.conf:

console_cmd         /usr/bin/urxvt -T "Console login" -e /bin/sh -c
"/bin/cat /etc/issue; exec /bin/login"
default_user swhitton
auto_login yes (on artemis)

and in /etc/slimlock.conf:

wrong_passwd_timeout            0
show_username                   1
show_welcome_msg                0

and a fix to /usr/share/slim/themes/crux-smooth/slim.theme:

username_x              170
password_x              170

ALSA

Let’s get sound operational.

# prt-get depinst alsa-lib alsa-utils alsa-oss
# alsamixer

Hit M to unmute the main channel. Raise the volume until the db gain is 0 and then play a sound to test. If it doesn’t play, raise the other sliders around a bit.

# aplay /home/swhitton/lib/beep.wav

Now add alsa to the daemons array in /etc/rc.conf and run

# alsactl -f /var/lib/alsa/asound.state store
# /etc/rc.d/alsa start

sshd

Add to /etc/hosts.allow:

sshd: 10.9.8. 192.168.0. 10.8.0.

We need sshd running all the time in order to have tramp working smoothly, it seems (not in find-file but in eshell).

mpd, ncmpcpp & mpdscribble

No reason to go any further without some tunes. We need to install libmms first in order to get proper streaming support.

# prt-get depinst libmms libfaac
# prt-get depinst mpd mpc ncmpcpp mpdscribble

Sync media library

One of unison’s dependencies, ocaml, will need a .footprint deleting.

# prt-get depinst unison

Reconnect ethernet cable and run /etc/rc.d/net restart on both machines to bring up the connection. Run

$ unison ~/var ssh://10.8.0.2/var

on host tethered artemis/zephyr to copy ~/var back over to new machine.

Configuration

We want mpd to run as swhitton. Uncomment loads of stuff in /etc/mpd.conf (and add mixer_type "software" to ALSA output to make mpd volume independent of everything else) make sensible edits and run

$ mkdir -p .mpd/playlists
# chown swhitton.users /var/cache/mpdscribble/*.journal
# usermod -a -G audio swhitton

At some point we should move the config we use inside /home/swhitton since everything happens there now.

Add this line to /etc/hosts.allow:

mpd: 127.0.0.1

Add this line to /etc/pkgadd.conf:

UPGRADE         ^var/cache/mpdscribble/.*\.journal$     NO

.xinitrc will take care of starting mpd and mpdscribble.

sudo

Execute visudo and uncomment the line

%wheel ALL=(ALL) NOPASSWD: ALL

conf and execute

usermod -a -G wheel swhitton

to give swhitton full sudo access.

Desktop software

# prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes
flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp
xclip libreoffice scrot shared-mime-info gnome-mime-data htop at
filezilla abook libogg flac libvorbis easytag unzip imagemagick bc
aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m
dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts
ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs
notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist
guile normalize abcde cd-discid eject terminator vte-python xchat s3fs
service psi-im vcdimager subversion xfce-mcs-manager thunar

Select a theme with gtk-chtheme.

Do not be tempted to install the packages xorg-font-adobe-100dpi & xorg-font-adobe-75dpi. They take priority over other fonts and look rubbish, screwing things up in general.

At some point I should write a Pkgbuild to install pdftk, but this is a nightmare because gcj is a nightmare to build, so for now I’ll just use the pdftk on athena.

Conkeror relies on xulrunner, which at present comes with the CRUX 2.7 installation CD but as Firefox now includes it is not available in the ports database. If needed in the future, the CRUX git repository history contain the Pkgfile: link 1, 2, 3.

OpenVPN

We want the OpenVPN configuration files to be encrypted.

# mkdir -p /home/etc/openvpn
# ln -s /home/etc/openvpn /etc
# prt-get depinst openvpn

Copy into /etc/openvpn the files ca.crt, artemis.crt and artemis.key and then create /etc/openvpn/tap.conf:

client
remote 212.13.194.60 1194
dev tap
proto tcp
resolv-retry infinite
nobind
persist-remote-ip
persist-local-ip
ping 5
ping-restart 10
ping-timer-rem
persist-key
persist-tun
verb 2
ca /etc/openvpn/ca.crt
cert /etc/openvpn/artemis.crt
key /etc/openvpn/artemis.key
comp-lzo
;redirect-gateway def1

where the final line is to be uncommented when on my untrusted university LAN. Add openvpn to the daemons started in /etc/rc.conf. Use udp rather than tcp on desktop.

