System specs

A nice review here : http://www.ruggedpcreview.com/3_slates_xplore_ix104c3.html

Users handbook : ftp://Support:Xplore@ftp.xploretech.com/Reports%20and%20Handbooks/iX104C3%20USERS%20HANDBOOK.pdf

Note: my model only has a digitizer (tablet PC model), no touchscreen (dual mode version)

Debian stable to the rescue

First I wanted to install Arch Linux on this system, but soon I encountered a severe setback : the Wacom stylus would not work. Then I tried Ubuntu 12.04 (Precise), everything worked out of the box, except the stylus!
Explanation : it seems the support for this older, serial Wacom tablet has been removed from the X.Org Wacom input drivers, since the 0.10.6 version and up.
(more info can be found here : http://ubuntuforums.org/showthread.php?t=1780154 )

Fortunately Debian Squeeze still uses a working 0.10.5 driver version!

Dual booting

I chose to keep the original Windows XP (Tablet PC edition) so I used PartedMagic / Gparted to shrink the windows partition (40G should be large enough).

If ever needed to restore the original windows sytem, recovery disks and drivers can be found here : http://www.xploretech.com/support/download_center

Debian Installation

This will be an i386 Debian since the Pentium M processor is 32bit only.

Plug an usb keyboard (optional : a mouse if using the graphical installer).

I installed my system from the network (netinstall with PXE booting). The wired network interface (realtek RTL8169sb/8110sb) works out of the box, the Intel wireless adapter (ipw2200) needs a firmware (will be installed later after we enable the non-free repository).

A standard (Gnome 2) desktop environment was selected.

Installation done, reboot into your newly installed system.

Note : when not using an usb keyboard, you will want to :

• enable automatic login in gdm3
• disable screen locking

(we will work on these two things a bit later)

System configuration

Still, the Wacom stylus does not work out of the box.

Configuring the Wacom stylus

We need to add some udev rules
# nano /etc/udev/rules.d/70-wacom-serial.rules

ACTION!="add|change", GOTO="wacom_end"

# Match all serial wacom tablets with a serial ID starting with WACf
# Notes: We assign NAME though we shouldn't, but currently the server requires it.
#        We assign the lot to subsystem pnp too because server reads NAME from
#        the parent device. Once all that's fixed, a simple SUBSYSTEM="tty"
#        will do and the ENV{NAME} can be removed.
SUBSYSTEM=="tty|pnp", SUBSYSTEMS=="pnp", ATTRS{id}=="WACf*", ENV{ID_MODEL}="Serial Wacom Tablet $attr{id}", ENV{ID_INPUT}="1", ENV{ID_INPUT_TABLET}="1", ENV{NAME}="Serial Wacom Tab
let $attr{id}"
SUBSYSTEM=="tty|pnp", SUBSYSTEMS=="pnp", ATTRS{id}=="FUJ*", ENV{ID_MODEL}="Serial Wacom Tablet $attr{id}", ENV{ID_INPUT}="1", ENV{ID_INPUT_TABLET}="1", ENV{NAME}="Serial Wacom Tabl
et $attr{id}"

LABEL="wacom_end"

Then we also need to tell X.Org about our tablet
# mkdir -p /etc/X11/xorg.conf.d/
# cat >/etc/X11/xorg.conf.d/50-wacom.conf <<EOF

Section "InputClass"
Identifier "Wacom class"
MatchProduct "Wacom|WACOM|Hanwang|PTK-540WL"
MatchDevicePath "/dev/input/event*"
Driver "wacom"
EndSection

Section "InputClass"
Identifier "Wacom serial class"
MatchProduct "Serial Wacom Tablet"
Driver "wacom"
EndSection

Section "InputClass"
Identifier "Wacom serial class identifiers"
MatchProduct "WACf|FUJ02e5|FUJ02e7|FUJ02e9"
Driver "wacom"
Option "Button1" "1"        # left mouse button
Option "Button2" "3"        # right mouse button
EndSection
EOF

Reboot your system, the stylus should now be working!

Stylus calibration

If needed to perform stylus calibration, we will install xinput_calibrator from the sources (package is not available for Squeeze)
http://www.freedesktop.org/wiki/Software/xinput_calibrator

As a regular user
$ sudo apt-get install build-essential dh-autoreconf libx11-dev libxext-dev libxi-dev
$ cd && wget http://github.com/downloads/tias/xinput_calibrator/xinput_calibrator-0.7.5.tar.gz
$ tar xvzf xinput_calibrator* && cd xinput_calibrator*
$ ./autogen.sh && make && sudo make install

Now run
$ xinput_calibrator –output-type xorg.conf.d

Finally, as root, copy and paste the program’s output (the “option” lines) into your /etc/X11/xorg.conf.d/50-wacom.conf
(restart X for changes to take effect)

Updating the kernel (optional)

Enable the Debian backports
# echo >>/etc/apt/sources.list ‘deb http://backports.debian.org/debian-backports squeeze-backports main’ && apt-get update
# apt-get -t squeeze-backports install linux-image-686-pae

Enabling the non-free repo
# nano /etc/apt/sources.list

(your debian mirror will vary)

deb http://ftp.fr.debian.org/debian/ squeeze main contrib non-free

And installing the non-free firmwares
# apt-get update && apt-get install firmware-linux-nonfree firmware-ipw2x00 firmware-realtek

(reboot system)

Installing a newer Iceweasel (http://mozilla.debian.net/)
# echo >>/etc/apt/sources.list ‘deb http://mozilla.debian.net/ squeeze-backports iceweasel-release’
# apt-get update && apt-get install -t squeeze-backports iceweasel

Interesting add-ons for Iceweasel/Firefox :

FireGestures
https://addons.mozilla.org/en-US/firefox/addon/firegestures/

Accessibility tools

The Gnome On-screen Keyboard (GOK) was installed by default. I found it to be quite annoying to use (and sometimes buggy).
# apt-get remove gok

(There’s also Dasher. Haven’t tried it yet)

brltty (the Braille daemon) was also installed. As I don’t need it (and it takes some CPU time) :
# apt-get remove brltty

Same with Orca, the screen reader
# apt-get remove gnome-orca

So let’s install a nicer virtual keyboard :

Florence ( http://florence.sourceforge.net/english.html )
# apt-get install florence

Matchbox keyboard (light but less integrated into Gnome)
# apt-get install matchbox-keyboard

Enabling Florence at the GDM login screen
# cp /usr/share/applications/florence.desktop /usr/share/gdm/autostart/LoginWindow/

(you may now remove autologin in GDM)

Enable virtual keyboard when screen is locked ( https://live.gnome.org/GnomeScreensaver/FrequentlyAskedQuestions )

For some reason I wasn’t able to use Florence instead of matchbox-keyboard.
In GConf editor :

set /apps/gnome-screensaver/embedded_keyboard_enable to “true”
set /apps/gnome-screensaver/embedded_keyboard_command to “matchbox-keyboard –xid”

Allow virtual keyboard with gksu

Open GConf editor :

Set /apps/gksu/disable-grab to “true”

Some more applications for hand writing/drawing with the stylus

Xournal note taking
# apt-get install xournal

Mypaint drawing
# apt-get install mypaint

Special keys

By default on this hardware :

- the P1 key is mapped to F1
- P2 is mapped to F2
- P3 is mapped to F8
- Fn is mapped to F11
- “screen rotation” key is mapped to F12
- “secure” key is mapped to Ctrl-Alt-Del

How to see the corresponding keycodes? Just start
$ xev

Then try each special key.

