Note that this was the result of an upgrade of 20.04 to 22.04 - these may not be completely accurate for a clean install, as that has not been vetted.
As the minimal CD is no more, and the installer doesn't do everything we need, we'll need to boot a live image, do some console stuff, then do the install. So, without further ado....
Refs: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
- Boot the desktop LiveCD
- Choose "Try and Install Xubuntu"
- Once it boots, choose language and "Try Xubuntu".
- Once you get a desktop, open a terminal and start setting things up.
You need to become root (or enter `sudo` way too many times):
sudo -i
Partitioning
For the purposes of the following, we'll assume that disk 1 is `/dev/nvme0n1` and disk 2 is `/dev/nvme1n1`. Adjust as appropriate for your system. We start with exports to save some typing.
export DEV1="/dev/nvme0n1"
export DEV2="/dev/nvme1n1"
And, stealing from the clever trick in the reference, account for the NVME drives having a "p" for the partition.
export DEV1P="${DEV1}$( if [[ "$DEV1" =~ "nvme" ]]; then echo "p"; fi )"
export DEV2P="${DEV2}$( if [[ "$DEV2" =~ "nvme" ]]; then echo "p"; fi )"
Delete all the partitions on both drives:
sgdisk --zap-all $DEV1
sgdisk --zap-all $DEV2
You probably want to reboot at this time, because the installer tries to be helpful by doing things like activating swap, which means you need to deactivate everything it activated in order to do the following steps. Rebooting makes this easier.
After that, create some new ones, set their types and names correctly, and create a hybrid MBR.
sgdisk --new=1:0:+1G $DEV1
sgdisk --new=2:0:+2M $DEV1
sgdisk --new=3:0:+1G $DEV1
sgdisk --new=4:0:0 $DEV1
sgdisk --typecode=1:FD00 --typecode=2:EF02 --typecode=3:EF00 --typecode=4:FD00 $DEV1
sgdisk --change-name=1:"Encrypted boot RAID" --change-name=2:"BIOS boot partition" --change-name=3:"EFI system partition" --change-name=4:"Encrypted LVM RAID" $DEV1
sgdisk --hybrid 1:2:3 $DEV1
Print the table to check it.
sgdisk --print $DEV1
Assuming it's good, copy the partition info from the first drive to the second, so they match, making sure to create new GUIDs for the disk (so they're not just plain copies).
sgdisk -R $DEV2 $DEV1
sgdisk -G $DEV2
And make sure the kernel has the new partition table in memory:
partprobe
RAID array creation
First, install the mdadm tool:
sudo apt install mdadm
Then create the RAID arrays:
mdadm --create md0 --level=1 --raid-devices=2 ${DEV1P}1 ${DEV2P}1
mdadm --create md1 --level=1 --raid-devices=2 ${DEV1P}4 ${DEV2P}4
Set crypto for boot array.
Note that, due to GRUB limitations, the older LUKS1 format is required for the boot partition. See the explanation here for more information.
cryptsetup luksFormat --type=luks1 /dev/md/md0
And for the main array:
cryptsetup luksFormat /dev/md/md1
Then open both of them:
cryptsetup open /dev/md/md0 md0_crypt
cryptsetup open /dev/md/md1 md1_crypt
Again, because of installer limitations, it doesn't let you create a filesystem on the boot partition, so let's do that:
mkfs.ext4 -L boot /dev/mapper/md0_crypt
Alternatively, create a btrfs filesystem similarly:
mkfs.btrfs -L boot /dev/mapper/md0_crypt
Since we're formatting things, format the EFI partitions:
mkfs.vfat -n EFI ${DEV1P}3
mkfs.vfat -n EFI ${DEV2P}3
Create the LVM stuff (again, installer limitations...):
pvcreate /dev/mapper/md1_crypt
vgcreate drives /dev/mapper/md1_crypt
lvcreate --size 8G --name swap drives
lvcreate --size 25G --name tmp drives
lvcreate --size 50G --name var drives
lvcreate --size 50G --name root drives
lvcreate --extents 100%FREE --name home drives
Which corresponds to the following partitions and sizes (mountpoints are for reference and used later):

| LVM Partition | Size | Mountpoint |
| --- | --- | --- |
| swap | 8GB | |
| tmp | 25GB | /tmp |
| var | 50GB | /var |
| root | 50GB | / |
| home | Rest | /home |

Note that a larger swap is necessary for machines where you want to hibernate. If so, you need at least as much swap space as you have RAM, so do that plus a bit. See this article for suggestions, but 64GB RAM gets 72GB swap. If you don't care about hibernation, you can go as small as you like. I typically use 8GB for most machines.
Note 1: Over time, `/var` has gotten larger due to the proliferation of containers (docker, snap, etc.). If you do not plan to use these, it can be smaller.
Note 2: For some machines, a common area of `/pub`, or `/shared`, might be appropriate, and should be taken out of `/home`.
Once that is all done, minimize the terminal window (you'll want to leave it open for later) and start the installer by double clicking the icon on the desktop.
The installer
Proceed through as normal, selecting sane choices until you get to the "Installation Type" screen, where you want to choose "Something else". It will detect all of the volumes already created and you can set mountpoints and filesystems as normal.
Set the boot loader installation to be on the first hard drive (doesn't matter, it will fail anyway).
Let the installer run and then it will fail to install grub. This is expected and is a result of some naming issues. Tell the installer to continue without installing a bootloader - we'll do so manually in the next step.
The installer crashes (because, obviously, this is the correct behavior), but this is the last step of the install, so we're okay. Let it continue and crash, and then go on to the next step.
(You may need to kill the installer with `killall ubiquity`.)
Manual bootloader installation
The core issue is that the installer isn't set up for working with metadisks, so we need to set it up ourselves. But, we need to be in a chroot environment to do the `grub-install`, so, mount our root fs:
mount /dev/mapper/drives-root /target
If using btrfs, the above needs to be like:
mount /dev/mapper/drives-root /target -o subvol=@
Then do:
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
chroot /target
mount -a
We also need to tell grub to use crypto disks:
echo "GRUB_ENABLE_CRYPTODISK=y" > /etc/default/grub.d/local.cfg
And, neither the mdadm nor the cryptsetup tools are installed in the chroot, and we need those for grub to be able to do useful things with the md arrays, and to be able to boot afterwards. So, install them.
apt install mdadm cryptsetup-initramfs
And now, finally, we can install grub:
grub-install $DEV1
grub-install $DEV2
But, we also need to tell linux to unlock our filesystems and rebuild the initramfs:
echo "md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none luks,discard" >> /etc/crypttab
echo "md1_crypt UUID=$(blkid -s UUID -o value /dev/md1) none luks,discard" >> /etc/crypttab
update-initramfs -u -k all
Once this is all done, you can reboot into your newly created machine.
(You can do this after you've booted into the new machine, but remember to set `DEV1`, `DEV2`, `DEV1P`, and `DEV2P` first, as described at the beginning of this section.)
If you want to save some typing, you can create keyfiles which are built into the initramfs and used to unlock the encrypted volumes. Note that they are relatively safe because they are installed on an encrypted volume - but, if someone were to compromise the running system, they could conceivably grab the file then use it to decrypt the volume - your call.
Configure it to build the keyfile into the initramfs:
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
Create the keyfile (a 512 byte random number), and add it as a key to both volumes.
mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot.keyfile bs=512 count=1
chmod 0500 /etc/luks
chmod 0400 /etc/luks/boot.keyfile
cryptsetup luksAddKey /dev/md0 /etc/luks/boot.keyfile
cryptsetup luksAddKey /dev/md1 /etc/luks/boot.keyfile
Remove the existing `crypttab`, add the new lines which say to use the keys we just created, then rebuild the `initramfs`.
rm /etc/crypttab
echo "md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab
echo "md1_crypt UUID=$(blkid -s UUID -o value /dev/md1) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab
update-initramfs -u -k all
Reboot and you'll enter your password less.
As the minimal CD is no more, and the installer doesn't do everything we need, we'll need to boot a live image, do some console stuff, then do the install. So, without further ado....
Refs: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
- Boot the desktop LiveCD
- Choose "Try and Install Xubuntu"
- Once it boots, choose language and "Try Xubuntu".
- Once you get a desktop, open a terminal and start setting things up.
You need to become root (or enter `sudo` way too many times):
sudo -i
Partitioning
For the purposes of the following, we'll assume that the disk is `/dev/nvme0n1`. Adjust as appropriate for your system. We start with exports to save some typing.
export DEV="/dev/nvme0n1"
And, stealing from the clever trick in the reference, account for the NVME drives having a "p" for the partition.
export DEVP="${DEV}$( if [[ "$DEV" =~ "nvme" ]]; then echo "p"; fi )"
Delete all the partitions:
sgdisk --zap-all $DEV
You probably want to reboot at this time, because the installer tries to be helpful by doing things like activating swap, which means you need to deactivate everything it activated in order to do the following steps. Rebooting makes this easier.
After that, create some new ones, set their types and names correctly, and create a hybrid MBR.
sgdisk --new=1:0:+1G $DEV
sgdisk --new=2:0:+2M $DEV
sgdisk --new=3:0:+1G $DEV
sgdisk --new=4:0:0 $DEV
sgdisk --typecode=1:FD00 --typecode=2:EF02 --typecode=3:EF00 --typecode=4:FD00 $DEV
sgdisk --change-name=1:"Encrypted boot" --change-name=2:"BIOS boot partition" --change-name=3:"EFI system partition" --change-name=4:"Encrypted LVM" $DEV
sgdisk --hybrid 1:2:3 $DEV
Print the table to check it.
sgdisk --print $DEV
And make sure the kernel has the new partition table in memory:
partprobe
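The two checks below are an added example, not part of these notes: `part_dev` generalises the "p" trick (the kernel adds a "p" whenever the disk name ends in a digit, so it also covers mmcblk and loop devices, not only nvme), and `check_layout` parses saved `sgdisk --print` output and confirms that partitions 1 to 4 carry the type codes set above, in both the RAID and single-disk variants. The function names and the sample table are mine; the sample sector numbers are constructed, not taken from a real disk.

```shell
#!/bin/sh
# Added example (not from the original notes): generic partition naming plus
# a check that a saved "sgdisk --print" table matches the four-partition
# layout above. Function names and the sample table are constructed here.

# part_dev DISK N -> device node for partition N of DISK.
# The kernel inserts a "p" whenever the disk name ends in a digit, so this
# covers mmcblk0 and loop0 as well as the nvme case handled by DEVP above.
part_dev() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# GPT type codes the sgdisk --typecode command above assigns to partitions 1-4.
EXPECTED_CODES="1:FD00 2:EF02 3:EF00 4:FD00"

# check_layout FILE -> 0 if FILE (output of "sgdisk --print $DEV") lists
# exactly partitions 1-4 with those type codes, 1 otherwise.
# A partition row looks like
#   1            2048         2099199   1024.0 MiB  FD00  Encrypted boot
# so the number is field 1 and the code field 6 (the size is always two fields).
check_layout() {
    found=$(awk '$1 ~ /^[0-9]+$/ { printf "%s:%s ", $1, $6 }' "$1")
    found=${found% }
    if [ "$found" = "$EXPECTED_CODES" ]; then
        return 0
    fi
    echo "unexpected layout: '$found' (want '$EXPECTED_CODES')" >&2
    return 1
}

# write_sample_table FILE -> writes a constructed sgdisk --print listing for a
# 1 TB disk partitioned as above (numbers are illustrative, not from a real disk).
write_sample_table() {
    cat > "$1" <<'EOF'
Disk /dev/nvme0n1: 1953525168 sectors, 931.5 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1953525134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         2099199   1024.0 MiB  FD00  Encrypted boot
   2         2099200         2103295   2.0 MiB     EF02  BIOS boot partition
   3         2103296         4200447   1024.0 MiB  EF00  EFI system partition
   4         4200448      1953525134   929.5 GiB   FD00  Encrypted LVM
EOF
}
```

On the live system, `sgdisk --print $DEV > /tmp/table.txt && check_layout /tmp/table.txt` confirms the table before anything is encrypted on top of it.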
Set crypto for the boot partition.
Note that, due to GRUB limitations, the older LUKS1 format is required for the boot partition. See the explanation here for more information.
cryptsetup luksFormat --type=luks1 ${DEVP}1
And for the main partition:
cryptsetup luksFormat ${DEVP}4
Then open both of them:
cryptsetup open ${DEVP}1 boot_crypt
cryptsetup open ${DEVP}4 lvm_crypt
Again, because of installer limitations, it doesn't let you create a filesystem on the boot partition, so let's do that:
mkfs.ext4 -L boot /dev/mapper/boot_crypt
Alternatively, create a btrfs filesystem similarly:
mkfs.btrfs -L boot /dev/mapper/boot_crypt
Since we're formatting things, format the EFI partition:
mkfs.vfat -n EFI ${DEVP}3
Create the LVM stuff (again, installer limitations...):
pvcreate /dev/mapper/lvm_crypt
vgcreate drives /dev/mapper/lvm_crypt
lvcreate --size 8G --name swap drives
lvcreate --size 25G --name tmp drives
lvcreate --size 50G --name var drives
lvcreate --size 50G --name root drives
lvcreate --extents 100%FREE --name home drives
Which corresponds to the following partitions and sizes (mountpoints are for reference and used later):

| LVM Partition | Size | Mountpoint |
| --- | --- | --- |
| swap | 8GB | |
| tmp | 25GB | /tmp |
| var | 50GB | /var |
| root | 50GB | / |
| home | Rest | /home |

(See the discussion in the RAID section for information about swap size, etc.)
Once that is all done, minimize the terminal window (you'll want to leave it open for later) and start the installer by double clicking the icon on the desktop.
The installer
Proceed through as normal, selecting sane choices until you get to the "Installation Type" screen, where you want to choose "Something else". It will detect all of the volumes already created and you can set mountpoints and filesystems as normal.
Set the boot loader installation to be on the first hard drive (doesn't matter, it will fail anyway).
Let the installer run and then it will fail to install grub. This is expected and is a result of some naming issues. Tell the installer to continue without installing a bootloader - we'll do so manually in the next step.
The installer crashes (because, obviously, this is the correct behavior), but this is the last step of the install, so we're okay. Let it continue and crash, and then go on to the next step.
(You may need to kill the installer with `killall ubiquity`.)
Manual bootloader installation
Technically, you can get the bootloader to install if you edit some config files while it is working, but we need to do some post-install setup anyway, so we might as well just install the bootloader manually as well. But, we need to be in a chroot environment to do the `grub-install`, so, mount our root fs:
mount /dev/mapper/drives-root /target
If using btrfs, the above needs to be like:
mount /dev/mapper/drives-root /target -o subvol=@
Then do:
for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
chroot /target
mount -a
We also need to tell grub to use crypto disks:
echo "GRUB_ENABLE_CRYPTODISK=y" > /etc/default/grub.d/local.cfg
And, the cryptsetup tools aren't installed in the chroot, and we need them to be able to boot afterwards. So, install them.
apt install cryptsetup-initramfs
And now, finally, we can install grub:
grub-install $DEV
But, we also need to tell linux to unlock our filesystems and rebuild the initramfs:
echo "boot_crypt UUID=$(blkid -s UUID -o value ${DEVP}1) none luks,discard" >> /etc/crypttab
echo "lvm_crypt UUID=$(blkid -s UUID -o value ${DEVP}4) none luks,discard" >> /etc/crypttab
update-initramfs -u -k all
Once this is all done, you can reboot into your newly created machine.
(You can do this after you've booted into the new machine, but remember to set `DEV` and `DEVP` first, as described at the beginning of this section.)
If you want to save some typing, you can create keyfiles which are built into the initramfs and used to unlock the encrypted volumes. Note that they are relatively safe because they are installed on an encrypted volume - but, if someone were to compromise the running system, they could conceivably grab the file then use it to decrypt the volume - your call.
Configure it to build the keyfile into the initramfs:
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
Create the keyfile (a 512 byte random number), and add it as a key to both volumes.
mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot.keyfile bs=512 count=1
chmod 0500 /etc/luks
chmod 0400 /etc/luks/boot.keyfile
cryptsetup luksAddKey ${DEVP}1 /etc/luks/boot.keyfile
cryptsetup luksAddKey ${DEVP}4 /etc/luks/boot.keyfile
Remove the existing `crypttab`, add the new lines which say to use the keys we just created, then rebuild the `initramfs`.
rm /etc/crypttab
echo "boot_crypt UUID=$(blkid -s UUID -o value ${DEVP}1) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab
echo "lvm_crypt UUID=$(blkid -s UUID -o value ${DEVP}4) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab
update-initramfs -u -k all
Reboot and you'll enter your password less.
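An added check, not part of these notes, for the keyfile setup in both the RAID and single-disk variants above: it validates each crypttab entry (device given as `UUID=`, `luks` option present, keyfile present and mode 0400) and confirms the initramfs images ended up mode 0600, which is what the `UMASK=0077` line is for, since the keyfile is copied into every image. Function names are mine; it assumes GNU `stat` (Ubuntu) and takes paths as arguments so it can run against a test tree as well as `/etc/crypttab` and `/boot`.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for the
# keyfile-based unlock configured above. Paths are arguments so the checks
# can run against a test tree; on the installed system use
#   check_crypttab /etc/crypttab && check_initramfs_perms /boot
# Function names are constructed for this example; assumes GNU stat.

# check_crypttab CRYPTTAB -> 0 if every active entry names its device by
# UUID, carries the "luks" option and, when it uses a keyfile instead of
# "none", that keyfile exists and is mode 0400 (only root can read it).
check_crypttab() {
    status=0
    while read -r name source key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$source" in
            UUID=*) ;;
            *) echo "$name: device '$source' is not given as UUID=..."; status=1 ;;
        esac
        case ",$opts," in
            *,luks,*) ;;
            *) echo "$name: options '$opts' lack 'luks'"; status=1 ;;
        esac
        if [ "$key" != "none" ]; then
            if [ ! -f "$key" ]; then
                echo "$name: keyfile $key does not exist"; status=1
            elif [ "$(stat -c '%a' "$key")" != "400" ]; then
                echo "$name: keyfile $key should be mode 0400"; status=1
            fi
        fi
    done < "$1"
    return $status
}

# check_initramfs_perms BOOTDIR -> 0 if every initrd.img-* in BOOTDIR is
# mode 0600. The keyfile is embedded in these images, so UMASK=0077 in
# initramfs.conf is what keeps them from being world-readable; this is
# the check that it took effect on every installed kernel.
check_initramfs_perms() {
    status=0
    for img in "$1"/initrd.img-*; do
        [ -e "$img" ] || { echo "no initrd images in $1"; return 1; }
        if [ "$(stat -c '%a' "$img")" != "600" ]; then
            echo "$img should be mode 0600"; status=1
        fi
    done
    return $status
}
```

Run both checks after `update-initramfs -u -k all`; a world-readable `initrd.img-*` or a keyfile that is not 0400 means the passphrase-less unlock is only as private as that file.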
Install useful base things
sudo apt install synaptic
After machine is up, run synaptic and:
- go to settings->repositories and make sure the following are enabled:
  - main
  - universe
  - restricted
  - multiverse
- And then have it select a close mirror (select "Other" from the drop down and have it select the best mirror).
(or just grab sources.list from some reasonable machine)
Do:
sudo apt update && sudo apt dist-upgrade
Install generally useful things:
sudo apt install traceroute emacs emacs-goodies-el elpa-go-mode elpa-rust-mode elpa-f elpa-let-alist elpa-markdown-mode elpa-yaml-mode elpa-flycheck cpufrequtils tigervnc-viewer symlinks sysstat ifstat dstat apg whois powertop printer-driver-cups-pdf units tofrodos ntp unrar mesa-utils mono-runtime aspell aspell-en geeqie input-utils p7zip latencytop apt-show-versions apt-file keepassx ipcalc iftop atop gkrellm gnote cheese tree gdisk lm-sensors ppa-purge mlocate gddrescue lzip lziprecover net-tools clusterssh smartmontools nvme-cli fdupes internetarchive wget apt-transport-https vorbis-tools opus-tools
sudo snap install firefox thunderbird
Update to the HWE stack
sudo apt install --install-recommends linux-generic-hwe-22.04
LAPTOP ONLY: Set CPU throttling so it doesn't overheat when it decides to turbo all the CPUs.
Rant: Turbo boost is a stupid idea. "Oh, let's run our CPU hot and let the thermal throttling stop it from actually melting". Are you really serious with this foolishness? This results in die temps upwards of 90C, a pile of thermal throttling messages in the logs, and heat buildup elsewhere in the system.
Methodology for arriving at the numbers:
a. Rough: Set it to the value that the CPU is rated for with no turbo boosting.
b. Optimal: Run something computationally intensive for a long period of time (lzip a big file). The goal here is for it to be stable and ideally stay below 80C. What you really want is for it to never thermally throttle (which will show in the syslog). If it ever does, back the speed down.
Create `/etc/default/cpufrequtils` and set the content as follows, with MAX_SPEED set as determined above. The following values are for my current Lenovo P51.
ENABLE="true"
GOVERNOR="powersave"
MAX_SPEED="3200000"
MIN_SPEED="0"
Make ssh (server) work:
- Install it, if not already installed:
sudo apt install openssh-server
- For an old machine, use the old keys - you did save /etc before you wiped it, didn't you?
- For a new machine, use the new keys generated by the distro.
- Make sure to add to the firewall:
sudo ufw allow ssh
- In `/etc/ssh/sshd_config`, set:
PermitRootLogin no
- Once you've set up public key auth, turn off password access. Edit `/etc/ssh/sshd_config` and set:
PasswordAuthentication no
- Then kick it:
sudo service ssh restart
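An added example, not part of these notes: sshd uses the first occurrence of a keyword it reads, and the stock Ubuntu 22.04 `sshd_config` opens with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there, or an earlier line in the file, wins over a `PasswordAuthentication no` appended at the bottom. `sshd_effective` (my name) models that rule so you can see which value will actually apply; it assumes absolute paths in `Include` lines and takes the config path as an argument so it can run against a test copy.

```shell
#!/bin/sh
# Added example (not from the original notes): report the value sshd will
# actually use for a keyword. sshd takes the FIRST occurrence of a keyword;
# Ubuntu 22.04's stock sshd_config begins with
#   Include /etc/ssh/sshd_config.d/*.conf
# so a drop-in there, or an earlier line in the file, wins over a value
# appended at the bottom. Function name is constructed for this example.

# sshd_effective FILE KEYWORD -> first value found for KEYWORD (matched
# case-insensitively), expanding Include files in place. Everything after a
# "Match" line is conditional and is ignored, as sshd does for the global
# context. Include globs are assumed to be absolute paths.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function scan(file,   line, n, parts, key, inc, cmd) {
            while ((getline line < file) > 0) {
                sub(/#.*/, "", line)                 # strip comments
                sub(/^[ \t]+/, "", line)             # and leading whitespace
                n = split(line, parts, /[ \t=]+/)    # "Key value" or "Key=value"
                if (n < 2) continue
                key = tolower(parts[1])
                if (key == "match") inmatch = 1
                if (inmatch) continue
                if (key == "include") {
                    cmd = "ls " parts[2] " 2>/dev/null"   # glob order, as sshd uses
                    while ((cmd | getline inc) > 0) scan(inc)
                    close(cmd)
                } else if (key == want && !found) {
                    found = 1
                    print parts[2]
                }
            }
            close(file)
        }
        BEGIN { scan(ARGV[1]); exit }
    ' "$1"
}
```

On the real host the authoritative answer is `sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication)'`, which prints the effective values sshd computes itself; the parser above is for understanding why an appended line did not take.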
Disable firewall logging (it can be quite verbose on a busy network), then turn on the firewall.
sudo ufw logging off
sudo ufw enable
Make sure to let printers through the firewall. All printers are modern enough that they'll just appear and we can print to them - no lengthy configuration required anymore. Yay progress!
sudo ufw allow cups
sudo ufw allow mdns
ntpd (for fixed machines only; for mobile, the default is fine)
- For server, make sure to add to ufw:
sudo ufw allow ntp
- For client, edit `/etc/ntp.conf` and comment out the line:
server ntp.ubuntu.com
and add the line:
server router
Add the fstab line for ramfs so I can easily mount a ramdisk whenever I have need of one:
none /mnt/ramfs ramfs noauto,user,mode=0770 0 0
make sure to make the mountpoint too:
sudo mkdir /mnt/ramfs
Allow normal users to read `dmesg` again. Edit `/etc/sysctl.d/10-kernel-hardening.conf` and uncomment the following line at the bottom of the file:
kernel.dmesg_restrict = 0
Then, to apply the change, do:
sudo service procps restart
Fix the too long timeout for the boot selection menu
Edit `/etc/default/grub` and add:
GRUB_RECORDFAIL_TIMEOUT=5
Then do:
sudo update-grub
Add `efi_sync` to the daily cron list:
cd /etc/cron.daily
sudo ln -s /home/matt/bin/efi_sync .
More applications
sudo apt install xfce4-goodies xfce4-mount-plugin usb-creator-gtk cifs-utils gnome-calculator tumbler tumbler-plugins-extra audacious
Install real chrome.
The Ubuntu packaged chromium is broken in a couple of ways - NaCL support, etc. NaCL support is required for Hangouts to work. Solution: Install Chrome from a PPA.
Instructions from: https://www.ubuntuupdates.org/ppa/google_chrome
But they do not follow best practices, so I adapted them according to docker/docs#11625
See the following for more info on chromium fail: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/882942
Do:
wget -O- https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo gpg --no-default-keyring --keyring=/usr/share/keyrings/google.gpg --import
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list'
sudo chmod a+r /etc/apt/sources.list.d/google-chrome.list
sudo apt update
sudo apt install google-chrome-stable
Stop the stupid GNOME SSH agent thing from working.
NOTE: This is a stupid hack to get around the fact that, apparently, the gnome keyring is started unconditionally with all components if any gnome services are run (and we would like to run them, just not this specific one).
To fix, do:
cd /usr/bin
sudo mv gnome-keyring-daemon gnome-keyring-daemon-wrapped
Then create a new `gnome-keyring-daemon` and set its contents to:
#!/bin/sh
exec /usr/bin/gnome-keyring-daemon-wrapped --components=pkcs11,secrets,gpg "$@"
and make it executable:
sudo chmod a+rx /usr/bin/gnome-keyring-daemon
Install slack
sudo snap install slack --classic
Install element (matrix client)
sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
sudo apt update
sudo apt install element-desktop
Install shutter
sudo snap install shutter
Install Joplin
sudo snap install joplin-desktop
Make sure to set it up for NextCloud sync. The sync URL is https://owncloud.mattcaron.net/remote.php/webdav/Joplin-sync
Install and set up ktorrent:
sudo apt install ktorrent
sudo ufw allow 6881
sudo ufw allow 8881
Make java pretty
Edit `/etc/java-11-openjdk/swing.properties` and uncomment:
swing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel
Install an equalizer (among other effects)
sudo apt install pulseeffects lsp-plugins
Add STL thumbnailer support
See https://github.com/unlimitedbacon/stl-thumb for the latest, but basically download the deb and install it:
sudo apt install libosmesa6-dev
sudo dpkg -i ./stl-thumb_0.5.0_amd64.deb
Floorplan software
sudo snap install sweethome3d-homedesign
Once installed, grab asset packs from http://www.sweethome3d.com/download.jsp and install them.
Remove audio apps that I don't use (mostly to stop them from showing in the volume control menu):
sudo apt remove clementine rhythmbox
Remove minidlna... why is this installed by default?
sudo apt remove --purge minidlna
Fix cron - add the following to the top of personal crontab:
MAILTO="[email protected]"
Install and set up ssmtp:
sudo apt install ssmtp mailutils
cd /etc/ssmtp
mv ssmtp.conf ssmtp.conf.old
cp ~/system_stuff/ssmtp/ssmtp.conf .
chgrp mail ssmtp.conf
chmod a+r ssmtp.conf
(This is all the development tools, libraries, utilities, etc. that I commonly use. There may be redundancy with the base list.)
Install development tools.
sudo apt install nmap gcc make g++ gdb autoconf libtool automake libc6-dev meld xmlstarlet libtk-gbarr-perl subversion monodoc-manual glade kcachegrind kcachegrind-converters graphviz mysql-client nant sqlite3 dia gsfonts-x11 python3-pycurl python3-paramiko python3-pip python3-virtualenv python-is-python3 python-setuptools regexxer git gitk git-svn libmath-round-perl picocom manpages-posix manpages-posix-dev manpages-dev manpages dh-make devscripts mercurial libboost-all-dev libboost-all-dev libhunspell-dev libwxgtk3.0-gtk3-dev libwxbase3.0-dev ccache npm gdc libgphobos-dev libsqlite3-dev freecad openscad slic3r arduino adb cmake libncurses-dev flex bison gperf astyle okteta
Install snapcraft
sudo snap install --classic snapcraft
Install VSCode and some plugins
sudo snap install code --classic
code --install-extension DavidAnson.vscode-markdownlint
code --install-extension rust-lang.rust-analyzer
code --install-extension tamasfe.even-better-toml
code --install-extension James-Yu.latex-workshop
code --install-extension streetsidesoftware.code-spell-checker
code --install-extension ms-azuretools.vscode-docker
code --install-extension ms-vscode.cpptools
code --install-extension ms-vscode.cmake-tools
code --install-extension chiehyu.vscode-astyle
code --install-extension leathong.openscad-language-support
(Maybe) install some extra filesystems (as needed)
sudo apt install davfs2 sshfs jmtpfs ecryptfs-utils exfatprogs exfat-fuse hfsplus libguestfs-tools
Install qbrew build dependencies:
sudo apt install qt5-qmake qtbase5-dev qttools5-dev-tools
Install Virtualbox package archive, install Virtualbox, and give users permission to use it:
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/oracle-virtualbox-2016.gpg] https://download.virtualbox.org/virtualbox/debian jammy contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
wget -O- https://www.virtualbox.org/download/oracle_vbox_2016.asc | sudo gpg --yes --output /usr/share/keyrings/oracle-virtualbox-2016.gpg --dearmor
sudo apt update
sudo apt install virtualbox-7.0
sudo usermod -a -G vboxusers matt
Install docker and give users permission to use it:
sudo apt install docker.io
sudo usermod -a -G docker matt
Install iperf and add firewall exception:
sudo apt install iperf
sudo ufw allow 5001
Install wireshark and add users to wireshark group:
sudo apt install wireshark
sudo usermod -a -G wireshark matt
Set up logic analyzer stuff (sigrok/pulseview)
Install:
sudo apt install pulseview sigrok-firmware-fx2lafw
But, it needs udev rules installed. Get the two rules files from here:
And install them into `/etc/udev/rules.d`. Note that this allows all plugdev users to use the logic analyzer (which is fine, because I am in that group).
Note that the device I have uses the `fx2lafw` driver.
Arduino hackery
I find myself using various old versions of Arduino, so some hackery is required because they link against old versions of things....
cd /usr/lib/x86_64-linux-gnu/
sudo ln -s libreadline.so.8 libreadline.so.6
sudo apt install libncurses5 libtinfo5
And make sure you have dialout perms:
sudo usermod -a -G dialout matt
Install RPi SD card imager
sudo snap install rpi-imager
Headtracking build stuff
Opentrack dependencies:
sudo apt install cmake git qttools5-dev qtbase5-private-dev libprocps-dev libopencv-dev
AITrack dependencies:
sudo apt install qtbase5-dev qtbase5-dev-tools libqt5x11extras5-dev libopencv-dev libspdlog-dev libfmt-dev libomp-12-dev libqt5x11extras5 libspdlog1 libomp5-12 libxsettings-dev libxsettings-client-dev
(This includes all kinds of desktop publishing, media manipulation and transcoding, video editing, etc.)
LaTeX
Install the "full boat" options:
sudo apt install --install-suggests texlive-full latex2html
And set things up:
cd /usr/share/texmf/tex/latex
sudo cp -a ~/system_stuff/latex/local .
sudo chown -R root:root local
sudo cp -a ~/system_stuff/latex/fonts/cookingsymbols.tfm /usr/share/texmf/fonts/tfm/public/.
sudo mkdir -p /usr/share/texmf/fonts/source/public/
sudo chmod a+rx /usr/share/texmf/fonts/source/public/
sudo cp -a ~/system_stuff/latex/fonts/cookingsymbols.mf /usr/share/texmf/fonts/source/public/.
sudo texhash
Install publishing tools from apt:
sudo apt install xsane scribus scribus-template gnuplot gnuplot-mode digikam kipi-plugins okular okular-extra-backends k3b libk3b7-extracodecs gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly kaffeine xine-ui libvdpau-va-gl1 mpg123 sox rhythmbox graphviz audacity libsox-fmt-all dvdbackup dia gsfonts-x11 ubuntustudio-fonts vorbisgain clementine krita sound-juicer djvulibre-bin djvulibre-desktop pdf2djvu ubuntu-restricted-extras cheese arandr blender kdenlive kino tesseract-ocr ffmpeg2theora mp3info libreoffice meshlab pithos handbrake
And some of them are snaps now:
sudo snap install mp3gain
Install dvdstyler:
sudo add-apt-repository ppa:ubuntuhandbook1/dvdstyler
sudo apt install dvdstyler
Set up video editing:
Add user to video group so I can capture video:
sudo usermod -a -G video matt
Change wodim to be suid root to limit having to sudo.
sudo chmod u+s `which wodim`
Make DVDs work
From: http://www.videolan.org/developers/libdvdcss.html
sudo apt install libdvd-pkg
sudo dpkg-reconfigure libdvd-pkg
This machine has 2 NVMe drives set up in a RAID setup, as described above, and then a bunch of single drives for working, etc. - basically, stuff that doesn't need to be redundant because if I lose it, it's not a big deal, because I can download it again.
UPS
The first bit, with GNOME, doesn't seem to exist anymore and I can't find an XFCE equivalent. Anyway:
sudo apt install nut
Edit `/etc/nut/ups.conf` and add the following at the bottom:
[ups]
driver = usbhid-ups
port = auto
There's only one UPS hooked to this guy, so we don't need to worry about disambiguation.
Also, if you just installed nut, but the UPS is already plugged in, you'll
need to unplug and replug it to fire the hotplug events.
Start it:
sudo upsdrvctl start
Add the following to /etc/nut/upsd.conf
ACL all 0.0.0.0/0
ACL localhost 127.0.0.1/32
ACCEPT localhost
REJECT all
This will reject all nonlocal traffic
Add the following to `/etc/nut/upsd.users`
[local_mon]
password = PASSWORD_HERE
allowfrom = localhost
upsmon master
Obviously, make PASSWORD_HERE some random password
Add the following to `/etc/nut/upsmon.conf`, at the bottom of the `MONITOR` section:
MONITOR ups@localhost 1 local_mon PASSWORD_HERE master
Edit `/etc/nut/nut.conf` and set
MODE=standalone
Enable and start it:
sudo systemctl enable nut-server
sudo systemctl restart nut-server
sudo systemctl enable nut-client
sudo systemctl restart nut-client
You can print statistics via:
upsc ups
The mouse controller software
sudo add-apt-repository ppa:solaar-unifying/stable
sudo apt install solaar
Steam drive
Partition it and make a filesystem for it. Note the UUID it generated.
Edit `/etc/fstab` and add the following lines:
UUID=7d2aaa21-a75b-4f0a-a508-51e50a78c304 /home/matt/storage1 ext4 defaults 0 2
UUID=34106401-02ac-4148-9ac2-50e29847208f /home/matt/storage2 ext4 defaults 0 2
UUID=4a3f0b96-e61e-461a-a3f8-215799516415 /home/matt/storage3 ext4 defaults 0 2
UUID=d58b4aa3-e32a-460a-9734-a84ccab5a61d /home/matt/storage4 ext4 defaults 0 2
(Fill out the UUID appropriately.)
Make the mount points:
mkdir ~/storage1 ~/storage2 ~/storage3 ~/storage4
Mount it all:
sudo mount -a
Fix all the perms:
sudo chown -R matt:matt /home/matt/storage*
udev rule to program the programmable keyboard (Keychron K10 pro)
Edit `/etc/udev/rules.d/50-keychron-k10-pro.rules` and add this line:
KERNEL=="hidraw*", ATTRS{idVendor}=="3434", MODE="0664", GROUP="plugdev"
Fix perms:
chmod a+r /etc/udev/rules.d/50-keychron-k10-pro.rules
Reload the rules and rerun them:
udevadm control --reload-rules
udevadm trigger
ZenBleed vuln mitigation.
TODO: Remove once microcode fix is released in Ubuntu repos. Estimated Dec 2023.
Reference - at time of writing, register `0xc0011029`'s value is:
0x3000310e08002
Create `/etc/systemd/system/zenbleed-mitigation.service` as follows:
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c 'wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))'
[Install]
WantedBy=multi-user.target
Enable and then start it:
systemctl enable zenbleed-mitigation.service
systemctl start zenbleed-mitigation.service
After running it, the register is:
0x3000310e08202
Which confirms bit 9 being set.
You can check the register at any time with:
sudo rdmsr -c 0xc0011029
Note: A lot of the old video game stuff has moved to MiSTer (because FPGA). This is what remains, generally because it was originally a PC game and therefore I'm using software to emulate software (which makes more sense than software emulating hardware. FPGAs are for emulating hardware).
-
Install video game things from apt:
sudo apt install wine-stable playonlinux steam jstest-gtk pcsx2 gamemode
-
And from snap
sudo snap install dolphin-emulator
-
Allow steam in-home streaming ports. 1. Ref: https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711
sudo ufw allow from 192.168.9.0/24 to any port 27031 proto udp comment 'steam' sudo ufw allow from 192.168.9.0/24 to any port 27036 proto udp comment 'steam' sudo ufw allow from 192.168.9.0/24 to any port 27036 proto tcp comment 'steam' sudo ufw allow from 192.168.9.0/24 to any port 27037 proto tcp comment 'steam'
-
Add gcdemu
sudo apt-add-repository ppa:cdemu/ppa
sudo apt install gcdemu
-
Install modern DOSBox (dosbox-x)
- compiling this from source because the snap currently can't do joysticks and there aren't any other prepackaged builds.
And make sure fluidsynth is installed for the good tunes.
sudo apt install fluidsynth fluid-soundfont-gm fluid-soundfont-gs
-
Install Lutris
Instructions: https://lutris.net/downloads/
sudo add-apt-repository ppa:lutris-team/lutris
sudo apt install lutris
-
Set up additional video card libraries and tools:
-
Install the Vulkan tools, libraries, and so forth (the :i386 package needs i386 multiarch, which an Ubuntu desktop install already has; if dpkg --print-foreign-architectures does not list i386, enable it with dpkg --add-architecture i386 first):
sudo apt install vulkan-tools mesa-vulkan-drivers mesa-vulkan-drivers:i386
-
One can then check things with vulkaninfo.
-
-
Set up the Steam controller
-
Create
/etc/udev/rules.d/60-steam-controller-perms.rules
with the following contents. MODE="0666" opens each of these devices to every local user; on a shared box, MODE="0660" with TAG+="uaccess" (as used for the pedals further down) limits access to whoever is logged in at the seat.
# This rule is needed for basic functionality of the controller in Steam and keyboard/mouse emulation
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
# This rule is necessary for gamepad emulation; make sure you replace 'matt' with a group that the user that runs Steam belongs to
KERNEL=="uinput", MODE="0660", GROUP="matt", OPTIONS+="static_node=uinput"
# Valve HID devices over USB hidraw
KERNEL=="hidraw*", ATTRS{idVendor}=="28de", MODE="0666"
# Valve HID devices over bluetooth hidraw
KERNEL=="hidraw*", KERNELS=="*28DE:*", MODE="0666"
# DualShock 4 over USB hidraw
KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="05c4", MODE="0666"
# DualShock 4 wireless adapter over USB hidraw
KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="0ba0", MODE="0666"
# DualShock 4 Slim over USB hidraw
KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="09cc", MODE="0666"
# DualShock 4 over bluetooth hidraw
KERNEL=="hidraw*", KERNELS=="*054C:05C4*", MODE="0666"
# DualShock 4 Slim over bluetooth hidraw
KERNEL=="hidraw*", KERNELS=="*054C:09CC*", MODE="0666"
# Nintendo Switch Pro Controller over USB hidraw
KERNEL=="hidraw*", ATTRS{idVendor}=="057e", ATTRS{idProduct}=="2009", MODE="0666"
# Nintendo Switch Pro Controller over bluetooth hidraw
KERNEL=="hidraw*", KERNELS=="*057E:2009*", MODE="0666"
-
-
Set up the 8BitDo Ultimate controller
sudo apt install xboxdrv
To set perms (the rule only fixes permissions; xboxdrv itself is started by hand below), add
/etc/udev/rules.d/99-8bitdo-ultimate.rules
with the contents of:
# 8BitDo Ultimate controller
SUBSYSTEM=="usb", ATTRS{idVendor}=="2dc8", ATTRS{idProduct}=="3106", MODE="0666"
Fix perms:
sudo chmod a+r /etc/udev/rules.d/99-8bitdo-ultimate.rules
And then kick it:
sudo udevadm control --reload-rules && sudo udevadm trigger
Once that is done, the following driver line will work:
/usr/bin/xboxdrv --device-by-id 2dc8:3106 --type xbox360
Note: this must be kept running in order for the controller to not time out and power off after about 2 minutes.
-
Install Rise of The Triad (ROTT), symlink game files where expected, and configure it properly.
sudo apt install rott
cd /usr/share/games/
sudo ln -s ~/storage1/dosbox/drive_c/games/rott .
sudo update-alternatives --set rott /usr/games/rott-commercial
-
Install Quake and symlink game files where expected.
sudo apt install quake
cd /usr/share/games/quake/
sudo ln -s ~/storage1/dosbox/drive_c/games/quake/id1 .
-
Allow the Quake server port through. As written this is open to any source and both protocols; Quake only uses UDP, so the Steam-style form (from 192.168.9.0/24 ... proto udp) is tighter if you only host for the LAN.
sudo ufw allow 26000 comment 'quake'
-
-
Install doomsday (modernized Doom/Doom2/Heretic/Hexen native engine) and eureka level editor
sudo apt install doomsday eureka
(this is configured from inside its own menus)
-
Install latest Descent 1 and 2 rebirth, and symlink things to the correct places
-
Compile it (if necessary - and we do a --clean first, just in case):
sudo apt-get install build-essential scons libsdl1.2-dev libsdl-image1.2-dev libsdl-mixer1.2-dev libphysfs-dev
cd ~/workspace/code/dxx-rebirth
scons --clean
scons -j 16 prefix=/usr
cp -a build/d1x-rebirth/d1x-rebirth build/d2x-rebirth/d2x-rebirth ~/games/bin/.
-
Put things in the correct places (these are the same places as used by the Ubuntu packaged versions, to make switching between them easy). Note the second cd is absolute: a relative cd d2x-rebirth/Data from inside d1x-rebirth/Data would fail.
cd /usr/share/games/
sudo mkdir -p d1x-rebirth/Data d2x-rebirth/Data
cd /usr/share/games/d1x-rebirth/Data
sudo ln -s ~/storage1/dosbox/drive_c/games/descent/descenta/* .
cd /usr/share/games/d2x-rebirth/Data
sudo ln -s ~/storage1/dosbox/drive_c/games/descent/descnt2v/* .
-
Allow the network port through the firewall (so we can host games)
sudo ufw allow 42424/udp comment 'descent'
-
-
Install protontricks (for Proton tweaking)
sudo apt install python3-pip python3-setuptools python3-venv pipx
pipx install protontricks
-
Install prerequisites to compile bstone (https://github.com/bibendovsky/bstone)
sudo apt install libsdl2-dev
-
Add repo and install ECWolf (Wolfenstein 3D and Spear of Destiny source port). Both the signing key and the repo are fetched over plain http; apt verifies package signatures against the key, but nothing verifies that first key download, so compare its fingerprint with the one the project publishes before trusting it. The original >> would append another copy of the deb line on every re-run, so this uses >.
sudo wget -O /usr/share/keyrings/drdteam.gpg http://debian.drdteam.org/drdteam.gpg
sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/drdteam.gpg] http://debian.drdteam.org/ stable multiverse" > /etc/apt/sources.list.d/drdteam.list'
sudo apt-get update
sudo apt-get install ecwolf
-
Install and set up devilutionX (for Diablo/Hellfire). TODO: There is a snap now, install and make sure it works.
sudo snap install devilutionx
and then copy *.mpq from the respective CDs to
~/.local/share/diasurgical/devilution/
-
Install Return to Castle Wolfenstein and symlink things to the correct places:
sudo apt install rtcw
sudo ln -s ~/storage1/video_games/installed/rtcw /usr/share/games/.
-
Install mangohud
sudo add-apt-repository ppa:flexiondotorg/mangohud
sudo apt install mangohud
-
Enable variable refresh rate (aka FreeSync / G-Sync) for machines with appropriate hardware and displays (the config below is for amdgpu).
-
Check that the display supports it with
xrandr --props | grep vrr_capable
and make sure the connected display reports vrr_capable: 1.
-
Create
/etc/X11/xorg.conf.d/r.conf
(creating the directory first if it does not exist) as follows:
Section "Device"
    Identifier "AMD"
    Driver "amdgpu"
    Option "DRI" "3"
    Option "VariableRefresh" "true"
EndSection
-
And make sure it can be read via
sudo chmod a+r /etc/X11/xorg.conf.d/r.conf
-
Reboot
-
Check that it got enabled with
grep VariableRefresh /var/log/Xorg.0.log
-
-
Install racing wheel stuff
NOTE: This will likely be deprecated once they are included in mainline kernels.
NOTE: This is mainly for Assetto Corsa. For setting that up, see https://steamcommunity.com/app/244210/discussions/0/3824163953451160286/ and https://steamcommunity.com/sharedfiles/filedetails/?id=2828364666
-
Install
hid-tmff2
for the wheel (including DKMS setup). Ref: https://github.com/Kimplul/hid-tmff2
With Secure Boot on, the DKMS-built module has to be signed with an enrolled MOK or it will not load. The blacklist keeps the in-tree hid_thrustmaster driver from grabbing the wheel before the out-of-tree one.
cd ~/workspace/code
git clone --recurse-submodules https://github.com/Kimplul/hid-tmff2.git
cd hid-tmff2
sudo ./dkms-install.sh
echo 'blacklist hid_thrustmaster' | sudo tee /etc/modprobe.d/blacklist-hid-thrustmaster.conf
echo "options hid-tmff-new timer_msecs=2" | sudo tee /etc/modprobe.d/hid-tmff-new.conf
-
Install oversteer
Ref: https://github.com/berarma/oversteer
sudo apt install meson appstream-util
cd ~/workspace/code
git clone https://github.com/berarma/oversteer.git
cd oversteer
meson build
cd build
sudo ninja install
sudo udevadm control --reload-rules && sudo udevadm trigger
-
After that, wheel should work when plugging it in.
-
Create the following udev rule as
/etc/udev/rules.d/99-thrustmaster_t-lcm_pedals.rules
to fix permissions for the pedals when plugged in via USB. The ENV bit also forces it to be a joystick for SDL (and therefore wine/proton) visibility purposes; TAG+="uaccess" is what actually grants the logged-in seat user access, without opening the device to everyone.
SUBSYSTEM=="input", ATTRS{idVendor}=="044f", ATTRS{idProduct}=="b371", MODE="0664", ENV{ID_INPUT_JOYSTICK}="1", TAG+="uaccess"
and then kick udev to reread it all:
sudo udevadm control --reload-rules && sudo udevadm trigger
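The Keychron, Steam controller, 8BitDo and pedal rules above grant access in two different ways: MODE="0666" (every local user) or TAG+="uaccess" (only the user logged in at the seat). As an added example that is not part of the original notes, a small audit that lists the world-open rules in a rules file and prints the seat-bound form; the sample rules in the test are constructed from the ones in these notes, and the script itself is my own, not from any of the projects mentioned.

```bash
#!/bin/sh
# Added example, not part of the original notes: audit udev rules files for
# devices opened to every local user (MODE="0666") and show the tighter form,
# MODE="0660" plus TAG+="uaccess", which makes systemd-logind grant an ACL
# only to the user currently logged in at the seat.
set -eu

# world_open_rules FILE -> "lineno:rule" for each active (non-comment) rule
# that sets MODE="0666".
world_open_rules() {
    grep -n 'MODE="0666"' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# count_world_open FILE -> number of such rules.
count_world_open() {
    world_open_rules "$1" | wc -l | tr -d ' '
}

# tighten_rule RULE -> the same rule bound to the seat user instead of world.
tighten_rule() {
    printf '%s\n' "$1" | sed 's/MODE="0666"/MODE="0660", TAG+="uaccess"/'
}

# tighten_file SRC DST -> SRC with every active world-open rule tightened
# (comment lines are left alone).
tighten_file() {
    sed 's/^\([^#].*\)MODE="0666"/\1MODE="0660", TAG+="uaccess"/' "$1" > "$2"
}

# Usage: sh udev-audit.sh /etc/udev/rules.d/*.rules
for f in "$@"; do
    n=$(count_world_open "$f")
    if [ "$n" -eq 0 ]; then continue; fi
    echo "$f: $n rule(s) readable and writable by every local user"
    world_open_rules "$f" | while IFS= read -r line; do
        echo "  $line"
        echo "  -> $(tighten_rule "${line#*:}")"
    done
done
```

uaccess only helps for a real logind seat session (the desktop login), which is exactly the case for Steam and the wheel; a headless or ssh-only user gets nothing, which is the point.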
-
-
Set up samba:
-
All machines:
sudo apt install samba cifs-utils
cd /etc/samba
sudo mv smb.conf smb.conf.old
sudo cp ~/system_stuff/samba/smb.conf.`hostname` ./smb.conf
(testparm will validate the copied config before the daemons load it.)
-
Servers (22.04 is systemd; the old update-rc.d / service incantations become):
sudo systemctl enable --now smbd nmbd
-
Other machines (laptops, etc)
-
Remember to turn the server off on machines that should only be clients. The /etc/init/*.override files are an upstart leftover and do nothing on 22.04; disable the units instead:
sudo systemctl disable --now smbd nmbd
-
Make sure to add ufw rules for them. Each rule as written opens both TCP and UDP; netbios-ns and netbios-dgm are UDP 137/138, netbios-ssn and microsoft-ds are TCP 139/445, so adding proto udp / proto tcp narrows them.
sudo ufw allow from 192.168.9.0/24 to any port netbios-ns
sudo ufw allow from 192.168.9.0/24 to any port netbios-dgm
sudo ufw allow from 192.168.9.0/24 to any port netbios-ssn
sudo ufw allow from 192.168.9.0/24 to any port microsoft-ds
-
-
Set up apache (if necessary)
-
Set up sensors (if not set up automagically):
-
For bluebox / Ryzen 3700 w/ B550 board, add the following to /etc/modules:
nct6775
-
-
For hiro / Thinkpad P51, add the following to /etc/modules:
coretemp
-
-
For new machines, you figure out what you need by running sensors-detect and following the prompts - the defaults are typically fine.
-
FIXME - edit the conf file to fix scaling, etc.
-
-
Add temperature monitoring script to crontab (servers only):
@hourly /home/matt/bin/tempChecker
-
-
If pulseaudio gives you problems, do:
sudo apt purge pulseaudio
sudo rm -r ~/.pulse ~/.config/pulse /etc/pulse /usr/share/pulseaudio
sudo apt install pulseaudio
-
Reboot.
-
If you don't get a volume icon, it's likely that the indicator plugin was uninstalled as a dependency; reinstall it:
sudo apt install xfce4-pulseaudio-plugin
-
-
Fix Wake On Lan
-
Install ethtool
sudo apt install ethtool
-
Create
/etc/network/if-up.d/wol_fix
with the following content, replacing [card] with the card (ifupdown also exports the interface name as IFACE, so "$IFACE" works in place of a hard-coded name):
#!/bin/sh
/sbin/ethtool -s [card] wol g
-
And set the perms on it (run-parts skips hooks that are not executable):
sudo chmod +x /etc/network/if-up.d/wol_fix
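As an added example, not the wol_fix script from the notes, a generic version of that hook: it reads the interface from IFACE (which ifupdown, and on 22.04 desktop NetworkManager's 01-ifupdown dispatcher shim, export to these hooks), checks that the NIC actually reports magic-packet support, and only writes when wake is not already on. The ethtool output in the test is constructed; the parsing assumes ethtool's "Supports Wake-on:" / "Wake-on:" lines, where the letter g means magic packet.

```bash
#!/bin/sh
# Added example, not part of the original notes: an if-up.d hook that enables
# magic-packet wake on whichever interface just came up, but only when the NIC
# supports it and it is not already set.  IFACE is exported by ifupdown.

# wol_supported ETHTOOL_TEXT -> 0 if the "Supports Wake-on:" line contains g.
wol_supported() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Supports Wake-on:.*g'
}

# wol_active ETHTOOL_TEXT -> 0 if the current "Wake-on:" setting contains g.
wol_active() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Wake-on:.*g'
}

# wol_action ETHTOOL_TEXT -> prints set, already, or unsupported.
wol_action() {
    if ! wol_supported "$1"; then echo unsupported
    elif wol_active "$1"; then echo already
    else echo set
    fi
}

main() {
    iface=${IFACE:-${1:-}}
    if [ -z "$iface" ]; then
        echo "usage: IFACE=eno1 $0   or   $0 eno1" >&2
        exit 2
    fi
    # Interfaces without ethtool settings (lo, some wireless) are skipped.
    info=$(/sbin/ethtool "$iface" 2>/dev/null) || exit 0
    case $(wol_action "$info") in
        set)         /sbin/ethtool -s "$iface" wol g ;;
        already)     : ;;
        unsupported) logger -t wol_fix "$iface: no magic-packet WoL support" ;;
    esac
}

# Only act when invoked by ifupdown (IFACE set) or given an interface name,
# so the file can also be sourced for its functions.
if [ -n "${IFACE:-}" ] || [ $# -gt 0 ]; then main "$@"; fi
```

Dropped into /etc/network/if-up.d/ and made executable, this replaces the hard-coded [card] above and is safe to leave in place on a laptop whose NIC cannot wake, where the original would just make ethtool complain on every link-up.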
-
There are some oddities as it relates to system notification icons.
First, there are 3 options:
- Indicator Plugin
- Status Tray Plugin
- Status Notifier Plugin
Of these, Indicator Plugin seems to be the most reliable - that is, when I start Slack, Slack shows up. For the others, it only shows up if you restart the plugin (which means either deleting and re-adding it, or restarting the panel, both of which are annoying). This makes Indicator Plugin superior to the other two.
Second, and annoyingly, neither Indicator Plugin nor Status Notifier Plugin implements the "systray" handler - which is used by a few things, most notably the "print jobs status" notifier. It is, however, implemented by the Status Tray Plugin. This means that we want to have both the Indicator Plugin and the Status Tray Plugin on the panel.
However, this leads to some duplication, most notably in the networking icons, and occasionally in other things. Fortunately, we can configure Status Notifier to hide these things by default (they are all behind a > on the bar).
There is some information about this here:
which suggests that Indicator is a bit of Canonical sauce.
And this:
https://docs.xfce.org/panel-plugins/xfce4-statusnotifier-plugin/start
says that Status Notifier is deprecated and I should just use Status Tray - which would be great, apart from the "it don't work" issue.