Create the /etc/rc.d/openvpn script (stolen from Arch):

#!/bin/sh
#
# /etc/rc.d/openvpn: start/stop vpn daemon
#

CFGDIR="/etc/openvpn"
STATEDIR="/var/run/openvpn"

case $1 in
start)
        mkdir -p "${STATEDIR}"
        for cfg in "${CFGDIR}"/*.conf; do
          /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}"
        done
    ;;
stop)
        for pidfile in "${STATEDIR}"/*.pid; do
          kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
          rm -f "${pidfile}"
        done
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac

# End of file

and fire her up:

# /etc/rc.d/openvpn start

SSH configuration

Download the keys desktop-key and key into ~/.ssh, and in ~/.ssh/config replace athena.silentflame.com with athena.athenet and add

Host selene
User root
HostName selene.silentflame.com
IdentityFile ~/.ssh/desktop-key

Host raven
User ball3162
HostName linux.ox.ac.uk
IdentityFile ~/.ssh/desktop-key

E-mail

Our first real encounter with pre-install scripts. prt-get readme dovecot/postfix will provide an explanation.

# pkgrm exim
# prt-get depinst dovecot postfix offlineimap

We add the following line in /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:~/.gnus.d/Maildir

and the following in /etc/postfix/main.cf:

relayhost = [10.9.8.1]:25

and we’re done. We may now run

# /etc/rc.d/postfix start
$ offlineimap

to do the initial download of my e-mail. Add the postfix daemon to /etc/rc.conf (but not dovecot). You might want to test that e-mail goes where it should via telnet:

~ # telnet localhost 25
Trying 127.0.0.1…
erase character is '^H'.
Connected to localhost.
Escape character is '^]'.
220 artemis.localdomain ESMTP Postfix
>>> EHLO localhost
250-artemis.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk>
250 2.1.0 Ok
>>> rcpt to:<spwhitton AT-NOSPAMHEREEITHERPLZ gmail.com>
250 2.1.5 Ok
>>> data
354 End data with <CR><LF>.<CR><LF>
>>> Dear Sean,

>>> This is my test message.  Thanks.

>>> Thanks.
>>> .
250 2.0.0 Ok: queued as C0CEFB9
quit
221 2.0.0 Bye
Connection closed by foreign host

where >>> prefixes a line I typed. This is the most esoteric e-mail route I can come up with, where the mail goes local -> athena -> Oxford smtp -> gmail -> athena -> local, so check the headers to make sure it’s gone everywhere it should.

Now that ~/.newsrc.eld isn’t synced between machines, recreate Gnus group tree as follows (^ opens tree and u subscribes to items; Tn to create new topics and GV and Gv to manipulate virtual groups; u to kill off things like gnus-help):

[ Gnus -- 54 ]
       0 / 19   / 1199 : INBOX
       0 / 1    / 2423 : Notices & updates
       9 / 16   / 2408 : Feeds & lists
         0 / *    / 0    : feeds.Guardian
  [ Listservs -- 1 ]
         0 / 1    / 372  : lists.BitFolk
*        0 / 0    / 140  : lists.VCS-Home
         0 / 0    / 27   : lists.Wikizine
  [ Feeds -- 16 ]
         1 / 4    / 595  : feeds.Blogs
         7 / 7    / 1320 : feeds.Comics
         1 / 3    / 253  : feeds.Friends
         0 / 2    / 240  : feeds.Tech
  [ Personal -- 1 ]
*        0 / 0    / 5080 : archive
         0 / 0    / 99   : drafts
         0 / 0    / 1735 : notices
         0 / 0    / 2245 : sent
*        0 / 0    / 40   : temptodo
         0 / 1    / 688  : updates

crontab

*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null
0 * * * * /home/swhitton/bin/doccheckin >/dev/null

acpid & laptop-mode

Most of this is only on artemis. First we disable updatedb which can block suspend (on zephyr & artemis).

laptop-mode

# rm /etc/cron/daily/mlocate
# prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors

Add the acpid and laptop-mode daemons to /etc/rc.conf (in that order).

I am not sure laptop mode is doing everything it can to save power because /etc/laptop-mode/conf.d/ doesn’t exist, as it does on Arch. At some point may wish to look into improving things, using the Arch wiki (two links).

lenovo-sl-laptop

The lenovo-sl-laptop module provides control of the backlight and access to various hotkeys from X. Recompiling the kernel wipes it out so remember to re-add it should you need to do that.

# cd ~/local/src
# git clone git://github.com/tadzik/lenovo-sl-laptop.git
# cd lenovo-sl-laptop
# make
# mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf
# echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs

nil

Add add acpi~backlight~=vendor to the kernel boot line in /etc/lilo.conf and run lilo to put in place.

Suspend on lid closure

Edit the file /etc/acpi/actions/lm_lid.sh and add this block to the top:

if grep -q closed /proc/acpi/button/lid/LID/state; then
    sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock
fi

Sometimes a stale lock file prevents pm-suspend from working with no errors or log messages. To deal with this:

# rm /var/run/pm-utils/locks/pm-suspend.lock

autofs & NFS

# prt-get depinst autofs
# rm /etc/autofs/auto.{master,net,media}

/etc/autofs/auto.master:

/media /etc/autofs/auto.media
/net /etc/autofs/auto.net --timeout=30

/etc/autofs/auto.net:

athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp
share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files

/etc/autofs/auto.media:

cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0
usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1

Add rpcbind, nfs and autofs to the daemons array in /etc/rc.conf, in that order.