P1 is keycode 0×67
P2 is 0×68
P3 is 0×74
Fn is 0×95
“Rotation key” is 0×96
“Secure key” will send the 3 keycodes corresponding to Ctrl-Alt-Del

Now modify your hotkey shortcuts in the Gnome settings.

Screen rotation

Copy this small script to /usr/local/bin/rotate.sh
# cat >/usr/local/bin/rotate.sh <<EOF
#!/bin/bash
#
# Rotate the screen clockwise 90 degrees.
# Also, rotate the wacom pointer so the stylus will still work.
#
# Original script by Ben Wong,  October 1, 2010
# Public domain.  No rights reserved.
#
# Modified by fredo696@gmail.com / http://agentoss.wordpress.com
# for use on Debian 6.0
# February 10, 2013
#

# set your wacom device name here (xsetwacom –list)
stylusdevname=”Serial Wacom Tablet WACf004 PNP0501″

case $(xsetwacom get “$stylusdevname” Rotate) in
CCW)  # Currently top is rotated left, we should set it normal (0°)
xrandr -o normal
xsetwacom set “$stylusdevname” Rotate NONE
;;
NONE)  # Screen is not rotated, we should rotate it right (90°)
xrandr -o right
xsetwacom set “$stylusdevname” Rotate CW
;;
CW)    # Top of screen is rotated right, we should invert it (180°)
xrandr -o inverted
xsetwacom set “$stylusdevname” Rotate HALF
;;
HALF)  # Screen is inverted, we should rotate it left (270°)
xrandr -o left
xsetwacom set “$stylusdevname” Rotate CCW
;;
*)
echo “Unknown result from ‘xsetwacom get $stylusdevname Rotate’” >&2
exit 1
;;
esac
exit 0
EOF

And make it executable
# chmod +x /usr/local/bin/rotate.sh

Now setup the “screen rotation” hotkey in the Gnome2 hotkey settings, to execute this script. Should work nicely

Gnome hotkey settings are good when you want to launch a program with a hotkey, but is not adapted when you want to remap a key.
To do key remapping we will use xmodmap ( https://wiki.archlinux.org/index.php/Extra_Keyboard_Keys_in_Xorg )

For instance I like the P2 and P3 buttons to act as Page_Up and Page_Down (useful when browsing)

As a regular user
$ nano ~/.Xmodmap

# P2 = F2 key = Page Up
keycode 68 = Page_Up
# P3 = F8 key = Page Down
keycode 74 = Page_Down

To test your .Xmodmap
$ xmodmap ~/.Xmodmap

When login in your next Gnome session, you will be asked if you want to load an .Xmodmap file, we select it and say yes of course.

Note : when using this method of key remapping, you will loose the actual F2 and F8 keys on the virtual keyboard.

TODO : Fingerprint scanner
The fingerprint reader module is a SGS Thomson/UPEK model (usb id 0483:2016). See more at http://www.freedesktop.org/wiki/Software/fprint/libfprint/upekts
# lsusb

Fingerprint GUI project
http://www.n-view.net/Appliance/fingerprint/index.php
# wget http://www.n-view.net/Appliance/fingerprint/download/fingerprint-gui-1.04.tar.gz

or libfprint
http://www.freedesktop.org/wiki/Software/fprint/Installation

Sound

Sound playback works out of the box; recording from the builtin mic needed some fiddling.

You need to enable some controls in the gnome volume control utility. See screenshots below.

Voice control and speech recognition

Google Chrome + speech recognition extension

Web speech API is now available with Chrome version 25 or later
https://www.google.com/intl/en/chrome/demos/speech.html

Download and install the .deb package from the official site, here for the 32 bits version
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_i386.deb
$ sudo dpkg -i google-chrome*
(if apt complains about missing dependencies)
$ sudo apt-get -f install

Next, install a speech recognition extension. I suggest : “Speech Recognition for Text inputs”
(website at http://www.nonelike.me/2012/03/chrome-speech-recognition-extension.html )

Works nicely

(sadly, I don’t think Firefox/Iceweasel has a similar working extension yet)

Power Management

The battery has quite a short autonomy on this model, thus it’s important to optimize energy consumption.

CPU frequency scaling works out of the box.

Suspend to RAM (sleep) and Suspend to disk (hibernate) are working fine.

Still we need to install some useful tools
# apt-get install laptop-mode-tools powertop

Configure laptop-mode-tools
# nano /etc/laptop-mode/laptop-mode.conf

ENABLE_AUTO_MODULES=1

Edit LCD brightness settings
# nano /etc/laptop-mode/conf.d/lcd-brightness.conf

TO FIX : does not work. Modifying the value in /sys/class/backlight/intel_backlight/brightness seems to do nothing

# grep . /sys/class/backlight/intel_backlight/*

Enable bluetooth power off
# nano /etc/laptop-mode/conf.d/bluetooth.conf

CONTROL_BLUETOOTH=1

Other modules should have good default settings.

Finally restart the laptop-mode daemon
# /etc/init.d/laptop-mode restart

Also run powertop for other possible optimizations.

Show battery level and health in a terminal:
# acpi -i

TODO : disable GPS for lower energy consumption (kernel module : ftdi_sio)

Optimizations

Filesystem optimizations (noatime, tmpfs)
# nano /etc/fstab

proc            /proc           proc    defaults            0       0
UUID=xxxxxxxxxx /               ext4    errors=remount-ro,noatime 0       1
UUID=xxxxxxxxxx /home           ext4    defaults,noatime        0       2
UUID=xxxxxxxxxx none            swap    sw                  0       0
tmpfs           /tmp            tmpfs   defaults,nosuid,nodev   0       0

Minimize swappiness (for less disk usage)
# sysctl -w ‘vm.swappiness=0′
# nano /etc/sysctl.conf

vm.swappiness = 0

Prelink binaries for faster loading
# apt-get install prelink
# prelink -a

(Remember to run prelink after software updates)

Sensors configuration (optional) for system temperature monitoring
# sensors-detect

Some minor cosmetic changes

Grub bootloader

Choose an image and convert it to PNG format using “convert” from the imagemagick package
$ convert image.jpg boot.png

Change the default background image
# nano /etc/default/grub

GRUB_GFXMODE=1024×768
GRUB_GFXPAYLOAD_LINUX=”keep”
GRUB_BACKGROUND=”path/to/the/boot.png”

Then
# update-grub

GDM3′s default background image can be changed as well
# nano /usr/share/gdm/greeter-config/10_desktop-base

GPS Applications

Install the gpsd GPS daemon
# apt-get install gpsd gpsd-clients

Configure your GPS device
# dpkg-reconfigure gpsd

device should by /dev/ttyUSB0

Start gpsd
# /etc/init.d/gpsd restart

Note: You’ll may have to get outside to properly receive GPS signal!

