author: Sean Whitton <spwhitton@spwhitton.name> 2015-11-08 09:43:01 -0700
committer: Sean Whitton <spwhitton@spwhitton.name> 2015-11-08 09:43:01 -0700
commit: 51b35a9669314710f0be0086de03933dd5ab0c37 (patch)
tree: a173dede85025d6233de5fad810a0026571fd7d1 /tech/crux.mdwn
parent: 6de270a7f15e6453c74fe11ef279ab93960591a8 (diff)
download: wiki-51b35a9669314710f0be0086de03933dd5ab0c37.tar.gz
import more pages (badly)
Diffstat (limited to 'tech/crux.mdwn')
-rw-r--r-- tech/crux.mdwn 1959
1 files changed, 1959 insertions, 0 deletions
diff --git a/tech/crux.mdwn b/tech/crux.mdwn
new file mode 100644
index 0000000..c52fe3e
--- /dev/null
+++ b/tech/crux.mdwn
@@ -0,0 +1,1959 @@
+In July 2011 I switched to the GNU/Linux distribution
+[CRUX](http://crux.nu/) from ArchLinux, desiring increased speed and
+stability, while maintaining customisability, which I got. I switched
+back to Debian Stable in January 2012.
+
+There isn’t much non-official documentation for CRUX so I documented the
+entire setup here, for my own reference when reinstalling machines and
+for other beginners looking to try out CRUX. In particular I have
+detailed my setup for encrypting my hard drive, which is esoteric but
+the best way I can come up with for doing it on CRUX.
+
+The [CRUX handbook](http://crux.nu/Main/Handbook2-7) is what you should
+really be using for this, referring to my notes only when the handbook
+is a bit skimpy on detail. I’ll repeat an arbitrary selection of what
+that tells you to do.
+
+[My ports](http://spw.sdf.org/crux/) for CRUX are [in the
+portdb](http://crux.nu/portdb/?a%3Drepo&q%3Dswhitton); they’re used
+throughout this document.
+
+I used CRUX 2.7 in preparing this.
+
+Installation
+============
+
+Encryption strategy
+-------------------
+
+My paranoia levels are such that I want to set up enough encryption to
+foil someone without a mainframe who acquires my laptop from getting at
+my personal data, but I don’t take the steps necessary to stop someone
+from inserting a keylogger into my machine, leaving it for me to pick up
+again without me knowing it’s been gone, and then stealing my encryption
+passphrase anyway.
+
+Since `/boot` has to be unencrypted and I am not willing to carry it
+around on a floppy or something, there is therefore no additional risk
+in having the root partition unencrypted, so I just encrypt `/home`,
+`/var`, have `/tmp` as a ramdisk, no swap and take steps to move
+sensitive configuration files (*e.g.* OpenVPN) in `/etc` into
+`/home/etc` so they are safe.
+
+The reason I am not simply encrypting the root filesystem rather than
+have these separate partitions is that that would slow down the boot
+sequence substantially by requiring an initrd.
+
+I don’t encrypt my desktop system at all anymore; the chances of it
+being stolen are so very much smaller than those for my laptop, I trust
+my family and LILO password is sufficient for LAN party security.
+
+Partitions and formatting
+-------------------------
+
+Run `fdisk` as instructed. If dual-booting with Windows, remember that
+it likes to be in the first partition. [A useful guide to
+`fdisk`](http://tldp.org/HOWTO/Partition/fdisk_partitioning.html). Going
+with 10GB for the root partition as the first time I did this I had 5
+for that and 10 for `/var`, and I didn’t have enough space to install
+TeX Live and had to do crazy repartitioning of encrypted partitions…
+
+Here’s a summary of the sizes I choose for my partitions:
+
+ Partition Size Filesystem
+ ----------- ----------------- ------------
+ `/` 10GB ext3
+ `/var` 5GB ReiserFS
+ `/home` remaining HDD ext4
+ `/tmp` max. 50% of RAM tmpfs
+
+so
+
+``` {.nil}
+,# mkfs.ext3 /dev/sda1
+```
+
+or, `mkfs.ext4` on my single-partition desktop.
+
+Installing the CRUX distribution
+--------------------------------
+
+We don’t mount our partition for `/var` separately at this stage because
+the live CD doesn’t have the tools needed to do disc encryption, and
+it’s far easier to let (non-personal) data get written to `/var` now
+that can later be moved into the encrypted partition, rather than
+supplying the installation with the scripts and modules to encrypt now.
+
+``` {.nil}
+,# mount /dev/sda1 /mnt
+,# setup
+```
+
+Select all three port collections and then **deselect** the following
+packages from `opt`: `fetchmail`, `firefox`, `grub`, `lvm2`, `mdadm`,
+`nano`, `openbox`, `procmail`, `rp-pppoe`, `wvdial`, `xterm`;
+**deselect** the following packages from `xorg`: `xorg-xf86-video-*`
+except for `vesa`.
+
+Config files
+------------
+
+Chroot and set the root password as instructed.
+
+Lines for `/etc/fstab`; again this is simple as we’re going to add
+encrypted partitions later:
+
+``` {.nil}
+/dev/sda1 / ext3 defaults,noatime 0 1
+tmp /tmp tmpfs defaults,nosuid,size=1024M,mode=1777 0 0
+usb /proc/bus/usb usbfs defaults 0 0
+/dev/sdaX /mnt/seven ntfs-3g defaults 0 0
+```
+
+We’ll use `autofs` for floppy and optical drives.
+
+In `/etc/rc.conf`, we change the keymap to `uk`, timezone to
+`Europe/London` and hostname to `artemis` for my laptop and `zephyr` for
+my desktop. Leave services and font as they are for now.
+
+Generate locales:
+
+``` {.nil}
+,# localedef -i en_GB -f ISO-8859-1 en_GB
+,# localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1
+,# localedef -i en_GB -f UTF-8 en_GB.utf8
+```
+
+### Temporary network setup
+
+We will need wired network access with which to get wireless working,
+and the way I do this is to tether one machine to the other. The
+following configuration achieves that:
+
+``` {.conf}
+#!/bin/sh
+#
+# /etc/rc.d/net: start/stop network
+#
+
+case $1 in
+ start)
+ # loopback
+ /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
+ /sbin/ip link set lo up
+ # ethernet
+ /sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast +
+ /sbin/ip link set eth0 up
+ # default route
+ /sbin/ip route add default via 10.8.0.1
+ ;;
+ stop)
+ /sbin/ip route del default
+ /sbin/ip link set eth0 down
+ /sbin/ip addr del 10.8.0.2/24 dev eth0
+ /sbin/ip link set lo down
+ /sbin/ip addr del 127.0.0.1/8 dev lo
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 [start|stop|restart]"
+ ;;
+esac
+
+# End of file
+```
+
+Run these commands on the host machine to open up the target to the
+‘net:
+
+``` {.nil}
+$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
+$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE
+```
+
+and its config file (if it’s running CRUX; it’s quite easy to move to
+other distros):
+
+``` {.conf}
+#!/bin/sh
+#
+# /etc/rc.d/net: start/stop network
+#
+
+case $1 in
+ start)
+ # loopback
+ /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
+ /sbin/ip link set lo up
+ # ethernet
+ /sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast +
+ /sbin/ip link set eth0 up
+ # default route
+ #/sbin/ip route add default via 10.8.0.1
+ ;;
+ stop)
+ #/sbin/ip route del default
+ /sbin/ip link set eth0 down
+ /sbin/ip addr del 10.8.0.1/24 dev eth0
+ /sbin/ip link set lo down
+ /sbin/ip addr del 127.0.0.1/8 dev lo
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 [start|stop|restart]"
+ ;;
+esac
+
+# End of file
+```
+
+This can be a bit flaky and doesn’t like hotplugging or rebooting so be
+willing to make liberal use of `/etc/rc.d/net restart`.
+
+`/etc/hosts`:
+
+``` {.conf}
+127.0.0.1 localhost
+127.0.1.1 artemis.silentflame.com artemis
+
+193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
+```
+
+`/etc/resolv.conf`:
+
+``` {.conf}
+search silentflame.com
+#nameserver 10.9.8.1
+nameserver 208.67.220.222
+nameserver 208.67.220.220
+```
+
+The commented out address will be of use once OpenVPN is operational.
+
+#### DONE Post other machines config too
+
+CLOSED: \[2011-08-29 Mon 14:56\]
+
+Also note need to restart on both ends after reboot.
+
+Compiling the kernel
+--------------------
+
+Here are changes I have made; everything else is left as-is.
+- General setup
+ - Disable development/incomplete code/drivers
+ - Disable swap support
+ - Enable BSD Process Accounting
+ - Disable kernel .config support
+ - Enable UTS & IPC namespace support
+ - Disable initramfs/initrd
+ - Disable optimisation for size
+ - On zephyr, enable configure standard kernel features (for
+ small systems) \[Apple keyboard\]
+- Enable loadable module support
+ - Disable unloading modules
+- Processor type and features
+ - Processor family: Core 2/newer Xeon
+ - Maximum number of CPUs set to 2
+ - Disable SMT (Hyperthreading) scheduler support
+ - Enable machine check / overheating reporting
+ - Disable AMD MCE features
+ - High Memory Support: 4GB
+ - Enable KSM for page merging
+ - Enable Math emulation
+ - Enable MTRR cleanup support
+ - Enable -fstack-protector buffer overflow detection
+- Power management and ACPI options
+ - Enable power management support
+ - Enable run-time PM core functionality
+ - Enable APM for laptop (though this is known to be dodgy; care)
+ - Enable CPU frequency scaling on artemis
+ - Disable CPU frequency translation statistics
+ - Enable the powersave, userspace, and conservative governors
+ on artemis, and ondemand instead of conservative on zephyr.
+ Set default governor to performance
+ - Module ACPI Processor P-states driver
+- Bus options
+ - Enable Message Signaled Interrupts
+ - Disable ISA support
+ - PCMCIA—disable on zephyr
+ - Disable Cirrus PD6729 compatible bridge support
+ - Disable i82092 compatible bridge support
+- Executable file formats / emulations
+ - Enable kernel support for MISC binaries
+- Networking support
+ - Networking options
+ - For the Oxford VPN, we will need to module these:
+ - Transformation user configuration interface
+ - PF~KEY~ sockets
+ - IP: GRE tunnels over IP
+ - IP: AH transformation
+ - IP: ESP transformation
+ - IP: IPComp transformation
+ - IP: IPsec transport mode
+ - IP: IPsec tunnel mode
+ - IP: IPsec BEET mode
+ - Enable INET: socket monitoring interface
+ - Disable IPv6 (I’m never on a network that supports it)
+ - Enable Netfilter
+ - Core Netfilter Configuration
+ - Enable Netfilter connection tracking support
+ - IP: Netfilter configuration
+ - Enable IPv4 connection tracking support
+ - Enable IP tables support
+ - Enable Full NAT
+ - Enable MASQUERADE target support
+ - Enable REDIRECT target support
+ - Module 802.1d ethernet bridging
+ - Wireless
+ - Enable (*i.e.* not just module) cfg80211
+ - Enable Generic IEEE 802.11 Networking Stack (mac80211)
+ - Enable RF switch subsystem support on artemis
+- Device drivers
+ - Generic driver options
+ - Enable maintain a devtmpfs filesystem to mount at /dev
+ - Automount devtmpfs at /dev. after the kernel…
+ - Enable include in-kernel firmware blobs in kernel binary
+ - Enable connector—unified userspace &lt;-&gt; kernelspace linker
+ - Plug and play support
+ - Enable PNP debugging messages
+ - Block devices
+ - Module normal floppy disk support on artemis, enable on
+ zephyr
+ - Disable Compaq SMART2 support
+ - Disable Compaq Smart Array 5xxx support
+ - Disable Mylex DAC960/DAC1100 PCI RAID controller support
+ - Module loopback device support
+ - Disable network block device support
+ - Module RAM block device support (this may break tmpfs?)
+ - Disable ATA over ethernet support
+ - On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) \[this
+ may or may not help failure to boot issue, really have no idea
+ atm\]
+ - Enable support for SATA (deprecated; conflicts with libata
+ SATA driver)
+ - Enable generic ATA/ATAPI disk support
+ - Enable ATA disk support
+ - Enable Include IDE/ATAPI CDROM support
+ - Enable IDE ACPI support
+ - Enable generic/default IDE chipset support
+ - Enable Platform driver for IDE interfaces
+ - Enable AMD and nVidia IDE support
+ - SCSI device support
+ - Enable SCSI disk support
+ - Enable SCSI CDROM support
+ - Enable vendor-specific extensions (for SCSI CDROM) on
+ zephyr only
+ - Enable SCSI generic support
+ - Probe all LUNs on each SCSI device
+ - Enable asynchronous SCSI scanning
+ - Enable serial ATA and parallel ATA drivers
+ - Enable AHCI SATA support
+ - Enable platform AHCI SATA support
+ - On zephyr enable NVIDIA SATA support
+ - Enable multiple devices driver support (RAID and LVM)
+ - Enable device mapper support
+ - Enable crypt target support
+ - Enable snapshot target
+ - Enable mirror target
+ - Disable Fusion MPT device support
+ - IEEE 1394 (FireWire) support
+ - Disable FireWire driver stack
+ - Enable Macintosh device drivers (hmm shouldn’t keyboard be
+ under here?)
+ - Network device support
+ - Module dummy net driver support
+ - Module universal TUN/TAP device driver support
+ - Wireless LAN
+ - Enable Intel Wireless Wifi on artemis
+ - Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on
+ artemis
+ - Enable Intel Wireless WiFi 5000AGN … on artemis
+ - Enable Ralink driver support on zephyr
+ - Enable rt2500 (USB) support
+ - Enable rt2501/rt73 (USB) support
+ - Enable Ralink debug output
+ - Disable PPP support
+ - Input device support
+ - Disable support for memoryless force-feedback devices
+ - Disable polled input device skeleton
+ - Set horizontal and vertical screen resolution
+ - Enable event interface
+ - Mice
+ - On zephyr, enable PS/2 mouse
+ - Disable serial mouse
+ - Disable Apple USB touchpad support
+ - Disable Apple USB BCM5974 Multitouch trackpad support
+ - Character devices
+ - Serial drivers
+ - Disable 8250/16550 and compatible serial support
+ - Enable Timer IOMEM HW Random Number General support
+ - Enable Intel HW Random Number Generator support
+ - Disable AMD … random number generator support × 2
+ - Enable /dev/nvram support
+ - Enable SPI support
+ - Power supply class support
+ - Module test power driver
+ - Module all battery types on artemis for now
+ - Enable hardware monitoring support
+ - Generic thermal sysfs driver
+ - Enable hardware monitoring support
+ - Disable multimedia support
+ - Graphics support
+ - Enable laptop hybrid graphics on artemis
+ - Module direct rendering manager
+ - Disable support for frame buffer devices
+ - Enable backlight & LCD device support on artemis
+ - Display device support
+ - Enable display panel/monitor support
+ - Console display driver support
+ - Disable scrollback buffer in system RAM
+ - Enable sound card support
+ - Enable ALSA
+ - Enable sequencer support
+ - Enable OSS mixer API
+ - Enable OSS PCM
+ - Enable OSS sequencer API
+ - Disable verbose procfs contents
+ - PCI sound devices
+ - Enable Intel HD Audio
+ - On artemis enable aggressive power-saving on
+ HD-audio
+ - Default time-out for HD-audio power-save
+ mode: 60
+ - On zephyr enable build nvidia HDMI HD-audio
+ codec support
+ - Disable HID drivers on artemis, enable on zephyr—enable/module
+ on artemis if want USB mouse support
+ - Special HID drivers
+ - Enable Apple
+ - USB support
+ - Enable support for host-side usb
+ - Enable USB device filesystem
+ - Enable WUSB cable based association
+ - Enable EHCI HCD (USB 2.0) support
+ - Disable USB modem support
+ - Enable MMC/SD/SDIO card support on artemis
+ - On artemis, enable Secure Digital host controller interface
+ support
+ - On artemis enable SDHCI support on PCI bus
+ - On artemis enable Ricoh MMC controller disabler
+ - Disable Real Time Clock
+ - Enable auxiliary display support
+ - Disable X86 platform specific device drivers
+ - ~~On artemis, module Acer WMI laptop extras, Asus laptop
+ extras and ThikPad ACPI laptop extras—don’t think it’s the
+ latter but one of three for SL300 which has IdeaPad
+ internals, not proper ThinkPad~~ —using `lenovo-sl-laptop`
+ - On zephyr enable staging drivers
+ - Disable exclude staging drivers from being built
+ - Enable Ralink 2870/3070 wireless support
+- File systems
+ - Enable ext2
+ - Enable ext3
+ - Default to ‘data-ordered’ in ext3
+ - Enable ext4
+ - Enable reiserfs
+ - Disable JFS
+ - Disable XFS
+ - Enable kernel automounter version 4 support (also supports v3)
+ - Enable FUSE
+ - Module character device in userpace \[sic\] suppose
+ - CD-ROM/DVD filesystems
+ - Enable ISO 9660 CDROM file system support
+ - Enable Microsoft Joliet CDROM extensions
+ - Enable transparent decompression extension
+ - UDF file system support
+ - DOS/FAT/NT filesystems
+ - Disable MSDOC fs support
+ - Enable VFAT (Windows-95) fs support
+ - On zephyr, enable NTFS file system support; disable on
+ artemis
+ - On zephyr enable NTFS write support
+ - Network file systems
+ - Enable NFS client support
+ - Enable NFS client support for the NFSv3 ACL protocol
+ extension
+ - Enable NFS server support for the NFSv3 ACL protocol
+ extension
+ - Disable SMB file system support
+ - Disable CIFS support
+- Kernel hacking
+ - Enable timing information on printks
+ - Enable \_~mustcheck~ logic
+ - Disable Magic SysRq key
+ - Enable sysctl checks
+ - Filter access to /dev/mem
+ - Maybe enable verbose x86 bootup info messages
+- Cryptographic API
+ - Module null algorithms
+ - Module CCM support (Oxford VPN)
+ - Module GCM/GMAC support (Oxford VPN)
+ - Enable SHA224 and SHA256 digest algorithm
+ - Enable Zlib
+ - Enable LZO
+ - Enable pseudo random number generation for cryptographic modules
+- Virtualisation
+ - Enable KVM support
+ - Enable KVM for Intel processors support
+ - Module Virtio balloon driver
+
+Once done with `menuconfig`, we set things up:
+
+``` {.nil}
+,# make all && make modules_install
+,# cp arch/x86/boot/bzImage /boot/vmlinuz
+,# cp System.map /boot
+```
+
+nil
+
+Bootloader
+----------
+
+Set up lilo; for artemis:
+
+``` {.conf}
+#
+# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
+#
+
+lba32
+install=text
+compact
+boot=/dev/sda
+image=/boot/vmlinuz
+ label=CRUX
+ root=/dev/sda3
+ read-only
+ append="quiet acpi_backlight=vendor"
+
+# End of file
+```
+
+and for zephyr:
+
+``` {.conf}
+#
+# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
+#
+
+lba32
+install=text
+prompt
+timeout=30
+compact
+boot=/dev/sda
+image=/boot/vmlinuz
+ label=CRUX
+ root=/dev/sda3
+ read-only
+ append="quiet"
+other=/dev/sda2
+ label=dos
+
+# End of file
+```
+
+``` {.nil}
+# lilo
+# reboot
+```
+
+### DONE Actually fill this section in<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-17 Sun 16:12\]
+
+Post-install configuration
+==========================
+
+Pre-encryption tweaks—stop building things as root
+--------------------------------------------------
+
+Following the advice [here](http://crux.nu/Wiki/PostInstallationNotes),
+we set up a non-priviledged user to build ports. This also moves port
+building out of `/usr` and into `/var` where it belongs.
+
+We create our user account here because otherwise pkgmk will get the
+first UID.
+
+``` {.nil}
+,# groupadd pkgmk
+,# useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk
+,# useradd -m -d /var/pkgmk -g pkgmk pkgmk
+,# mkdir /var/pkgmk/{distfiles,packages,work}
+,# chown pkgmk:pkgmk /var/pkgmk/*
+,# chmod 775 /var/pkgmk/*
+```
+
+`/etc/prt-get.conf`:
+
+``` {.conf}
+makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk
+```
+
+`/etc/pkgmk.conf`:
+
+``` {.conf}
+PKGMK_SOURCE_DIR="/var/pkgmk/distfiles"
+PKGMK_PACKAGE_DIR="/var/pkgmk/packages"
+PKGMK_WORK_DIR="/var/pkgmk/work/$name"
+```
+
+`/etc/hosts`:
+
+``` {.conf}
+193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
+```
+
+### CANCELLED Fix permissions for creating .md5sum (maybe) and also grok how this actually works<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:55\]
+
+Pre-encryption tweaks—packages
+------------------------------
+
+We can’t do much until encryption is operational because we don’t want
+to introduce any kind of personal data to the system until then. However
+our lives in setting that up will be a lot easier with some additional
+packages to our very spartan system.
+
+If you see this on a bootup:
+
+``` {.nil}
+umount: /sys: device is busy.
+ (In some cases useful info about processes that use
+ the device is found by lsof(8) or fuser(1))
+mount: sysfs already mounted or /sys busy
+```
+
+then be assured that it may be safely ignored; I believe it’s a bug in
+the `/etc/rc` script.
+
+First we enable the `contrib` ports collection
+
+``` {.nil}
+,# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync
+,# ports -u contrib
+```
+
+We tell `prt-get` that we’ve done so by uncommenting the line
+
+``` {.conf}
+prtdir /usr/ports/contrib
+```
+
+near the start of `/etc/prt-get.conf`. Now we use the `mpup` utility to
+add some ports from third party repositories. `mpup` is like `ports -u`
+except only specific ports are fetched, rather than a whole irrelevant
+repository.
+
+``` {.nil}
+,# prt-get depinst mpup
+,# mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup
+```
+
+Now we add my personal repository TODO and gnome and xfce TODO (gnome
+below contrib so guile installs right
+
+Add to `/etc/mpup.lst`:
+
+``` {.nil}
+httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
+httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid
+rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus
+rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus
+httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
+httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp
+httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble
+httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip
+httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font
+rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
+httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools
+httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1
+httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit
+httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5
+httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword
+httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex
+httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs
+httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
+httpup sync http://www.landofbile.com/crux_ports/#gmime gmime
+httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd
+httpup sync http://vico.kleinplanet.de/files/repo/#abcde abcde
+httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid
+httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2
+rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python
+httpup sync http://jue.li/crux/ports/#s3fs s3fs
+rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid
+```
+
+and add `prtdir /usr/ports/meta` to the beginning of
+`/etc/prt-get.conf`. Next we’ll install some basic utilities but before
+we do that we enable install scripts in `/etc/prt-get.conf`:
+
+``` {.conf}
+runscripts yes
+```
+
+now
+
+``` {.nil}
+,# ports -u meta swhitton
+,# prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex
+,# prt-get remove vim
+```
+
+Change the keymap in `/etc/rc.conf` to `uk.swapcaps` and then
+
+``` {.nil}
+,# loadkeys uk.swapcaps
+```
+
+to make caps lock into a control key, as it should be.
+
+This should be enough to bootstrap my standard CLI interface into
+`/root`, which’ll make things more comfortable.
+
+``` {.nil}
+,# cd ~
+,# rm -rf .ssh
+,# mr --trust-all bootstrap xyrael.net/mrconfig-crux
+,# chsh -s /bin/zsh
+,# zsh
+```
+
+### DONE Paste u/mount error<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 15:01\]
+
+### DONE Fill in more from actual file<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:53\]
+
+Encrypted partitions
+--------------------
+
+At long last we are ready to prepare our encrypted partitions, move our
+sensitive data into them and then to have them decrypted at boot.
+
+### Create partitions
+
+``` {.nil}
+,# cryptsetup luksFormat /dev/sda2
+,# cryptsetup luksFormat /dev/sda3
+,# cryptsetup luksOpen /dev/sda2 artemis-var
+,# cryptsetup luksOpen /dev/sda2 artemis-home
+,# mkfs.reiserfs /dev/mapper/artemis-var
+,# mkfs.ext4 /dev/mapper/artemis-home
+```
+
+We’ll mount up the home partition and put something in it for testing
+purposes.
+
+``` {.nil}
+,# mount /dev/mapper/artemis-home /home
+,# echo "it works\!" > /home/test.txt
+```
+
+### Decryption
+
+To confirm that things are working we’ll do `/home` first before `/var`,
+because the latter gets log files written to it that we’re going to have
+to be careful about moving.
+
+Open up `/etc/rc` and find the line
+
+``` {.bash}
+,# Check filesystems
+```
+
+Above the chunk of lines this line heralds the commencement of, we are
+going to add our decryption commands. These are
+
+``` {.bash}
+,# SEAN DECRYPTION BEGIN
+
+,# we need to set the keymap early in order to be able to decrypt
+if [ "$KEYMAP" ]; then
+ /usr/bin/loadkeys -q $KEYMAP
+fi
+
+/usr/bin/setfont $FONT
+
+echo ""
+echo -n "This is Sean's computer - enter system passphrase: "
+
+/bin/stty -echo; read PASSPHRASE; /bin/stty echo
+echo ""
+echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var
+echo -n "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home
+
+PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot"
+unset PASSPHRASE
+
+,# SEAN DECRYPTION END
+```
+
+The idea of this code is to stop someone from being able to do anything
+with the system without opening it up, which was considered to be an
+acceptable risk in our encryption strategy.
+
+Add this line to `/etc/fstab`:
+
+``` {.conf}
+/dev/mapper/artemis-home /home ext4 defaults 0 2
+```
+
+Reboot, and confirm our test file is still in place with the content we
+gave it. If so, it's time to move the files in `/var`. We stop daemons
+that might write there before doing so,[^1] move the data and then
+reboot and cross our fingers.
+
+First add this line to `/etc/fstab`:
+
+``` {.conf}
+/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2
+```
+
+then
+
+``` {.nil}
+,# mkdir /mnt/tmp
+,# mount /dev/mapper/artemis-var /mnt/tmp
+,# /etc/rc.d/sysklogd stop
+,# /etc/rc.d/crond stop
+,# /etc/rc.d/net stop
+,# mv /var/* /mnt/tmp
+,# mv /var/.* /mnt/tmp
+,# reboot
+```
+
+This doesn't really require a reboot, but it's nice to see all the
+encryption stuff now fully working in tandem.
+
+### DONE On artemis, unmount /var in rc.shutdown to prevent reiserfs journal replay on every boot<span class="tag" data-tag-name="TechFix"></span><span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:53\]
+
+Post-encryption setup
+---------------------
+
+Whew, now that encryption’s done we’re safe to start setting up my
+environment.
+
+### Distribution update
+
+First bring the distribution up-to-date:
+
+``` {.nil}
+,# prt-get sysup
+```
+
+This will take a while since the packages will need to be compiled,
+unlike during the installation where this has already been done. Also
+=prt-get=’s dependency resolution isn’t perfect, and you may be required
+to intervene to upgrade some packages before others.
+
+Now we’ve hacked `/etc/rc` we need to lock it to prevent it being
+overwritten by updates, which would stop our system from starting up.
+Add this line to `/etc/pkgadd.conf`
+
+``` {.conf}
+UPGRADE ^etc/rc$ NO
+```
+
+### Wireless
+
+Let’s stop dependency on another host for Internet access.
+
+For artemis, we need the wireless firmware from
+[here](http://intellinuxwireless.org/?n%3Ddownloads&f%3Ducodes_5000),
+and we need a release of the 5000 images (for our 5100AGN card) old
+enough to have -2 at the end, as our kernel version doesn’t seem to look
+for anything higher. 8.24.2.12.tgz appears to be the latest with this
+property. Extract the `.ucode` file into `/lib/firmware` and reboot and
+the hardware should be ready to go.
+
+For zephyr we need
+[rt2870.bin](http://www.ralinktech.com/support.php?s%3D2) which we can
+drop into `/lib/firmware`; we then need a symlink:
+`ln -s /lib/firmware/rt2870.bin
+/lib/firmware/rt3070.bin` because the rt2870.bin driver covers a lot of
+hardware and the kernel looks in the wrong place.
+
+Install `wicd` to manage network connections from now on. Somehow `glib`
+doesn’t get updated enough/at all in the sysup so do it again here
+(maybe).
+
+``` {.nil}
+,# prt-get update glib
+,# prt-get depinst wicd urwid
+,# /etc/rc.d/dbus start
+,# /etc/rc.d/wicd start
+```
+
+Add the `atd`, `dbus` and `wicd` daemons (in that order) to
+`/etc/rc.conf`, and comment out the gateway settings for `eth0` from
+`/etc/rc.d/net` (we can’t remove this daemon entirely because we need
+the loopback interface—discovered this the hard way when mpd wouldn’t
+work…). Fire up `wicd-curses` to connect to your wireless network.
+Remember to add `10.9.8.1` as first DNS server, globally, then OpenDNS.
+
+### ntp
+
+At this point I tend to notice my system clock drifting.
+
+``` {.nil}
+,# prt-get depinst openntpd
+,# /etc/rc.d/ntpd start
+```
+
+Add ntpd to list of daemons in `/etc/rc.conf`. In `/etc/rc.d/ntpd`, make
+the `-s` into `-S` so that ntp doesn’t even try to change the time on
+startup, which makes a big difference to boot speed.
+
+Add to `/etc/pkgadd.conf`:
+
+``` {.conf}
+UPGRADE ^etc/rc\.d/ntpd$ NO
+```
+
+to protect our changes.
+
+#### DONE Exclude /etc/rc.d/ntpd from being changed on package updates<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:58\]
+
+### User account
+
+``` {.nil}
+,# mkdir /home/swhitton
+,# chown swhitton:users /home/swhitton
+,# passwd swhitton
+```
+
+Log out and login again as the new user. Bootstrap its homedir:
+
+``` {.nil}
+$ mr --trust-all bootstrap xyrael.net/mrconfig-crux
+```
+
+### DONE Apple keyboard at console
+
+CLOSED: \[2011-08-29 Mon 14:59\]
+
+On zephyr, add to `/etc/rc.local`:
+
+``` {.bash}
+echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null
+```
+
+### X
+
+#### Setup
+
+We’re going with the non-free nVidia drivers since we have a nVidia card
+we want to make some use of:
+
+``` {.nil}
+,# prt-get depinst nvidia
+,# reboot
+,# nvidia-xconfig
+,# gl-select use nvidia
+```
+
+To test X, back as `swhitton`, we prepare a minimal `.xinitrc` with just
+the line `exec urxvt`, moving the usual file to `.xinitrc~`.
+
+``` {.nil}
+$ startx
+```
+
+If you get a terminal that you can type into, and the mouse moves
+around, we’re good to go. Run `exit` in the terminal to kill off X.
+
+##### Driver tweaks
+
+Add the following lines to the `Device` section of `/etc/X11/xorg.conf`
+for some minor improvements (from Arch wiki):
+
+``` {.conf}
+Option "NoLogo" "1"
+Option "RenderAccel" "1"
+Option "ConnectedMonitor" "DFP"
+Option "TripleBuffer" "1"
+Option "DamageEvents" "1"
+Option "DPS" "1"
+```
+
+Remove the third line for zephyr.
+
+#### The almighty Terminus
+
+We need three versions of Terminus: one which provides the traditional X
+font, one which provides the xft font and one for the console.
+
+The Arch package provides all three at once, I believe, or at least the
+first two so should probably be looked into at some point.
+
+``` {.nil}
+,# prt-get depinst xorg-font-terminus console-font-terminus terminus-font
+```
+
+In the `Files` section of `/etc/X11/xorg.conf`, add the line
+
+``` {.conf}
+FontPath "/usr/lib/X11/fonts/terminus"
+```
+
+and then my `.Xresources` should take care of the rest. For console,
+update `/etc/rc.conf` to use this new font, `Lat2-Terminus16`.
+
+#### Font beautification
+
+CRUX’s X11 fonts look pretty poor without tweaks, and there are various
+ways to improve the situation. After much messing around I reckon that
+the cleartype approach is the best, especially since the packages on the
+AUR were recently renewed and seem to be maintained. Links about this
+issue at the end of this document.
+
+First we set up some package aliases so that our prt-get doesn’t think
+we’ve removed important dependencies. Append to
+`/var/lib/pkg/prt-get.aliases`
+
+``` {.conf-colon}
+libxft-cleartype: xorg-libxft
+freetype2-cleartype: freetype
+cairo-cleartype: cairo
+postfix: exim
+```
+
+and append to `/etc/pkgadd.conf` to protect this file from upgrades:
+
+``` {.conf}
+UPGRADE ^var/lib/pkg/prt-get.aliases$ NO
+```
+
+``` {.nil}
+,# prt-get remove freetype xorg-libxft cairo
+,# prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype
+```
+
+Taking the -ubuntu approach means no Xft Terminus so require the hacked
+TTF versions floating about, which means no smaller font in Conkeror
+minibuffer.
+
+Check in `/etc/fonts/fonts.conf` that near the top there is
+
+``` {.xml}
+<dir>/usr/share/fonts</dir>
+<dir>/usr/lib/X11/fonts</dir>
+<dir>~/.fonts</dir>
+```
+
+as the second line might be missing. This should be packaged
+up/automated at some point.
+
+##### DONE Tidy up dependency installation around this stuff<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-17 Sun 21:48\]
+
+Atm there will be clashes, particularly concerning the freetype files.
+
+&lt;Romster&gt; edit /var/lib/pkg/prt-get.aliases and add your port as
+an alias \[16:50\] &lt;Romster&gt; be sure to add that file to
+/etc/pkgadd.conf else changes will be gone should you ever
+reinstall/update prt-get.
+
+##### DONE Add `--install-scripts` throughout this file, as probably needed in lots of places<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-17 Sun 21:48\]
+
+Or just use prt-get config variable `runscripts`
+
+#### Lisp
+
+We are going to install the lisp environment to run my window manager,
+StumpWM, using the [quicklisp approach from the
+ArchWiki](https://wiki.archlinux.org/index.php/Stumpwm#With_Quicklisp_.28recommended.29).
+When my lisp knowledge improves I will make this into a package.
+
+``` {.nil}
+,# prt-get depinst sbcl texinfo
+,# wget beta.quicklisp.org/quicklisp.lisp
+,# sbcl --load quicklisp.lisp
+```
+
+and then in the interactive shell
+
+``` {.commonlisp}
+(quicklisp-quickstart:install)
+(ql:add-to-init-file)
+(ql:update-all-dists)
+(ql:quickload "clx")
+(ql:quickload "cl-ppcre")
+(quit)
+```
+
+This relies on the environment variable we set in `.zshrc`,
+`SBCL_HOME=/usr/lib/sbcl`.
+
+#### More building blocks
+
+Unfortunately, stumpwm won’t build unless we’re root at the moment as I
+haven’t got the package set up right. So first we comment out the lines
+we added to `/etc/prt-get.conf` and `/etc/pkgmk.conf` and then
+
+``` {.nil}
+,# cd /usr/ports/swhitton/stumpwm
+,# pkgmk -d
+,# chown pkgmk:pkgmk stumpwm\#git-1.pkg.tar.gz
+,# mv stumpwm\#git-1.pkg.tar.gz /var/pkgmk/packages
+```
+
+Now uncomment the lines again and
+
+``` {.nil}
+,# prt-get depinst xbindkeys avfs stumpwm
+$ mkdir .avfs
+# echo "user_allow_other" >> /etc/fuse.conf
+```
+
+This should be enough to get a graphical environment up, so `startx` and
+open up a shell with the usual `C-i C-t`. If dual monitors need setting
+up, su to root and run `nvidia-settings`.
+
+#### SLiM
+
+And changes to theme to make slimlock work and changes to slimlock.conf.
+
+#### gettys & SLiM
+
+Using a display manager is much neater than running startx from
+`~/.zshrc`.
+
+``` {.nil}
+,# prt-get depinst mingetty slim slimlock
+```
+
+We use mingetty because it allows autologin if we ever want it and it
+uses less resources than agetty. We don’t use autologin at the moment
+because we’re screenlocking with slimlock rather than vlock. One virtual
+console is sufficient.
+
+``` {.conf}
+#c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux
+c2:2:respawn:/sbin/mingetty --noclear tty2 linux
+#c3:2:respawn:/sbin/agetty 38400 tty3 linux
+#c4:2:respawn:/sbin/agetty 38400 tty4 linux
+#c5:2:respawn:/sbin/agetty 38400 tty5 linux
+#c6:2:respawn:/sbin/agetty 38400 tty6 linux
+#s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100
+
+x:2:respawn:/usr/bin/slim >& /dev/null
+```
+
+Amend these lines in `/etc/slim.conf`:
+
+``` {.conf}
+console_cmd /usr/bin/urxvt -T "Console login" -e /bin/sh -c
+"/bin/cat /etc/issue; exec /bin/login"
+default_user swhitton
+auto_login yes (on artemis)
+```
+
+and in `/etc/slimlock.conf`:
+
+``` {.conf}
+wrong_passwd_timeout 0
+show_username 1
+show_welcome_msg 0
+```
+
+and a fix to `/usr/share/slim/themes/crux-smooth/slim.theme`:
+
+``` {.conf}
+username_x 170
+password_x 170
+```
+
+##### CANCELLED Make this fix a patched version of the package
+
+CLOSED: \[2011-08-29 Mon 12:20\]
+
+### ALSA
+
+Let’s get sound operational.
+
+``` {.nil}
+,# prt-get depinst alsa-lib alsa-utils alsa-oss
+,# alsamixer
+```
+
+Hit `M` to unmute the main channel. Raise the volume until the db gain
+is 0 and then play a sound to test. If it doesn’t play, raise the other
+sliders around a bit.
+
+``` {.nil}
+,# aplay /home/swhitton/lib/beep.wav
+```
+
+Now add alsa to the daemons array in `/etc/rc.conf` and run
+
+``` {.nil}
+,# alsactl -f /var/lib/alsa/asound.state store
+,# /etc/rc.d/alsa start
+```
+
+### sshd
+
+Add to `/etc/hosts.allow`:
+
+``` {.conf}
+sshd: 10.9.8. 192.168.0. 10.8.0.
+```
+
+We need sshd running all the time in order to have tramp working
+smoothly, it seems (not in find-file but in eshell).
+
+### mpd, ncmpcpp & mpdscribble
+
+No reason to go any further without some tunes. We need to install
+`libmms` first in order to get proper streaming support.
+
+``` {.nil}
+,# prt-get depinst libmms libfaac
+,# prt-get depinst mpd mpc ncmpcpp mpdscribble
+```
+
+#### Sync media library
+
+One of unison’s dependencies, ocaml, will need a .footprint deleting.
+
+``` {.nil}
+,# prt-get depinst unison
+```
+
+Reconnect ethernet cable and run `/etc/rc.d/net restart` on both
+machines to bring up the connection. Run
+
+``` {.nil}
+$ unison ~/var ssh://10.8.0.2/var
+```
+
+on host tethered artemis/zephyr to copy `~/var` back over to new
+machine.
+
+#### Configuration
+
+We want mpd to run as swhitton. Uncomment loads of stuff in
+`/etc/mpd.conf` (and add `mixer_type "software"` to ALSA output to make
+mpd volume independent of everything else) make sensible edits and run
+
+``` {.nil}
+$ mkdir -p .mpd/playlists
+,# chown swhitton.users /var/cache/mpdscribble/*.journal
+,# usermod -a -G audio swhitton
+```
+
+At some point we should move the config we use inside `/home/swhitton`
+since everything happens there now.
+
+Add this line to `/etc/hosts.allow`:
+
+``` {.conf}
+mpd: 127.0.0.1
+```
+
+Add this line to `/etc/pkgadd.conf`:
+
+``` {.conf}
+UPGRADE ^var/cache/mpdscribble/.*\.journal$ NO
+```
+
+`.xinitrc` will take care of starting mpd and mpdscribble.
+
+### sudo
+
+Execute `visudo` and uncomment the line
+
+``` {.conf}
+%wheel ALL=(ALL) NOPASSWD: ALL
+```
+
+conf and execute
+
+``` {.nil}
+usermod -a -G wheel swhitton
+```
+
+to give swhitton full sudo access.
+
+### Desktop software
+
+``` {.nil}
+,# prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes
+flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp
+xclip libreoffice scrot shared-mime-info gnome-mime-data htop at
+filezilla abook libogg flac libvorbis easytag unzip imagemagick bc
+aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m
+dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts
+ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs
+notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist
+guile normalize abcde cd-discid eject terminator vte-python xchat s3fs
+service psi-im vcdimager subversion xfce-mcs-manager thunar
+```
+
+Select a theme with `gtk-chtheme`.
+
+Do *not* be tempted to install the packages `xorg-font-adobe-100dpi` &
+`xorg-font-adobe-75dpi`. They take priority over other fonts and look
+rubbish, screwing things up in general.
+
+At some point I should write a Pkgbuild to install
+[pdftk](http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/), but this
+is a nightmare because `gcj` is a nightmare to build, so for now I’ll
+just use the pdftk on athena.
+
+Conkeror relies on xulrunner, which at present comes with the CRUX 2.7
+installation CD but as Firefox now includes it is not available in the
+ports database. If needed in the future, the CRUX git repository history
+contain the Pkgfile: link
+[1](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/Pkgfile%3Bh%3D15c0967f212611b544da5381f135460b3a7f6c75%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f),
+[2](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/mozconfig%3Bh%3D411ffaf26f2e0456c2c313e688cbc0c7bcfbfe7f%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f),
+[3](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/xulrunner.diff%3Bh%3D5503c8d399a8ba9af88790d2c9c64de38e191ddc%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f).
+
+#### DONE Fix lack of `conkeror-spawn-helper`<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-14 Thu 16:42\]
+
+#### CANCELLED Write Pkgfile for TeX Live<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:50\]
+
+This will need these pages:
+<http://www.tug.org/texlive/quickinstall.html>
+<http://www.tug.org/texlive/acquire-netinstall.html> and then some way
+of telling the install script what to do without doing so interactively.
+-profile seems to be the way to go. Symlinks for manpages, infopages and
+the binaries, too.
+
+#### DONE Investigate `xulrunner`<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 19:11\]
+
+It seems to be installed when the distro was installed yet isn’t in the
+ports db? Removed intentionally.
+
+#### CANCELLED Add xfce repository in order to install xfburn<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:50\]
+
+Don’t really want to do this until dealt with freetype issue. Maybe a
+dummy package?
+
+xcdroast? Tried to install it…
+
+At the moment we just use: genisoimage -o tmp/dvd.iso local/toburn
+growisofs -Z /dev/sr0=/home/swhitton/tmp/dvd.iso
+
+prt-get readme cdrkit explains why burndir won’t work: growisofs is
+looking for mkisofs instead of genisoimage.
+
+#### CANCELLED Make abiword work<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 14:50\]
+
+gnome-keyring will need fixing/version bumping as it looks for a version
+of libtasn that is too old.
+
+#### DONE Fix /usr/share ownership when installing my recently created packages<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 20:24\]
+
+I think it has something to do with a package installing some zsh
+completions.
+
+#### DONE Fix mpdscribble & xbindkeys<span class="tag" data-tag-name="TechFix"></span><span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-20 Wed 19:47\] SCHEDULED: &lt;2011-07-15 Fri&gt;
+
+### OpenVPN
+
+We want the OpenVPN configuration files to be encrypted.
+
+``` {.nil}
+,# mkdir -p /home/etc/openvpn
+,# ln -s /home/etc/openvpn /etc
+,# prt-get depinst openvpn
+```
+
+Copy into `/etc/openvpn` the files `ca.crt`, `artemis.crt` and
+`artemis.key` and then create `/etc/openvpn/tap.conf`:
+
+``` {.conf}
+client
+remote 212.13.194.60 1194
+dev tap
+proto tcp
+resolv-retry infinite
+nobind
+persist-remote-ip
+persist-local-ip
+ping 5
+ping-restart 10
+ping-timer-rem
+persist-key
+persist-tun
+verb 2
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/artemis.crt
+key /etc/openvpn/artemis.key
+comp-lzo
+;redirect-gateway def1
+```
+
+where the final line is to be uncommented when on my untrusted
+university LAN. Add `openvpn` to the daemons started in `/etc/rc.conf`.
+Use udp rather than tcp on desktop.
+
+Create the `/etc/rc.d/openvpn` script (stolen from Arch):
+
+``` {.bash}
+#!/bin/sh
+#
+# /etc/rc.d/openvpn: start/stop vpn daemon
+#
+
+CFGDIR="/etc/openvpn"
+STATEDIR="/var/run/openvpn"
+
+case $1 in
+start)
+ mkdir -p "${STATEDIR}"
+ for cfg in "${CFGDIR}"/*.conf; do
+ /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}"
+ done
+ ;;
+stop)
+ for pidfile in "${STATEDIR}"/*.pid; do
+ kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
+ rm -f "${pidfile}"
+ done
+ ;;
+restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+*)
+ echo "usage: $0 [start|stop|restart]"
+ ;;
+esac
+
+# End of file
+```
+
+and fire her up:
+
+``` {.nil}
+,# /etc/rc.d/openvpn start
+```
+
+#### DONE Paste the `/etc/rc.d/openvpn` script<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-17 Sun 22:58\]
+
+### SSH configuration
+
+Download the keys `desktop-key` and `key` into `~/.ssh`, and in
+`~/.ssh/config` replace `athena.silentflame.com` with `athena.athenet`
+and add
+
+``` {.conf}
+Host selene
+User root
+HostName selene.silentflame.com
+IdentityFile ~/.ssh/desktop-key
+
+Host raven
+User ball3162
+HostName linux.ox.ac.uk
+IdentityFile ~/.ssh/desktop-key
+```
+
+### E-mail
+
+Our first real encounter with pre-install scripts. `prt-get readme
+dovecot/postfix` will provide an explanation.
+
+``` {.nil}
+,# pkgrm exim
+,# prt-get depinst dovecot postfix offlineimap
+```
+
+We add the following line in `/etc/dovecot/conf.d/10-mail.conf`:
+
+``` {.conf}
+mail_location = maildir:~/.gnus.d/Maildir
+```
+
+and the following in `/etc/postfix/main.cf`:
+
+``` {.conf}
+relayhost = [10.9.8.1]:25
+```
+
+and we’re done. We may now run
+
+``` {.nil}
+,# /etc/rc.d/postfix start
+$ offlineimap
+```
+
+to do the initial download of my e-mail. Add the postfix daemon to
+`/etc/rc.conf` (but not dovecot). You might want to test that e-mail
+goes where it should via telnet:
+
+``` {.nil}
+~ # telnet localhost 25
+Trying 127.0.0.1…
+erase character is '^H'.
+Connected to localhost.
+Escape character is '^]'.
+220 artemis.localdomain ESMTP Postfix
+>>> EHLO localhost
+250-artemis.localdomain
+250-PIPELINING
+250-SIZE 10240000
+250-VRFY
+250-ETRN
+250-ENHANCEDSTATUSCODES
+250-8BITMIME
+250 DSN
+>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk>
+250 2.1.0 Ok
+>>> rcpt to:<spwhitton AT-NOSPAMHEREEITHERPLZ gmail.com>
+250 2.1.5 Ok
+>>> data
+354 End data with <CR><LF>.<CR><LF>
+>>> Dear Sean,
+
+>>> This is my test message. Thanks.
+
+>>> Thanks.
+>>> .
+250 2.0.0 Ok: queued as C0CEFB9
+quit
+221 2.0.0 Bye
+Connection closed by foreign host
+```
+
+where `>>>` prefixes a line I typed. This is the most esoteric e-mail
+route I can come up with, where the mail goes local -&gt; athena -&gt;
+Oxford smtp -&gt; gmail -&gt; athena -&gt; local, so check the headers
+to make sure it’s gone everywhere it should.
+
+Now that `~/.newsrc.eld` isn’t synced between machines, recreate Gnus
+group tree as follows (`^` opens tree and `u` subscribes to items; `Tn`
+to create new topics and `GV` and `Gv` to manipulate virtual groups; `u`
+to kill off things like `gnus-help`):
+
+``` {.nil}
+[ Gnus -- 54 ]
+ 0 / 19 / 1199 : INBOX
+ 0 / 1 / 2423 : Notices & updates
+ 9 / 16 / 2408 : Feeds & lists
+ 0 / * / 0 : feeds.Guardian
+ [ Listservs -- 1 ]
+ 0 / 1 / 372 : lists.BitFolk
+* 0 / 0 / 140 : lists.VCS-Home
+ 0 / 0 / 27 : lists.Wikizine
+ [ Feeds -- 16 ]
+ 1 / 4 / 595 : feeds.Blogs
+ 7 / 7 / 1320 : feeds.Comics
+ 1 / 3 / 253 : feeds.Friends
+ 0 / 2 / 240 : feeds.Tech
+ [ Personal -- 1 ]
+* 0 / 0 / 5080 : archive
+ 0 / 0 / 99 : drafts
+ 0 / 0 / 1735 : notices
+ 0 / 0 / 2245 : sent
+* 0 / 0 / 40 : temptodo
+ 0 / 1 / 688 : updates
+```
+
+### crontab
+
+``` {.cron}
+*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null
+0 * * * * /home/swhitton/bin/doccheckin >/dev/null
+```
+
+### acpid & laptop-mode
+
+Most of this is only on artemis. First we disable updatedb which can
+block suspend (on zephyr & artemis).
+
+#### laptop-mode
+
+``` {.nil}
+,# rm /etc/cron/daily/mlocate
+,# prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors
+```
+
+Add the acpid and laptop-mode daemons to `/etc/rc.conf` (in that order).
+
+I am not sure laptop mode is doing everything it can to save power
+because `/etc/laptop-mode/conf.d/` doesn’t exist, as it does on Arch. At
+some point may wish to look into improving things, using the
+[Arch](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools)
+[wiki](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools) (two
+links).
+
+##### CANCELLED Make `laptop-mode` actually work<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-30 Tue 16:48\]
+
+#### =lenovo-sl-laptop=
+
+The `lenovo-sl-laptop` module provides control of the backlight and
+access to various hotkeys from X. Recompiling the kernel wipes it out so
+remember to re-add it should you need to do that.
+
+``` {.nil}
+,# cd ~/local/src
+,# git clone git://github.com/tadzik/lenovo-sl-laptop.git
+,# cd lenovo-sl-laptop
+,# make
+,# mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
+,# cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
+,# echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf
+,# echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs
+```
+
+nil
+
+Add add acpi~backlight~=vendor to the kernel boot line in
+`/etc/lilo.conf` and run `lilo` to put in place.
+
+#### Suspend on lid closure
+
+Edit the file `/etc/acpi/actions/lm_lid.sh` and add this block to the
+top:
+
+``` {.bash}
+if grep -q closed /proc/acpi/button/lid/LID/state; then
+ sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock
+fi
+```
+
+Sometimes a stale lock file prevents `pm-suspend` from working with no
+errors or log messages. To deal with this:
+
+``` {.nil}
+,# rm /var/run/pm-utils/locks/pm-suspend.lock
+```
+
+### autofs & NFS
+
+``` {.nil}
+,# prt-get depinst autofs
+,# rm /etc/autofs/auto.{master,net,media}
+```
+
+`/etc/autofs/auto.master`:
+
+``` {.conf}
+/media /etc/autofs/auto.media
+/net /etc/autofs/auto.net --timeout=30
+```
+
+`/etc/autofs/auto.net`:
+
+``` {.conf}
+athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp
+share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files
+```
+
+`/etc/autofs/auto.media`:
+
+``` {.conf}
+cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0
+usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
+sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1
+```
+
+Add rpcbind, nfs and autofs to the daemons array in `/etc/rc.conf`, in
+that order.
+
+Should now have in that array, in this order: acpid, laptop-mode, alsa,
+net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn,
+postfix, sshd.
+
+Protect these configs in `/etc/pkgadd.conf`:
+
+``` {.conf}
+UPGRADE ^etc/autofs/auto\..*$ NO
+```
+
+#### DONE Lock these config files<span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-29 Mon 19:08\]
+
+### DONE Warcraft III, wine etc. (/opt in general)
+
+CLOSED: \[2011-08-29 Mon 14:54\]
+
+``` {.nil}
+,# prt-get depinst wine
+```
+
+The AcceptEx patch has now been merged with Wine so you should just be
+able to install Warcraft III and its expansion and then update right off
+Battle.net. And it seems Wine is able to trap the mouse inside the
+window now too. Still rename Movies to Moviez, but the patch sorts out
+resolution issues. Nice.
+
+`winecfg` and enable emulate virtual desktop to play.
+
+### DONE StarCraft II
+
+CLOSED: \[2011-08-29 Mon 18:16\]
+
+The most recent versions of wine allow you to get your mouse pointed
+trapped in the window and work great with fullscreen windowed, but an
+older version of wine is required for installation—at the time of
+writing the most recent that works is 1.2.3. Begin by copying the two
+wine package files of 1.2.3 and the most recent version (at the time of
+writing, 1.3.24) into `/var/pkgmk/packages`. Mount the StarCraft II DVD
+and copy the files to home directory to install:
+
+``` {.nil}
+,# mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd
+$ mkdir ~/tmp/sc2
+$ cp -R /mnt/cd/* ~/tmp/sc2
+$ wine start ~/tmp/sc2/Installer.exe
+```
+
+Run `winecfg` and disable `mmdevapi` completely under the Library tab.
+After the game has finished installing and patching (takes forever),
+switch the wine version (with `pkgadd -u /var/pkgmk/packages/…`) and set
+the game to lowish graphics and select fullscreen windowed (lower than
+what you’d have in Windows on the same hardware). Run `winecfg` again
+and tick the trap mouse in full screen checkbox under the Graphics tab.
+
+Cleanup:
+
+``` {.nil}
+,# umount /mnt/cd
+$ rm -rf ~/tmp/sc2
+```
+
+#### USB mouse
+
+For StarCraft II on artemis you will want a USB mouse. This requires
+`usbhid` to be compiled into the kernel, and then edit
+`/etc/X11/xorg.conf`; replace the entire mouse section:
+
+``` {.conf-space}
+Section "InputDevice"
+ Identifier "Mouse0"
+ Driver "mouse"
+ Option "Protocol" "IMPS/2"
+ Option "Device" "/dev/input/mice"
+ Option "ZAxisMapping" "4 5"
+EndSection
+```
+
+and then add to the `ServerLayout` section:
+
+``` {.conf-space}
+Option "AllowEmptyInput" "false"
+```
+
+### DONE VirtualBox
+
+CLOSED: \[2011-08-30 Tue 15:49\]
+
+This need only be done on zephyr (since it’s more powerful).
+
+``` {.nil}
+,# prt-get depinst virtualbox
+,# usermod -a -G vboxusers swhitton
+```
+
+Worth setting up an Ubuntu VPS for testing. Remember to modprobe
+`vboxdrv` before running VirtualBox.
+
+### Browser plugins
+
+Install Firemacs into Firefox, and change (some of the) bindings to
+match Conkeror. Add AdBlockPlus to Conkeror but not no script as the
+glue (`require("noscript");`) doesn’t work very well.
+
+### Emacs keys in GTK apps
+
+``` {.nil}
+,# prt-get install gconf
+$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0
+$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs
+```
+
+We don’t seem to have backward-delete-word on `C-w` with this, though.
+
+Miscellaneous notes
+===================
+
+Backup strategy
+---------------
+
+All information to set the system up is in this document, so only the
+contents of `/home/swhitton` need to be backed up, assuming, that is,
+that all Pkgfiles have been uploaded to my CRUX repository. Of this
+- most directories are synced with my mr/git/gitosis setup;
+- `~/var` may be synced using Unison;
+- `~/local` and `~/tmp` need to be backed up manually;
+- check for any leftover non-hidden files in `~`;
+- dotfiles in `~` should already be checked into version control;
+ those that are not are probably safe to discard;
+- any custom ports in `/usr/ports/local` that have not yet been
+ transitioned into `~/src/ports`.
+
+The only other place there may be things to be saved are in `/srv`
+(should be symlinked into `/home` so that it’s encrypted, though),
+`/var` (unlikely) and of course the Windows partition.
+
+Ports repository
+----------------
+
+### DONE Set up `crux.sean.whitton.me` httpup ports repo<span class="tag" data-tag-name="ProjectIdea"></span><span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-08-30 Tue 16:56\]
+
+<http://crux.nu/Wiki/SettingUpAnHttpupRepo>
+
+#### DONE [CRUX ports](http://obra.se/)<span class="tag" data-tag-name="ToRead"></span><span class="tag" data-tag-name="NOEXPORT"></span>
+
+CLOSED: \[2011-07-17 Sun 22:43\]
+
+portspage script
+
+Local LAMP setup for development
+--------------------------------
+
+### lighttpd & PHP
+
+``` {.nil}
+,# prt-get depinst lighttpd php
+,# useradd -s /bin/false lighttpd
+,# groupadd lighttpd
+,# touch /var/www/logs/access_log
+,# touch /var/www/logs/error_log
+,# chown lighttpd:lighttpd /var/www/logs/*
+```
+
+Add `mod_fastcgi` to modules listing and switch to the non-chroot setup.
+Add to the end of config file
+
+``` {.conf}
+fastcgi.server = ( ".php" =>
+ ((
+ "bin-path" => "/usr/bin/php-cgi",
+ "socket" => "/tmp/php.socket",
+ "max-procs" => 1, # default: 2
+ "idle-timeout" => 20,
+ "bin-environment" => (
+ "PHP_FCGI_CHILDREN" => "3", # default: 4
+ "PHP_FCGI_MAX_REQUESTS" => "10000"
+ ),
+ "bin-copy-environment" => (
+ "PATH", "SHELL", "USER"
+ ),
+ "broken-scriptfilename" => "enable"
+ )))
+```
+
+Add to `/etc/hosts.allow`
+
+``` {.conf-colon}
+www: 127.0.0.1
+```
+
+When you want to use the web server, call `/etc/rc.d/lighttpd start`.
+
+### MySQL
+
+``` {.nil}
+,# prt-get depinst mysql php-mysql php-mysqli php-fcgi
+,# mysql_install_db
+,# mysqladmin -u root password <password_here>
+```
+
+Comment out `skip-innodb` and `skip-networking` in `/etc/my.cnf`. Start
+the daemon when needed.
+
+DONE ioquake setup
+------------------
+
+CLOSED: \[2011-08-29 Mon 15:11\]
+
+ioquake installs per-user, so this is very neat. Visit [the
+website](http://ioquake3.org/get-it/) and download the engine download
+and the data installer. Use install path `~/local/bin` and binary path
+`~/bin`. Install the data files with the same settings (leave tick boxes
+as they are). Then take pak0.pk3 from copy of Quake III Arena and drop
+this into `~/local/bin/ioquake3/baseq3`. To run, edit .xinitrc to set
+ioquake3 as window manager and re-login.
+
+DONE <http://crux.nu/ports/crux-2.7/opt/service/Pkgfile><span class="tag" data-tag-name="ToRead"></span>
+--------------------------------------------------------------------------------------------------------
+
+CLOSED: \[2011-08-29 Mon 14:49\]
+
+Other resources
+===============
+
+- [The CRUX handbook](http://crux.nu/Main/Handbook2-7), of course
+- [An alternative installation
+ guide](http://www.linuxforums.org/forum/coffee-lounge/121441-how-install-crux.html)
+ by Dapper Dan
+- [The only other CRUX
+ thread](http://www.linuxforums.org/forum/installation/129422-solved-crux-install-problem.html)
+ on Linux Forums, afaict
+- [The only information I can find on setting up full disc encryption
+ with CRUX](http://crux.nu/Wiki/Cryptsetup)
+- [K.Mandla’s blog](http://kmandla.wordpress.com/), who inspired me to
+ try out CRUX
+ - K.Mandla on [building an ultralight
+ kernel](http://kmandla.wordpress.com/2010/07/02/configuring-an-ultralight-2-6-34-kernel/)
+- The [Arch wiki](http://wiki.archlinux.org/), the best place guides
+ on for this semi-minimalist style of GNU/Linux computing
+- On X11 font rendering:
+ - [Arch
+ wiki](https://wiki.archlinux.org/index.php/Font_Configuration#Patched_packages)
+ - [K.Mandla](http://kmandla.wordpress.com/2008/10/29/fonts-as-sharp-as-razors-crux-ports-for-lcd-patches/)
+ - Arch BBS:
+ [1](https://bbs.archlinux.org/viewtopic.php?id%3D16372),
+ [2](https://bbs.archlinux.org/viewtopic.php?id%3D108884),
+ [3](https://bbs.archlinux.org/viewtopic.php?id%3D105839)
+ - [Gentoo
+ forums](http://forums.gentoo.org/viewtopic-t-723341.html)
+ - [Infinality
+ forums](http://www.infinality.net/forum/viewtopic.php?f%3D2&t%3D74)
+ - [about all » Xft, Fonts X11,
+ Terminus](http://wp.psyx.us/?p%3D235)
+- [Password-protecting LILO at various
+ levels](http://www.brunolinux.com/05-Configuring_Your_System/Password_Protect_Lilo.html)
+- [StarCraft II on the Arch
+ wiki](https://wiki.archlinux.org/index.php/Starcraft2)
+
+[^1]: Some daemons may still write some logs; if this happens, nuke them
+ and hope they weren't important. Yes, there are probably better
+ approaches.
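Review bot: the combination of `%wheel ALL=(ALL) NOPASSWD: ALL` in the sudo section, `auto_login yes (on artemis)` in `/etc/slim.conf` and `wrong_passwd_timeout 0` in `/etc/slimlock.conf` means that on artemis anyone at the keyboard of a booted machine reaches a root shell without ever entering a password, and can guess at the slimlock screen with no delay between attempts; with `lm_lid.sh` calling `dwm-suspcmd nolock` the laptop also appears to resume from a lid-close suspend into an unlocked session. That undercuts the disk encryption the rest of the page is built around, so consider dropping `NOPASSWD:` (or restricting it to the handful of commands that actually need it), leaving `auto_login` off, and keeping slimlock's default wrong-password timeout. Two smaller points in the same hunk: the `sshd: 10.9.8. 192.168.0. 10.8.0.` and `mpd: 127.0.0.1` lines added to `/etc/hosts.allow` only restrict anything when `/etc/hosts.deny` carries a matching deny (for example `ALL: ALL`), and no `hosts.deny` entry appears alongside them, so as written they are a no-op; and `mysqladmin -u root password <password_here>` leaves the root password in shell history and the process list, so it is better supplied interactively. Finally, `acpi~backlight~=vendor` in the lenovo-sl-laptop section looks like export mangling of `acpi_backlight=vendor`, and the stray `nil` line just above that paragraph should be dropped.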