Should now have in that array, in this order: acpid, laptop-mode, alsa, net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn, postfix, sshd.

Protect these configs in /etc/pkgadd.conf:

UPGRADE         ^etc/autofs/auto\..*$ NO
# prt-get depinst wine

The AcceptEx patch has now been merged with Wine so you should just be able to install Warcraft III and its expansion and then update right off Battle.net. And it seems Wine is able to trap the mouse inside the window now too. Still rename Movies to Moviez, but the patch sorts out resolution issues. Nice.

winecfg and enable emulate virtual desktop to play.

StarCraft II

The most recent versions of wine allow you to get your mouse pointed trapped in the window and work great with fullscreen windowed, but an older version of wine is required for installation—at the time of writing the most recent that works is 1.2.3. Begin by copying the two wine package files of 1.2.3 and the most recent version (at the time of writing, 1.3.24) into /var/pkgmk/packages. Mount the StarCraft II DVD and copy the files to home directory to install:

# mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd
$ mkdir ~/tmp/sc2
$ cp -R /mnt/cd/* ~/tmp/sc2
$ wine start ~/tmp/sc2/Installer.exe

Run winecfg and disable mmdevapi completely under the Library tab. After the game has finished installing and patching (takes forever), switch the wine version (with pkgadd -u /var/pkgmk/packages/…) and set the game to lowish graphics and select fullscreen windowed (lower than what you’d have in Windows on the same hardware). Run winecfg again and tick the trap mouse in full screen checkbox under the Graphics tab.

Cleanup:

# umount /mnt/cd
$ rm -rf ~/tmp/sc2

USB mouse

For StarCraft II on artemis you will want a USB mouse. This requires usbhid to be compiled into the kernel, and then edit /etc/X11/xorg.conf; replace the entire mouse section:

Section "InputDevice"
    Identifier     "Mouse0"
    Driver         "mouse"
    Option         "Protocol" "IMPS/2"
    Option         "Device" "/dev/input/mice"
    Option         "ZAxisMapping" "4 5"
EndSection

and then add to the ServerLayout section:

Option "AllowEmptyInput" "false"

VirtualBox

This need only be done on zephyr (since it’s more powerful).

# prt-get depinst virtualbox
# usermod -a -G vboxusers swhitton

Worth setting up an Ubuntu VPS for testing. Remember to modprobe vboxdrv before running VirtualBox.

Browser plugins

Install Firemacs into Firefox, and change (some of the) bindings to match Conkeror. Add AdBlockPlus to Conkeror but not no script as the glue (require("noscript");) doesn’t work very well.

Emacs keys in GTK apps

# prt-get install gconf
$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0
$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs

We don’t seem to have backward-delete-word on C-w with this, though.

Miscellaneous notes

Backup strategy

All information to set the system up is in this document, so only the contents of /home/swhitton need to be backed up, assuming, that is, that all Pkgfiles have been uploaded to my CRUX repository. Of this - most directories are synced with my mr/git/gitosis setup; - ~/var may be synced using Unison; - ~/local and ~/tmp need to be backed up manually; - check for any leftover non-hidden files in ~; - dotfiles in ~ should already be checked into version control; those that are not are probably safe to discard; - any custom ports in /usr/ports/local that have not yet been transitioned into ~/src/ports.

The only other place there may be things to be saved are in /srv (should be symlinked into /home so that it’s encrypted, though), /var (unlikely) and of course the Windows partition.

Local LAMP setup for development

lighttpd & PHP

# prt-get depinst lighttpd php
# useradd -s /bin/false lighttpd
# groupadd lighttpd
# touch /var/www/logs/access_log
# touch /var/www/logs/error_log
# chown lighttpd:lighttpd /var/www/logs/*

Add mod_fastcgi to modules listing and switch to the non-chroot setup. Add to the end of config file

fastcgi.server    = ( ".php" => 
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1, # default: 2
        "idle-timeout" => 20,
        "bin-environment" => ( 
            "PHP_FCGI_CHILDREN" => "3", # default: 4
            "PHP_FCGI_MAX_REQUESTS" => "10000"
        ),
        "bin-copy-environment" => (
            "PATH", "SHELL", "USER"
        ),
        "broken-scriptfilename" => "enable"
    )))

Add to /etc/hosts.allow

www: 127.0.0.1

When you want to use the web server, call /etc/rc.d/lighttpd start.

MySQL

# prt-get depinst mysql php-mysql php-mysqli php-fcgi
# mysql_install_db
# mysqladmin -u root password <password_here>

Comment out skip-innodb and skip-networking in /etc/my.cnf. Start the daemon when needed.

ioquake setup

ioquake installs per-user, so this is very neat. Visit the website and download the engine download and the data installer. Use install path ~/local/bin and binary path ~/bin. Install the data files with the same settings (leave tick boxes as they are). Then take pak0.pk3 from copy of Quake III Arena and drop this into ~/local/bin/ioquake3/baseq3. To run, edit .xinitrc to set ioquake3 as window manager and re-login.

Other resources