Navigation software

FoxtrotGPS (lightweight on dependencies)
# apt-get install foxtrotgps

gpsdrive (heavier on dependencies)
# apt-get install gpsdrive

Viking (not as easy to use)
# apt-get install viking

(there are plenty others)

Conclusion

If you own a similar computer running Linux, please share your comments, tips & tricks, etc!

Links

Debian Linux on a Tablet PC Howto
http://risujin.org/debian/

Tablet PC tips from the Arch wiki
https://wiki.archlinux.org/index.php/Tablet_PC

TODO

cellwriter (handwriting recognition)
voice control
navit (gps)

# apt-get install systemd

# less /usr/share/doc/systemd/README.Debian

# nano /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT=”quiet init=/bin/systemd”

# update-grub && reboot

That’s it!

Now experiment with

# man systemd

# systemctl

# systemd-journalctl

# systemctl reboot

…

NetBSD 6.0.1

Goals

• lightweight (no mysql server, no antivirus)
• simple (no virtual domains/users)
• secure

Requirements

• a valid internet domain name if you want to be able to send/receive email to/from the internet (buy a domain or take a free one at http://freedns.afraid.org )
• valid DNS records for your domain
• we assume your mail server is behind a properly configured router/gateway/firewall

Hardware/Virtual machine requirements

• 512M RAM
• 3G of disk space minimum, 8G recommended

Install NetBSD

Install from iso : http://www.netbsd.org/mirrors/#iso

Installation without X11

Note : if you later decide to install software such as Munin, you will need the X11 libraries so it’s better in this case to do a full installation.

Configure network

• Your DNS domain : domain.tld (replace by your own)
• Your host name: mx (or “mail”, or anything you want)

(so the fully qualified domain name FQDN for this system is : mx.domain.tld)

• Enable sshd : YES
• Enable ntpd : YES
• Run ntpdate at boot : YES

Installation finished, reboot, login as root

 # man afterboot
 # man hier

Change root password if not done at install time

 # passwd root

* USE A STRONG PASSWORD! *

Create a regular UNIX user, with a home directory created (we want to store our mails in ~/Maildir) Also add the user to the wheel group (for “su” ability)

 # useradd -m -G wheel fred
 # passwd fred

* USE A STRONG PASSWORD! *

Now you can login via ssh with your regular user to start your copy/paste session

First we switch to root

 # su -

Set mirror for downloading binary packages

 # export PKG_PATH=ftp://ftp2.fr.NetBSD.org/pub/pkgsrc/packages/NetBSD/$(uname -m)/6.0_2012Q3/All
 # echo >>~/.profile "export PKG_PATH=$PKG_PATH"

(adjust to another mirror and repository if needed)

My survival kit in BSD-land

 # pkg_add -v bash nano pkgin
 # echo >>~/.profile 'export EDITOR=nano'

Notes : – packages are installed into /usr/pkg/ – if you need to see again the included notes for a given package : pkg_info

Change default shell for root

 # whereis bash
 # export EDITOR=nano; chsh

Shell : /usr/pkg/bin/bash

Start a new bash shell

 # bash

Postfix configuration

Good news, Postfix is part of the netbsd base install and therefore already installed and running! But we need to adjust its configuration. (docs are in /usr/share/examples/postfix/)

We want to store our mail messages in Maildir format, not in mbox format

 # postconf -e 'home_mailbox = Maildir/'

(or uncomment the line which is already present in the /etc/postfix/main.cf)

If you need to use a relayhost to send messages to the internet (in most cases, your ISP’s relay mail server)

 # postconf -e 'relayhost=[smtp.yourisp.org]'

Note : if you need to authenticate yourself on the relayhost, read instructions in /usr/share/examples/postfix/SOHO_README

We need proper internet domain and hostname

 # postconf -e 'mydomain=domain.tld'
 # postconf -e 'myhostname=mx.domain.tld'

Allow delivery to user@$mydomain

 # postconf -e 'mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost'

Generate a self-signed SSL certificate and private key for our system

 # mkdir -p /etc/ssl/{certs,private}
 # cp /usr/share/examples/openssl/openssl.cnf /etc/openssl/
 # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/myserver.key -out /etc/ssl/certs/myserver.crt
 # chmod 600 /etc/ssl/private/myserver.key

Enable TLS/SSL support for security (see /usr/share/examples/postfix/TLS_README for more)

 # postconf -e 'smtpd_tls_security_level=may'
 # postconf -e 'smtpd_use_tls=yes'
 # postconf -e 'smtpd_tls_auth_only=yes'
 # postconf -e 'smtpd_tls_cert_file=/etc/ssl/certs/myserver.crt'
 # postconf -e 'smtpd_tls_key_file=/etc/ssl/private/myserver.key'
 # postconf -e 'smtpd_tls_loglevel=1'

The rest of the postfix configuration is set to sane defaults.

Enable inbound smtp reception

 # nano /etc/postfix/master.cf

uncomment the first “smtp” line

Changes made, reload postfix

 # /etc/rc.d/postfix reload

Send a test mail from root to your regular user

 # echo "from my netbsd mailserver" | mail -s "test mail" fred

Look at the log to see if everything went fine

 # tail /var/log/maillog

Also it’s a good idea to forward system mails (sent to root) to our regular user

 # nano /etc/mail/aliases

add a line at the end :

root: fred

Save and don’t forget :

 # newaliases

Installing packages with pkgin

pkgin is an enhanced package manager similar to apt/yum/zypper. You must also specify the correct PKG_PATH in its configuration file.

 # echo $PKG_PATH >/usr/pkg/etc/pkgin/repositories.conf && pkgin update

For those who are on dynamic IP, you can use ddclient to update your DNS records (see your domain name registrar)

 # pkgin in ddclient
 # nano /usr/pkg/etc/ddclient.conf

(I personally use n$m$ch$$p and it works perfectly)

Test your settings

 # ddclient -verbose -daemon 0

Start daemon

 # cp -v /usr/pkg/share/examples/rc.d/ddclient /etc/rc.d/
 # echo >>/etc/rc.conf 'ddclient=YES' && /etc/rc.d/ddclient start

Check your DNS records

 # dig domain.tld -t any

or

 # host -a domain.tld

Antispam : greylisting with postgrey

(unlike some other greylisting software for postfix, postgrey doesn’t need a mysql server)

 # pkgin in postgrey

Start daemon

 # cp -v /usr/pkg/share/examples/rc.d/postgrey /etc/rc.d/
 # echo >>/etc/rc.conf 'postgrey=YES' && /etc/rc.d/postgrey start

See the documentation

 # perldoc postgrey

Adjust postfix for using postgrey daemon

 # postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:2525'
 # /etc/rc.d/postfix reload

Note : in NetBSD, the postgrey daemon is configured to listen on the 2525/tcp port, not 10023/tcp.

