Instructions for installing XUbuntu 22.04

Note that this was the result of an upgrade of 20.04 to 22.04 - these may not be completely accurate for a clean install, as that has not been vetted.

Base Install - RAID

As the minimal CD is no more, and the installer doesn't do everything we need, we'll need to boot a live image, do some console stuff, then do the install. So, without further ado....

Refs: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

  1. Boot the desktop LiveCD

  2. Choose "Try and Install Xubuntu"

  3. Once it boots, choose language and "Try Xubuntu".

  4. Once you get a desktop, open a terminal and start setting things up.

    You need to become root (or enter sudo way too many times):

    1. Partitioning

      sudo -i
      

      For the purposes of the following, we'll assume that disk 1 is /dev/nvme0n1 and disk 2 is /dev/nvme1n1. Adjust as appropriate for your system. We start with exports to save some typing.

      export DEV1="/dev/nvme0n1"
      export DEV2="/dev/nvme1n1"
      

      And, stealing from the clever trick in the reference, account for the NVME drives having a "p" for the partition.

      export DEV1P="${DEV1}$( if [[ "$DEV1" =~ "nvme" ]]; then echo "p"; fi )"
      export DEV2P="${DEV2}$( if [[ "$DEV2" =~ "nvme" ]]; then echo "p"; fi )"
      

      Delete all the partitions on both drives:

      sgdisk --zap-all $DEV1
      sgdisk --zap-all $DEV2
      

      You probably want to reboot at this time, because the installer tries to be helpful by doing things like activating swap, which means you need to deactivate everything it activated in order to do the following steps. Rebooting makes this easier.

      After that, create some new ones, set their types and names correctly, and create a hybrid MBR.

      sgdisk --new=1:0:+1G $DEV1
      sgdisk --new=2:0:+2M $DEV1
      sgdisk --new=3:0:+1G $DEV1
      sgdisk --new=4:0:0 $DEV1
      sgdisk --typecode=1:FD00 --typecode=2:EF02 --typecode=3:EF00 --typecode=4:FD00 $DEV1
      sgdisk --change-name=1:"Encrypted boot RAID" --change-name=2:"BIOS boot partition" --change-name=3:"EFI system partition" --change-name=4:"Encrypted LVM RAID" $DEV1
      sgdisk --hybrid 1:2:3 $DEV1
      

      Print the table to check it.

      sgdisk --print $DEV1
      

      Assuming it's good, copy the partition info from the first drive to the second, so they match, making sure to create new GUIDs for the disk (so they're not just plain copies).

      sgdisk -R $DEV2 $DEV1
      sgdisk -G $DEV2
      

      And make sure the kernel has the new partition table in memory:

      partprobe
      
    2. RAID array creation

      First, install the mdadm tool

      sudo apt install mdadm
      

      Then create the RAID arrays:

      mdadm --create md0 --level=1 --raid-devices=2 ${DEV1P}1 ${DEV2P}1
      mdadm --create md1 --level=1 --raid-devices=2 ${DEV1P}4 ${DEV2P}4
      
    3. Set crypto for boot array.

      Note that, due to GRUB limitations, the older LUKS1 format is required for the boot partition. See the explanation here for more information.

      cryptsetup luksFormat --type=luks1 /dev/md/md0
      
    4. And for the main array:

      cryptsetup luksFormat /dev/md/md1
      
    5. Then open both of them

      cryptsetup open /dev/md/md0 md0_crypt
      cryptsetup open /dev/md/md1 md1_crypt
      
    6. Again, because of installer limitations, it doesn't let you create a filesystem on the boot partition, so let's do that:

      mkfs.ext4 -L boot /dev/mapper/md0_crypt
      

      Alternatively, create a btrfs filesystem similarly:

      mkfs.btrfs -L boot /dev/mapper/md0_crypt
      
    7. Since we're formatting things, format the EFI partitions:

      mkfs.vfat -n EFI ${DEV1P}3
      mkfs.vfat -n EFI ${DEV2P}3
      
    8. Create the LVM stuff (again, installer limitations...)

      pvcreate /dev/mapper/md1_crypt
      vgcreate drives /dev/mapper/md1_crypt
      lvcreate --size 8G  --name swap drives
      lvcreate --size 25G --name tmp drives
      lvcreate --size 50G --name var drives
      lvcreate --size 50G --name root drives
      lvcreate --extents 100%FREE --name home drives
      

      Which corresponds to the following partitions and sizes (mountpoints are for reference and used later)

      LVM Partition Size  Mountpoint
      swap           8GB
      tmp           25GB  /tmp
      var           50GB  /var
      root          50GB  /
      home          Rest  /home
      

      Note that a larger swap is necessary for machines where you want to hibernate. If so, you need at least as much swap space as you have RAM, so do that plus a bit. See this article for suggestions, but 64GB RAM gets 72GB swap. If you don't care about hibernation, you can go as small as you like. I typically use 8GB for most machines.

      Note 1: Over time, /var has gotten larger due to the proliferation of containers (docker, snap, etc.). If you do not plan to use these, it can be smaller.

      Note 2: For some machines, a common area of /pub, or /shared, might be appropriate, and should be taken out of /home.

    9. Once that is all done, minimize the terminal window (you'll want to leave it open for later) and start the installer by double clicking the icon on the desktop.

  5. The installer

    Proceed through as normal, selecting sane choices until you get to the "Installation Type" screen, where you want to choose "Something else". It will detect all of the volumes already created and you can set mountpoints and filesystems as normal.

    Set the boot loader installation to be on the first hard drive (doesn't matter, it will fail anyway).

    Let the installer run and then it will fail to install grub. This is expected and is a result of some naming issues. Tell the installer to continue without installing a bootloader - we'll do so manually in the next step.

    The installer crashes (because, obviously, this is the correct behavior), but this is the last step of the install, so we're okay. Let it continue and crash, and then go on to the next step.

    (You may need to kill the installer with killall ubiquity)

  6. Manual bootloader installation

    The core issue is that the installer isn't set up for working with metadisks, so we need to set it up ourselves. But we need to be in a chroot environment to do the grub-install, so mount our root fs:

    mount /dev/mapper/drives-root /target
    

    If using btrfs, the above needs to be like:

    mount /dev/mapper/drives-root /target -o subvol=@
    

    Then do:

    for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
    chroot /target
    mount -a
    

    We also need to tell grub to use crypto disks:

    echo "GRUB_ENABLE_CRYPTODISK=y" > /etc/default/grub.d/local.cfg
    

    And, neither the mdadm nor the cryptsetup tools are installed in the chroot, and we need those for grub to be able to do useful things with the md arrays, and to be able to boot afterwards. So, install them.

    apt install mdadm cryptsetup-initramfs
    

    And now, finally, we can install grub:

    grub-install $DEV1
    grub-install $DEV2
    

    But, we also need to tell Linux to unlock our filesystems and rebuild the initramfs:

    echo "md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none luks,discard" >> /etc/crypttab
    
    echo "md1_crypt UUID=$(blkid -s UUID -o value /dev/md1) none luks,discard" >> /etc/crypttab
    
    update-initramfs -u -k all
    

    Once this is all done, you can reboot into your newly created machine.

Save typing with keyfiles (Optional)

(You can do this after you've booted into the new machine, but remember to set DEV1, DEV2, DEV1P, and DEV2P first, as described at the beginning of this section.)

If you want to save some typing, you can create keyfiles which are built into the initramfs and used to unlock the encrypted volumes. Note that they are relatively safe because they are installed on an encrypted volume - but, if someone were to compromise the running system, they could conceivably grab the file then use it to decrypt the volume - your call.

  1. Configure it to build the keyfile into the initramfs:

    echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
    
    echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
    
  2. Create the keyfile (a 512 byte random number), and add it as a key to the volume.

    mkdir /etc/luks
    dd if=/dev/urandom of=/etc/luks/boot.keyfile bs=512 count=1
    chmod 0500 /etc/luks
    chmod 0400 /etc/luks/boot.keyfile
    cryptsetup luksAddKey /dev/md0 /etc/luks/boot.keyfile
    cryptsetup luksAddKey /dev/md1 /etc/luks/boot.keyfile
    
  3. Remove the existing crypttab, add the new lines which say to use the keys we just created, then rebuild the initramfs.

    rm /etc/crypttab

    echo "md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab

    echo "md1_crypt UUID=$(blkid -s UUID -o value /dev/md1) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab

    update-initramfs -u -k all

  4. Reboot and you'll enter your password less.

Base Install - Single Disk

As the minimal CD is no more, and the installer doesn't do everything we need, we'll need to boot a live image, do some console stuff, then do the install. So, without further ado....

Refs: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

  1. Boot the desktop LiveCD

  2. Choose "Try and Install Xubuntu"

  3. Once it boots, choose language and "Try Xubuntu".

  4. Once you get a desktop, open a terminal and start setting things up.

    You need to become root (or enter sudo way too many times):

    1. Partitioning

      sudo -i
      

      For the purposes of the following, we'll assume that the disk is /dev/nvme0n1. Adjust as appropriate for your system. We start with exports to save some typing.

      export DEV="/dev/nvme0n1"
      

      And, stealing from the clever trick in the reference, account for the NVME drives having a "p" for the partition.

      export DEVP="${DEV}$( if [[ "$DEV" =~ "nvme" ]]; then echo "p"; fi )"
      

      Delete all the partitions:

      sgdisk --zap-all $DEV
      

      You probably want to reboot at this time, because the installer tries to be helpful by doing things like activating swap, which means you need to deactivate everything it activated in order to do the following steps. Rebooting makes this easier.

      After that, create some new ones, set their types and names correctly, and create a hybrid MBR.

      sgdisk --new=1:0:+1G $DEV
      sgdisk --new=2:0:+2M $DEV
      sgdisk --new=3:0:+1G $DEV
      sgdisk --new=4:0:0 $DEV
      sgdisk --typecode=1:FD00 --typecode=2:EF02 --typecode=3:EF00 --typecode=4:FD00 $DEV
      sgdisk --change-name=1:"Encrypted boot" --change-name=2:"BIOS boot partition" --change-name=3:"EFI system partition" --change-name=4:"Encrypted LVM" $DEV
      sgdisk --hybrid 1:2:3 $DEV
      

      Print the table to check it.

      sgdisk --print $DEV
      

      And make sure the kernel has the new partition table in memory:

      partprobe
      
    2. Set crypto for boot partition.

      Note that, due to GRUB limitations, the older LUKS1 format is required for the boot partition. See the explanation here for more information.

      cryptsetup luksFormat --type=luks1 ${DEVP}1
      
    3. And for the main partition:

      cryptsetup luksFormat ${DEVP}4
      
    4. Then open both of them

      cryptsetup open ${DEVP}1 boot_crypt
      cryptsetup open ${DEVP}4 lvm_crypt
      
    5. Again, because of installer limitations, it doesn't let you create a filesystem on the boot partition, so let's do that:

      mkfs.ext4 -L boot /dev/mapper/boot_crypt
      

      Alternatively, create a btrfs filesystem similarly:

      mkfs.btrfs -L boot /dev/mapper/boot_crypt
      
    6. Since we're formatting things, format the EFI partition:

      mkfs.vfat -n EFI ${DEVP}3
      
    7. Create the LVM stuff (again, installer limitations...)

      pvcreate /dev/mapper/lvm_crypt
      vgcreate drives /dev/mapper/lvm_crypt
      lvcreate --size 8G  --name swap drives
      lvcreate --size 25G --name tmp drives
      lvcreate --size 50G --name var drives
      lvcreate --size 50G --name root drives
      lvcreate --extents 100%FREE --name home drives
      

      Which corresponds to the following partitions and sizes (mountpoints are for reference and used later)

      LVM Partition Size  Mountpoint
      swap           8GB
      tmp           25GB  /tmp
      var           50GB  /var
      root          50GB  /
      home          Rest  /home
      

      (See the discussion in the RAID section for information about swap size, etc.)

    8. Once that is all done, minimize the terminal window (you'll want to leave it open for later) and start the installer by double clicking the icon on the desktop.

  5. The installer

    Proceed through as normal, selecting sane choices until you get to the "Installation Type" screen, where you want to choose "Something else". It will detect all of the volumes already created and you can set mountpoints and filesystems as normal.

    Set the boot loader installation to be on the first hard drive (doesn't matter, it will fail anyway).

    Let the installer run and then it will fail to install grub. This is expected and is a result of some naming issues. Tell the installer to continue without installing a bootloader - we'll do so manually in the next step.

    The installer crashes (because, obviously, this is the correct behavior), but this is the last step of the install, so we're okay. Let it continue and crash, and then go on to the next step.

    (You may need to kill the installer with killall ubiquity)

  6. Manual bootloader installation

    Technically, you can get the bootloader to install if you edit some config files while it is working, but we need to do some post-install setup anyway, so we might as well just install the bootloader manually as well. But, we need to be in a chroot environment to do the grub-install, so, mount our root fs:

    mount /dev/mapper/drives-root /target
    

    If using btrfs, the above needs to be like:

    mount /dev/mapper/drives-root /target -o subvol=@
    

    Then do:

    for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
    chroot /target
    mount -a
    

    We also need to tell grub to use crypto disks:

    echo "GRUB_ENABLE_CRYPTODISK=y" > /etc/default/grub.d/local.cfg
    

    And, the cryptsetup tools are not installed in the chroot. So, install them.

    apt install cryptsetup-initramfs
    

    And now, finally, we can install grub:

    grub-install $DEV
    

    But, we also need to tell Linux to unlock our filesystems and rebuild the initramfs:

    echo "boot_crypt UUID=$(blkid -s UUID -o value ${DEVP}1) none luks,discard" >> /etc/crypttab
    
    echo "lvm_crypt UUID=$(blkid -s UUID -o value ${DEVP}4) none luks,discard" >> /etc/crypttab
    
    update-initramfs -u -k all
    

    Once this is all done, you can reboot into your newly created machine.

Save typing with keyfiles (Optional)

(You can do this after you've booted into the new machine, but remember to set DEV and DEVP first, as described at the beginning of this section.)

If you want to save some typing, you can create keyfiles which are built into the initramfs and used to unlock the encrypted volumes. Note that they are relatively safe because they are installed on an encrypted volume - but, if someone were to compromise the running system, they could conceivably grab the file then use it to decrypt the volume - your call.

  1. Configure it to build the keyfile into the initramfs:

    echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
    
    echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
    
  2. Create the keyfile (a 512 byte random number), and add it as a key to the volume.

    mkdir /etc/luks
    dd if=/dev/urandom of=/etc/luks/boot.keyfile bs=512 count=1
    chmod 0500 /etc/luks
    chmod 0400 /etc/luks/boot.keyfile
    cryptsetup luksAddKey ${DEVP}1 /etc/luks/boot.keyfile
    cryptsetup luksAddKey ${DEVP}4 /etc/luks/boot.keyfile
    
  3. Remove the existing crypttab, add the new lines which say to use the keys we just created, then rebuild the initramfs.

    rm /etc/crypttab

    echo "boot_crypt UUID=$(blkid -s UUID -o value ${DEVP}1) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab

    echo "lvm_crypt UUID=$(blkid -s UUID -o value ${DEVP}4) /etc/luks/boot.keyfile luks,discard" >> /etc/crypttab

    update-initramfs -u -k all

  4. Reboot and you'll enter your password less.
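
An audit of the keyfile setup from the two keyfile sections above (RAID and single disk), added here as an example and not part of the original instructions: it checks that every keyfile named in crypttab exists, is closed to group and other, matches KEYFILE_PATTERN, and that the initramfs images embedding it are not readable by other users. The function names and the optional ROOT prefix are hypothetical; the paths are the ones this page uses.

```shell
#!/bin/sh
# Added example: audit the keyfile-in-initramfs setup from the steps above.
# ROOT is an optional prefix: "" for the running system, /target for the
# mounted install, or a constructed test tree.

FINDINGS=0
note() { echo "FINDING: $*"; FINDINGS=$((FINDINGS + 1)); }

# True when group or other hold any permission bit on $1.
loose_perms() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

audit_luks_keyfiles() {
    root=${1:-}
    FINDINGS=0
    hook="$root/etc/cryptsetup-initramfs/conf-hook"
    conf="$root/etc/initramfs-tools/initramfs.conf"

    if [ ! -r "$root/etc/crypttab" ]; then
        note "cannot read $root/etc/crypttab"
        return 1
    fi

    # Last assignment wins: both files are sourced as shell fragments.
    pattern=$(sed -n 's/^KEYFILE_PATTERN=//p' "$hook" 2>/dev/null | tail -n 1 | tr -d "\"'")
    umask_val=$(sed -n 's/^UMASK=//p' "$conf" 2>/dev/null | tail -n 1 | tr -d "\"'")

    case "$umask_val" in
        0077|077) ;;
        *) note "UMASK in initramfs.conf is '${umask_val:-unset}', expected 0077" ;;
    esac

    # crypttab fields: <target> <source> <keyfile> <options>
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in ''|none|-) continue ;; esac   # passphrase prompt, no keyfile
        if [ ! -f "$root$key" ]; then
            note "$name: keyfile $key does not exist"
            continue
        fi
        loose_perms "$root$key" && note "$name: $key is accessible to group/other"
        loose_perms "$(dirname "$root$key")" && note "$name: directory of $key is accessible to group/other"
        # A keyfile outside KEYFILE_PATTERN is not copied into the initramfs,
        # so a volume that is unlocked there cannot use it.
        case "$key" in
            $pattern) ;;
            *) note "$name: $key does not match KEYFILE_PATTERN '${pattern:-unset}'" ;;
        esac
    done < "$root/etc/crypttab"

    # Images built before UMASK was set (or left-over copies) still expose the key.
    for img in "$root"/boot/initrd.img-*; do
        [ -e "$img" ] || continue
        loose_perms "$img" && note "$img embeds the key but is readable by group/other"
    done

    [ "$FINDINGS" -eq 0 ]
}
```

Run it as root with no argument on the installed system, or as `audit_luks_keyfiles /target` from the live session before rebooting.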

Things common to most machines

  1. Install useful base things

    sudo apt install synaptic
    
  2. After machine is up, run synaptic and:

    1. go to settings->repositories make sure the following are enabled:

      • main
      • universe
      • restricted
      • multiverse
      • And then have it select a close mirror (select "Other" from the drop down and have it select the best mirror).
    2. (or just grab sources.list from some reasonable machine)

  3. Do:

    sudo apt update && sudo apt dist-upgrade
    
  4. Install generally useful things:

    sudo apt install traceroute emacs emacs-goodies-el elpa-go-mode elpa-rust-mode elpa-f elpa-let-alist elpa-markdown-mode elpa-yaml-mode elpa-flycheck cpufrequtils tigervnc-viewer symlinks sysstat ifstat dstat apg whois powertop printer-driver-cups-pdf units tofrodos ntp unrar mesa-utils mono-runtime aspell aspell-en geeqie input-utils p7zip latencytop apt-show-versions apt-file keepassx ipcalc iftop atop gkrellm gnote cheese tree gdisk lm-sensors ppa-purge mlocate gddrescue lzip lziprecover net-tools clusterssh smartmontools nvme-cli fdupes internetarchive wget apt-transport-https vorbis-tools opus-tools
    
    
    sudo snap install firefox thunderbird
    
  5. Update to the HWE stack

    sudo apt install --install-recommends linux-generic-hwe-22.04
    
  6. LAPTOP ONLY Set CPU throttling so it doesn't overheat when it decides to turbo all the CPUs.

    1. Rant: Turbo boost is a stupid idea. "Oh, let's run our CPU hot and let the thermal throttling stop it from actually melting". Are you really serious with this foolishness? This results in die temps upwards of 90C, a pile of thermal throttling messages in the logs, and heat buildup elsewhere in the system.

    2. Methodology for arriving at the numbers:

      a. Rough: Set it to the value that the CPU is rated for with no turbo boosting.

      b. Optimal: Run something computationally intensive for a long period of time (lzip a big file). The goal here is for it to be stable and ideally stay below 80C. What you really want is for it to never thermally throttle (which will show in the syslog). If it ever does, back the speed down.

      1. Create /etc/default/cpufrequtils and set the content as follows, with MAX_SPEED set as determined above. The following values are for my current Lenovo P51.

         ENABLE="true"
         GOVERNOR="powersave"
         MAX_SPEED="3200000"
         MIN_SPEED="0"
        
  7. Make ssh (server) work:

    1. Install it, if not already installed:

      sudo apt install openssh-server
      
    2. For an old machine, use the old keys - you did save /etc before you wiped it, didn't you?

    3. For a new machine, use the new keys generated by the distro.

    4. make sure to add to the firewall:

       sudo ufw allow ssh
      
    5. In /etc/ssh/sshd_config, set:

      PermitRootLogin no
      
    6. once you've set up public key auth, turn off password access. Edit /etc/ssh/sshd_config and set

      PasswordAuthentication no
      
    7. Then kick it:

       sudo service ssh restart
      
  8. Disable firewall logging (it can be quite verbose on a busy network), then turn on the firewall.

       sudo ufw logging off
       sudo ufw enable
    
  9. Make sure to let printers through the firewall. All printers are modern enough that they'll just appear and we can print to them - no lengthy configuration required anymore. Yay progress!

       sudo ufw allow cups
       sudo ufw allow mdns
    
  10. ntpd (for fixed machines only, for mobile, the default is fine)

    1. for server, make sure to add to ufw:

      sudo ufw allow ntp
      
    2. for client

      1. edit /etc/ntp.conf and comment out the line:

        server ntp.ubuntu.com
        
      2. and add the line:

        server router
        
  11. Add the fstab line for ramfs so I can easily mount a ramdisk whenever I have need of one:

    none    /mnt/ramfs    ramfs  noauto,user,mode=0770    0    0
    

    make sure to make the mountpoint too:

    sudo mkdir /mnt/ramfs
    
  12. Allow normal users to read dmesg again.

    Edit /etc/sysctl.d/10-kernel-hardening.conf and uncomment the following line at the bottom of the file:

    kernel.dmesg_restrict = 0
    

    then do:

    sudo service procps restart
    

    To apply the change.

  13. Fix the too long timeout for the boot selection menu

    Edit /etc/default/grub and add:

    GRUB_RECORDFAIL_TIMEOUT=5
    

    Then do:

    sudo update-grub
    
  14. Add the efi_sync to the daily cron list:

    cd /etc/cron.daily
    sudo ln -s /home/matt/bin/efi_sync .
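
A check for the two sshd_config settings from step 7 above, added here as an example and not part of the original instructions. sshd keeps the first value it obtains for each keyword, and the stock Ubuntu 22.04 sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there wins over a line edited further down the main file. The function names, the ROOT prefix and the sample drop-in are hypothetical; a Match line is treated as ending the global part of the file it appears in.

```shell
#!/bin/sh
# Added example: which value does sshd obtain first for a keyword?

# sshd_first_value KEYWORD FILE [ROOT]
# Prints the first global value of KEYWORD starting at FILE, following
# Include in place; exits 1 if the keyword is never set.
# ROOT is an optional prefix so the walk can run on a copied or test tree.
sshd_first_value() (
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file=$2
    prefix=${3:-}
    tab=$(printf '\t')
    [ -r "$file" ] || exit 1
    # Keywords are case-insensitive; "Keyword value" and "Keyword=value" both occur.
    while IFS=" $tab=" read -r kw val; do
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case "$kw" in
            ''|'#'*) continue ;;
            match) exit 1 ;;                    # the rest of this file is conditional
            include)
                set -f; set -- $val; set +f     # split the patterns, no globbing yet
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="/etc/ssh/$pat" ;; esac
                    for inc in $prefix$pat; do  # glob expands here, in sorted order
                        [ -f "$inc" ] || continue
                        sshd_first_value "$want" "$inc" "$prefix" && exit 0
                    done
                done ;;
            "$want") printf '%s\n' "$val"; exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# check_sshd_hardening [ROOT]
# Compares the obtained values with the two settings from this page,
# prints each mismatch and returns non-zero if there is any.
check_sshd_hardening() {
    root=${1:-}
    bad=0
    for setting in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${setting% *}
        expected=${setting#* }
        got=$(sshd_first_value "$key" "$root/etc/ssh/sshd_config" "$root") \
            || got="unset (built-in default applies)"
        if [ "$got" != "$expected" ]; then
            echo "$key: sshd obtains '$got', wanted '$expected'"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

On the live system, `sudo sshd -T` prints the configuration sshd actually resolved and is the authoritative check.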
    

Things common to most desktop machines

  1. More applications

    sudo apt install xfce4-goodies xfce4-mount-plugin usb-creator-gtk cifs-utils gnome-calculator tumbler tumbler-plugins-extra audacious
    
  2. Install real chrome.

    • The Ubuntu packaged chromium is broken in a couple of ways - NaCL support, etc. NaCL support is required for Hangouts to work. Solution: Install Chrome from a PPA.

    • Instructions from: https://www.ubuntuupdates.org/ppa/google_chrome

    • But they do not follow best practices, so I adapted them according to docker/docs#11625

    • See the following for more info on chromium fail: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/882942

    • Do:

      wget -O- https://dl-ssl.google.com/linux/linux_signing_key.pub |sudo gpg --no-default-keyring --keyring=/usr/share/keyrings/google.gpg --import
      sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google.gpg] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list'
      sudo chmod a+r /etc/apt/sources.list.d/google-chrome.list
      sudo apt update
      sudo apt install google-chrome-stable
      
  3. Stop the stupid GNOME SSH agent thing from working.

    • NOTE: This is a stupid hack to get around the fact that, apparently, the gnome keyring is started unconditionally with all components if any gnome services are run (and we would like to run them, just not this specific one).
    1. To fix, do:

      cd /usr/bin
      sudo mv gnome-keyring-daemon gnome-keyring-daemon-wrapped
      
    2. Then create a new gnome-keyring-daemon and set its contents to:

      #!/bin/sh
      exec /usr/bin/gnome-keyring-daemon-wrapped --components=pkcs11,secrets,gpg "$@"
      
    3. and make it executable:

      sudo chmod a+rx /usr/bin/gnome-keyring-daemon
      
  4. Install slack

    sudo snap install slack --classic
    
  5. Install element (matrix client)

    sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
    sudo apt update
    sudo apt install element-desktop
    
  6. Install shutter

    sudo snap install shutter
    
  7. Install Joplin

    sudo snap install joplin-desktop
    
    1. Make sure to set it up for NextCloud sync. The sync URL is https://owncloud.mattcaron.net/remote.php/webdav/Joplin-sync
  8. Install and set up ktorrent:

    sudo apt install ktorrent
    sudo ufw allow 6881
    sudo ufw allow 8881
    
  9. Make java pretty

    1. Edit /etc/java-11-openjdk/swing.properties and uncomment:

      swing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel
      
  10. Install an equalizer (among other effects)

    sudo apt install pulseeffects lsp-plugins
    
  11. Add STL thumbnailer support

    1. See https://github.com/unlimitedbacon/stl-thumb for the latest, but basically download the deb and install it:

      sudo apt install libosmesa6-dev
      sudo dpkg -i ./stl-thumb_0.5.0_amd64.deb
      
  12. Floorplan software

    sudo snap install sweethome3d-homedesign
    

    Once installed, grab asset packs from http://www.sweethome3d.com/download.jsp and install them.

  13. Remove audio apps that I don't use (mostly to stop them from showing in the volume control menu):

    sudo apt remove clementine rhythmbox
    
  14. Remove minidlna.. why is this installed by default?

    sudo apt remove --purge minidlna
    

Things for monitored machines (servers, etc.), not standalone "islands"

  1. Fix cron - add the following to the top of personal crontab:

  2. Install and set up ssmtp

    sudo apt install ssmtp mailutils
    cd /etc/ssmtp
    sudo mv ssmtp.conf ssmtp.conf.old
    sudo cp ~/system_stuff/ssmtp/ssmtp.conf .
    sudo chgrp mail ssmtp.conf
    sudo chmod a+r ssmtp.conf
    

Things for some machines

Development machines

(This is all the development tools, libraries, utilities, etc. that I commonly use. There may be redundancy with the base list)

  1. Install development tools.

    sudo apt install nmap gcc make g++ gdb autoconf libtool automake libc6-dev meld xmlstarlet libtk-gbarr-perl subversion monodoc-manual glade kcachegrind kcachegrind-converters graphviz mysql-client nant sqlite3 dia gsfonts-x11 python3-pycurl python3-paramiko python3-pip python3-virtualenv python-is-python3 python-setuptools regexxer git gitk git-svn libmath-round-perl picocom manpages-posix manpages-posix-dev manpages-dev manpages dh-make devscripts mercurial libboost-all-dev libhunspell-dev libwxgtk3.0-gtk3-dev libwxbase3.0-dev ccache npm gdc libgphobos-dev libsqlite3-dev freecad openscad slic3r arduino adb cmake libncurses-dev flex bison gperf astyle okteta
    
  2. Install snapcraft

    sudo snap install --classic snapcraft
    
  3. Install VSCode and some plugins

    sudo snap install code --classic
    
    code --install-extension DavidAnson.vscode-markdownlint
    code --install-extension rust-lang.rust-analyzer
    code --install-extension tamasfe.even-better-toml
    code --install-extension James-Yu.latex-workshop
    code --install-extension streetsidesoftware.code-spell-checker
    code --install-extension ms-azuretools.vscode-docker
    code --install-extension ms-vscode.cpptools
    code --install-extension ms-vscode.cmake-tools
    code --install-extension chiehyu.vscode-astyle
    code --install-extension leathong.openscad-language-support
    
  4. (Maybe) install some extra filesystems (as needed)

    sudo apt install davfs2 sshfs jmtpfs ecryptfs-utils exfatprogs exfat-fuse hfsplus libguestfs-tools
    
  5. Install qbrew build dependencies:

    sudo apt install qt5-qmake qtbase5-dev qttools5-dev-tools
    
  6. Install Virtualbox package archive, install Virtualbox, and give users permission to use it:

    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/oracle-virtualbox-2016.gpg] https://download.virtualbox.org/virtualbox/debian jammy contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
    wget -O- https://www.virtualbox.org/download/oracle_vbox_2016.asc | sudo gpg --yes --output /usr/share/keyrings/oracle-virtualbox-2016.gpg --dearmor
    sudo apt update
    sudo apt install virtualbox-7.0
    sudo usermod -a -G vboxusers matt
    
  7. Install docker and give users permission to use it:

    sudo apt install docker.io
    sudo usermod -a -G docker matt
    
  8. Install iperf and add firewall exception

    sudo apt install iperf
    sudo ufw allow 5001
    
  9. Install wireshark and add users to wireshark group

    sudo apt install wireshark
    sudo usermod -a -G wireshark matt
    
  10. Set up logic analyzer stuff (sigrok/pulseview)

    1. Install:

      sudo apt install pulseview sigrok-firmware-fx2lafw
      
    2. But, it needs udev rules installed. Get the two rules files from here:

      1. https://sigrok.org/gitweb/?p=libsigrok.git;a=blob_plain;f=contrib/60-libsigrok.rules;hb=HEAD
      2. https://sigrok.org/gitweb/?p=libsigrok.git;a=blob_plain;f=contrib/61-libsigrok-plugdev.rules;hb=HEAD
    3. And install them into /etc/udev/rules.d. Note that this allows all plugdev users to use the logic analyzer (which is fine, because I am in that group).

    4. Note that the device I have uses the fx2lafw driver.

  11. Arduino hackery

    I find myself using various old versions of Arduino, so some hackery is required because they link against old versions of things....

    cd /usr/lib/x86_64-linux-gnu/
    sudo ln -s libreadline.so.8 libreadline.so.6
    sudo apt install libncurses5 libtinfo5
    

    And make sure you have dialout perms:

    sudo usermod -a -G dialout matt
    
  12. Install RPi SD card imager

    sudo snap install rpi-imager
    
  13. Headtracking build stuff

    1. Opentrack dependencies

      sudo apt install cmake git qttools5-dev qtbase5-private-dev libprocps-dev libopencv-dev
      
    2. AITrack dependencies

      sudo apt install qtbase5-dev qtbase5-dev-tools libqt5x11extras5-dev libopencv-dev libspdlog-dev libfmt-dev libomp-12-dev libqt5x11extras5 libspdlog1 libomp5-12 libxsettings-dev libxsettings-client-dev
      

Publishing/media/etc. machines

(This includes all kinds of desktop publishing, media manipulation and transcoding, video editing, etc.)

  1. LaTeX

    1. install the "full boat" options:

      sudo apt install --install-suggests texlive-full latex2html
      
    2. And set things up:

      cd /usr/share/texmf/tex/latex
      sudo cp -a ~/system_stuff/latex/local .
      sudo chown -R root:root local
      sudo cp -a ~/system_stuff/latex/fonts/cookingsymbols.tfm /usr/share/texmf/fonts/tfm/public/.
      sudo mkdir -p /usr/share/texmf/fonts/source/public/
      sudo chmod a+rx /usr/share/texmf/fonts/source/public/
      sudo cp -a ~/system_stuff/latex/fonts/cookingsymbols.mf /usr/share/texmf/fonts/source/public/.
      sudo texhash
      
  2. Install publishing tools from apt:

    sudo apt install xsane scribus scribus-template gnuplot gnuplot-mode digikam kipi-plugins okular okular-extra-backends k3b libk3b7-extracodecs gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly kaffeine xine-ui libvdpau-va-gl1 mpg123 sox rhythmbox graphviz audacity libsox-fmt-all dvdbackup dia gsfonts-x11 ubuntustudio-fonts vorbisgain clementine krita sound-juicer djvulibre-bin djvulibre-desktop pdf2djvu ubuntu-restricted-extras cheese arandr blender kdenlive kino tesseract-ocr ffmpeg2theora mp3info libreoffice meshlab pithos handbrake
    
  3. And some of them are snaps now

    sudo snap install mp3gain
    
  4. Install dvdstyler:

    1. Refs: http://ubuntuhandbook.org/index.php/2019/05/dvdstyler-3-1-released-with-hd-videos-support-how-to-install/

      sudo add-apt-repository ppa:ubuntuhandbook1/dvdstyler
      sudo apt install dvdstyler
      
  5. Set up video editing:

    1. Add user to video group so I can capture video

      sudo usermod -a -G video matt
      
  6. Change wodim to be suid root to limit having to sudo.

    sudo chmod u+s `which wodim`
    
  7. Make DVDs work

Crazy desktop machine with too many drives.

This machine has 2 NVMe drives set up in a RAID setup, as described above, and then a bunch of single drives for working, etc. - basically, stuff that doesn't need to be redundant because if I lose it, it's not a big deal, because I can download it again.

  1. UPS

    The first bit, with GNOME, doesn't seem to exist anymore and I can't find an XFCE equivalent. Anyway:

    sudo apt install nut

Edit `/etc/nut/ups.conf` and add the following at the bottom:

    [ups]
        driver = usbhid-ups
        port = auto

There's only one UPS hooked to this guy, so we don't need to worry about
disambiguation.

Also, if you just installed nut, but the UPS is already plugged in, you'll
need to unplug and replug it to fire the hotplug events.

Start it:

  sudo upsdrvctl start

Add the following to `/etc/nut/upsd.conf`:

   ACL all 0.0.0.0/0
   ACL localhost 127.0.0.1/32
   ACCEPT localhost
   REJECT all

This will reject all non-local traffic.

Add the following to `/etc/nut/upsd.users`

   [local_mon]
       password = PASSWORD_HERE
       allowfrom = localhost
       upsmon master

Obviously, make PASSWORD_HERE some random password.

Add the following to `/etc/nut/upsmon.conf`, at the bottom of the `MONITOR` section:

  MONITOR ups@localhost 1 local_mon PASSWORD_HERE master

Edit `/etc/nut/nut.conf` and set:

  MODE=standalone

Enable and start it:

   sudo systemctl enable nut-server
   sudo systemctl restart nut-server
   sudo systemctl enable nut-client
   sudo systemctl restart nut-client

You can print statistics via:

   upsc ups
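
Whether upsd really is reachable only from this machine can be read off the listening sockets: upsd listens on TCP port 3493 and, when `upsd.conf` has no `LISTEN` line, binds to localhost only; recent NUT releases log `ACL`, `ACCEPT` and `REJECT` as no longer supported rather than applying them. The script below is an added example, not part of the original notes; the function names are hypothetical and the `ss` output is constructed.

```bash
#!/bin/sh
# Added example: confirm that upsd (NUT's network daemon, TCP port 3493)
# is listening on loopback addresses only.

NUT_PORT=3493

# nonlocal_listeners PORT
# Reads `ss -H -ltn` output on stdin and prints every local address that
# listens on PORT and is not a loopback address. No output means local-only.
nonlocal_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }
    '
}

# Constructed sample: what `ss -H -ltn` shows for a localhost-only upsd.
sample_local_only() {
    cat <<'EOF'
LISTEN 0 16  127.0.0.1:3493 0.0.0.0:*
LISTEN 0 16      [::1]:3493    [::]:*
LISTEN 0 128   0.0.0.0:22   0.0.0.0:*
EOF
}

# Constructed sample: upsd.conf contains "LISTEN 0.0.0.0 3493".
sample_exposed() {
    cat <<'EOF'
LISTEN 0 16  0.0.0.0:3493 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
EOF
}

# upsd_is_local_only: exit status 0 when stdin shows no non-loopback listener.
upsd_is_local_only() {
    [ -z "$(nonlocal_listeners "$NUT_PORT")" ]
}

# On the real machine: ss -H -ltn | upsd_is_local_only && echo "upsd: local only"
if sample_local_only | upsd_is_local_only; then echo "sample 1: local only"; fi
if ! sample_exposed | upsd_is_local_only; then echo "sample 2: exposed"; fi
```
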
  1. The mouse controller software

    sudo add-apt-repository ppa:solaar-unifying/stable
    sudo apt install solaar
    
  2. Steam drive

    1. Partition it and make a filesystem for it. Note the UUID it generated.

    2. Edit /etc/fstab and add the following lines:

      UUID=7d2aaa21-a75b-4f0a-a508-51e50a78c304 /home/matt/storage1   ext4    defaults        0       2
      UUID=34106401-02ac-4148-9ac2-50e29847208f /home/matt/storage2   ext4    defaults        0       2
      UUID=4a3f0b96-e61e-461a-a3f8-215799516415 /home/matt/storage3   ext4    defaults        0       2
      UUID=d58b4aa3-e32a-460a-9734-a84ccab5a61d /home/matt/storage4   ext4    defaults        0       2
      

      (Fill out the UUID appropriately.)

    3. Make the mount points

      mkdir ~/storage1 ~/storage2 ~/storage3 ~/storage4
      
    4. Mount it all:

      sudo mount -a
      
    5. Fix all the perms

      sudo chown -R matt:matt /home/matt/storage*
      
  3. udev rule to program programmable keyboard (Keychron K10 pro)

    1. Edit /etc/udev/rules.d/50-keychron-k10-pro.rules

    2. Add this line:

      KERNEL=="hidraw*", ATTRS{idVendor}=="3434", MODE="0664", GROUP="plugdev"
      
    3. Fix perms:

      sudo chmod a+r /etc/udev/rules.d/50-keychron-k10-pro.rules
      
    4. Reload the rules and rerun them:

      sudo udevadm control --reload-rules
      sudo udevadm trigger
      
  4. ZenBleed vuln mitigation.

    1. Ref: https://lock.cmpxchg8b.com/zenbleed.html

    2. TODO: Remove once microcode fix is released in Ubuntu repos. Estimated Dec 2023.

    3. Reference - at time of writing, register 0xc0011029's value is:

      0x3000310e08002
      
    4. Create /etc/systemd/system/zenbleed-mitigation.service as follows:

      [Service]
      Type=oneshot
      RemainAfterExit=yes
      ExecStart=/bin/bash -c 'wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))'
      
      
      [Install]
      WantedBy=multi-user.target
      
    5. Enable and then start it:

      sudo systemctl enable zenbleed-mitigation.service
      sudo systemctl start zenbleed-mitigation.service
      
    6. After running it, the register is:

      0x3000310e08202
      

      Which confirms bit 9 being set.

    7. You can check the register at any time with:

      sudo rdmsr -c 0xc0011029
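
`rdmsr -c` without `-a` reads a single CPU (CPU 0 by default), while the unit writes the register on every CPU with `wrmsr -a`, so a full check looks at all of them. The script below is an added example, not part of the original notes: it tests bit 9 in each value that `rdmsr -a -c 0xc0011029` prints; the function names are hypothetical and the per-core sample is constructed from the two register values quoted above.

```bash
#!/bin/sh
# Added example: check the Zenbleed workaround bit (bit 9 of MSR 0xc0011029).

BIT=9

# bit9_is_set VALUE -> exit status 0 when bit 9 is set in VALUE.
bit9_is_set() {
    [ $(( $1 & (1 << $BIT) )) -ne 0 ]
}

# with_bit9 VALUE -> prints VALUE with bit 9 set, the same OR that the
# unit's ExecStart line computes before calling wrmsr.
with_bit9() {
    printf '0x%x\n' $(( $1 | (1 << $BIT) ))
}

# count_unmitigated: reads one register value per line on stdin (the output
# of `rdmsr -a -c 0xc0011029`) and prints how many values have bit 9 clear.
count_unmitigated() {
    missing=0
    while IFS= read -r value; do
        [ -n "$value" ] || continue
        bit9_is_set "$value" || missing=$((missing + 1))
    done
    printf '%s\n' "$missing"
}

# Constructed sample: four cores, one of which still holds the
# "before" value from this page (bit 9 clear).
sample_values() {
    cat <<'EOF'
0x3000310e08202
0x3000310e08202
0x3000310e08002
0x3000310e08202
EOF
}

# On the real machine (root, msr-tools installed):
#   rdmsr -a -c 0xc0011029 | count_unmitigated
echo "cores without the workaround in the sample: $(sample_values | count_unmitigated)"
```
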
      

Video game machines

Note: A lot of the old video game stuff has moved to MiSTer (because FPGA). This is what remains, generally because it was originally a PC game and therefore I'm using software to emulate software (which makes more sense than software emulating hardware. FPGAs are for emulating hardware).

  1. Install video game things from apt:

    sudo apt install wine-stable playonlinux steam jstest-gtk pcsx2 gamemode
    
  2. And from snap

    sudo snap install dolphin-emulator
    
  3. Allow steam in-home streaming ports.

    1. Ref: https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711

    sudo ufw allow from 192.168.9.0/24 to any port 27031 proto udp comment 'steam'
    sudo ufw allow from 192.168.9.0/24 to any port 27036 proto udp comment 'steam'
    sudo ufw allow from 192.168.9.0/24 to any port 27036 proto tcp comment 'steam'
    sudo ufw allow from 192.168.9.0/24 to any port 27037 proto tcp comment 'steam'
    
  4. Add gcdemu

    sudo apt-add-repository ppa:cdemu/ppa
    sudo apt install gcdemu
    
  5. Install modern DOSBox (dosbox-x)

    - compiling this from source because the snap currently can't do
      joysticks and there aren't any other prepackaged builds.
    

    And make sure fluidsynth is installed for the good tunes.

    sudo apt install fluidsynth fluid-soundfont-gm fluid-soundfont-gs
    
  6. Install Lutris

    Instructions: https://lutris.net/downloads/

    sudo add-apt-repository ppa:lutris-team/lutris
    sudo apt install lutris
    
  7. Set up additional video card libraries and tools:

    1. Install the Vulkan tools, libraries, and so forth:

      sudo apt install vulkan-tools mesa-vulkan-drivers mesa-vulkan-drivers:i386
      
    2. One can then check things with `vulkaninfo`.

  8. Install the Steam controller

    1. Create /etc/udev/rules.d/60-steam-controller-perms.rules with the following contents:

      # This rule is needed for basic functionality of the controller in Steam and keyboard/mouse emulation
      SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
      
      # This rule is necessary for gamepad emulation; make sure you replace 'matt' with a group that the user that runs Steam belongs to
      KERNEL=="uinput", MODE="0660", GROUP="matt", OPTIONS+="static_node=uinput"
      
      # Valve HID devices over USB hidraw
      KERNEL=="hidraw*", ATTRS{idVendor}=="28de", MODE="0666"
      
      # Valve HID devices over bluetooth hidraw
      KERNEL=="hidraw*", KERNELS=="*28DE:*", MODE="0666"
      
      # DualShock 4 over USB hidraw
      KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="05c4", MODE="0666"
      
      # DualShock 4 wireless adapter over USB hidraw
      KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="0ba0", MODE="0666"
      
      # DualShock 4 Slim over USB hidraw
      KERNEL=="hidraw*", ATTRS{idVendor}=="054c", ATTRS{idProduct}=="09cc", MODE="0666"
      
      # DualShock 4 over bluetooth hidraw
      KERNEL=="hidraw*", KERNELS=="*054C:05C4*", MODE="0666"
      
      # DualShock 4 Slim over bluetooth hidraw
      KERNEL=="hidraw*", KERNELS=="*054C:09CC*", MODE="0666"
      
      # Nintendo Switch Pro Controller over USB hidraw
      KERNEL=="hidraw*", ATTRS{idVendor}=="057e", ATTRS{idProduct}=="2009", MODE="0666"
      
      # Nintendo Switch Pro Controller over bluetooth hidraw
      KERNEL=="hidraw*", KERNELS=="*057E:2009*", MODE="0666"
      
  9. Set up the 8BitDo Ultimate controller

    sudo apt install xboxdrv
    

    To set perms and automatically run xboxdrv, add /etc/udev/rules.d/99-8bitdo-ultimate.rules with the contents of:

    # 8BitDo Ultimate controller
    SUBSYSTEM=="usb", ATTRS{idVendor}=="2dc8", ATTRS{idProduct}=="3106", MODE="0666"
    

    Fix perms:

    sudo chmod a+r /etc/udev/rules.d/99-8bitdo-ultimate.rules
    

    And then kick it:

    sudo udevadm control --reload-rules && sudo udevadm trigger
    

    Once that is done, the following driver line will work:

    /usr/bin/xboxdrv --device-by-id 2dc8:3106 --type xbox360
    

    Note: this must be kept running in order for the controller to not time out and power off after about 2 minutes.

  10. Install Rise of The Triad (ROTT), symlink game files where expected, and configure it properly.

    sudo apt install rott
    cd /usr/share/games/
    sudo ln -s ~/storage1/dosbox/drive_c/games/rott .
    sudo update-alternatives --set rott /usr/games/rott-commercial
    
  11. Install Quake and symlink game files where expected.

    sudo apt install quake
    cd /usr/share/games/quake/
    sudo ln -s ~/storage1/dosbox/drive_c/games/quake/id1 .
    
    1. Allow Quake server port through

      sudo ufw allow 26000 comment 'quake'

  12. Install doomsday (modernized Doom/Doom2/Heretic/Hexen native engine) and eureka level editor

    sudo apt install doomsday eureka
    

    (this is configured from inside its own menus)

  13. Install latest Descent 1 and 2 rebirth, and symlink things to the correct places

    1. Compile it (if necessary - and we do a --clean first, just in case):

      sudo apt-get install build-essential scons libsdl1.2-dev libsdl-image1.2-dev libsdl-mixer1.2-dev libphysfs-dev
      cd ~/workspace/code/dxx-rebirth
      scons --clean
      scons -j 16 prefix=/usr
      cp -a build/d1x-rebirth/d1x-rebirth build/d2x-rebirth/d2x-rebirth ~/games/bin/.
      
    2. Put things in the correct places (these are the same places as used by the Ubuntu packaged versions, to make switching between them easy.)

      cd /usr/share/games/
      sudo mkdir -p d1x-rebirth/Data d2x-rebirth/Data
      cd d1x-rebirth/Data
      sudo ln -s ~/storage1/dosbox/drive_c/games/descent/descenta/* .
      cd ../../d2x-rebirth/Data
      sudo ln -s ~/storage1/dosbox/drive_c/games/descent/descnt2v/* .
      
    3. Allow the network port through the firewall (so we can host games)

      sudo ufw allow 42424/udp comment 'descent'
      
  14. Install protontricks (for Proton tweaking)

    sudo apt install python3-pip python3-setuptools python3-venv pipx
    pipx install protontricks
    
  15. Install prerequisites to compile bstone (https://github.com/bibendovsky/bstone)

    sudo apt install libsdl2-dev
    
  16. Add repo and install ECWolf (Wolfenstein 3D and Spear of Destiny source port)

    sudo wget -O /usr/share/keyrings/drdteam.gpg http://debian.drdteam.org/drdteam.gpg
    sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/drdteam.gpg] http://debian.drdteam.org/ stable multiverse" >> /etc/apt/sources.list.d/drdteam.list'
    sudo apt-get update
    sudo apt-get install ecwolf
    
  17. Install and set up devilutionX (for Diablo/Hellfire) TODO: There is a snap now, install and make sure it works.

    sudo snap install devilutionx
    

    and then copy *.mpq from the respective CDs to ~/.local/share/diasurgical/devilution/

  18. Install Return to Castle Wolfenstein and symlink things to the correct places:

    sudo apt install rtcw
    sudo ln -s ~/storage1/video_games/installed/rtcw /usr/share/games/.
    
  19. Install mangohud

    sudo add-apt-repository ppa:flexiondotorg/mangohud
    sudo apt install mangohud
    
  20. Enable variable refresh rate (aka FreeSync / G-Sync) for machines with appropriate hardware and displays.

    1. Check that the display supports it with `xrandr --props | grep vrr_capable` and make sure that the connected display can do it.

    2. Create /etc/X11/xorg.conf.d/r.conf as follows:

      Section "Device"
          Identifier "AMD"
          Driver "amdgpu"
          Option "DRI" "3"
          Option "VariableRefresh" "true"
      EndSection
      
    3. And make sure it can be read via `sudo chmod a+r /etc/X11/xorg.conf.d/r.conf`

    4. Reboot

    5. Check that it got enabled with `grep VariableRefresh /var/log/Xorg.0.log`

  21. Install racing wheel stuff

    NOTE: This will likely be deprecated once they are included in mainline kernels.

    NOTE: This is mainly for Assetto Corsa. For setting that up, see https://steamcommunity.com/app/244210/discussions/0/3824163953451160286/ and https://steamcommunity.com/sharedfiles/filedetails/?id=2828364666

    1. Install hid-tmff2 for the wheel (including DKMS setup)

      Ref: https://github.com/Kimplul/hid-tmff2

      cd ~/workspace/code
      git clone --recurse-submodules https://github.com/Kimplul/hid-tmff2.git
      cd hid-tmff2
      sudo ./dkms-install.sh
      echo 'blacklist hid_thrustmaster' | sudo tee /etc/modprobe.d/blacklist-hid-thrustmaster.conf
      echo "options hid-tmff-new timer_msecs=2" | sudo tee /etc/modprobe.d/hid-tmff-new.conf
      
    2. Install oversteer

      Ref: https://github.com/berarma/oversteer

      sudo apt install meson appstream-util
      cd ~/workspace/code
      git clone https://github.com/berarma/oversteer.git
      cd oversteer
      meson build
      cd build
      sudo ninja install
      sudo udevadm control --reload-rules && sudo udevadm trigger
      
    3. After that, the wheel should work when plugging it in.

    4. Create the following udev rule as /etc/udev/rules.d/99-thrustmaster_t-lcm_pedals.rules to fix permissions for the pedals when plugged in via USB. The ENV bit also forces it to be a joystick for SDL (and therefore wine/proton) visibility purposes.

      SUBSYSTEM=="input", ATTRS{idVendor}=="044f", ATTRS{idProduct}=="b371", MODE="0664", ENV{ID_INPUT_JOYSTICK}="1", TAG+="uaccess"
      

      and then kick udev to reread it all:

      sudo udevadm control --reload-rules && sudo udevadm trigger
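
The udev rules on this page set device-node modes ranging from `0660`/`0664` with a group or `uaccess` tag up to `0666`, which lets every local account open the device. The script below is an added example, not part of the original notes, that lists the rules granting write access to "other"; the function names are hypothetical and the sample input is built from rules quoted on this page.

```bash
#!/bin/sh
# Added example: list udev rules whose MODE= grants write access to "other".

# world_writable_rules: reads udev rules on stdin and prints
# "<line>: MODE=<mode>: <rule>" for every rule with the other-write bit set.
world_writable_rules() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        match($0, /MODE="[0-7]+"/) {
            mode  = substr($0, RSTART + 6, RLENGTH - 7)
            other = substr(mode, length(mode), 1) # last octal digit
            if (other == "2" || other == "3" || other == "6" || other == "7")
                printf "%d: MODE=%s: %s\n", NR, mode, $0
        }
    '
}

# audit_rules_dir DIR: run the check over every *.rules file in DIR and
# prefix each finding with the file name.
audit_rules_dir() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        world_writable_rules < "$f" | sed "s|^|$f:|"
    done
}

# Constructed sample: one file assembled from rules shown on this page.
sample_rules() {
    cat <<'EOF'
# sample assembled from the rules on this page
KERNEL=="hidraw*", ATTRS{idVendor}=="3434", MODE="0664", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="matt", OPTIONS+="static_node=uinput"
KERNEL=="hidraw*", ATTRS{idVendor}=="28de", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="2dc8", ATTRS{idProduct}=="3106", MODE="0666"
SUBSYSTEM=="input", ATTRS{idVendor}=="044f", ATTRS{idProduct}=="b371", MODE="0664", ENV{ID_INPUT_JOYSTICK}="1", TAG+="uaccess"
EOF
}

# Prints the three 0666 rules (sample lines 3, 5 and 6).
sample_rules | world_writable_rules
# On the real machine: audit_rules_dir /etc/udev/rules.d
```
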
      

Random other things that may be needed on a case by case basis

  1. Set up samba:

    1. All machines:

      sudo apt install samba cifs-utils
      cd /etc/samba
      sudo mv smb.conf smb.conf.old
      sudo cp ~/system_stuff/samba/smb.conf.`hostname` ./smb.conf
      
    2. Servers

      sudo update-rc.d smbd defaults
      sudo update-rc.d nmbd defaults
      sudo service smbd start
      sudo service nmbd start
      
    3. Other machines (laptops, etc)

      1. Remember to turn it off on places you don't want the server, just the client.

        echo "manual" | sudo tee /etc/init/smbd.override
        echo "manual" | sudo tee /etc/init/nmbd.override
        sudo service smbd stop
        sudo service nmbd stop
        
      2. Make sure to add ufw rules for them

        sudo ufw allow from 192.168.9.0/24 to any port netbios-ns
        sudo ufw allow from 192.168.9.0/24 to any port netbios-dgm
        sudo ufw allow from 192.168.9.0/24 to any port netbios-ssn
        sudo ufw allow from 192.168.9.0/24 to any port microsoft-ds
        
    4. Set up apache (if necessary)

      1. see Apache Installation Instructions
    5. Set up sensors (if not set up automagically):

      1. For bluebox / Ryzen 3700 w/ B550 board:

        1. add the following to /etc/modules:

          nct6775
          
      2. For hiro / Thinkpad P51:

        1. add the following to /etc/modules:

          coretemp
          
      3. For new machines, you figure out what you need by running sensors-detect and following the prompts - the defaults are typically fine.

      4. FIXME - edit the conf file to fix scaling, etc.

    6. Add temperature monitoring script to crontab (servers only):

      @hourly              /home/matt/bin/tempChecker
      
  2. If pulseaudio gives you problems, do:

    sudo apt purge pulseaudio
    sudo rm -r ~/.pulse ~/.config/pulse /etc/pulse /usr/share/pulseaudio
    sudo apt install pulseaudio
    
    1. Reboot.

    2. If you don't get a volume icon, it's likely that the indicator plugin was uninstalled as a dependency; reinstall it:

      sudo apt install xfce4-pulseaudio-plugin
      
  3. Fix Wake On Lan

    1. Install ethtool

      sudo apt install ethtool
      
    2. Create /etc/network/if-up.d/wol_fix with the following content, replacing [card] with the card:

      #!/bin/sh
      /sbin/ethtool -s [card] wol g
      
    3. And set the perms on it:

      sudo chmod +x /etc/network/if-up.d/wol_fix
      

Misc. Notes

Notifications

There are some oddities as it relates to system notification icons.

First, there are 3 options:

  • Indicator Plugin
  • Status Tray Plugin
  • Status Notifier Plugin

Of these, Indicator Plugin seems to be the most reliable - that is, when I start Slack, Slack shows up. For the others, it only shows up if you restart the plugin (which means either deleting and re-adding it, or restarting the panel, both of which are annoying). This makes Indicator Plugin superior to the other two.

Second, and annoyingly, neither the Indicator Plugin nor the Status Notifier Plugin implements the "systray" handler - which is used by a few things, most notably the "print jobs status" notifier. It is, however, implemented by the Status Tray plugin. This means that we want to have both the Indicator Plugin and the Status Tray Plugin on the panel.

However, this leads to some duplication, most notably in the networking icons, and occasionally in other things. Fortunately, we can configure Status Notifier to hide these things by default (they are all behind a > on the bar).

There is some information about this here:

https://askubuntu.com/questions/1119638/what-is-the-difference-between-notification-area-systray-indicator-plugin

Which suggests that Indicator is a bit of Canonical sauce.

And this:

https://docs.xfce.org/panel-plugins/xfce4-statusnotifier-plugin/start

Says that Status Notifier is deprecated and I should just use Status Tray - which would be great, apart from the "it don't work" issue.