author: Sean Whitton <spwhitton@spwhitton.name>, 2015-11-08 09:43:01 -0700
committer: Sean Whitton <spwhitton@spwhitton.name>, 2015-11-08 09:43:01 -0700
commit: 51b35a9669314710f0be0086de03933dd5ab0c37 (patch)
tree: a173dede85025d6233de5fad810a0026571fd7d1 /tech/crux.mdwn
parent: 6de270a7f15e6453c74fe11ef279ab93960591a8 (diff)
download: wiki-51b35a9669314710f0be0086de03933dd5ab0c37.tar.gz
import more pages (badly)
Diffstat (limited to 'tech/crux.mdwn')
-rw-r--r--  tech/crux.mdwn  1959
1 files changed, 1959 insertions, 0 deletions
diff --git a/tech/crux.mdwn b/tech/crux.mdwn new file mode 100644 index 0000000..c52fe3e --- /dev/null +++ b/tech/crux.mdwn 
@@ -0,0 +1,1959 @@ +In July 2011 I switched to the GNU/Linux distribution +[CRUX](http://crux.nu/) from ArchLinux, desiring increased speed and +stability, while maintaining customisability, which I got. I switched +back to Debian Stable in January 2012. + +There isn’t much non-official documentation for CRUX so I documented the +entire setup here, for my own reference when reinstalling machines and +for other beginners looking to try out CRUX. In particular I have +detailed my setup for encrypting my hard drive, which is esoteric but +the best way I can come up with for doing it on CRUX. + +The [CRUX handbook](http://crux.nu/Main/Handbook2-7) is what you should +really be using for this, referring to my notes only when the handbook +is a bit skimpy on detail. I’ll repeat an arbitrary selection of what +that tells you to do. + +[My ports](http://spw.sdf.org/crux/) for CRUX are [in the +portdb](http://crux.nu/portdb/?a%3Drepo&q%3Dswhitton); they’re used +throughout this document. + +I used CRUX 2.7 in preparing this. + +Installation +============ + +Encryption strategy +------------------- + +My paranoia levels are such that I want to set up enough encryption to +foil someone without a mainframe who acquires my laptop from getting at +my personal data, but I don’t take the steps necessary to stop someone +from inserting a keylogger into my machine, leaving it for me to pick up +again without me knowing it’s been gone, and then stealing my encryption +passphrase anyway. + +Since `/boot` has to be unencrypted and I am not willing to carry it +around on a floppy or something, there is therefore no additional risk +in having the root partition unencrypted, so I just encrypt `/home`, +`/var`, have `/tmp` as a ramdisk, no swap and take steps to move +sensitive configuration files (*e.g.* OpenVPN) in `/etc` into +`/home/etc` so they are safe. 
+ +The reason I am not simply encrypting the root filesystem rather than +have these separate partitions is that that would slow down the boot +sequence substantially by requiring an initrd. + +I don’t encrypt my desktop system at all anymore; the chances of it +being stolen are so very much smaller than those for my laptop, I trust +my family and LILO password is sufficient for LAN party security. + +Partitions and formatting +------------------------- + +Run `fdisk` as instructed. If dual-booting with Windows, remember that +it likes to be in the first partition. [A useful guide to +`fdisk`](http://tldp.org/HOWTO/Partition/fdisk_partitioning.html). Going +with 10GB for the root partition as the first time I did this I had 5 +for that and 10 for `/var`, and I didn’t have enough space to install +TeX Live and had to do crazy repartitioning of encrypted partitions… + +Here’s a summary of the sizes I choose for my partitions: + + Partition Size Filesystem + ----------- ----------------- ------------ + `/` 10GB ext3 + `/var` 5GB ReiserFS + `/home` remaining HDD ext4 + `/tmp` max. 50% of RAM tmpfs + +so + +``` {.nil} +,# mkfs.ext3 /dev/sda1 +``` + +or, `mkfs.ext4` on my single-partition desktop. + +Installing the CRUX distribution +-------------------------------- + +We don’t mount our partition for `/var` separately at this stage because +the live CD doesn’t have the tools needed to do disc encryption, and +it’s far easier to let (non-personal) data get written to `/var` now +that can later be moved into the encrypted partition, rather than +supplying the installation with the scripts and modules to encrypt now. + +``` {.nil} +,# mount /dev/sda1 /mnt +,# setup +``` + +Select all three port collections and then **deselect** the following +packages from `opt`: `fetchmail`, `firefox`, `grub`, `lvm2`, `mdadm`, +`nano`, `openbox`, `procmail`, `rp-pppoe`, `wvdial`, `xterm`; +**deselect** the following packages from `xorg`: `xorg-xf86-video-*` +except for `vesa`. 
+ +Config files +------------ + +Chroot and set the root password as instructed. + +Lines for `/etc/fstab`; again this is simple as we’re going to add +encrypted partitions later: + +``` {.nil} +/dev/sda1 / ext3 defaults,noatime 0 1 +tmp /tmp tmpfs defaults,nosuid,size=1024M,mode=1777 0 0 +usb /proc/bus/usb usbfs defaults 0 0 +/dev/sdaX /mnt/seven ntfs-3g defaults 0 0 +``` + +We’ll use `autofs` for floppy and optical drives. + +In `/etc/rc.conf`, we change the keymap to `uk`, timezone to +`Europe/London` and hostname to `artemis` for my laptop and `zephyr` for +my desktop. Leave services and font as they are for now. + +Generate locales: + +``` {.nil} +,# localedef -i en_GB -f ISO-8859-1 en_GB +,# localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1 +,# localedef -i en_GB -f UTF-8 en_GB.utf8 +``` + +### Temporary network setup + +We will need wired network access with which to get wireless working, +and the way I do this is to tether one machine to the other. The +following configuration achieves that: + +``` {.conf} +#!/bin/sh +# +# /etc/rc.d/net: start/stop network +# + +case $1 in + start) + # loopback + /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host + /sbin/ip link set lo up + # ethernet + /sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast + + /sbin/ip link set eth0 up + # default route + /sbin/ip route add default via 10.8.0.1 + ;; + stop) + /sbin/ip route del default + /sbin/ip link set eth0 down + /sbin/ip addr del 10.8.0.2/24 dev eth0 + /sbin/ip link set lo down + /sbin/ip addr del 127.0.0.1/8 dev lo + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file +``` + +Run these commands on the host machine to open up the target to the +‘net: + +``` {.nil} +$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward +$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE +``` + +and its config file (if it’s running CRUX; it’s quite easy to move to +other distros): + +``` {.conf} +#!/bin/sh +# +# 
/etc/rc.d/net: start/stop network +# + +case $1 in + start) + # loopback + /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host + /sbin/ip link set lo up + # ethernet + /sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast + + /sbin/ip link set eth0 up + # default route + #/sbin/ip route add default via 10.8.0.1 + ;; + stop) + #/sbin/ip route del default + /sbin/ip link set eth0 down + /sbin/ip addr del 10.8.0.1/24 dev eth0 + /sbin/ip link set lo down + /sbin/ip addr del 127.0.0.1/8 dev lo + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file +``` + +This can be a bit flaky and doesn’t like hotplugging or rebooting so be +willing to make liberal use of `/etc/rc.d/net restart`. + +`/etc/hosts`: + +``` {.conf} +127.0.0.1 localhost +127.0.1.1 artemis.silentflame.com artemis + +193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net +``` + +`/etc/resolv.conf`: + +``` {.conf} +search silentflame.com +#nameserver 10.9.8.1 +nameserver 208.67.220.222 +nameserver 208.67.220.220 +``` + +The commented out address will be of use once OpenVPN is operational. + +#### DONE Post other machines config too + +CLOSED: \[2011-08-29 Mon 14:56\] + +Also note need to restart on both ends after reboot. + +Compiling the kernel +-------------------- + +Here are changes I have made; everything else is left as-is. 
+- General setup + - Disable development/incomplete code/drivers + - Disable swap support + - Enable BSD Process Accounting + - Disable kernel .config support + - Enable UTS & IPC namespace support + - Disable initramfs/initrd + - Disable optimisation for size + - On zephyr, enable configure standard kernel features (for + small systems) \[Apple keyboard\] +- Enable loadable module support + - Disable unloading modules +- Processor type and features + - Processor family: Core 2/newer Xeon + - Maximum number of CPUs set to 2 + - Disable SMT (Hyperthreading) scheduler support + - Enable machine check / overheating reporting + - Disable AMD MCE features + - High Memory Support: 4GB + - Enable KSM for page merging + - Enable Math emulation + - Enable MTRR cleanup support + - Enable -fstack-protector buffer overflow detection +- Power management and ACPI options + - Enable power management support + - Enable run-time PM core functionality + - Enable APM for laptop (though this is known to be dodgy; care) + - Enable CPU frequency scaling on artemis + - Disable CPU frequency translation statistics + - Enable the powersave, userspace, and conservative governors + on artemis, and ondemand instead of conservative on zephyr. 
+ Set default governor to performance + - Module ACPI Processor P-states driver +- Bus options + - Enable Message Signaled Interrupts + - Disable ISA support + - PCMCIA—disable on zephyr + - Disable Cirrus PD6729 compatible bridge support + - Disable i82092 compatible bridge support +- Executable file formats / emulations + - Enable kernel support for MISC binaries +- Networking support + - Networking options + - For the Oxford VPN, we will need to module these: + - Transformation user configuration interface + - PF~KEY~ sockets + - IP: GRE tunnels over IP + - IP: AH transformation + - IP: ESP transformation + - IP: IPComp transformation + - IP: IPsec transport mode + - IP: IPsec tunnel mode + - IP: IPsec BEET mode + - Enable INET: socket monitoring interface + - Disable IPv6 (I’m never on a network that supports it) + - Enable Netfilter + - Core Netfilter Configuration + - Enable Netfilter connection tracking support + - IP: Netfilter configuration + - Enable IPv4 connection tracking support + - Enable IP tables support + - Enable Full NAT + - Enable MASQUERADE target support + - Enable REDIRECT target support + - Module 802.1d ethernet bridging + - Wireless + - Enable (*i.e.* not just module) cfg80211 + - Enable Generic IEEE 802.11 Networking Stack (mac80211) + - Enable RF switch subsystem support on artemis +- Device drivers + - Generic driver options + - Enable maintain a devtmpfs filesystem to mount at /dev + - Automount devtmpfs at /dev. 
after the kernel… + - Enable include in-kernel firmware blobs in kernel binary + - Enable connector—unified userspace <-> kernelspace linker + - Plug and play support + - Enable PNP debugging messages + - Block devices + - Module normal floppy disk support on artemis, enable on + zephyr + - Disable Compaq SMART2 support + - Disable Compaq Smart Array 5xxx support + - Disable Mylex DAC960/DAC1100 PCI RAID controller support + - Module loopback device support + - Disable network block device support + - Module RAM block device support (this may break tmpfs?) + - Disable ATA over ethernet support + - On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) \[this + may or may not help failure to boot issue, really have no idea + atm\] + - Enable support for SATA (deprecated; conflicts with libata + SATA driver) + - Enable generic ATA/ATAPI disk support + - Enable ATA disk support + - Enable Include IDE/ATAPI CDROM support + - Enable IDE ACPI support + - Enable generic/default IDE chipset support + - Enable Platform driver for IDE interfaces + - Enable AMD and nVidia IDE support + - SCSI device support + - Enable SCSI disk support + - Enable SCSI CDROM support + - Enable vendor-specific extensions (for SCSI CDROM) on + zephyr only + - Enable SCSI generic support + - Probe all LUNs on each SCSI device + - Enable asynchronous SCSI scanning + - Enable serial ATA and parallel ATA drivers + - Enable AHCI SATA support + - Enable platform AHCI SATA support + - On zephyr enable NVIDIA SATA support + - Enable multiple devices driver support (RAID and LVM) + - Enable device mapper support + - Enable crypt target support + - Enable snapshot target + - Enable mirror target + - Disable Fusion MPT device support + - IEEE 1394 (FireWire) support + - Disable FireWire driver stack + - Enable Macintosh device drivers (hmm shouldn’t keyboard be + under here?) 
+ - Network device support + - Module dummy net driver support + - Module universal TUN/TAP device driver support + - Wireless LAN + - Enable Intel Wireless Wifi on artemis + - Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on + artemis + - Enable Intel Wireless WiFi 5000AGN … on artemis + - Enable Ralink driver support on zephyr + - Enable rt2500 (USB) support + - Enable rt2501/rt73 (USB) support + - Enable Ralink debug output + - Disable PPP support + - Input device support + - Disable support for memoryless force-feedback devices + - Disable polled input device skeleton + - Set horizontal and vertical screen resolution + - Enable event interface + - Mice + - On zephyr, enable PS/2 mouse + - Disable serial mouse + - Disable Apple USB touchpad support + - Disable Apple USB BCM5974 Multitouch trackpad support + - Character devices + - Serial drivers + - Disable 8250/16550 and compatible serial support + - Enable Timer IOMEM HW Random Number General support + - Enable Intel HW Random Number Generator support + - Disable AMD … random number generator support × 2 + - Enable /dev/nvram support + - Enable SPI support + - Power supply class support + - Module test power driver + - Module all battery types on artemis for now + - Enable hardware monitoring support + - Generic thermal sysfs driver + - Enable hardware monitoring support + - Disable multimedia support + - Graphics support + - Enable laptop hybrid graphics on artemis + - Module direct rendering manager + - Disable support for frame buffer devices + - Enable backlight & LCD device support on artemis + - Display device support + - Enable display panel/monitor support + - Console display driver support + - Disable scrollback buffer in system RAM + - Enable sound card support + - Enable ALSA + - Enable sequencer support + - Enable OSS mixer API + - Enable OSS PCM + - Enable OSS sequencer API + - Disable verbose procfs contents + - PCI sound devices + - Enable Intel HD Audio + - On artemis enable aggressive 
power-saving on + HD-audio + - Default time-out for HD-audio power-save + mode: 60 + - On zephyr enable build nvidia HDMI HD-audio + codec support + - Disable HID drivers on artemis, enable on zephyr—enable/module + on artemis if want USB mouse support + - Special HID drivers + - Enable Apple + - USB support + - Enable support for host-side usb + - Enable USB device filesystem + - Enable WUSB cable based association + - Enable EHCI HCD (USB 2.0) support + - Disable USB modem support + - Enable MMC/SD/SDIO card support on artemis + - On artemis, enable Secure Digital host controller interface + support + - On artemis enable SDHCI support on PCI bus + - On artemis enable Ricoh MMC controller disabler + - Disable Real Time Clock + - Enable auxiliary display support + - Disable X86 platform specific device drivers + - ~~On artemis, module Acer WMI laptop extras, Asus laptop + extras and ThikPad ACPI laptop extras—don’t think it’s the + latter but one of three for SL300 which has IdeaPad + internals, not proper ThinkPad~~ —using `lenovo-sl-laptop` + - On zephyr enable staging drivers + - Disable exclude staging drivers from being built + - Enable Ralink 2870/3070 wireless support +- File systems + - Enable ext2 + - Enable ext3 + - Default to ‘data-ordered’ in ext3 + - Enable ext4 + - Enable reiserfs + - Disable JFS + - Disable XFS + - Enable kernel automounter version 4 support (also supports v3) + - Enable FUSE + - Module character device in userpace \[sic\] suppose + - CD-ROM/DVD filesystems + - Enable ISO 9660 CDROM file system support + - Enable Microsoft Joliet CDROM extensions + - Enable transparent decompression extension + - UDF file system support + - DOS/FAT/NT filesystems + - Disable MSDOC fs support + - Enable VFAT (Windows-95) fs support + - On zephyr, enable NTFS file system support; disable on + artemis + - On zephyr enable NTFS write support + - Network file systems + - Enable NFS client support + - Enable NFS client support for the NFSv3 ACL protocol + 
extension + - Enable NFS server support for the NFSv3 ACL protocol + extension + - Disable SMB file system support + - Disable CIFS support +- Kernel hacking + - Enable timing information on printks + - Enable \_~mustcheck~ logic + - Disable Magic SysRq key + - Enable sysctl checks + - Filter access to /dev/mem + - Maybe enable verbose x86 bootup info messages +- Cryptographic API + - Module null algorithms + - Module CCM support (Oxford VPN) + - Module GCM/GMAC support (Oxford VPN) + - Enable SHA224 and SHA256 digest algorithm + - Enable Zlib + - Enable LZO + - Enable pseudo random number generation for cryptographic modules +- Virtualisation + - Enable KVM support + - Enable KVM for Intel processors support + - Module Virtio balloon driver + +Once done with `menuconfig`, we set things up: + +``` {.nil} +,# make all && make modules_install +,# cp arch/x86/boot/bzImage /boot/vmlinuz +,# cp System.map /boot +``` + +nil + +Bootloader +---------- + +Set up lilo; for artemis: + +``` {.conf} +# +# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5) +# + +lba32 +install=text +compact +boot=/dev/sda +image=/boot/vmlinuz + label=CRUX + root=/dev/sda3 + read-only + append="quiet acpi_backlight=vendor" + +# End of file +``` + +and for zephyr: + +``` {.conf} +# +# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5) +# + +lba32 +install=text +prompt +timeout=30 +compact +boot=/dev/sda +image=/boot/vmlinuz + label=CRUX + root=/dev/sda3 + read-only + append="quiet" +other=/dev/sda2 + label=dos + +# End of file +``` + +``` {.nil} +# lilo +# reboot +``` + +### DONE Actually fill this section in<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-17 Sun 16:12\] + +Post-install configuration +========================== + +Pre-encryption tweaks—stop building things as root +-------------------------------------------------- + +Following the advice [here](http://crux.nu/Wiki/PostInstallationNotes), +we set up a non-priviledged user to build ports. 
This also moves port +building out of `/usr` and into `/var` where it belongs. + +We create our user account here because otherwise pkgmk will get the +first UID. + +``` {.nil} +,# groupadd pkgmk +,# useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk +,# useradd -m -d /var/pkgmk -g pkgmk pkgmk +,# mkdir /var/pkgmk/{distfiles,packages,work} +,# chown pkgmk:pkgmk /var/pkgmk/* +,# chmod 775 /var/pkgmk/* +``` + +`/etc/prt-get.conf`: + +``` {.conf} +makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk +``` + +`/etc/pkgmk.conf`: + +``` {.conf} +PKGMK_SOURCE_DIR="/var/pkgmk/distfiles" +PKGMK_PACKAGE_DIR="/var/pkgmk/packages" +PKGMK_WORK_DIR="/var/pkgmk/work/$name" +``` + +`/etc/hosts`: + +``` {.conf} +193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net +``` + +### CANCELLED Fix permissions for creating .md5sum (maybe) and also grok how this actually works<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:55\] + +Pre-encryption tweaks—packages +------------------------------ + +We can’t do much until encryption is operational because we don’t want +to introduce any kind of personal data to the system until then. However +our lives in setting that up will be a lot easier with some additional +packages to our very spartan system. + +If you see this on a bootup: + +``` {.nil} +umount: /sys: device is busy. + (In some cases useful info about processes that use + the device is found by lsof(8) or fuser(1)) +mount: sysfs already mounted or /sys busy +``` + +then be assured that it may be safely ignored; I believe it’s a bug in +the `/etc/rc` script. + +First we enable the `contrib` ports collection + +``` {.nil} +,# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync +,# ports -u contrib +``` + +We tell `prt-get` that we’ve done so by uncommenting the line + +``` {.conf} +prtdir /usr/ports/contrib +``` + +near the start of `/etc/prt-get.conf`. 
Now we use the `mpup` utility to +add some ports from third party repositories. `mpup` is like `ports -u` +except only specific ports are fetched, rather than a whole irrelevant +repository. + +``` {.nil} +,# prt-get depinst mpup +,# mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup +``` + +Now we add my personal repository TODO and gnome and xfce TODO (gnome +below contrib so guile installs right + +Add to `/etc/mpup.lst`: + +``` {.nil} +httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd +httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid +rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus +rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus +httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo +httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp +httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble +httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip +httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font +rsync -aqz morpheus.net::cruxports/mingetty/ mingetty +httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools +httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1 +httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit +httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5 +httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword +httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex +httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs +httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine +httpup sync http://www.landofbile.com/crux_ports/#gmime gmime +httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd +httpup sync 
http://vico.kleinplanet.de/files/repo/#abcde abcde +httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid +httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2 +rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python +httpup sync http://jue.li/crux/ports/#s3fs s3fs +rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid +``` + +and add `prtdir /usr/ports/meta` to the beginning of +`/etc/prt-get.conf`. Next we’ll install some basic utilities but before +we do that we enable install scripts in `/etc/prt-get.conf`: + +``` {.conf} +runscripts yes +``` + +now + +``` {.nil} +,# ports -u meta swhitton +,# prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex +,# prt-get remove vim +``` + +Change the keymap in `/etc/rc.conf` to `uk.swapcaps` and then + +``` {.nil} +,# loadkeys uk.swapcaps +``` + +to make caps lock into a control key, as it should be. + +This should be enough to bootstrap my standard CLI interface into +`/root`, which’ll make things more comfortable. + +``` {.nil} +,# cd ~ +,# rm -rf .ssh +,# mr --trust-all bootstrap xyrael.net/mrconfig-crux +,# chsh -s /bin/zsh +,# zsh +``` + +### DONE Paste u/mount error<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 15:01\] + +### DONE Fill in more from actual file<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:53\] + +Encrypted partitions +-------------------- + +At long last we are ready to prepare our encrypted partitions, move our +sensitive data into them and then to have them decrypted at boot. 
+ +### Create partitions + +``` {.nil} +,# cryptsetup luksFormat /dev/sda2 +,# cryptsetup luksFormat /dev/sda3 +,# cryptsetup luksOpen /dev/sda2 artemis-var +,# cryptsetup luksOpen /dev/sda2 artemis-home +,# mkfs.reiserfs /dev/mapper/artemis-var +,# mkfs.ext4 /dev/mapper/artemis-home +``` + +We’ll mount up the home partition and put something in it for testing +purposes. + +``` {.nil} +,# mount /dev/mapper/artemis-home /home +,# echo "it works\!" > /home/test.txt +``` + +### Decryption + +To confirm that things are working we’ll do `/home` first before `/var`, +because the latter gets log files written to it that we’re going to have +to be careful about moving. + +Open up `/etc/rc` and find the line + +``` {.bash} +,# Check filesystems +``` + +Above the chunk of lines this line heralds the commencement of, we are +going to add our decryption commands. These are + +``` {.bash} +,# SEAN DECRYPTION BEGIN + +,# we need to set the keymap early in order to be able to decrypt +if [ "$KEYMAP" ]; then + /usr/bin/loadkeys -q $KEYMAP +fi + +/usr/bin/setfont $FONT + +echo "" +echo -n "This is Sean's computer - enter system passphrase: " + +/bin/stty -echo; read PASSPHRASE; /bin/stty echo +echo "" +echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var +echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home + +PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot" +unset PASSPHRASE + +,# SEAN DECRYPTION END +``` + +The idea of this code is to stop someone from being able to do anything +with the system without opening it up, which was considered to be an +acceptable risk in our encryption strategy. + +Add this line to `/etc/fstab`: + +``` {.conf} +/dev/mapper/artemis-home /home ext4 defaults 0 2 +``` + +Reboot, and confirm our test file is still in place with the content we +gave it. If so, it's time to move the files in `/var`. 
We stop daemons +that might write there before doing so,[^1] move the data and then +reboot and cross our fingers. + +First add this line to `/etc/fstab`: + +``` {.conf} +/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2 +``` + +then + +``` {.nil} +,# mkdir /mnt/tmp +,# mount /dev/mapper/artemis-var /mnt/tmp +,# /etc/rc.d/sysklogd stop +,# /etc/rc.d/crond stop +,# /etc/rc.d/net stop +,# mv /var/* /mnt/tmp +,# mv /var/.* /mnt/tmp +,# reboot +``` + +This doesn't really require a reboot, but it's nice to see all the +encryption stuff now fully working in tandem. + +### DONE On artemis, unmount /var in rc.shutdown to prevent reiserfs journal replay on every boot<span class="tag" data-tag-name="TechFix"></span><span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:53\] + +Post-encryption setup +--------------------- + +Whew, now that encryption’s done we’re safe to start setting up my +environment. + +### Distribution update + +First bring the distribution up-to-date: + +``` {.nil} +,# prt-get sysup +``` + +This will take a while since the packages will need to be compiled, +unlike during the installation where this has already been done. Also +=prt-get=’s dependency resolution isn’t perfect, and you may be required +to intervene to upgrade some packages before others. + +Now we’ve hacked `/etc/rc` we need to lock it to prevent it being +overwritten by updates, which would stop our system from starting up. +Add this line to `/etc/pkgadd.conf` + +``` {.conf} +UPGRADE ^etc/rc$ NO +``` + +### Wireless + +Let’s stop dependency on another host for Internet access. + +For artemis, we need the wireless firmware from +[here](http://intellinuxwireless.org/?n%3Ddownloads&f%3Ducodes_5000), +and we need a release of the 5000 images (for our 5100AGN card) old +enough to have -2 at the end, as our kernel version doesn’t seem to look +for anything higher. 8.24.2.12.tgz appears to be the latest with this +property. 
Extract the `.ucode` file into `/lib/firmware` and reboot and +the hardware should be ready to go. + +For zephyr we need +[rt2870.bin](http://www.ralinktech.com/support.php?s%3D2) which we can +drop into `/lib/firmware`; we then need a symlink: +`ln -s /lib/firmware/rt2870.bin +/lib/firmware/rt3070.bin` because the rt2870.bin driver covers a lot of +hardware and the kernel looks in the wrong place. + +Install `wicd` to manage network connections from now on. Somehow `glib` +doesn’t get updated enough/at all in the sysup so do it again here +(maybe). + +``` {.nil} +,# prt-get update glib +,# prt-get depinst wicd urwid +,# /etc/rc.d/dbus start +,# /etc/rc.d/wicd start +``` + +Add the `atd`, `dbus` and `wicd` daemons (in that order) to +`/etc/rc.conf`, and comment out the gateway settings for `eth0` from +`/etc/rc.d/net` (we can’t remove this daemon entirely because we need +the loopback interface—discovered this the hard way when mpd wouldn’t +work…). Fire up `wicd-curses` to connect to your wireless network. +Remember to add `10.9.8.1` as first DNS server, globally, then OpenDNS. + +### ntp + +At this point I tend to notice my system clock drifting. + +``` {.nil} +,# prt-get depinst openntpd +,# /etc/rc.d/ntpd start +``` + +Add ntpd to list of daemons in `/etc/rc.conf`. In `/etc/rc.d/ntpd`, make +the `-s` into `-S` so that ntp doesn’t even try to change the time on +startup, which makes a big difference to boot speed. + +Add to `/etc/pkgadd.conf`: + +``` {.conf} +UPGRADE ^etc/rc\.d/ntpd$ NO +``` + +to protect our changes. + +#### DONE Exclude /etc/rc.d/ntpd from being changed on package updates<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:58\] + +### User account + +``` {.nil} +,# mkdir /home/swhitton +,# chown swhitton:users /home/swhitton +,# passwd swhitton +``` + +Log out and login again as the new user. 
Bootstrap its homedir: + +``` {.nil} +$ mr --trust-all bootstrap xyrael.net/mrconfig-crux +``` + +### DONE Apple keyboard at console + +CLOSED: \[2011-08-29 Mon 14:59\] + +On zephyr, add to `/etc/rc.local`: + +``` {.bash} +echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null +``` + +### X + +#### Setup + +We’re going with the non-free nVidia drivers since we have a nVidia card +we want to make some use of: + +``` {.nil} +,# prt-get depinst nvidia +,# reboot +,# nvidia-xconfig +,# gl-select use nvidia +``` + +To test X, back as `swhitton`, we prepare a minimal `.xinitrc` with just +the line `exec urxvt`, moving the usual file to `.xinitrc~`. + +``` {.nil} +$ startx +``` + +If you get a terminal that you can type into, and the mouse moves +around, we’re good to go. Run `exit` in the terminal to kill off X. + +##### Driver tweaks + +Add the following lines to the `Device` section of `/etc/X11/xorg.conf` +for some minor improvements (from Arch wiki): + +``` {.conf} +Option "NoLogo" "1" +Option "RenderAccel" "1" +Option "ConnectedMonitor" "DFP" +Option "TripleBuffer" "1" +Option "DamageEvents" "1" +Option "DPS" "1" +``` + +Remove the third line for zephyr. + +#### The almighty Terminus + +We need three versions of Terminus: one which provides the traditional X +font, one which provides the xft font and one for the console. + +The Arch package provides all three at once, I believe, or at least the +first two so should probably be looked into at some point. + +``` {.nil} +,# prt-get depinst xorg-font-terminus console-font-terminus terminus-font +``` + +In the `Files` section of `/etc/X11/xorg.conf`, add the line + +``` {.conf} +FontPath "/usr/lib/X11/fonts/terminus" +``` + +and then my `.Xresources` should take care of the rest. For console, +update `/etc/rc.conf` to use this new font, `Lat2-Terminus16`. + +#### Font beautification + +CRUX’s X11 fonts look pretty poor without tweaks, and there are various +ways to improve the situation. 
After much messing around I reckon that +the cleartype approach is the best, especially since the packages on the +AUR were recently renewed and seem to be maintained. Links about this +issue at the end of this document. + +First we set up some package aliases so that our prt-get doesn’t think +we’ve removed important dependencies. Append to +`/var/lib/pkg/prt-get.aliases` + +``` {.conf-colon} +libxft-cleartype: xorg-libxft +freetype2-cleartype: freetype +cairo-cleartype: cairo +postfix: exim +``` + +and append to `/etc/pkgadd.conf` to protect this file from upgrades: + +``` {.conf} +UPGRADE ^var/lib/pkg/prt-get.aliases$ NO +``` + +``` {.nil} +,# prt-get remove freetype xorg-libxft cairo +,# prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype +``` + +Taking the -ubuntu approach means no Xft Terminus so require the hacked +TTF versions floating about, which means no smaller font in Conkeror +minibuffer. + +Check in `/etc/fonts/fonts.conf` that near the top there is + +``` {.xml} +<dir>/usr/share/fonts</dir> +<dir>/usr/lib/X11/fonts</dir> +<dir>~/.fonts</dir> +``` + +as the second line might be missing. This should be packaged +up/automated at some point. + +##### DONE Tidy up dependency installation around this stuff<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-17 Sun 21:48\] + +Atm there will be clashes, particularly concerning the freetype files. + +<Romster> edit /var/lib/pkg/prt-get.aliases and add your port as +an alias \[16:50\] <Romster> be sure to add that file to +/etc/pkgadd.conf else changes will be gone should you ever +reinstall/update prt-get. 
+ +##### DONE Add `--install-scripts` throughout this file, as probably needed in lots of places<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-17 Sun 21:48\] + +Or just use prt-get config variable `runscripts` + +#### Lisp + +We are going to install the lisp environment to run my window manager, +StumpWM, using the [quicklisp approach from the +ArchWiki](https://wiki.archlinux.org/index.php/Stumpwm#With_Quicklisp_.28recommended.29). +When my lisp knowledge improves I will make this into a package. + +``` {.nil} +,# prt-get depinst sbcl texinfo +,# wget beta.quicklisp.org/quicklisp.lisp +,# sbcl --load quicklisp.lisp +``` + +and then in the interactive shell + +``` {.commonlisp} +(quicklisp-quickstart:install) +(ql:add-to-init-file) +(ql:update-all-dists) +(ql:quickload "clx") +(ql:quickload "cl-ppcre") +(quit) +``` + +This relies on the environment variable we set in `.zshrc`, +`SBCL_HOME=/usr/lib/sbcl`. + +#### More building blocks + +Unfortunately, stumpwm won’t build unless we’re root at the moment as I +haven’t got the package set up right. So first we comment out the lines +we added to `/etc/prt-get.conf` and `/etc/pkgmk.conf` and then + +``` {.nil} +,# cd /usr/ports/swhitton/stumpwm +,# pkgmk -d +,# chown pkgmk:pkgmk stumpwm\#git-1.pkg.tar.gz +,# mv stumpwm\#git-1.pkg.tar.gz /var/pkgmk/packages +``` + +Now uncomment the lines again and + +``` {.nil} +,# prt-get depinst xbindkeys avfs stumpwm +$ mkdir .avfs +# echo "user_allow_other" >> /etc/fuse.conf +``` + +This should be enough to get a graphical environment up, so `startx` and +open up a shell with the usual `C-i C-t`. If dual monitors need setting +up, su to root and run `nvidia-settings`. + +#### SLiM + +And changes to theme to make slimlock work and changes to slimlock.conf. + +#### gettys & SLiM + +Using a display manager is much neater than running startx from +`~/.zshrc`. 
+ +``` {.nil} +,# prt-get depinst mingetty slim slimlock +``` + +We use mingetty because it allows autologin if we ever want it and it +uses less resources than agetty. We don’t use autologin at the moment +because we’re screenlocking with slimlock rather than vlock. One virtual +console is sufficient. + +``` {.conf} +#c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux +c2:2:respawn:/sbin/mingetty --noclear tty2 linux +#c3:2:respawn:/sbin/agetty 38400 tty3 linux +#c4:2:respawn:/sbin/agetty 38400 tty4 linux +#c5:2:respawn:/sbin/agetty 38400 tty5 linux +#c6:2:respawn:/sbin/agetty 38400 tty6 linux +#s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100 + +x:2:respawn:/usr/bin/slim >& /dev/null +``` + +Amend these lines in `/etc/slim.conf`: + +``` {.conf} +console_cmd /usr/bin/urxvt -T "Console login" -e /bin/sh -c +"/bin/cat /etc/issue; exec /bin/login" +default_user swhitton +auto_login yes (on artemis) +``` + +and in `/etc/slimlock.conf`: + +``` {.conf} +wrong_passwd_timeout 0 +show_username 1 +show_welcome_msg 0 +``` + +and a fix to `/usr/share/slim/themes/crux-smooth/slim.theme`: + +``` {.conf} +username_x 170 +password_x 170 +``` + +##### CANCELLED Make this fix a patched version of the package + +CLOSED: \[2011-08-29 Mon 12:20\] + +### ALSA + +Let’s get sound operational. + +``` {.nil} +,# prt-get depinst alsa-lib alsa-utils alsa-oss +,# alsamixer +``` + +Hit `M` to unmute the main channel. Raise the volume until the db gain +is 0 and then play a sound to test. If it doesn’t play, raise the other +sliders around a bit. + +``` {.nil} +,# aplay /home/swhitton/lib/beep.wav +``` + +Now add alsa to the daemons array in `/etc/rc.conf` and run + +``` {.nil} +,# alsactl -f /var/lib/alsa/asound.state store +,# /etc/rc.d/alsa start +``` + +### sshd + +Add to `/etc/hosts.allow`: + +``` {.conf} +sshd: 10.9.8. 192.168.0. 10.8.0. +``` + +We need sshd running all the time in order to have tramp working +smoothly, it seems (not in find-file but in eshell). 
+ +### mpd, ncmpcpp & mpdscribble + +No reason to go any further without some tunes. We need to install +`libmms` first in order to get proper streaming support. + +``` {.nil} +,# prt-get depinst libmms libfaac +,# prt-get depinst mpd mpc ncmpcpp mpdscribble +``` + +#### Sync media library + +One of unison’s dependencies, ocaml, will need a .footprint deleting. + +``` {.nil} +,# prt-get depinst unison +``` + +Reconnect ethernet cable and run `/etc/rc.d/net restart` on both +machines to bring up the connection. Run + +``` {.nil} +$ unison ~/var ssh://10.8.0.2/var +``` + +on host tethered artemis/zephyr to copy `~/var` back over to new +machine. + +#### Configuration + +We want mpd to run as swhitton. Uncomment loads of stuff in +`/etc/mpd.conf` (and add `mixer_type "software"` to ALSA output to make +mpd volume independent of everything else) make sensible edits and run + +``` {.nil} +$ mkdir -p .mpd/playlists +,# chown swhitton.users /var/cache/mpdscribble/*.journal +,# usermod -a -G audio swhitton +``` + +At some point we should move the config we use inside `/home/swhitton` +since everything happens there now. + +Add this line to `/etc/hosts.allow`: + +``` {.conf} +mpd: 127.0.0.1 +``` + +Add this line to `/etc/pkgadd.conf`: + +``` {.conf} +UPGRADE ^var/cache/mpdscribble/.*\.journal$ NO +``` + +`.xinitrc` will take care of starting mpd and mpdscribble. + +### sudo + +Execute `visudo` and uncomment the line + +``` {.conf} +%wheel ALL=(ALL) NOPASSWD: ALL +``` + +conf and execute + +``` {.nil} +usermod -a -G wheel swhitton +``` + +to give swhitton full sudo access. 
+ +### Desktop software + +``` {.nil} +,# prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes +flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp +xclip libreoffice scrot shared-mime-info gnome-mime-data htop at +filezilla abook libogg flac libvorbis easytag unzip imagemagick bc +aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m +dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts +ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs +notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist +guile normalize abcde cd-discid eject terminator vte-python xchat s3fs +service psi-im vcdimager subversion xfce-mcs-manager thunar +``` + +Select a theme with `gtk-chtheme`. + +Do *not* be tempted to install the packages `xorg-font-adobe-100dpi` & +`xorg-font-adobe-75dpi`. They take priority over other fonts and look +rubbish, screwing things up in general. + +At some point I should write a Pkgbuild to install +[pdftk](http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/), but this +is a nightmare because `gcj` is a nightmare to build, so for now I’ll +just use the pdftk on athena. + +Conkeror relies on xulrunner, which at present comes with the CRUX 2.7 +installation CD but as Firefox now includes it is not available in the +ports database. If needed in the future, the CRUX git repository history +contain the Pkgfile: link +[1](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/Pkgfile%3Bh%3D15c0967f212611b544da5381f135460b3a7f6c75%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f), +[2](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/mozconfig%3Bh%3D411ffaf26f2e0456c2c313e688cbc0c7bcfbfe7f%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f), +[3](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/xulrunner.diff%3Bh%3D5503c8d399a8ba9af88790d2c9c64de38e191ddc%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f). 
+ +#### DONE Fix lack of `conkeror-spawn-helper`<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-14 Thu 16:42\] + +#### CANCELLED Write Pkgfile for TeX Live<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:50\] + +This will need these pages: +<http://www.tug.org/texlive/quickinstall.html> +<http://www.tug.org/texlive/acquire-netinstall.html> and then some way +of telling the install script what to do without doing so interactively. +-profile seems to be the way to go. Symlinks for manpages, infopages and +the binaries, too. + +#### DONE Investigate `xulrunner`<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 19:11\] + +It seems to be installed when the distro was installed yet isn’t in the +ports db? Removed intentionally. + +#### CANCELLED Add xfce repository in order to install xfburn<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:50\] + +Don’t really want to do this until dealt with freetype issue. Maybe a +dummy package? + +xcdroast? Tried to install it… + +At the moment we just use: genisoimage -o tmp/dvd.iso local/toburn +growisofs -Z /dev/sr0=/home/swhitton/tmp/dvd.iso + +prt-get readme cdrkit explains why burndir won’t work: growisofs is +looking for mkisofs instead of genisoimage. + +#### CANCELLED Make abiword work<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 14:50\] + +gnome-keyring will need fixing/version bumping as it looks for a version +of libtasn that is too old. + +#### DONE Fix /usr/share ownership when installing my recently created packages<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 20:24\] + +I think it has something to do with a package installing some zsh +completions. 
+ +#### DONE Fix mpdscribble & xbindkeys<span class="tag" data-tag-name="TechFix"></span><span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-20 Wed 19:47\] SCHEDULED: <2011-07-15 Fri> + +### OpenVPN + +We want the OpenVPN configuration files to be encrypted. + +``` {.nil} +,# mkdir -p /home/etc/openvpn +,# ln -s /home/etc/openvpn /etc +,# prt-get depinst openvpn +``` + +Copy into `/etc/openvpn` the files `ca.crt`, `artemis.crt` and +`artemis.key` and then create `/etc/openvpn/tap.conf`: + +``` {.conf} +client +remote 212.13.194.60 1194 +dev tap +proto tcp +resolv-retry infinite +nobind +persist-remote-ip +persist-local-ip +ping 5 +ping-restart 10 +ping-timer-rem +persist-key +persist-tun +verb 2 +ca /etc/openvpn/ca.crt +cert /etc/openvpn/artemis.crt +key /etc/openvpn/artemis.key +comp-lzo +;redirect-gateway def1 +``` + +where the final line is to be uncommented when on my untrusted +university LAN. Add `openvpn` to the daemons started in `/etc/rc.conf`. +Use udp rather than tcp on desktop. 
+ +Create the `/etc/rc.d/openvpn` script (stolen from Arch): + +``` {.bash} +#!/bin/sh +# +# /etc/rc.d/openvpn: start/stop vpn daemon +# + +CFGDIR="/etc/openvpn" +STATEDIR="/var/run/openvpn" + +case $1 in +start) + mkdir -p "${STATEDIR}" + for cfg in "${CFGDIR}"/*.conf; do + /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}" + done + ;; +stop) + for pidfile in "${STATEDIR}"/*.pid; do + kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null + rm -f "${pidfile}" + done + ;; +restart) + $0 stop + sleep 1 + $0 start + ;; +*) + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file +``` + +and fire her up: + +``` {.nil} +,# /etc/rc.d/openvpn start +``` + +#### DONE Paste the `/etc/rc.d/openvpn` script<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-17 Sun 22:58\] + +### SSH configuration + +Download the keys `desktop-key` and `key` into `~/.ssh`, and in +`~/.ssh/config` replace `athena.silentflame.com` with `athena.athenet` +and add + +``` {.conf} +Host selene +User root +HostName selene.silentflame.com +IdentityFile ~/.ssh/desktop-key + +Host raven +User ball3162 +HostName linux.ox.ac.uk +IdentityFile ~/.ssh/desktop-key +``` + +### E-mail + +Our first real encounter with pre-install scripts. `prt-get readme +dovecot/postfix` will provide an explanation. + +``` {.nil} +,# pkgrm exim +,# prt-get depinst dovecot postfix offlineimap +``` + +We add the following line in `/etc/dovecot/conf.d/10-mail.conf`: + +``` {.conf} +mail_location = maildir:~/.gnus.d/Maildir +``` + +and the following in `/etc/postfix/main.cf`: + +``` {.conf} +relayhost = [10.9.8.1]:25 +``` + +and we’re done. We may now run + +``` {.nil} +,# /etc/rc.d/postfix start +$ offlineimap +``` + +to do the initial download of my e-mail. Add the postfix daemon to +`/etc/rc.conf` (but not dovecot). 
You might want to test that e-mail +goes where it should via telnet: + +``` {.nil} +~ # telnet localhost 25 +Trying 127.0.0.1… +erase character is '^H'. +Connected to localhost. +Escape character is '^]'. +220 artemis.localdomain ESMTP Postfix +>>> EHLO localhost +250-artemis.localdomain +250-PIPELINING +250-SIZE 10240000 +250-VRFY +250-ETRN +250-ENHANCEDSTATUSCODES +250-8BITMIME +250 DSN +>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk> +250 2.1.0 Ok +>>> rcpt to:<spwhitton AT-NOSPAMHEREEITHERPLZ gmail.com> +250 2.1.5 Ok +>>> data +354 End data with <CR><LF>.<CR><LF> +>>> Dear Sean, + +>>> This is my test message. Thanks. + +>>> Thanks. +>>> . +250 2.0.0 Ok: queued as C0CEFB9 +quit +221 2.0.0 Bye +Connection closed by foreign host +``` + +where `>>>` prefixes a line I typed. This is the most esoteric e-mail +route I can come up with, where the mail goes local -> athena -> +Oxford smtp -> gmail -> athena -> local, so check the headers +to make sure it’s gone everywhere it should. 
+ +Now that `~/.newsrc.eld` isn’t synced between machines, recreate Gnus +group tree as follows (`^` opens tree and `u` subscribes to items; `Tn` +to create new topics and `GV` and `Gv` to manipulate virtual groups; `u` +to kill off things like `gnus-help`): + +``` {.nil} +[ Gnus -- 54 ] + 0 / 19 / 1199 : INBOX + 0 / 1 / 2423 : Notices & updates + 9 / 16 / 2408 : Feeds & lists + 0 / * / 0 : feeds.Guardian + [ Listservs -- 1 ] + 0 / 1 / 372 : lists.BitFolk +* 0 / 0 / 140 : lists.VCS-Home + 0 / 0 / 27 : lists.Wikizine + [ Feeds -- 16 ] + 1 / 4 / 595 : feeds.Blogs + 7 / 7 / 1320 : feeds.Comics + 1 / 3 / 253 : feeds.Friends + 0 / 2 / 240 : feeds.Tech + [ Personal -- 1 ] +* 0 / 0 / 5080 : archive + 0 / 0 / 99 : drafts + 0 / 0 / 1735 : notices + 0 / 0 / 2245 : sent +* 0 / 0 / 40 : temptodo + 0 / 1 / 688 : updates +``` + +### crontab + +``` {.cron} +*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null +0 * * * * /home/swhitton/bin/doccheckin >/dev/null +``` + +### acpid & laptop-mode + +Most of this is only on artemis. First we disable updatedb which can +block suspend (on zephyr & artemis). + +#### laptop-mode + +``` {.nil} +,# rm /etc/cron/daily/mlocate +,# prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors +``` + +Add the acpid and laptop-mode daemons to `/etc/rc.conf` (in that order). + +I am not sure laptop mode is doing everything it can to save power +because `/etc/laptop-mode/conf.d/` doesn’t exist, as it does on Arch. At +some point may wish to look into improving things, using the +[Arch](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools) +[wiki](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools) (two +links). + +##### CANCELLED Make `laptop-mode` actually work<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-30 Tue 16:48\] + +#### =lenovo-sl-laptop= + +The `lenovo-sl-laptop` module provides control of the backlight and +access to various hotkeys from X. 
Recompiling the kernel wipes it out so +remember to re-add it should you need to do that. + +``` {.nil} +,# cd ~/local/src +,# git clone git://github.com/tadzik/lenovo-sl-laptop.git +,# cd lenovo-sl-laptop +,# make +,# mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop +,# cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop +,# echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf +,# echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs +``` + +nil + +Add add acpi~backlight~=vendor to the kernel boot line in +`/etc/lilo.conf` and run `lilo` to put in place. + +#### Suspend on lid closure + +Edit the file `/etc/acpi/actions/lm_lid.sh` and add this block to the +top: + +``` {.bash} +if grep -q closed /proc/acpi/button/lid/LID/state; then + sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock +fi +``` + +Sometimes a stale lock file prevents `pm-suspend` from working with no +errors or log messages. To deal with this: + +``` {.nil} +,# rm /var/run/pm-utils/locks/pm-suspend.lock +``` + +### autofs & NFS + +``` {.nil} +,# prt-get depinst autofs +,# rm /etc/autofs/auto.{master,net,media} +``` + +`/etc/autofs/auto.master`: + +``` {.conf} +/media /etc/autofs/auto.media +/net /etc/autofs/auto.net --timeout=30 +``` + +`/etc/autofs/auto.net`: + +``` {.conf} +athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp +share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files +``` + +`/etc/autofs/auto.media`: + +``` {.conf} +cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0 +usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1 +sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1 +``` + +Add rpcbind, nfs and autofs to the daemons array in `/etc/rc.conf`, in +that order. + +Should now have in that array, in this order: acpid, laptop-mode, alsa, +net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn, +postfix, sshd. 
+ +Protect these configs in `/etc/pkgadd.conf`: + +``` {.conf} +UPGRADE ^etc/autofs/auto\..*$ NO +``` + +#### DONE Lock these config files<span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-29 Mon 19:08\] + +### DONE Warcraft III, wine etc. (/opt in general) + +CLOSED: \[2011-08-29 Mon 14:54\] + +``` {.nil} +,# prt-get depinst wine +``` + +The AcceptEx patch has now been merged with Wine so you should just be +able to install Warcraft III and its expansion and then update right off +Battle.net. And it seems Wine is able to trap the mouse inside the +window now too. Still rename Movies to Moviez, but the patch sorts out +resolution issues. Nice. + +`winecfg` and enable emulate virtual desktop to play. + +### DONE StarCraft II + +CLOSED: \[2011-08-29 Mon 18:16\] + +The most recent versions of wine allow you to get your mouse pointed +trapped in the window and work great with fullscreen windowed, but an +older version of wine is required for installation—at the time of +writing the most recent that works is 1.2.3. Begin by copying the two +wine package files of 1.2.3 and the most recent version (at the time of +writing, 1.3.24) into `/var/pkgmk/packages`. Mount the StarCraft II DVD +and copy the files to home directory to install: + +``` {.nil} +,# mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd +$ mkdir ~/tmp/sc2 +$ cp -R /mnt/cd/* ~/tmp/sc2 +$ wine start ~/tmp/sc2/Installer.exe +``` + +Run `winecfg` and disable `mmdevapi` completely under the Library tab. +After the game has finished installing and patching (takes forever), +switch the wine version (with `pkgadd -u /var/pkgmk/packages/…`) and set +the game to lowish graphics and select fullscreen windowed (lower than +what you’d have in Windows on the same hardware). Run `winecfg` again +and tick the trap mouse in full screen checkbox under the Graphics tab. 
+ +Cleanup: + +``` {.nil} +,# umount /mnt/cd +$ rm -rf ~/tmp/sc2 +``` + +#### USB mouse + +For StarCraft II on artemis you will want a USB mouse. This requires +`usbhid` to be compiled into the kernel, and then edit +`/etc/X11/xorg.conf`; replace the entire mouse section: + +``` {.conf-space} +Section "InputDevice" + Identifier "Mouse0" + Driver "mouse" + Option "Protocol" "IMPS/2" + Option "Device" "/dev/input/mice" + Option "ZAxisMapping" "4 5" +EndSection +``` + +and then add to the `ServerLayout` section: + +``` {.conf-space} +Option "AllowEmptyInput" "false" +``` + +### DONE VirtualBox + +CLOSED: \[2011-08-30 Tue 15:49\] + +This need only be done on zephyr (since it’s more powerful). + +``` {.nil} +,# prt-get depinst virtualbox +,# usermod -a -G vboxusers swhitton +``` + +Worth setting up an Ubuntu VPS for testing. Remember to modprobe +`vboxdrv` before running VirtualBox. + +### Browser plugins + +Install Firemacs into Firefox, and change (some of the) bindings to +match Conkeror. Add AdBlockPlus to Conkeror but not no script as the +glue (`require("noscript");`) doesn’t work very well. + +### Emacs keys in GTK apps + +``` {.nil} +,# prt-get install gconf +$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0 +$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs +``` + +We don’t seem to have backward-delete-word on `C-w` with this, though. + +Miscellaneous notes +=================== + +Backup strategy +--------------- + +All information to set the system up is in this document, so only the +contents of `/home/swhitton` need to be backed up, assuming, that is, +that all Pkgfiles have been uploaded to my CRUX repository. 
Of this +- most directories are synced with my mr/git/gitosis setup; +- `~/var` may be synced using Unison; +- `~/local` and `~/tmp` need to be backed up manually; +- check for any leftover non-hidden files in `~`; +- dotfiles in `~` should already be checked into version control; + those that are not are probably safe to discard; +- any custom ports in `/usr/ports/local` that have not yet been + transitioned into `~/src/ports`. + +The only other place there may be things to be saved are in `/srv` +(should be symlinked into `/home` so that it’s encrypted, though), +`/var` (unlikely) and of course the Windows partition. + +Ports repository +---------------- + +### DONE Set up `crux.sean.whitton.me` httpup ports repo<span class="tag" data-tag-name="ProjectIdea"></span><span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-08-30 Tue 16:56\] + +<http://crux.nu/Wiki/SettingUpAnHttpupRepo> + +#### DONE [CRUX ports](http://obra.se/)<span class="tag" data-tag-name="ToRead"></span><span class="tag" data-tag-name="NOEXPORT"></span> + +CLOSED: \[2011-07-17 Sun 22:43\] + +portspage script + +Local LAMP setup for development +-------------------------------- + +### lighttpd & PHP + +``` {.nil} +,# prt-get depinst lighttpd php +,# useradd -s /bin/false lighttpd +,# groupadd lighttpd +,# touch /var/www/logs/access_log +,# touch /var/www/logs/error_log +,# chown lighttpd:lighttpd /var/www/logs/* +``` + +Add `mod_fastcgi` to modules listing and switch to the non-chroot setup. 
+Add to the end of config file + +``` {.conf} +fastcgi.server = ( ".php" => + (( + "bin-path" => "/usr/bin/php-cgi", + "socket" => "/tmp/php.socket", + "max-procs" => 1, # default: 2 + "idle-timeout" => 20, + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "3", # default: 4 + "PHP_FCGI_MAX_REQUESTS" => "10000" + ), + "bin-copy-environment" => ( + "PATH", "SHELL", "USER" + ), + "broken-scriptfilename" => "enable" + ))) +``` + +Add to `/etc/hosts.allow` + +``` {.conf-colon} +www: 127.0.0.1 +``` + +When you want to use the web server, call `/etc/rc.d/lighttpd start`. + +### MySQL + +``` {.nil} +,# prt-get depinst mysql php-mysql php-mysqli php-fcgi +,# mysql_install_db +,# mysqladmin -u root password <password_here> +``` + +Comment out `skip-innodb` and `skip-networking` in `/etc/my.cnf`. Start +the daemon when needed. + +DONE ioquake setup +------------------ + +CLOSED: \[2011-08-29 Mon 15:11\] + +ioquake installs per-user, so this is very neat. Visit [the +website](http://ioquake3.org/get-it/) and download the engine download +and the data installer. Use install path `~/local/bin` and binary path +`~/bin`. Install the data files with the same settings (leave tick boxes +as they are). Then take pak0.pk3 from copy of Quake III Arena and drop +this into `~/local/bin/ioquake3/baseq3`. To run, edit .xinitrc to set +ioquake3 as window manager and re-login. 
+ +DONE <http://crux.nu/ports/crux-2.7/opt/service/Pkgfile><span class="tag" data-tag-name="ToRead"></span> +-------------------------------------------------------------------------------------------------------- + +CLOSED: \[2011-08-29 Mon 14:49\] + +Other resources +=============== + +- [The CRUX handbook](http://crux.nu/Main/Handbook2-7), of course +- [An alternative installation + guide](http://www.linuxforums.org/forum/coffee-lounge/121441-how-install-crux.html) + by Dapper Dan +- [The only other CRUX + thread](http://www.linuxforums.org/forum/installation/129422-solved-crux-install-problem.html) + on Linux Forums, afaict +- [The only information I can find on setting up full disc encryption + with CRUX](http://crux.nu/Wiki/Cryptsetup) +- [K.Mandla’s blog](http://kmandla.wordpress.com/), who inspired me to + try out CRUX + - K.Mandla on [building an ultralight + kernel](http://kmandla.wordpress.com/2010/07/02/configuring-an-ultralight-2-6-34-kernel/) +- The [Arch wiki](http://wiki.archlinux.org/), the best place guides + on for this semi-minimalist style of GNU/Linux computing +- On X11 font rendering: + - [Arch + wiki](https://wiki.archlinux.org/index.php/Font_Configuration#Patched_packages) + - [K.Mandla](http://kmandla.wordpress.com/2008/10/29/fonts-as-sharp-as-razors-crux-ports-for-lcd-patches/) + - Arch BBS: + [1](https://bbs.archlinux.org/viewtopic.php?id%3D16372), + [2](https://bbs.archlinux.org/viewtopic.php?id%3D108884), + [3](https://bbs.archlinux.org/viewtopic.php?id%3D105839) + - [Gentoo + forums](http://forums.gentoo.org/viewtopic-t-723341.html) + - [Infinality + forums](http://www.infinality.net/forum/viewtopic.php?f%3D2&t%3D74) + - [about all » Xft, Fonts X11, + Terminus](http://wp.psyx.us/?p%3D235) +- [Password-protecting LILO at various + levels](http://www.brunolinux.com/05-Configuring_Your_System/Password_Protect_Lilo.html) +- [StarCraft II on the Arch + wiki](https://wiki.archlinux.org/index.php/Starcraft2) + +[^1]: Some daemons may still 
write some logs; if this happens, nuke them + and hope they weren't important. Yes, there are probably better + approaches. |
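Review bot: the sudo section (`%wheel ALL=(ALL) NOPASSWD: ALL` followed by `usermod -a -G wheel swhitton`) gives the everyday desktop account passwordless root, so anything that runs as swhitton (the Flash plugin, wine, the mpd/mpdscribble daemons started from `.xinitrc`) can become root silently; use `%wheel ALL=(ALL) ALL` and, if the lid script and `rc.local` genuinely need it, a second NOPASSWD rule naming only those commands (the `echo 2 | sudo tee ...` line in `/etc/rc.local` needs no sudo at all, since `rc.local` already runs as root). Measured against the stated goal of keeping a thief out of `/home`, `lm_lid.sh` suspends with `sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock`, which by its name skips the screen lock, so a laptop taken while suspended resumes into an unlocked session with `/home` already decrypted; drop `nolock` or lock before `pm-suspend`. Smaller points: the `sshd: 10.9.8. 192.168.0. 10.8.0.` line in `/etc/hosts.allow` restricts nothing unless `/etc/hosts.deny` carries `ALL: ALL`, which these notes never check; `tap.conf` already has `persist-key` and `persist-tun` but no `user nobody`/`group nobody`, so openvpn keeps running as root after the tunnel is up; and `mysqladmin -u root password <password_here>` puts the password into shell history and the process list, so set it interactively, and keep `skip-networking` unless the development server actually needs remote MySQL connections.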