Now in order to test if postgrey actually works properly, send an email to your system from an external email address, and check the mail log

 # tail /var/log/maillog | grep postgrey

Antispam : spamassassin/spamass-milter

 # pkgin in spamass-milter

(will include spamassassin as a dependency)

Copy the rc.d files

 # cp -v /usr/pkg/share/examples/rc.d/{spamd,spamass-milter} /etc/rc.d/

The /etc/rc.d/spamass-milter must be corrected (this dirty hack is needed otherwise postfix will not be able to access the socket and the milter will fail)

# cat >>/etc/rc.d/spamass-milter <<EOF

 echo -n "Changing /var/run/spamass.sock ownership and permissions..."
 sleep 1
 chown postfix:postfix /var/run/spamass.sock
 chmod 0660 /var/run/spamass.sock
 echo " done"
 EOF

Adjust Spamassassin’s settings

 # nano /usr/pkg/etc/spamassassin/local.cf

Uncomment the “rewrite_header Subject” directive.

Start daemons

 # echo >>/etc/rc.conf 'spamd=YES' && /etc/rc.d/spamd start
 # echo >>/etc/rc.conf 'spamass_milter=YES' && /etc/rc.d/spamass-milter start

Integrate spamass-milter with postfix (Note : this was taken from a working Debian/Postfix/Spamass-milter config )

 # postconf -e 'smtpd_milters=unix:/var/run/spamass.sock'
 # postconf -e 'milter_default_action=accept'
 # postconf -e 'milter_connect_macros= j {daemon_name} v {if_name} _'
 # /etc/rc.d/postfix reload

Update spamassassin’s rules

 # sa-update -v && /etc/rc.d/spamd reload

Create a new cron job for daily update

 # crontab -e

 @daily /usr/pkg/bin/sa-update >/dev/null 2>&1 && /etc/rc.d/spamd reload >/dev/null 2>&1

Testing your antispam settings Send yourself a sample spam email (from an external email account), see /usr/pkg/share/doc/spamassassin/sample-spam.txt

TODO : train system for spam recognition

 # perldoc sa-learn

Install IMAP server : Dovecot

 # pkgin in dovecot-2

Dovecot configuration files are located in : /usr/pkg/etc/dovecot/ Log file is : /var/log/maillog

Edit default config, I disable pop3 since I don’t use it.

 # cd /usr/pkg/etc/dovecot/
 # nano dovecot.conf 
 protocols = imap lmtp

Now edit the 10-ssl.conf file and change the path for the certificate

 # nano conf.d/10-ssl.conf

ssl = yes

ssl_cert = </etc/ssl/certs/myserver.crt

ssl_key = </etc/ssl/private/myserver.key

Next, we want to use MailDir format for storing our messages, in our user’s home directory.

 # nano conf.d/10-mail.conf

mail_location = maildir:~/Maildir

All changes done, now start Dovecot daemon

 # cp -v /usr/pkg/share/examples/rc.d/dovecot /etc/rc.d/
 # echo >>/etc/rc.conf 'dovecot=YES' && /etc/rc.d/dovecot start

Postfix SASL support from Dovecot

This will allow you to authenticate yourself on your server, in order to send mails from outside of your local network (from your portable computer or smartphone, for instance)

Just follow the provided instructions

 # less /usr/pkg/share/doc/dovecot/wiki/HowTo.PostfixAndDovecotSASL.txt

Just be careful with this postfix line (order is important) :

 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:2525

(Reload postfix and dovecot of course)

 # /etc/rc.d/postfix reload
 # /etc/rc.d/dovecot reload

Installing Apache web server with PHP5

 # pkgin se apache |less

We see there are several apache versions to choose from. Go for the latest, Apache 2.4.x

 # pkgin in apache-2.4

• The apache user/group is : www/www
• The apache daemon is : httpd
• Configuration files are located in : /usr/pkg/etc/httpd/
• Default document root is : /usr/pkg/share/httpd/htdocs/
• Log files are located in : /var/log/httpd/

Note 1 : Apache’s logs will not be rotated by default. You must edit the /etc/newsyslog.conf file and add entries for Apache’s log files. Also see

 # man newsyslog

Note 2 : NetBSD comes with its own, small, httpd server (man httpd), which is not enabled by default. /etc/rc.d/httpd is the daemon startup file for this web server whereas Apache uses /etc/rc.d/apache

Copy rc.d init file and start apache (will be started at boot too)

 # cp -v /usr/pkg/share/examples/rc.d/apache /etc/rc.d/
 # echo >>/etc/rc.conf 'apache=YES' && /etc/rc.d/apache start

Installing PHP5.3.x for apache

 # pkgin in ap24-php53 php53-suhosin

Enable suhosin in PHP

 # echo >>/usr/pkg/etc/php.ini 'extension=suhosin.so'

Configure timezone in PHP

 # echo >>/usr/pkg/etc/php.ini 'date.timezone = Europe/Paris'

Enable PHP module in apache

 # nano /usr/pkg/etc/httpd/httpd.conf

Append the lines :

 LoadModule php5_module lib/httpd/mod_php5.so
 AddHandler application/x-httpd-php .php

And change the line :

 DirectoryIndex index.html

to

 DirectoryIndex index.html index.php

Save config, restart apache

 # /etc/rc.d/apache restart

Verify if PHP is ok

# cat >/usr/pkg/share/httpd/htdocs/tmpinfo.php <<EOF

<?php phpinfo(); ?>

EOF

Point your browser at : http://<server>/tmpinfo.php

Everything works? Good, now delete the file (security risk)

 # rm /usr/pkg/share/httpd/htdocs/tmpinfo.php

We could also enable the Apache documentation

 # nano /usr/pkg/etc/httpd/httpd.conf && /etc/rc.d/apache reload

Enable the “negotiation” module

 LoadModule negotiation_module lib/httpd/mod_negotiation.so

Then restrict access to the manual to our LAN

 # nano /usr/pkg/etc/httpd/httpd-manual.conf

Replace the line

 Require all granted

by

 Require ip 192.168.

And browse the docs at http:///manual/

Install Squirrelmail webmail

 # pkgin in squirrelmail squirrelmail-locales

Run the configuration script

 # cd /usr/pkg/share/squirrelmail/config && ./conf.pl

Important : set your domain name in “Server settings”!

Enable some plugins (useful for debugging) : info, message_details, …

Create a symlink in htdocs

 # ln -s /usr/pkg/share/squirrelmail /usr/pkg/share/httpd/htdocs/

(or any other name)

 # ln -s /usr/pkg/share/squirrelmail /usr/pkg/share/httpd/htdocs/mail

We need to enable the gettext extension in php.ini

 # echo >>/usr/pkg/etc/php.ini 'extension=gettext.so'

And restart apache

 # /etc/rc.d/apache restart

Now point your browser to : http:///squirrelmail/ and login with the username and password of your regular user. (root logins are not permitted of course)

You should find in your inbox, the test mail message from root we sent earlier.

Squirrelmail plugins :

• Compatibility ( http://squirrelmail.org/plugin_view.php?id=152 ) : needed by other plugins
• Lockout ( http://squirrelmail.org/plugin_view.php?id=200 ) : Anti bruteforce
• Logger ( http://squirrelmail.org/plugin_view.php?id=52 ) : Log user activity

 # pkgin in wget
 # cd /usr/pkg/share/squirrelmail/plugins/

(change download links with the latest versions available)

 # wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fcompatibility-2.0.16-1.0.tar.gz -O compatibility.tar.gz
 # tar xvzf compatibility.tar.gz

Lockout plugin (not required if fail2ban is used)

 # wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Flockout-1.7-1.4.1.tar.gz -O lockout.tar.gz
 # tar xvzf lockout.tar.gz
 # cd lockout/data
 # cp config_example.php config.php
 # nano config.php

(read carefully and choose your settings!)

