[[!template id=note text="""
Please note that this page has not been updated since 2012.
"""]]

In July 2011 I switched to the GNU/Linux distribution
[CRUX](http://crux.nu/) from ArchLinux, desiring increased speed and
stability, while maintaining customisability, which I got. I switched
back to Debian Stable in January 2012.

There isn’t much non-official documentation for CRUX so I documented the
entire setup here, for my own reference when reinstalling machines and
for other beginners looking to try out CRUX. In particular I have
detailed my setup for encrypting my hard drive, which is esoteric but
the best way I can come up with for doing it on CRUX.

The [CRUX handbook](http://crux.nu/Main/Handbook2-7) is what you should
really be using for this, referring to my notes only when the handbook
is a bit skimpy on detail. I’ll repeat an arbitrary selection of what
that tells you to do.

[My ports](http://spw.sdf.org/crux/) for CRUX are [in the
portdb](http://crux.nu/portdb/?a%3Drepo&q%3Dswhitton); they’re used
throughout this document.

I used CRUX 2.7 in preparing this.

[[!toc]]

Installation
============

Encryption strategy
-------------------

My paranoia levels are such that I want enough encryption to stop
someone without a mainframe who acquires my laptop from getting at my
personal data, but I don’t take the steps necessary to stop someone
from inserting a keylogger into my machine, leaving it for me to pick up
again without my knowing it’s been gone, and then stealing my encryption
passphrase anyway.

Since `/boot` has to be unencrypted and I am not willing to carry it
around on a floppy or something, there is no additional risk in leaving
the root partition unencrypted too, so I just encrypt `/home` and
`/var`, have `/tmp` as a ramdisk, use no swap, and take steps to move
sensitive configuration files (*e.g.* OpenVPN) from `/etc` into
`/home/etc` so they are safe.

The reason I am not simply encrypting the root filesystem rather than
having these separate partitions is that doing so would slow down the
boot sequence substantially by requiring an initrd.

I don’t encrypt my desktop system at all anymore; the chances of it
being stolen are so very much smaller than those for my laptop, I trust
my family, and a LILO password is sufficient for LAN party security.
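
Once the encrypted partitions exist, the layout described above can be checked against the kernel's own mount and swap tables. This is an added example, not part of the original setup: the function name `audit_layout` and the sample tables are constructed, and it assumes an encrypted volume is mounted from a `/dev/mapper/*` device (`lvm2` is deselected during installation, so nothing else should create mappings there).

```sh
#!/bin/sh
# Added example: check a system against the "Encryption strategy" layout
# (/home and /var encrypted, /tmp in RAM, no swap).
# Assumption: an encrypted volume is mounted from a /dev/mapper/* device.

# audit_layout MOUNTS SWAPS
#   MOUNTS is in /proc/mounts format, SWAPS in /proc/swaps format.
#   Prints one finding per line; the exit status is the number of failures.
audit_layout() {
    awk '
        # Mount table: a later line for a mount point shadows an earlier one.
        FILENAME == ARGV[1] { src[$2] = $1; fstype[$2] = $3; next }

        # Swap table: line 1 is the column header, every other line is an
        # active swap area that could hold plaintext pages.
        FNR > 1 && NF > 0 { printf "FAIL swap is active on %s\n", $1; bad++ }

        END {
            n = split("/home /var", enc, " ")
            for (i = 1; i <= n; i++) {
                m = enc[i]
                if (!(m in src)) {
                    printf "FAIL %s is not a separate mount (data sits on the unencrypted root)\n", m
                    bad++
                } else if (src[m] !~ /^\/dev\/mapper\//) {
                    printf "FAIL %s is mounted from %s, not a mapped device\n", m, src[m]
                    bad++
                } else {
                    printf "ok   %s is mounted from %s\n", m, src[m]
                }
            }
            if (("/tmp" in fstype) && fstype["/tmp"] == "tmpfs") {
                print "ok   /tmp is tmpfs"
            } else {
                print "FAIL /tmp is not a tmpfs mount"
                bad++
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample tables (not from a real machine): /var was left on the
# root filesystem and a swap partition is active, so two checks fail.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
/dev/mapper/home /home ext4 rw 0 0
tmp /tmp tmpfs rw,nosuid 0 0
EOF
    cat > "$dir/swaps" <<'EOF'
Filename    Type        Size     Used  Priority
/dev/sda4   partition   1048572  0     -1
EOF
    audit_layout "$dir/mounts" "$dir/swaps"
    status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "$? check(s) failed"
```

On a live system, run `audit_layout /proc/mounts /proc/swaps`.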

Partitions and formatting
-------------------------

Run `fdisk` as instructed. If dual-booting with Windows, remember that
it likes to be in the first partition. [A useful guide to
`fdisk`](http://tldp.org/HOWTO/Partition/fdisk_partitioning.html). I go
with 10GB for the root partition: the first time I did this I had 5
for that and 10 for `/var`, and I didn’t have enough space to install
TeX Live and had to do crazy repartitioning of encrypted partitions…

Here’s a summary of the sizes I choose for my partitions:

[[!table data="""
  Partition   |Size              |Filesystem
  `/`         |10GB              |ext3
  `/var`      |5GB               |ReiserFS
  `/home`     |remaining HDD     |ext4
  `/tmp`      |max. 50% of RAM   |tmpfs
"""]]

so

``` {.nil}
# mkfs.ext3 /dev/sda1
```

or, `mkfs.ext4` on my single-partition desktop.

Installing the CRUX distribution
--------------------------------

We don’t mount our partition for `/var` separately at this stage because
the live CD doesn’t have the tools needed to do disc encryption, and
it’s far easier to let (non-personal) data get written to `/var` now
that can later be moved into the encrypted partition, rather than
supplying the installation with the scripts and modules to encrypt now.

``` {.nil}
# mount /dev/sda1 /mnt
# setup
```

Select all three port collections and then **deselect** the following
packages from `opt`: `fetchmail`, `firefox`, `grub`, `lvm2`, `mdadm`,
`nano`, `openbox`, `procmail`, `rp-pppoe`, `wvdial`, `xterm`;
**deselect** the following packages from `xorg`: `xorg-xf86-video-*`
except for `vesa`.

Config files
------------

Chroot and set the root password as instructed.

Lines for `/etc/fstab`; again this is simple as we’re going to add
encrypted partitions later:

``` {.nil}
/dev/sda1   /   ext3    defaults,noatime    0   1
tmp /tmp    tmpfs   defaults,nosuid,size=1024M,mode=1777    0   0
usb /proc/bus/usb   usbfs   defaults    0   0
/dev/sdaX   /mnt/seven  ntfs-3g defaults    0   0
```

We’ll use `autofs` for floppy and optical drives.

In `/etc/rc.conf`, we change the keymap to `uk`, timezone to
`Europe/London` and hostname to `artemis` for my laptop and `zephyr` for
my desktop. Leave services and font as they are for now.

Generate locales:

``` {.nil}
# localedef -i en_GB -f ISO-8859-1 en_GB
# localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1
# localedef -i en_GB -f UTF-8 en_GB.utf8
```

### Temporary network setup

We will need wired network access with which to get wireless working,
and the way I do this is to tether one machine to the other. The
following configuration achieves that:

``` {.conf}
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
    start)
        # loopback
        /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
        /sbin/ip link set lo up
        # ethernet
        /sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast +
        /sbin/ip link set eth0 up
        # default route
        /sbin/ip route add default via 10.8.0.1
        ;;
    stop)
        /sbin/ip route del default
        /sbin/ip link set eth0 down
        /sbin/ip addr del 10.8.0.2/24 dev eth0
        /sbin/ip link set lo down
        /sbin/ip addr del 127.0.0.1/8 dev lo
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 [start|stop|restart]"
        ;;
esac

# End of file
```

Run these commands on the host machine to open up the target to the
‘net:

``` {.nil}
$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE
```

and its config file (if it’s running CRUX; it’s quite easy to move to
other distros):

``` {.conf}
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#

case $1 in
    start)
        # loopback
        /sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
        /sbin/ip link set lo up
        # ethernet
        /sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast +
        /sbin/ip link set eth0 up
        # default route
        #/sbin/ip route add default via 10.8.0.1
        ;;
    stop)
        #/sbin/ip route del default
        /sbin/ip link set eth0 down
        /sbin/ip addr del 10.8.0.1/24 dev eth0
        /sbin/ip link set lo down
        /sbin/ip addr del 127.0.0.1/8 dev lo
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "usage: $0 [start|stop|restart]"
        ;;
esac

# End of file
```

This can be a bit flaky and doesn’t like hotplugging or rebooting so be
willing to make liberal use of `/etc/rc.d/net restart`.

`/etc/hosts`:

``` {.conf}
127.0.0.1          localhost
127.0.1.1           artemis.silentflame.com          artemis

193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
```

`/etc/resolv.conf`:

``` {.conf}
search silentflame.com
#nameserver 10.9.8.1
nameserver 208.67.220.222
nameserver 208.67.220.220
```

The commented out address will be of use once OpenVPN is operational.

<!-- Also note need to restart on both ends after reboot. -->

Compiling the kernel
--------------------

Here are changes I have made; everything else is left as-is.

*   General setup
    *   Disable development/incomplete code/drivers
    *   Disable swap support
    *   Enable BSD Process Accounting
    *   Disable kernel .config support
    *   Enable UTS & IPC namespace support
    *   Disable initramfs/initrd
    *   Disable optimisation for size
    *   On zephyr, enable configure standard kernel features (for
        small systems) \[Apple keyboard\]
*   Enable loadable module support
    *   Disable unloading modules
*   Processor type and features
    *   Processor family: Core 2/newer Xeon
    *   Maximum number of CPUs set to 2
    *   Disable SMT (Hyperthreading) scheduler support
    *   Enable machine check / overheating reporting
        *   Disable AMD MCE features
    *   High Memory Support: 4GB
    *   Enable KSM for page merging
    *   Enable Math emulation
    *   Enable MTRR cleanup support
    *   Enable -fstack-protector buffer overflow detection
*   Power management and ACPI options
    *   Enable power management support
    *   Enable run-time PM core functionality
    *   Enable APM for laptop (though this is known to be dodgy; care)
    *   Enable CPU frequency scaling on artemis
        *   Disable CPU frequency translation statistics
        *   Enable the powersave, userspace, and conservative governors
            on artemis, and ondemand instead of conservative on zephyr.
            Set default governor to performance
        *   Module ACPI Processor P-states driver
*   Bus options
    *   Enable Message Signaled Interrupts
    *   Disable ISA support
    *   PCMCIA—disable on zephyr
        *   Disable Cirrus PD6729 compatible bridge support
        *   Disable i82092 compatible bridge support
*   Executable file formats / emulations
    *   Enable kernel support for MISC binaries
*   Networking support
    *   Networking options
        *   For the Oxford VPN, we will need to module these:
            *   Transformation user configuration interface
            *   PF_KEY sockets
            *   IP: GRE tunnels over IP
            *   IP: AH transformation
            *   IP: ESP transformation
            *   IP: IPComp transformation
            *   IP: IPsec transport mode
            *   IP: IPsec tunnel mode
            *   IP: IPsec BEET mode
        *   Enable INET: socket monitoring interface
        *   Disable IPv6 (I’m never on a network that supports it)
        *   Enable Netfilter
            *   Core Netfilter Configuration
                *   Enable Netfilter connection tracking support
            *   IP: Netfilter configuration
                *   Enable IPv4 connection tracking support
                *   Enable IP tables support
                *   Enable Full NAT
                    *   Enable MASQUERADE target support
                    *   Enable REDIRECT target support
        *   Module 802.1d ethernet bridging
    *   Wireless
        *   Enable (*i.e.* not just module) cfg80211
        *   Enable Generic IEEE 802.11 Networking Stack (mac80211)
    *   Enable RF switch subsystem support on artemis
*   Device drivers
    *   Generic driver options
        *   Enable maintain a devtmpfs filesystem to mount at /dev
            *   Automount devtmpfs at /dev, after the kernel…
        *   Enable include in-kernel firmware blobs in kernel binary
    *   Enable connector—unified userspace <-> kernelspace linker
    *   Plug and play support
        *   Enable PNP debugging messages
    *   Block devices
        *   Module normal floppy disk support on artemis, enable on
            zephyr
        *   Disable Compaq SMART2 support
        *   Disable Compaq Smart Array 5xxx support
        *   Disable Mylex DAC960/DAC1100 PCI RAID controller support
        *   Module loopback device support
        *   Disable network block device support
        *   Module RAM block device support (this may break tmpfs?)
        *   Disable ATA over ethernet support
    *   On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) \[this
        may or may not help failure to boot issue, really have no idea
        atm\]
        *   Enable support for SATA (deprecated; conflicts with libata
            SATA driver)
        *   Enable generic ATA/ATAPI disk support
            *   Enable ATA disk support
        *   Enable Include IDE/ATAPI CDROM support
        *   Enable IDE ACPI support
        *   Enable generic/default IDE chipset support
        *   Enable Platform driver for IDE interfaces
        *   Enable AMD and nVidia IDE support
    *   SCSI device support
        *   Enable SCSI disk support
        *   Enable SCSI CDROM support
            *   Enable vendor-specific extensions (for SCSI CDROM) on
                zephyr only
        *   Enable SCSI generic support
        *   Probe all LUNs on each SCSI device
        *   Enable asynchronous SCSI scanning
    *   Enable serial ATA and parallel ATA drivers
        *   Enable AHCI SATA support
        *   Enable platform AHCI SATA support
        *   On zephyr enable NVIDIA SATA support
    *   Enable multiple devices driver support (RAID and LVM)
        *   Enable device mapper support
        *   Enable crypt target support
        *   Enable snapshot target
        *   Enable mirror target
    *   Disable Fusion MPT device support
    *   IEEE 1394 (FireWire) support
        *   Disable FireWire driver stack
    *   Enable Macintosh device drivers (hmm shouldn’t keyboard be
        under here?)
    *   Network device support
        *   Module dummy net driver support
        *   Module universal TUN/TAP device driver support
        *   Wireless LAN
            *   Enable Intel Wireless Wifi on artemis
            *   Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on
                artemis
                *   Enable Intel Wireless WiFi 5000AGN … on artemis
            *   Enable Ralink driver support on zephyr
                *   Enable rt2500 (USB) support
                *   Enable rt2501/rt73 (USB) support
                *   Enable Ralink debug output
        *   Disable PPP support
    *   Input device support
        *   Disable support for memoryless force-feedback devices
        *   Disable polled input device skeleton
        *   Set horizontal and vertical screen resolution
        *   Enable event interface
        *   Mice
            *   On zephyr, enable PS/2 mouse
            *   Disable serial mouse
            *   Disable Apple USB touchpad support
            *   Disable Apple USB BCM5974 Multitouch trackpad support
    *   Character devices
        *   Serial drivers
            *   Disable 8250/16550 and compatible serial support
        *   Enable Timer IOMEM HW Random Number Generator support
        *   Enable Intel HW Random Number Generator support
        *   Disable AMD … random number generator support × 2
        *   Enable /dev/nvram support
    *   Enable SPI support
    *   Power supply class support
        *   Module test power driver
        *   Module all battery types on artemis for now
    *   Enable hardware monitoring support
    *   Generic thermal sysfs driver
        *   Enable hardware monitoring support
    *   Disable multimedia support
    *   Graphics support
        *   Enable laptop hybrid graphics on artemis
        *   Module direct rendering manager
        *   Disable support for frame buffer devices
        *   Enable backlight & LCD device support on artemis
        *   Display device support
            *   Enable display panel/monitor support
        *   Console display driver support
            *   Disable scrollback buffer in system RAM
    *   Enable sound card support
        *   Enable ALSA
            *   Enable sequencer support
            *   Enable OSS mixer API
            *   Enable OSS PCM
            *   Enable OSS sequencer API
            *   Disable verbose procfs contents
            *   PCI sound devices
                *   Enable Intel HD Audio
                    *   On artemis enable aggressive power-saving on
                        HD-audio
                        *   Default time-out for HD-audio power-save
                            mode: 60
                    *   On zephyr enable build nvidia HDMI HD-audio
                        codec support
    *   Disable HID drivers on artemis, enable on zephyr—enable/module
        on artemis if want USB mouse support
        *   Special HID drivers
            *   Enable Apple
    *   USB support
        *   Enable support for host-side usb
        *   Enable USB device filesystem
        *   Enable WUSB cable based association
        *   Enable EHCI HCD (USB 2.0) support
        *   Disable USB modem support
    *   Enable MMC/SD/SDIO card support on artemis
        *   On artemis, enable Secure Digital host controller interface
            support
        *   On artemis enable SDHCI support on PCI bus
            *   On artemis enable Ricoh MMC controller disabler
    *   Disable Real Time Clock
    *   Enable auxiliary display support
    *   Disable X86 platform specific device drivers
        *   ~~On artemis, module Acer WMI laptop extras, Asus laptop
            extras and ThinkPad ACPI laptop extras—don’t think it’s the
            latter but one of three for SL300 which has IdeaPad
            internals, not proper ThinkPad~~ —using `lenovo-sl-laptop`
    *   On zephyr enable staging drivers
        *   Disable exclude staging drivers from being built
        *   Enable Ralink 2870/3070 wireless support
*   File systems
    *   Enable ext2
    *   Enable ext3
    *   Default to ‘data-ordered’ in ext3
    *   Enable ext4
    *   Enable reiserfs
    *   Disable JFS
    *   Disable XFS
    *   Enable kernel automounter version 4 support (also supports v3)
    *   Enable FUSE
        *   Module character device in userpace \[sic\] suppose
    *   CD-ROM/DVD filesystems
        *   Enable ISO 9660 CDROM file system support
        *   Enable Microsoft Joliet CDROM extensions
        *   Enable transparent decompression extension
        *   UDF file system support
    *   DOS/FAT/NT filesystems
        *   Disable MSDOS fs support
        *   Enable VFAT (Windows-95) fs support
        *   On zephyr, enable NTFS file system support; disable on
            artemis
        *   On zephyr enable NTFS write support
    *   Network file systems
        *   Enable NFS client support
        *   Enable NFS client support for the NFSv3 ACL protocol
            extension
        *   Enable NFS server support for the NFSv3 ACL protocol
            extension
        *   Disable SMB file system support
        *   Disable CIFS support
*   Kernel hacking
    *   Enable timing information on printks
    *   Enable `__must_check` logic
    *   Disable Magic SysRq key
    *   Enable sysctl checks
    *   Filter access to /dev/mem
    *   Maybe enable verbose x86 bootup info messages
*   Cryptographic API
    *   Module null algorithms
    *   Module CCM support (Oxford VPN)
    *   Module GCM/GMAC support (Oxford VPN)
    *   Enable SHA224 and SHA256 digest algorithm
    *   Enable Zlib
    *   Enable LZO
    *   Enable pseudo random number generation for cryptographic modules
*   Virtualisation
    *   Enable KVM support
        *   Enable KVM for Intel processors support
    *   Module Virtio balloon driver

Once done with `menuconfig`, we set things up:

``` {.nil}
# make all && make modules_install
# cp arch/x86/boot/bzImage /boot/vmlinuz
# cp System.map /boot
```

Bootloader
----------

Set up lilo; for artemis:

``` {.conf}
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
compact
boot=/dev/sda
image=/boot/vmlinuz
        label=CRUX
        root=/dev/sda3
        read-only
        append="quiet acpi_backlight=vendor"

# End of file
```

and for zephyr:

``` {.conf}
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#

lba32
install=text
prompt
timeout=30
compact
boot=/dev/sda
image=/boot/vmlinuz
    label=CRUX
    root=/dev/sda3
    read-only
    append="quiet"
other=/dev/sda2
    label=dos

# End of file
```

``` {.nil}
# lilo
# reboot
```


Post-install configuration
==========================

Pre-encryption tweaks—stop building things as root
--------------------------------------------------

Following the advice [here](http://crux.nu/Wiki/PostInstallationNotes),
we set up a non-privileged user to build ports. This also moves port
building out of `/usr` and into `/var` where it belongs.

We create our user account here because otherwise pkgmk will get the
first UID.

``` {.nil}
# groupadd pkgmk
# useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk
# useradd -m -d /var/pkgmk -g pkgmk pkgmk
# mkdir /var/pkgmk/{distfiles,packages,work}
# chown pkgmk:pkgmk /var/pkgmk/*
# chmod 775 /var/pkgmk/*
```

`/etc/prt-get.conf`:

``` {.conf}
makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk
```

`/etc/pkgmk.conf`:

``` {.conf}
PKGMK_SOURCE_DIR="/var/pkgmk/distfiles"
PKGMK_PACKAGE_DIR="/var/pkgmk/packages"
PKGMK_WORK_DIR="/var/pkgmk/work/$name"
```

`/etc/hosts`:

``` {.conf}
193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
```


Pre-encryption tweaks—packages
------------------------------

We can’t do much until encryption is operational because we don’t want
to introduce any kind of personal data to the system until then. However,
our lives in setting that up will be a lot easier with some additional
packages on our very spartan system.

If you see this on a bootup:

``` {.nil}
umount: /sys: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
mount: sysfs already mounted or /sys busy
```

then be assured that it may be safely ignored; I believe it’s a bug in
the `/etc/rc` script.

First we enable the `contrib` ports collection:

``` {.nil}
# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync
# ports -u contrib
```

We tell `prt-get` that we’ve done so by uncommenting the line

``` {.conf}
prtdir /usr/ports/contrib
```

near the start of `/etc/prt-get.conf`. Now we use the `mpup` utility to
add some ports from third party repositories. `mpup` is like `ports -u`
except only specific ports are fetched, rather than a whole irrelevant
repository.

``` {.nil}
# prt-get depinst mpup
# mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup
```

Now we add my personal repository TODO and gnome and xfce TODO (gnome
below contrib so guile installs right)

Add to `/etc/mpup.lst`:

``` {.nil}
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid
rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus
rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font
rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools
httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1
httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5
httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword
httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
httpup sync http://www.landofbile.com/crux_ports/#gmime gmime
httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd
httpup sync http://vico.kleinplanet.de/files/repo/#abcde abcde
httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid
httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2
rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python
httpup sync http://jue.li/crux/ports/#s3fs s3fs
rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid
```

and add `prtdir /usr/ports/meta` to the beginning of
`/etc/prt-get.conf`. Next we’ll install some basic utilities but before
we do that we enable install scripts in `/etc/prt-get.conf`:

``` {.conf}
runscripts yes
```

now

``` {.nil}
# ports -u meta swhitton
# prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex
# prt-get remove vim
```
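Every host named in `/etc/mpup.lst` can hand us a port, and with `runscripts yes` its pre- and post-install scripts are run by `prt-get` as root, so it is worth listing exactly which hosts and transports we are trusting. The script below is an added example, not part of the original notes or of mpup; it parses only the two line shapes used in the list above, and the function names and the `ports.example.org` entry are made up for illustration.

```shell
#!/bin/sh
# Added example: inventory the third-party sources named in an mpup.lst.

# Constructed sample: five entries copied from the list above plus one
# hypothetical https entry (ports.example.org) for contrast.
sample_mpup_lst() {
    cat <<'EOF'
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid
httpup sync https://ports.example.org/crux/#demo demo
EOF
}

# list_sources: read mpup.lst lines on stdin, print "transport host port".
list_sources() {
    awk '
        /^[ \t]*$/ { next }                        # skip blank lines
        $1 == "httpup" && $2 == "sync" {
            scheme = $3; sub("://.*", "", scheme)
            host = $3;   sub("^[a-z]+://", "", host)
            sub("[/#].*", "", host)                # drop path and #port fragment
            sub(":[0-9]+$", "", host)              # drop an explicit TCP port
            print scheme, host, $NF
            next
        }
        $1 == "rsync" {
            host = $(NF - 1); sub("::.*", "", host)    # host::module/path/
            print "rsync", host, $NF
            next
        }
        { print "unknown", "-", $NF }              # anything else needs a human look
    '
}

# trusted_hosts: the distinct hosts whose ports end up being built and installed.
trusted_hosts() {
    list_sources | awk '{ print $2 }' | sort -u
}

# count_plaintext: entries fetched over http or the rsync daemon protocol,
# neither of which authenticates the server or protects the transfer.
count_plaintext() {
    list_sources | awk '$1 == "http" || $1 == "rsync" { n++ } END { print n + 0 }'
}

# ports_per_host: "count host" lines, busiest host first.
ports_per_host() {
    list_sources | awk '{ c[$2]++ } END { for (h in c) print c[h], h }' |
        sort -k1,1nr -k2,2
}

# Report for the constructed sample; on a real system feed /etc/mpup.lst instead.
sample_mpup_lst | ports_per_host
printf 'plaintext entries: %s\n' "$(sample_mpup_lst | count_plaintext)"
```

Run against the real file with `ports_per_host < /etc/mpup.lst` and review the list before each `ports -u meta`.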

Change the keymap in `/etc/rc.conf` to `uk.swapcaps` and then

``` {.nil}
# loadkeys uk.swapcaps
```

to make caps lock into a control key, as it should be.

This should be enough to bootstrap my standard CLI interface into
`/root`, which’ll make things more comfortable.

``` {.nil}
# cd ~
# rm -rf .ssh
# mr --trust-all bootstrap xyrael.net/mrconfig-crux
# chsh -s /bin/zsh
# zsh
```


Encrypted partitions
--------------------

At long last we are ready to prepare our encrypted partitions, move our
sensitive data into them and then to have them decrypted at boot.

### Create partitions

``` {.nil}
# cryptsetup luksFormat /dev/sda2
# cryptsetup luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda2 artemis-var
# cryptsetup luksOpen /dev/sda3 artemis-home
# mkfs.reiserfs /dev/mapper/artemis-var
# mkfs.ext4 /dev/mapper/artemis-home
```

We’ll mount up the home partition and put something in it for testing
purposes.

``` {.nil}
# mount /dev/mapper/artemis-home /home
# echo "it works\!" > /home/test.txt
```

### Decryption

To confirm that things are working we’ll do `/home` first before `/var`,
because the latter gets log files written to it that we’re going to have
to be careful about moving.

Open up `/etc/rc` and find the line

``` {.bash}
# Check filesystems
```

We are going to add our decryption commands above the chunk of lines
that this comment introduces. These are

``` {.bash}
# SEAN DECRYPTION BEGIN

# we need to set the keymap early in order to be able to decrypt
if [ "$KEYMAP" ]; then
        /usr/bin/loadkeys -q "$KEYMAP"
fi

/usr/bin/setfont $FONT

echo ""
echo -n "This is Sean's computer - enter system passphrase: "

# -r and an empty IFS keep backslashes and surrounding spaces in the passphrase
/bin/stty -echo; IFS= read -r PASSPHRASE; /bin/stty echo
echo ""
# --key-file=- takes stdin verbatim as the key, so send no trailing newline
printf '%s' "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var
printf '%s' "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home

# overwrite the variable before unsetting it
PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot"
unset PASSPHRASE

# SEAN DECRYPTION END
```

The idea of this code is to stop someone from being able to do anything
with the system without opening it up, which was considered to be an
acceptable risk in our encryption strategy.
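The prompt above never checks whether `cryptsetup` succeeded, so a mistyped passphrase leaves both volumes closed while boot carries on. Below is the same step with retries and exit-status checks, as an added example rather than the author's `/etc/rc` code; the function names and the `CRYPTSETUP`, `MAPPER_DIR` and `MAX_TRIES` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: boot-time LUKS unlock with retries and status checks.
# All function and variable names here are hypothetical.

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"    # overridable, so a stub can stand in for the real tool
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
MAX_TRIES="${MAX_TRIES:-3}"

# read_passphrase: read one line from stdin into PASSPHRASE, verbatim.
read_passphrase() {
    saved_tty=""
    if [ -t 0 ]; then                      # only touch terminal settings on a real console
        saved_tty=$(stty -g)
        stty -echo
    fi
    rp_status=0
    IFS= read -r PASSPHRASE || rp_status=$?
    if [ -n "$saved_tty" ]; then
        stty "$saved_tty"                  # always restore echo, even after EOF
    fi
    return "$rp_status"
}

# open_volume DEVICE NAME: open one LUKS volume with $PASSPHRASE.
open_volume() {
    if [ -e "$MAPPER_DIR/$2" ]; then       # already opened on an earlier attempt
        return 0
    fi
    # --key-file=- uses stdin verbatim as the key, so no trailing newline is sent
    printf '%s' "$PASSPHRASE" | "$CRYPTSETUP" --key-file=- luksOpen "$1" "$2"
}

# unlock_all DEVICE:NAME...
# Returns 0 when every volume is open, 1 when the attempts are used up,
# 2 when no passphrase could be read at all.
unlock_all() {
    try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        printf 'Enter system passphrase (attempt %s of %s): ' "$try" "$MAX_TRIES" >&2
        if ! read_passphrase; then
            unset PASSPHRASE
            return 2
        fi
        printf '\n' >&2
        failed=0
        for pair in "$@"; do
            open_volume "${pair%%:*}" "${pair#*:}" || failed=1
        done
        PASSPHRASE=""
        unset PASSPHRASE
        if [ "$failed" -eq 0 ]; then
            return 0
        fi
        try=$((try + 1))
    done
    return 1
}

# When run with arguments, unlock the volumes named on the command line, e.g.
#   sh unlock.sh /dev/sda2:artemis-var /dev/sda3:artemis-home
if [ "$#" -gt 0 ]; then
    unlock_all "$@" || exit $?
fi
```

In `/etc/rc` the caller should act on a non-zero return before the filesystem checks start, rather than letting `fsck` and `mount` fail on the missing mapper devices.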

Add this line to `/etc/fstab`:

``` {.conf}
/dev/mapper/artemis-home /home ext4 defaults 0 2
```

Reboot, and confirm our test file is still in place with the content we
gave it. If so, it's time to move the files in `/var`. We stop daemons
that might write there before doing so,[^1] move the data and then
reboot and cross our fingers.

First add this line to `/etc/fstab`:

``` {.conf}
/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2
```

then

``` {.nil}
# mkdir /mnt/tmp
# mount /dev/mapper/artemis-var /mnt/tmp
# /etc/rc.d/sysklogd stop
# /etc/rc.d/crond stop
# /etc/rc.d/net stop
# mv /var/* /mnt/tmp
# mv /var/.* /mnt/tmp
# reboot
```

This doesn't really require a reboot, but it's nice to see all the
encryption stuff now fully working in tandem.

<!-- ### DONE On artemis, unmount /var in rc.shutdown to prevent reiserfs journal replay on every boot<span class="tag" data-tag-name="TechFix"></span><span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 14:53\] -->

Post-encryption setup
---------------------

Whew, now that encryption’s done we’re safe to start setting up my
environment.

### Distribution update

First bring the distribution up-to-date:

``` {.nil}
# prt-get sysup
```

This will take a while since the packages will need to be compiled,
unlike during the installation where this has already been done. Also
`prt-get`’s dependency resolution isn’t perfect, and you may be required
to intervene to upgrade some packages before others.

Now that we’ve hacked `/etc/rc` we need to lock it to prevent it being
overwritten by updates, which would stop our system from starting up.
Add this line to `/etc/pkgadd.conf`:

``` {.conf}
UPGRADE         ^etc/rc$                NO
```

### Wireless

Let’s stop dependency on another host for Internet access.

For artemis, we need the wireless firmware from
[here](http://intellinuxwireless.org/?n%3Ddownloads&f%3Ducodes_5000),
and we need a release of the 5000 images (for our 5100AGN card) old
enough to have -2 at the end, as our kernel version doesn’t seem to look
for anything higher. 8.24.2.12.tgz appears to be the latest with this
property. Extract the `.ucode` file into `/lib/firmware` and reboot and
the hardware should be ready to go.

For zephyr we need
[rt2870.bin](http://www.ralinktech.com/support.php?s%3D2) which we can
drop into `/lib/firmware`; we then need a symlink:
`ln -s /lib/firmware/rt2870.bin
/lib/firmware/rt3070.bin` because the rt2870.bin driver covers a lot of
hardware and the kernel looks in the wrong place.

Install `wicd` to manage network connections from now on. Somehow `glib`
doesn’t get updated enough/at all in the sysup so do it again here
(maybe).

``` {.nil}
# prt-get update glib
# prt-get depinst wicd urwid
# /etc/rc.d/dbus start
# /etc/rc.d/wicd start
```

Add the `atd`, `dbus` and `wicd` daemons (in that order) to
`/etc/rc.conf`, and comment out the gateway settings for `eth0` from
`/etc/rc.d/net` (we can’t remove this daemon entirely because we need
the loopback interface—discovered this the hard way when mpd wouldn’t
work…). Fire up `wicd-curses` to connect to your wireless network.
Remember to add `10.9.8.1` as first DNS server, globally, then OpenDNS.

### ntp

At this point I tend to notice my system clock drifting.

``` {.nil}
# prt-get depinst openntpd
# /etc/rc.d/ntpd start
```

Add ntpd to the list of daemons in `/etc/rc.conf`. In `/etc/rc.d/ntpd`,
change the `-s` to `-S` so that ntp doesn’t even try to change the time on
startup, which makes a big difference to boot speed.

Add to `/etc/pkgadd.conf`:

``` {.conf}
UPGRADE         ^etc/rc\.d/ntpd$ NO
```

to protect our changes.


### User account

``` {.nil}
# mkdir /home/swhitton
# chown swhitton:users /home/swhitton
# passwd swhitton
```

Log out and log in again as the new user. Bootstrap its homedir:

``` {.nil}
$ mr --trust-all bootstrap xyrael.net/mrconfig-crux
```

### Apple keyboard at console

On zephyr, add to `/etc/rc.local`:

``` {.bash}
echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null
```

### X

#### Setup

We’re going with the non-free nVidia drivers since we have an nVidia card
we want to make some use of:

``` {.nil}
# prt-get depinst nvidia
# reboot
# nvidia-xconfig
# gl-select use nvidia
```

To test X, back as `swhitton`, we prepare a minimal `.xinitrc` with just
the line `exec urxvt`, moving the usual file to `.xinitrc~`.

``` {.nil}
$ startx
```

If you get a terminal that you can type into, and the mouse moves
around, we’re good to go. Run `exit` in the terminal to kill off X.

##### Driver tweaks

Add the following lines to the `Device` section of `/etc/X11/xorg.conf`
for some minor improvements (from Arch wiki):

``` {.conf}
Option "NoLogo" "1"
Option "RenderAccel" "1"
Option "ConnectedMonitor" "DFP"
Option "TripleBuffer" "1"
Option "DamageEvents" "1"
Option "DPS" "1"
```

Remove the third line for zephyr.

#### The almighty Terminus

We need three versions of Terminus: one which provides the traditional X
font, one which provides the xft font and one for the console.

The Arch package provides all three at once, I believe, or at least the
first two so should probably be looked into at some point.

``` {.nil}
# prt-get depinst xorg-font-terminus console-font-terminus terminus-font
```

In the `Files` section of `/etc/X11/xorg.conf`, add the line

``` {.conf}
FontPath "/usr/lib/X11/fonts/terminus"
```

and then my `.Xresources` should take care of the rest. For console,
update `/etc/rc.conf` to use this new font, `Lat2-Terminus16`.

#### Font beautification

CRUX’s X11 fonts look pretty poor without tweaks, and there are various
ways to improve the situation. After much messing around I reckon that
the cleartype approach is the best, especially since the packages on the
AUR were recently renewed and seem to be maintained. Links about this
issue at the end of this document.

First we set up some package aliases so that `prt-get` doesn’t think
we’ve removed important dependencies. Append to
`/var/lib/pkg/prt-get.aliases`:

``` {.conf-colon}
libxft-cleartype: xorg-libxft
freetype2-cleartype: freetype
cairo-cleartype: cairo
postfix: exim
```

and append to `/etc/pkgadd.conf` to protect this file from upgrades:

``` {.conf}
UPGRADE         ^var/lib/pkg/prt-get.aliases$ NO
```

``` {.nil}
# prt-get remove freetype xorg-libxft cairo
# prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype
```

Taking the -ubuntu approach means no Xft Terminus, so it would require the
hacked TTF versions floating about, which means no smaller font in the
Conkeror minibuffer.

Check in `/etc/fonts/fonts.conf` that near the top there is

``` {.xml}
<dir>/usr/share/fonts</dir>
<dir>/usr/lib/X11/fonts</dir>
<dir>~/.fonts</dir>
```

as the second line might be missing. This should be packaged
up/automated at some point.

<!-- ##### DONE Tidy up dependency installation around this stuff<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-07-17 Sun 21:48\] -->

<!-- Atm there will be clashes, particularly concerning the freetype files. -->

<!-- &lt;Romster&gt; edit /var/lib/pkg/prt-get.aliases and add your port as -->
<!-- an alias \[16:50\] &lt;Romster&gt; be sure to add that file to -->
<!-- /etc/pkgadd.conf else changes will be gone should you ever -->
<!-- reinstall/update prt-get. -->

<!-- ##### DONE Add `--install-scripts` throughout this file, as probably needed in lots of places<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-07-17 Sun 21:48\] -->

<!-- Or just use prt-get config variable `runscripts` -->

#### Lisp

We are going to install the lisp environment to run my window manager,
StumpWM, using the [quicklisp approach from the
ArchWiki](https://wiki.archlinux.org/index.php/Stumpwm#With_Quicklisp_.28recommended.29).
When my lisp knowledge improves I will make this into a package.

``` {.nil}
# prt-get depinst sbcl texinfo
# wget beta.quicklisp.org/quicklisp.lisp
# sbcl --load quicklisp.lisp
```

and then in the interactive shell

``` {.commonlisp}
(quicklisp-quickstart:install)
(ql:add-to-init-file)
(ql:update-all-dists)
(ql:quickload "clx")
(ql:quickload "cl-ppcre")
(quit)
```

This relies on the environment variable we set in `.zshrc`,
`SBCL_HOME=/usr/lib/sbcl`.

#### More building blocks

Unfortunately, stumpwm won’t build unless we’re root at the moment as I
haven’t got the package set up right. So first we comment out the lines
we added to `/etc/prt-get.conf` and `/etc/pkgmk.conf` and then

``` {.nil}
# cd /usr/ports/swhitton/stumpwm
# pkgmk -d
# chown pkgmk:pkgmk stumpwm\#git-1.pkg.tar.gz
# mv stumpwm\#git-1.pkg.tar.gz /var/pkgmk/packages
```

Now uncomment the lines again and

``` {.nil}
# prt-get depinst xbindkeys avfs stumpwm
$ mkdir .avfs
# echo "user_allow_other" >> /etc/fuse.conf
```

This should be enough to get a graphical environment up, so `startx` and
open up a shell with the usual `C-i C-t`. If dual monitors need setting
up, su to root and run `nvidia-settings`.

#### SLiM

And changes to theme to make slimlock work and changes to slimlock.conf.

#### gettys & SLiM

Using a display manager is much neater than running startx from
`~/.zshrc`.

``` {.nil}
# prt-get depinst mingetty slim slimlock
```

We use mingetty because it allows autologin if we ever want it and it
uses less resources than agetty. We don’t use autologin at the moment
because we’re screenlocking with slimlock rather than vlock. One virtual
console is sufficient.

``` {.conf}
#c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux
c2:2:respawn:/sbin/mingetty --noclear tty2 linux
#c3:2:respawn:/sbin/agetty 38400 tty3 linux
#c4:2:respawn:/sbin/agetty 38400 tty4 linux
#c5:2:respawn:/sbin/agetty 38400 tty5 linux
#c6:2:respawn:/sbin/agetty 38400 tty6 linux
#s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100

x:2:respawn:/usr/bin/slim >& /dev/null
```

Amend these lines in `/etc/slim.conf` (`auto_login` on artemis only):

``` {.conf}
console_cmd         /usr/bin/urxvt -T "Console login" -e /bin/sh -c "/bin/cat /etc/issue; exec /bin/login"
default_user swhitton
auto_login yes
```

and in `/etc/slimlock.conf`:

``` {.conf}
wrong_passwd_timeout            0
show_username                   1
show_welcome_msg                0
```

and a fix to `/usr/share/slim/themes/crux-smooth/slim.theme`:

``` {.conf}
username_x              170
password_x              170
```


### ALSA

Let’s get sound operational.

``` {.nil}
# prt-get depinst alsa-lib alsa-utils alsa-oss
# alsamixer
```

Hit `M` to unmute the main channel. Raise the volume until the dB gain
is 0 and then play a sound to test. If it doesn’t play, raise the other
sliders around a bit.

``` {.nil}
# aplay /home/swhitton/lib/beep.wav
```

Now add alsa to the daemons array in `/etc/rc.conf` and run

``` {.nil}
# alsactl -f /var/lib/alsa/asound.state store
# /etc/rc.d/alsa start
```

### sshd

Add to `/etc/hosts.allow`:

``` {.conf}
sshd: 10.9.8. 192.168.0. 10.8.0.
```

We need sshd running all the time in order to have tramp working
smoothly, it seems (not in find-file but in eshell).

### mpd, ncmpcpp & mpdscribble

No reason to go any further without some tunes. We need to install
`libmms` first in order to get proper streaming support.

``` {.nil}
# prt-get depinst libmms libfaac
# prt-get depinst mpd mpc ncmpcpp mpdscribble
```

#### Sync media library

One of unison’s dependencies, ocaml, will need a .footprint deleting.

``` {.nil}
# prt-get depinst unison
```

Reconnect ethernet cable and run `/etc/rc.d/net restart` on both
machines to bring up the connection. Run

``` {.nil}
$ unison ~/var ssh://10.8.0.2/var
```

on host tethered artemis/zephyr to copy `~/var` back over to new
machine.

#### Configuration

We want mpd to run as swhitton. Uncomment loads of stuff in
`/etc/mpd.conf` (and add `mixer_type "software"` to the ALSA output to
make mpd volume independent of everything else), make sensible edits and
run

``` {.nil}
$ mkdir -p .mpd/playlists
# chown swhitton:users /var/cache/mpdscribble/*.journal
# usermod -a -G audio swhitton
```

At some point we should move the config we use inside `/home/swhitton`
since everything happens there now.

Add this line to `/etc/hosts.allow`:

``` {.conf}
mpd: 127.0.0.1
```

Add this line to `/etc/pkgadd.conf`:

``` {.conf}
UPGRADE         ^var/cache/mpdscribble/.*\.journal$     NO
```

`.xinitrc` will take care of starting mpd and mpdscribble.

### sudo

Execute `visudo` and uncomment the line

``` {.conf}
%wheel ALL=(ALL) NOPASSWD: ALL
```

and execute

``` {.nil}
# usermod -a -G wheel swhitton
```

to give swhitton full sudo access.

### Desktop software

``` {.nil}
# prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes \
    flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp \
    xclip libreoffice scrot shared-mime-info gnome-mime-data htop at \
    filezilla abook libogg flac libvorbis easytag unzip imagemagick bc \
    aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m \
    dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts \
    ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs \
    notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist \
    guile normalize abcde cd-discid eject terminator vte-python xchat s3fs \
    service psi-im vcdimager subversion xfce-mcs-manager thunar
```

Select a theme with `gtk-chtheme`.

Do *not* be tempted to install the packages `xorg-font-adobe-100dpi` &
`xorg-font-adobe-75dpi`. They take priority over other fonts and look
rubbish, screwing things up in general.

At some point I should write a Pkgbuild to install
[pdftk](http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/), but this
is a nightmare because `gcj` is a nightmare to build, so for now I’ll
just use the pdftk on athena.

Conkeror relies on xulrunner, which at present comes with the CRUX 2.7
installation CD but, as Firefox now includes it, is not available in the
ports database. If needed in the future, the CRUX git repository history
contains the Pkgfile: links
[1](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/Pkgfile%3Bh%3D15c0967f212611b544da5381f135460b3a7f6c75%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f),
[2](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/mozconfig%3Bh%3D411ffaf26f2e0456c2c313e688cbc0c7bcfbfe7f%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f),
[3](http://crux.nu/gitweb/?p%3Dports/opt.git%3Ba%3Dblob%3Bf%3Dxulrunner/xulrunner.diff%3Bh%3D5503c8d399a8ba9af88790d2c9c64de38e191ddc%3Bhb%3D765241f5fc2ef30ca99e643ea667930f6e8e163f).


<!-- #### CANCELLED Write Pkgfile for TeX Live<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 14:50\] -->

<!-- This will need these pages: -->
<!-- <http://www.tug.org/texlive/quickinstall.html> -->
<!-- <http://www.tug.org/texlive/acquire-netinstall.html> and then some way -->
<!-- of telling the install script what to do without doing so interactively. -->
<!-- -profile seems to be the way to go. Symlinks for manpages, infopages and -->
<!-- the binaries, too. -->

<!-- #### DONE Investigate `xulrunner`<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 19:11\] -->

<!-- It seems to be installed when the distro was installed yet isn’t in the -->
<!-- ports db? Removed intentionally. -->

<!-- #### CANCELLED Add xfce repository in order to install xfburn<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 14:50\] -->

<!-- Don’t really want to do this until dealt with freetype issue. Maybe a -->
<!-- dummy package? -->

<!-- xcdroast? Tried to install it… -->

<!-- At the moment we just use: genisoimage -o tmp/dvd.iso local/toburn -->
<!-- growisofs -Z /dev/sr0=/home/swhitton/tmp/dvd.iso -->

<!-- prt-get readme cdrkit explains why burndir won’t work: growisofs is -->
<!-- looking for mkisofs instead of genisoimage. -->

<!-- #### CANCELLED Make abiword work<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 14:50\] -->

<!-- gnome-keyring will need fixing/version bumping as it looks for a version -->
<!-- of libtasn that is too old. -->

<!-- #### DONE Fix /usr/share ownership when installing my recently created packages<span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-29 Mon 20:24\] -->

<!-- I think it has something to do with a package installing some zsh -->
<!-- completions. -->


### OpenVPN

We want the OpenVPN configuration files to be encrypted, so we keep them
under `/home` and symlink the directory into `/etc`.

``` {.nil}
# mkdir -p /home/etc/openvpn
# ln -s /home/etc/openvpn /etc
# prt-get depinst openvpn
```

Copy into `/etc/openvpn` the files `ca.crt`, `artemis.crt` and
`artemis.key` and then create `/etc/openvpn/tap.conf`:

``` {.conf}
client
remote 212.13.194.60 1194
dev tap
proto tcp
resolv-retry infinite
nobind
persist-remote-ip
persist-local-ip
ping 5
ping-restart 10
ping-timer-rem
persist-key
persist-tun
verb 2
ca /etc/openvpn/ca.crt
cert /etc/openvpn/artemis.crt
key /etc/openvpn/artemis.key
comp-lzo
;redirect-gateway def1
```

where the final line is to be uncommented when on my untrusted
university LAN. Add `openvpn` to the daemons started in `/etc/rc.conf`.
Use udp rather than tcp on desktop.

Create the `/etc/rc.d/openvpn` script (stolen from Arch):

``` {.bash}
#!/bin/sh
#
# /etc/rc.d/openvpn: start/stop vpn daemon
#

CFGDIR="/etc/openvpn"
STATEDIR="/var/run/openvpn"

case $1 in
start)
        mkdir -p "${STATEDIR}"
        for cfg in "${CFGDIR}"/*.conf; do
          /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}"
        done
    ;;
stop)
        for pidfile in "${STATEDIR}"/*.pid; do
          kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
          rm -f "${pidfile}"
        done
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac

# End of file
```

and fire her up:

``` {.nil}
# /etc/rc.d/openvpn start
```


### SSH configuration

Download the keys `desktop-key` and `key` into `~/.ssh`, and in
`~/.ssh/config` replace `athena.silentflame.com` with `athena.athenet`
and add

``` {.conf}
Host selene
User root
HostName selene.silentflame.com
IdentityFile ~/.ssh/desktop-key

Host raven
User ball3162
HostName linux.ox.ac.uk
IdentityFile ~/.ssh/desktop-key
```

### E-mail

Our first real encounter with pre-install scripts. `prt-get readme
dovecot/postfix` will provide an explanation.

``` {.nil}
# pkgrm exim
# prt-get depinst dovecot postfix offlineimap
```

We add the following line in `/etc/dovecot/conf.d/10-mail.conf`:

``` {.conf}
mail_location = maildir:~/.gnus.d/Maildir
```

and the following in `/etc/postfix/main.cf`:

``` {.conf}
relayhost = [10.9.8.1]:25
```

and we’re done. We may now run

``` {.nil}
# /etc/rc.d/postfix start
$ offlineimap
```

to do the initial download of my e-mail. Add the postfix daemon to
`/etc/rc.conf` (but not dovecot). You might want to test that e-mail
goes where it should via telnet:

``` {.nil}
~ # telnet localhost 25
Trying 127.0.0.1…
erase character is '^H'.
Connected to localhost.
Escape character is '^]'.
220 artemis.localdomain ESMTP Postfix
>>> EHLO localhost
250-artemis.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk>
250 2.1.0 Ok
>>> rcpt to:<spwhitton AT-NOSPAMHEREEITHERPLZ gmail.com>
250 2.1.5 Ok
>>> data
354 End data with <CR><LF>.<CR><LF>
>>> Dear Sean,

>>> This is my test message.  Thanks.

>>> Thanks.
>>> .
250 2.0.0 Ok: queued as C0CEFB9
quit
221 2.0.0 Bye
Connection closed by foreign host
```

where `>>>` prefixes a line I typed. This is the most esoteric e-mail
route I can come up with, where the mail goes local -> athena -> Oxford
smtp -> gmail -> athena -> local, so check the headers to make sure it’s
gone everywhere it should.

Now that `~/.newsrc.eld` isn’t synced between machines, recreate Gnus
group tree as follows (`^` opens tree and `u` subscribes to items; `Tn`
to create new topics and `GV` and `Gv` to manipulate virtual groups; `u`
to kill off things like `gnus-help`):

``` {.nil}
[ Gnus -- 54 ]
       0 / 19   / 1199 : INBOX
       0 / 1    / 2423 : Notices & updates
       9 / 16   / 2408 : Feeds & lists
         0 / *    / 0    : feeds.Guardian
  [ Listservs -- 1 ]
         0 / 1    / 372  : lists.BitFolk
*        0 / 0    / 140  : lists.VCS-Home
         0 / 0    / 27   : lists.Wikizine
  [ Feeds -- 16 ]
         1 / 4    / 595  : feeds.Blogs
         7 / 7    / 1320 : feeds.Comics
         1 / 3    / 253  : feeds.Friends
         0 / 2    / 240  : feeds.Tech
  [ Personal -- 1 ]
*        0 / 0    / 5080 : archive
         0 / 0    / 99   : drafts
         0 / 0    / 1735 : notices
         0 / 0    / 2245 : sent
*        0 / 0    / 40   : temptodo
         0 / 1    / 688  : updates
```

### crontab

``` {.cron}
*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null
0 * * * * /home/swhitton/bin/doccheckin >/dev/null
```

### acpid & laptop-mode

Most of this is only on artemis. First we disable updatedb which can
block suspend (on zephyr & artemis).

#### laptop-mode

``` {.nil}
# rm /etc/cron/daily/mlocate
# prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors
```

Add the acpid and laptop-mode daemons to `/etc/rc.conf` (in that order).

I am not sure laptop mode is doing everything it can to save power
because `/etc/laptop-mode/conf.d/` doesn’t exist, as it does on Arch. At
some point may wish to look into improving things, using the
[Arch](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools)
[wiki](https://wiki.archlinux.org/index.php/Laptop_Mode_Tools) (two
links).


#### `lenovo-sl-laptop`

The `lenovo-sl-laptop` module provides control of the backlight and
access to various hotkeys from X. Recompiling the kernel wipes it out so
remember to re-add it should you need to do that.

``` {.nil}
# cd ~/local/src
# git clone git://github.com/tadzik/lenovo-sl-laptop.git
# cd lenovo-sl-laptop
# make
# mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf
# echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs
```


Add `acpi_backlight=vendor` to the kernel boot line in
`/etc/lilo.conf` and run `lilo` to put it in place.

#### Suspend on lid closure

Edit the file `/etc/acpi/actions/lm_lid.sh` and add this block to the
top:

``` {.bash}
if grep -q closed /proc/acpi/button/lid/LID/state; then
    sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock
fi
```

Sometimes a stale lock file prevents `pm-suspend` from working with no
errors or log messages. To deal with this:

``` {.nil}
# rm /var/run/pm-utils/locks/pm-suspend.lock
```

### autofs & NFS

``` {.nil}
# prt-get depinst autofs
# rm /etc/autofs/auto.{master,net,media}
```

`/etc/autofs/auto.master`:

``` {.conf}
/media /etc/autofs/auto.media
/net /etc/autofs/auto.net --timeout=30
```

`/etc/autofs/auto.net`:

``` {.conf}
athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp
share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files
```

`/etc/autofs/auto.media`:

``` {.conf}
cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0
usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1
```

Add rpcbind, nfs and autofs to the daemons array in `/etc/rc.conf`, in
that order.

Should now have in that array, in this order: acpid, laptop-mode, alsa,
net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn,
postfix, sshd.

Protect these configs in `/etc/pkgadd.conf`:

``` {.conf}
UPGRADE         ^etc/autofs/auto\..*$ NO
```


### Warcraft III, wine etc. (/opt in general)

``` {.nil}
# prt-get depinst wine
```

The AcceptEx patch has now been merged with Wine so you should just be
able to install Warcraft III and its expansion and then update right off
Battle.net. And it seems Wine is able to trap the mouse inside the
window now too. Still rename Movies to Moviez, but the patch sorts out
resolution issues. Nice.

Run `winecfg` and enable emulate virtual desktop to play.

### StarCraft II

The most recent versions of wine allow you to get your mouse pointer
trapped in the window and work great with fullscreen windowed, but an
older version of wine is required for installation—at the time of
writing the most recent that works is 1.2.3. Begin by copying the two
wine package files of 1.2.3 and the most recent version (at the time of
writing, 1.3.24) into `/var/pkgmk/packages`. Mount the StarCraft II DVD
and copy the files to home directory to install:

``` {.nil}
# mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd
$ mkdir ~/tmp/sc2
$ cp -R /mnt/cd/* ~/tmp/sc2
$ wine start ~/tmp/sc2/Installer.exe
```

Run `winecfg` and disable `mmdevapi` completely under the Library tab.
After the game has finished installing and patching (takes forever),
switch the wine version (with `pkgadd -u /var/pkgmk/packages/…`) and set
the game to lowish graphics and select fullscreen windowed (lower than
what you’d have in Windows on the same hardware). Run `winecfg` again
and tick the trap mouse in full screen checkbox under the Graphics tab.

Cleanup:

``` {.nil}
# umount /mnt/cd
$ rm -rf ~/tmp/sc2
```

#### USB mouse

For StarCraft II on artemis you will want a USB mouse. This requires
`usbhid` to be compiled into the kernel, and then edit
`/etc/X11/xorg.conf`; replace the entire mouse section:

``` {.conf-space}
Section "InputDevice"
    Identifier     "Mouse0"
    Driver         "mouse"
    Option         "Protocol" "IMPS/2"
    Option         "Device" "/dev/input/mice"
    Option         "ZAxisMapping" "4 5"
EndSection
```

and then add to the `ServerLayout` section:

``` {.conf-space}
Option "AllowEmptyInput" "false"
```

### VirtualBox

This need only be done on zephyr (since it’s more powerful).

``` {.nil}
# prt-get depinst virtualbox
# usermod -a -G vboxusers swhitton
```

Worth setting up an Ubuntu VPS for testing. Remember to modprobe
`vboxdrv` before running VirtualBox.

### Browser plugins

Install Firemacs into Firefox, and change (some of the) bindings to
match Conkeror. Add AdBlockPlus to Conkeror but not NoScript, as the
glue (`require("noscript");`) doesn’t work very well.

### Emacs keys in GTK apps

``` {.nil}
# prt-get install gconf
$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0
$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs
```

We don’t seem to have backward-delete-word on `C-w` with this, though.

Miscellaneous notes
===================

Backup strategy
---------------

All information to set the system up is in this document, so only the
contents of `/home/swhitton` need to be backed up, assuming, that is,
that all Pkgfiles have been uploaded to my CRUX repository. Of this:

-   most directories are synced with my mr/git/gitosis setup;
-   `~/var` may be synced using Unison;
-   `~/local` and `~/tmp` need to be backed up manually;
-   check for any leftover non-hidden files in `~`;
-   dotfiles in `~` should already be checked into version control;
    those that are not are probably safe to discard;
-   any custom ports in `/usr/ports/local` that have not yet been
    transitioned into `~/src/ports`.

The only other places where there may be things to save are `/srv`
(should be symlinked into `/home` so that it’s encrypted, though),
`/var` (unlikely) and of course the Windows partition.

<!-- Ports repository -->
<!-- ---------------- -->

<!-- ### DONE Set up `crux.sean.whitton.me` httpup ports repo<span class="tag" data-tag-name="ProjectIdea"></span><span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-08-30 Tue 16:56\] -->

<!-- <http://crux.nu/Wiki/SettingUpAnHttpupRepo> -->

<!-- #### DONE [CRUX ports](http://obra.se/)<span class="tag" data-tag-name="ToRead"></span><span class="tag" data-tag-name="NOEXPORT"></span> -->

<!-- CLOSED: \[2011-07-17 Sun 22:43\] -->

<!-- portspage script -->

Local LAMP setup for development
--------------------------------

### lighttpd & PHP

``` {.nil}
# prt-get depinst lighttpd php
# useradd -s /bin/false lighttpd
# groupadd lighttpd
# touch /var/www/logs/access_log
# touch /var/www/logs/error_log
# chown lighttpd:lighttpd /var/www/logs/*
```

Add `mod_fastcgi` to the modules listing and switch to the non-chroot
setup. Add to the end of the config file:

``` {.conf}
fastcgi.server    = ( ".php" => 
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1, # default: 2
        "idle-timeout" => 20,
        "bin-environment" => ( 
            "PHP_FCGI_CHILDREN" => "3", # default: 4
            "PHP_FCGI_MAX_REQUESTS" => "10000"
        ),
        "bin-copy-environment" => (
            "PATH", "SHELL", "USER"
        ),
        "broken-scriptfilename" => "enable"
    )))
```

Add to `/etc/hosts.allow`:

``` {.conf-colon}
www: 127.0.0.1
```

When you want to use the web server, call `/etc/rc.d/lighttpd start`.

### MySQL

``` {.nil}
# prt-get depinst mysql php-mysql php-mysqli php-fcgi
# mysql_install_db
# mysqladmin -u root password <password_here>
```

Comment out `skip-innodb` and `skip-networking` in `/etc/my.cnf`. Start
the daemon when needed.
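
With `skip-networking` commented out, mysqld listens on TCP, and with no `bind-address` line it does so on every interface rather than only on the loopback this local setup needs. The check below is an added example, not part of the original notes; the function name `mysqld_exposure` and the sample file are constructed for illustration, and only the `[mysqld]` group is read.

```shell
#!/bin/sh
# Added example: report how mysqld will listen, judged from a my.cnf file.
# Prints one of: socket-only | loopback | exposed
# Assumption: only the [mysqld] group is inspected; included files are ignored.
mysqld_exposure() {
    awk '
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        /^\[/    { in_mysqld = (tolower($0) == "[mysqld]"); next }
        !in_mysqld { next }
        {
            n   = index($0, "=")
            key = (n ? substr($0, 1, n - 1) : $0)
            val = (n ? substr($0, n + 1) : "")
            gsub(/[ \t]/, "", key); gsub(/[ \t"]/, "", val)
            gsub(/_/, "-", key); key = tolower(key)   # bind_address == bind-address
            if (key == "skip-networking") skip = (tolower(val) !~ /^(0|off|false)$/)
            if (key == "bind-address")    bind = val
        }
        END {
            if (skip) print "socket-only"            # no TCP listener at all
            else if (bind ~ /^127\./ || bind == "::1" || bind == "localhost")
                print "loopback"                     # TCP, local clients only
            else print "exposed"                     # unset or non-loopback address
        }
    ' "$1"
}

# Constructed sample: my.cnf after commenting out both options as described above.
sample=$(mktemp)
printf '[mysqld]\n#skip-innodb\n#skip-networking\n' > "$sample"
echo "skip-networking commented out: $(mysqld_exposure "$sample")"
printf 'bind-address = 127.0.0.1\n' >> "$sample"
echo "with bind-address added:       $(mysqld_exposure "$sample")"
rm -f "$sample"
```

Run it as `mysqld_exposure /etc/my.cnf` before starting the daemon; anything other than `socket-only` or `loopback` means the database is reachable from the network.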

<!-- DONE --> ioquake setup
------------------

<!-- CLOSED: \[2011-08-29 Mon 15:11\] -->

ioquake installs per-user, so this is very neat. Visit [the
website](http://ioquake3.org/get-it/) and download the engine and the
data installer. Use install path `~/local/bin` and binary path
`~/bin`. Install the data files with the same settings (leave tick boxes
as they are). Then take `pak0.pk3` from a copy of Quake III Arena and
drop it into `~/local/bin/ioquake3/baseq3`. To run, edit `.xinitrc` to
set ioquake3 as window manager and re-login.

<!-- DONE <http://crux.nu/ports/crux-2.7/opt/service/Pkgfile><span class="tag" data-tag-name="ToRead"></span> -->
<!-- -------------------------------------------------------------------------------------------------------- -->

<!-- CLOSED: \[2011-08-29 Mon 14:49\] -->

Other resources
===============

-   [The CRUX handbook](http://crux.nu/Main/Handbook2-7), of course
-   [An alternative installation
    guide](http://www.linuxforums.org/forum/coffee-lounge/121441-how-install-crux.html)
    by Dapper Dan
-   [The only other CRUX
    thread](http://www.linuxforums.org/forum/installation/129422-solved-crux-install-problem.html)
    on Linux Forums, afaict
-   [The only information I can find on setting up full disc encryption
    with CRUX](http://crux.nu/Wiki/Cryptsetup)
-   [K.Mandla’s blog](http://kmandla.wordpress.com/), who inspired me to
    try out CRUX
    -   K.Mandla on [building an ultralight
        kernel](http://kmandla.wordpress.com/2010/07/02/configuring-an-ultralight-2-6-34-kernel/)
-   The [Arch wiki](http://wiki.archlinux.org/), the best place for
    guides on this semi-minimalist style of GNU/Linux computing
-   On X11 font rendering:
    -   [Arch
        wiki](https://wiki.archlinux.org/index.php/Font_Configuration#Patched_packages)
    -   [K.Mandla](http://kmandla.wordpress.com/2008/10/29/fonts-as-sharp-as-razors-crux-ports-for-lcd-patches/)
    -   Arch BBS:
        [1](https://bbs.archlinux.org/viewtopic.php?id%3D16372),
        [2](https://bbs.archlinux.org/viewtopic.php?id%3D108884),
        [3](https://bbs.archlinux.org/viewtopic.php?id%3D105839)
    -   [Gentoo
        forums](http://forums.gentoo.org/viewtopic-t-723341.html)
    -   [Infinality
        forums](http://www.infinality.net/forum/viewtopic.php?f%3D2&t%3D74)
    -   [about all » Xft, Fonts X11,
        Terminus](http://wp.psyx.us/?p%3D235)
-   [Password-protecting LILO at various
    levels](http://www.brunolinux.com/05-Configuring_Your_System/Password_Protect_Lilo.html)
-   [StarCraft II on the Arch
    wiki](https://wiki.archlinux.org/index.php/Starcraft2)

[^1]: Some daemons may still write some logs; if this happens, nuke them
    and hope they weren't important. Yes, there are probably better
    approaches.