Logger plugin (required if you want to use fail2ban!)

 # wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fsquirrel_logger-2.3.1-1.2.7.tar.gz -O logger.tar.gz
 # tar xvzf logger.tar.gz
 # cd squirrel_logger/
 # cp config_example.php config.php
 # nano config.php

in the "$sl_logs = array ()", uncomment the 'LOGIN_ERROR' line. (this will cause all login errors to be logged in /var/log/maillog)

also set : $sl_use_GMT = 0 (required for the fail2ban jail to work)

Activate our new plugins

 # /usr/pkg/share/squirrelmail/config/conf.pl

Roundcube webmail (with sqlite backend)

 # pkgin in sqlite php53-sqlite roundcube

Enable php extensions as we are told by the packages’ instructions

# cat >>/usr/pkg/etc/php.ini <<EOF

 extension=sqlite.so
 extension=sockets.so
 extension=mysql.so
 extension=mcrypt.so
 extension=mbstring.so
 extension=json.so
 extension=iconv.so
 extension=gd.so
 extension=dom.so
 EOF

• Log files: /var/log/roundcube/
• Document root: /usr/pkg/share/roundcube/
• Docs are in : /usr/pkg/share/doc/roundcube/INSTALL

Build pear-MDB2Driversqlite from source (it’s missing in the binary packages)

 # cd /root
 # ftp ftp://ftp.netbsd.org/pub/pkgsrc/pkgsrc-2012Q3/pkgsrc.tar.xz
 # tar --xz -xf pkgsrc.tar.xz -C /usr
 # unset PKG_PATH
 # cd /usr/pkgsrc/databases/pear-MDB2_Driver_sqlite
 # make && make package

Finally install the generated package

 # pkg_add -v /usr/pkgsrc/packages/All/php53-pear-MDB2_Driver_sqlite-1.5.0b3.tgz

Setup sqlite database

 # cd /usr/pkg/share/roundcube
 # sqlite -init SQL/sqlite.initial.sql sqlite.db
 .exit

Now for security purposes we move the database out of the web server’s documents tree

 # mkdir -p /var/db/roundcube
 # mv sqlite.db /var/db/roundcube
 # chown -R www:www /var/db/roundcube
 # chmod 660 /var/db/roundcube/sqlite.db

Edit Roundcube configuration

 # nano /usr/pkg/etc/roundcube/db.inc.php

 $rcmail_config['db_dsnw'] = 'sqlite:////var/db/roundcube/sqlite.db?mode=0646'; 
 # nano /usr/pkg/etc/roundcube/main.inc.php

 $rcmail_config['default_host'] = 'localhost';

Edit roundcube.conf for Apache

 # nano /usr/pkg/etc/roundcube/roundcube.conf

  # Order allow,deny
  # Allow from all
 require all granted
 ...
  # Order deny,allow
  # Deny from all
 require all denied

Setup Apache

 # echo >>/usr/pkg/etc/httpd/httpd.conf 'Include /usr/pkg/etc/roundcube/roundcube.conf' && /etc/rc.d/apache reload

Point your browser to : http:///roundcube/ and enjoy the nice webmail interface!

Remember to check /var/log/roundcube/errors in case of problems.

Enabling SSL in Apache (and other security bits)

First edit the http-ssl.conf file

 # nano /usr/pkg/etc/httpd/httpd-ssl.conf

Edit the following lines

 SSLCertificateFile "/etc/ssl/certs/myserver.crt"
 SSLCertificateKeyFile "/etc/ssl/private/myserver.key"

Then edit the global httpd.conf

 # nano /usr/pkg/etc/httpd/httpd.conf

Uncomment the following lines

 LoadModule socache_shmcb_module lib/httpd/mod_socache_shmcb.so
 LoadModule ssl_module lib/httpd/mod_ssl.so
 Include etc/httpd/httpd-ssl.conf
 Include etc/httpd/httpd-default.conf

Change some security defaults as well

 # nano /usr/pkg/etc/httpd/httpd-default.conf 
 ServerTokens Prod
 TraceEnable off

Also disable PHP signature

 # nano /usr/pkg/etc/php.ini 
 expose_php = Off

Enforce https redirection

http://wiki.apache.org/httpd/RedirectSSL

You could as well add a list of IP blocks to be denied access to your web server (warning, huge lists will slow down your web server)

• https://www.countryipblocks.net/country_selection.php
• http://ipinfodb.com/ipcountryblock.php
• http://www.find-ip-address.org/ip-country/

Generate an .htaccess deny list and include it in your Apache conf.

Or the opposite, a country whitelist. Example of corresponding Apache 2.4 conf for a whitelist :

<Location />
<RequireAny>

 require all denied
 require local
 require ip 192.168.

 require ip 2.0.0.0/12
 require ip 5.10.128.0/21
 require ip 5.23.40.0/21
 require ip 5.39.224.0/21
 require ip 5.39.232.0/21
 require ip 5.42.152.0/21 ...

</RequireAny>
</Location>

Finally

 # /etc/rc.d/apache reload

Ask the “kind” web crawlers not to index our site

# cat >/usr/pkg/share/httpd/htdocs/robots.txt <<EOF

 User-Agent: *
 Disallow: /
 EOF

Firewalling

New firewall in NetBSD 6.0 : npf

 # man npfctl
 # man npf.conf

Due to my lack of experience with it, I used the pf firewall instead. Here’s a sample pf firewall configuration :

# cat >/etc/pf.conf <<EOF

#
# Generated by Fwbuilder 5.1 and edited
# replace wm0 with your actual network interface name!
# Rule  0 (wm0)
# anti spoofing rule
block in   log  quick on wm0 inet  from self  to any  label “RULE 0 — DROP “
# Rule  1 (lo)
pass  quick on lo inet  from any  to any  label “RULE 1 — ACCEPT “
# enable the following two rules when using fail2ban
table < fail2ban > persist
block in quick from < fail2ban > to any label “fail2ban rule”
# Rule  2 (global)
# useful ICMP types; ping request
pass in   quick inet proto icmp  from any  to self icmp-type { 3 , 0 code 0 , 8 code 0 , 11 code 0 , 11 code 1  }  label “RULE 2 — ACCEPT “
# allow SSH in (with connection rate limiting to prevent bruteforcing)
pass in   quick inet proto tcp  from any  to self port 22 flags any keep state ( max-src-conn-rate 3/30 ) label “RULE 2 — ACCEPT “
# allow SMTP in
pass in   quick inet proto tcp  from any  to self port 25 flags any  label “RULE 2 — ACCEPT “
# allow IMAP in
pass in   quick inet proto tcp  from any  to self port 143 flags any  label “RULE 2 — ACCEPT “
# allow HTTP and HTTPS in
pass in   quick inet proto tcp  from any  to self port 80 flags any  label “RULE 2 — ACCEPT “
pass in   quick inet proto tcp  from any  to self port 443 flags any  label “RULE 2 — ACCEPT “
# Rule  3 (global) :  allow all traffic out
pass out  quick inet  from self  to any  label “RULE 3 — ACCEPT “
# Rule  4 (global) : block all the rest (with logging)
block  log  quick inet  from any  to any  label “RULE 4 — DROP “
# Rule  fallback rule
block  quick inet  from any  to any no state  label “RULE 10000 — DROP “
EOF

Note : remove the spaces between the "<" ">" signs.

Enable the firewall (and his logging daemon)

 # /etc/rc.d/pf onestart
 # /etc/rc.d/pflogd onestart

If no error occured, enable the pf firewall (and his logging daemon) at boot

 # echo >>/etc/rc.conf 'pf=YES'
 # echo >>/etc/rc.conf 'pflogd=YES'

You can review pf’s log file (binary format) with

 # tcpdump -r /var/log/pflog |tail

Note : /var/log/pflog can grow fast!

Fail2ban on NetBSD

Thanks to : http://www.bsdguides.org/2012/fail2ban-with-pf-on-openbsd-5-2

Download and install the latest Fail2ban release

 # wget https://github.com/fail2ban/fail2ban/archive/master.zip --no-check-certificate
 # unzip master.zip
 # cd fail2ban-master
 # python2.7 setup.py install

Create a new pf.conf action file for fail2ban

# cat >/etc/fail2ban/action.d/pf.conf <<EOF

 [Definition]
 actionstart = 
 actionstop =
 actioncheck =
 actionban = /sbin/pfctl -t fail2ban -T add < ip >/32 
 actionunban = /sbin/pfctl -t fail2ban -T del < ip >/32
 [Init]
 EOF

Note : remove the spaces between the “<” “>” signs.

And add the following jails in a new jail.local file

# cat >/etc/fail2ban/jail.local <<EOF

 # NetBSD jails with PF firewall 
[DEFAULT]
 ignoreip = 127.0.0.1/8 192.168.0.0/16
 bantime = 600
 findtime = 600
 maxretry = 5

 [ssh-pf]
 enabled = true
 filter = sshd
 action = pf[name="ssh-pf"]
 sendmail-whois[name="ssh-pf", dest=root]
 logpath = /var/log/authlog

 # Note for dovecot : will not block squirrelmail bruteforce attacks (localhost ip ignored), only external attacks.
 [dovecot-pf]
 enabled = true
 filter = dovecot
 action = pf[name="dovecot-pf"]
 sendmail-whois[name="dovecot-pf", dest=root]
 logpath = /var/log/maillog

 [postfix-pf]
 enabled = true
 filter = postfix
 action = pf[name="postfix-pf"]
 sendmail-whois[name="postfix-pf", dest=root]
 logpath = /var/log/maillog

 [sasl-pf]
 enabled = true
 filter = sasl
 action = pf[name="sasl-pf"]
 sendmail-whois[name="sasl-pf", dest=root]
 logpath = /var/log/maillog

 # inspired from : http://mattrude.com/projects/roundcube-fail2ban-plugin/
 [roundcube-pf]
 enabled = true
 filter = roundcube
 action = pf[name="roundcube-pf"]
 sendmail-whois[name="roundcube-pf", dest=root]
 logpath = /var/log/roundcube/errors

 [squirrelmail-pf]
 enabled = true
 filter = squirrelmail
 action = pf[name="squirrelmail-pf"]
 sendmail-whois[name="squirrelmail-pf", dest=root]
 logpath = /var/log/maillog

 # end of jails
 EOF

Create the roundcube.conf filter

# cat >/etc/fail2ban/filter.d/roundcube.conf <<EOF

 [Definition]
 failregex = .*Login failed for .*. from < HOST >
 ignoreregex =
 EOF

Note : remove the spaces between the “<” “>” signs.

And the squirrelmail.conf filter

# cat >/etc/fail2ban/filter.d/squirrelmail.conf <<EOF

 [Definition]
 failregex = .*Failed webmail login: by .*. at < HOST > on .*.: Unknown user or password incorrect.
 ignoreregex =
 EOF

Note : remove the spaces between the “<” “>” signs.

Note : comment the “::1 localhost” line in /etc/hosts. Dovecot jail may not work correctly otherwise.

Let’s install gamin (file alteration monitor) so that fail2ban will use it instead of the “polling” backend

 # pkgin in gamin

To start fail2ban at boot, we create a corresponding rc script

# cat >/etc/rc.d/fail2ban <<EOF

 #!/bin/sh
 #
 # fail2ban rc script for NetBSD
 #
 # PROVIDE: fail2ban
 # REQUIRE: DAEMON
 # BEFORE: LOGIN
 # KEYWORD : shutdown

 if [ -f /etc/rc.subr ]; then
  . /etc/rc.subr
 fi

 name="fail2ban"
 rcvar=${name}
 command="/usr/pkg/bin/fail2ban-client"
 command_args="-x"

 if [ ! -d /var/run/fail2ban ]; then
  mkdir /var/run/fail2ban/
 fi

 echo -n " ${name}: "
 ${command} ${command_args} "$1"

 EOF

And set in rc.conf

 # echo >>/etc/rc.conf 'fail2ban=YES'

Finally start fail2ban

 # /etc/rc.d/fail2ban start

or

 # fail2ban-client start

Now test your jails!

TODO : (FIX) old bans come up again after fail2ban restart! log rotation related?

Tips

Verify the banned ip’s in the “fail2ban” pf table

 # pfctl -t fail2ban -T show

Manually unban an ip

 # fail2ban-client set <jail> unbanip <ip>

Test a regex

 # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/squirrelmail.conf

Security

 # man security

Check daily for security updates

 # echo >>/etc/daily.conf 'fetch_pkg_vulnerabilities=YES'

For creating your next mail users (with disabled shell access)

 # useradd -m -s /sbin/nologin mynewuser && passwd mynewuser

* USE STRONG PASSWORDS! (AGAIN!) *

System monitoring

Show processes

 # top -ac

Show listening network ports

 # netstat -an|less

By default, NetBSD will run a daily cron job (/etc/daily) which includes a complete system security check (/etc/security). Mail reports will be sent to root.

 # crontab -l
 # man daily

Postfix stats with pflogsumm

 # pkgin in pflogsumm

example of use

 # zcat /var/log/maillog*.gz |pflogsumm

Mailgraph for postfix

 # pkgin in mailgraph
 # cp -v /usr/pkg/share/examples/rc.d/mailgraph /etc/rc.d/

rc file needs some changes

 # nano /etc/rc.d/mailgraph

command_args=”-d -l /var/log/maillog”

 # mkdir -p /var/db/mailgraph
 # echo >>/etc/rc.conf 'mailgraph=YES' && /etc/rc.d/mailgraph start

We need to make sure Apache can run cgi’s

 # nano /usr/pkg/etc/httpd/httpd.conf && /etc/rc.d/apache reload

uncomment the lines :

 LoadModule cgid_module lib/httpd/mod_cgid.so Scriptsock cgisock

Now point your browser at : http://<server>/cgi-bin/mailgraph.cgi

TODO : FIX : no graphics displayed!

Web server stats with Webalizer (AWStats is also available)

 # pkgin in webalizer

Create output directory in our htdocs

 # mkdir /usr/pkg/share/httpd/htdocs/webalizer/

Edit webalizer conf

 # nano /usr/pkg/etc/webalizer.conf 
LogFile        /var/log/httpd/access_log
OutputDir      /usr/pkg/share/httpd/htdocs/webalizer/
PageType        htm*
PageType        cgi
PageType        php*
PageType        pl
DNSCache        dns_cache.db
DNSChildren     5
HTMLBody <BODY BGCOLOR="white" TEXT="black">
AllSites        yes
AllURLs         yes
AllReferrers    yes
AllAgents       yes
AllSearchStr    yes
AllUsers        yes
HideSite        *domain.tld
HideSite        localhost
HideReferrer    domain.tld/
HideReferrer    localhost
HideURL         *.gif
HideURL         *.GIF
HideURL         *.jpg
HideURL         *.JPG
HideURL         *.png
HideURL         *.PNG
ColorHit        B1D28F
ColorFile       E3AD00
ColorSite       FFEB55
ColorKbyte      FF80DF
ColorPage       80B3FF
ColorVisit      638000
ColorMisc       EEEEEE

The rest of the settings are defaults.

Now generate stats

 # webalizer

Restrict access to the webalizer generated files, to the LAN only

 # nano /usr/pkg/etc/httpd/httpd.conf && /etc/rc.d/apache reload

Append the following lines

<Directory "/usr/pkg/share/httpd/htdocs/webalizer">

Require ip 192.168.

</Directory>

You might want to add a cronjob

 # crontab -e

 0 0 * * * /usr/pkg/bin/webalizer -Q

Munin

 # pkgin in munin-server munin-node

TODO!

Finally, test your mail server with some nice online tools

• http://www.emailsecuritygrader.com/
• http://dnsgoodies.com/
• http://viewdns.info/dnsreport/
• http://mxtoolbox.com

(hint: try these tools with both cases: fail2ban enabled or disabled)

Conclusion

Please report any mistakes, suggestions, ideas for improvement… Thanks!

TIPS

Remove user from the wheel group : We need to first delete the user (while preserving his home directory and files!)

 # userdel -v fred

And add him again (not recreating his home directory)

 # adduser fred
 # passwd fred

If you decide your UNIX users should not be be able to log in to a shell

 # chsh -s /sbin/nologin fred

Beware : not to lock yourself out of a remote system! (Remember ssh root login is not allowed by default)

Verify with

 # user info fred

Stopping/rebooting the system cleanly

 # shutdown -p now
 # shutdown -r now

Reference links

• http://www.netbsd.org/docs/guide/en/index.html
• http://www.cyberciti.biz/faq/howto-pf-firewall-list-firewall-rules/
• http://pkgsrc.se/

TODO

• DKIM / http://wiki.auto-hebergement.fr/services/dkim


#!/bin/bash
#
# Wireless Ad-hoc script
#
# http://agentoss.wordpress.com / fredo696@gmail.com
#
# This script will setup your wireless adapter in Ad-Hoc mode
# and start a DHCP server so that other peers (eg. an Android device)
# can receive an IP address and connect to your computer.
#
# After that, you can start a minimal webserver (darkhttpd for example)
# so that you can quickly share some files with minimal effort!
#
# This script must be run as root.
# Tested on Arch Linux.
# Some adaptations may be needed for other Linux systems.
#
# Requirements: iw, ifconfig commands, and dnsmasq.
#
# WARNING : WEP encryption is weak security

exit 0


Slackware 14.0 (XFCE desktop)

Installation

# cfdisk /dev/sda

# setup

# reboot

Post-installation configuration

# mail

# mutt

Setup Slackpkg and update your freshly installed system

# nano /etc/slackpkg/mirrors

# slackpkg update
# slackpkg upgrade-all

Set the system locale

# locale -a

# nano /etc/profile.d/lang.sh

export LANG=fr_FR.utf8

# slackpkg search l10n

# slackpkg install kde-l10n-fr calligra-l10n-fr

Sendmail

# netconfig

# cd /usr/share/sendmail/cf/cf
# nano sendmail-slackware.mc

dnl define(`SMART_HOST',`mailserver.example.com')

define(`SMART_HOST',`smtp.yourisp.com')

# ./Build sendmail-slackware.mc

# cp sendmail-slackware.cf /etc/mail/sendmail.cf

# chmod +x /etc/rc.d/rc.sendmail
# /etc/rc.d/rc.sendmail start

# echo 'from my Slackware box'| mail -s 'Hello' my@address.com

# tail /var/log/maillog

# echo >/root/.forward my@address.com

# echo 'from my Slackware box'| mail -s 'Forwarding' root@localhost

X.Org systemwide keyboard settings

# nano /etc/X11/xorg.conf.d/10-evdev.conf

Section "InputClass"
        Identifier "evdev keyboard catchall"
        MatchIsKeyboard "on"
        MatchDevicePath "/dev/input/event*"
        Driver "evdev"
        option "xkblayout"      "fr"
EndSection

Virtualbox guest additions (optional, only if running in a VM)

# mount /dev/sr0 /mnt/tmp
# sh /mnt/tmp/VBoxLinuxAdditions.run

Create a regular user “fred”

# adduser fred

Graphical login

# nano /etc/inittab

Install additional software

# nano flashplayer-plugin.SlackBuild

# sh flashplayer-plugin.SlackBuild

# installpkg /tmp/flashplayer-plugin-11.2.202.238-x86_64-1alien.txz

Additional software from 3rd party packages

# cd
# wget http://slackware.org.uk/people/alien/restricted_slackbuilds/vlc/pkg64/14.0/vlc-2.0.3-x86_64-1alien.txz
# installpkg vlc*

# wget http://www.rlworkman.net/pkgs/14.0/x86_64/libreoffice-3.6.1_en_US-x86_64-1_rlw.txz
# installpkg libreoffice*

AlienBob also has LibreOffice packages (including the language packs), just wait for some days for the updated packages for Slackware 14.0 to appear

Filesystem optimizations

# nano /etc/fstab

Generic Kernel, faster boot and resume from hibernation

# /usr/share/mkinitrd/mkinitrd_command_generator.sh -r

# mkinitrd -c -k 3.2.29 -f ext4 -r /dev/sda2 -m mbcache:jbd2:ext4 -u -o /boot/initrd.gz

# nano /etc/lilo.conf

default=Linux-generic

image= /boot/vmlinuz-generic-3.2.29
root=/dev/sda2
  initrd = /boot/initrd.gz
  label = Linux-generic
  read-only
  append="quiet fastboot resume=/dev/sda1"

# lilo -v

Then reboot. Less messages, (a little) faster boot times

Firewalling

# iptables -L

#!/bin/sh
# iptables script generated 2012-09-30
# http://www.mista.nu/iptables
IPT="/usr/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMTP
#$IPT -A INPUT -p tcp --dport smtp -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# HTTP
#$IPT -A INPUT -p tcp --dport http -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# HTTPS
#$IPT -A INPUT -p tcp --dport https -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# SSH
$IPT -A INPUT -p tcp --dport ssh -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# Accept inbound ICMP messages
$IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
# EOF

Start firewall at boot

# chmod +x /etc/rc.d/rc.firewall

# iptables -F

# chmod -x /etc/rc.d/rc.firewall

That’s it!

TIPS

# pkgtool

# xwmconfig

# chmod -x /usr/bin/kdm

Useful links

Installation (base system)

# dd if=frugalware*.iso of=/dev/sdX bs=1M

Partitioning

Package selection

Bootloader

Users

Post-installation configuration

# netconfig

# systemctl restart netconfig.service

# pacman -S nano htop iptables

Configuring the sound

# pacman -S alsa-utils
# alsactl init
# alsamixer
(be sure to keep the annoying 'beep' volume low, or even mute!)
# alsactl store
# aplay /usr/share/sounds/alsa/Noise.wav

# echo >/etc/modprobe.d/alsa-base.conf 'options snd-hda-intel model=thinkpad'

Power Management

# pacman -S laptop-mode-tools cpupower powertop acpi

# systemctl start laptop-mode-tools.service
# systemctl enable laptop-mode-tools.service

# laptop_mode

# laptop_mode

# powertop

# nano /etc/laptop-mode/conf.d/lcd-brightness.conf

# acpi

# pm-suspend

# pm-hibernate

Both are working

# tail /var/log/messages

# sensors-detect

Installing the XFCE desktop environment

# pacman -S xfce4 xscreensaver gst-plugins-base-alsa

# pacman -S xf86-video-intel xf86-input-synaptics

# rm /etc/systemd/system/default.target
# ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

# rm /etc/systemd/system/default.target
# ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

Wireless network connection management

# pacman -S wicd
# systemctl disable netconfig.service
# systemctl enable wicd.service

Installing some desktop programs

$ su

# pacman -S chromium-browser firefox thunderbird

# pacman -S multimedia xmultimedia audacious radiotray

XFCE session management

# pacman -S consolekit consolekit-x11

# cat >/etc/polkit-1/localauthority/50-local.d/40-power.pkla <<EOF
[Local restart]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.restart
ResultAny=yes
ResultInactive=no
ResultActive=yes
[Local shutdown]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop
ResultAny=yes
ResultInactive=no
ResultActive=yes
[Local restart - multiple]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.restart-multiple-users
ResultAny=yes
ResultInactive=no
ResultActive=yes
[Local shutdown - multiple]
Identity=unix-group:users
Action=org.freedesktop.consolekit.system.stop-multiple-users
ResultAny=yes
ResultInactive=no
ResultActive=yes
[Local suspend]
Identity=unix-group:users
Action=org.freedesktop.upower.suspend
ResultAny=yes
ResultInactive=no
ResultActive=yes
[Local hibernate]
Identity=unix-group:users
Action=org.freedesktop.upower.hibernate
ResultAny=yes
ResultInactive=no
ResultActive=yes
EOF

Restart XFCE if needed.

Laptop special keys

Touchscreen

# pacman -S gtkmm2

$ xinput_calibrator

References

Mageia can also be used to setup fast, clean and easy to use server systems.

Minimal installation

Partitioning

Select packages

Users

Configuration

IMPORTANT!

Apache

Need a blog? Easy installation of WordPress

# mysql -uroot -p <<EOF
CREATE DATABASE mywpdatabase;
GRANT ALL PRIVILEGES ON mywpdatabase.* TO "mywpuser"@"localhost" IDENTIFIED BY "mywppassword";
FLUSH PRIVILEGES;
EXIT
EOF

Need a CMS?

Need a wiki?

Alias /skins /usr/share/mediawiki/skins
Alias /wiki /var/www/mediawiki/mywiki
<Directory "/var/www/mediawiki/mywiki">
   Order allow,deny
   Allow from All
   Options +FollowSymLinks
</Directory>

Need a web-based project management system?

Need a bug-tracking web-based system?

Need a Pastebin?

Basic server supervision

smartmontools and hddtemp for hard disk health monitoring

Sensors (can be used with Munin for monitoring temperatures, fan speeds, etc)

Logwatch (daily cron job)

Graphical supervision with munin 2.0

Basic server security

Install Mageia-specific security tools, such as msec

rkhunter (rootkit detection)

Fail2ban (anti brute-force)

And you’ll see the banned IP from the “attacking” machine

TIPS

Useful links

DISCLAIMER : As always, use this tutorial at your own risk!

Hardware used for this howto :
Mini-ITX motherboard with Pentium-M 1.5GHz (centrino)
512M DDR ram
Integrated graphics, sound and ethernet.
8G Compact Flash card with IDE-CF adapter.

Installation

Go and download the official netinstall iso image at https://www.archlinux.org/download/
As root, copy the iso to an empty USB drive (it even fits on an old 512M drive)

# dd if=archlinux*netinstall*.iso of=/dev/sdX bs=1M
# sync

Usual warning, replace /dev/sdX with your actual drive, ALL DATA WILL BE ERASED on the drive!
Now boot the system with the usb drive (32 or 64 bits, the choice is yours).
When booted, you are presented with a short message and a root prompt, let’s begin installation.
Setup your keymap for a more comfortable usage (here for french keymap)

# loadkeys fr

If you need to see the short installation message again

# more /etc/motd

Fire up (wired) networking (here for a dhcp client on eth0)

# dhcpcd eth0

If you don’t have a dhcp server, setup the interface manually with ifconfig and write your DNS servers in /etc/resolv.conf

# ifconfig eth0 <ipaddr> <netmask>

Now it’s even better if you can log on the system via SSH and copy/paste the rest of the commands from this howto!
Set up a password for root (ssh logins are not possible without password by default)

# passwd

Startup SSH daemon

# rc.d start sshd

And you should be able to connect remotely on this machine from another.
TIP : to see your ip address

# ip addr show eth0

Partition your target installation media (here it’s /dev/sda for me).
Just for the sake of changing a bit we will use cfdisk instead of fdisk.

# cfdisk /dev/sda

Create 2 partitions :
/dev/sda1 : for the system (bootable)
/dev/sda2 : swap partition (should be at least the size of the system’s RAM)
Format the filesystem (here for a read-only system, we will be using ext4 without the journal feature)

# mkfs.ext4 /dev/sda1 -O ^has_journal
# mkswap /dev/sda2

Mount the target root filesystem

# mount /dev/sda1 /mnt

Start the Arch base system bootstrap

# pacstrap /mnt base

The base system packages are being downloaded and installed.
Now let’s chroot into our target system

# arch-chroot /mnt

Before rebooting the system, a proper bootloader is necessary. I personnally like a faster and simpler bootloader (good bye GRUB2!) but your mileage may vary.
Note : as of 2012/07/20 Grub Legacy is not officially supported anymore by Arch, see http://www.archlinux.org/news/grub-legacy-no-longer-supported/
So let’s use the good old LILO

# pacman -S lilo

Review and edit lilo.conf

# nano /etc/lilo.conf

#
# /etc/lilo.conf
#
boot=/dev/sda
# This line often fixes L40 errors on bootup
# disk=/dev/hda bios=0×80
default=arch
timeout=50
lba32
prompt
image=/boot/vmlinuz-linux
label=arch
root=/dev/sda1
initrd=/boot/initramfs-linux.img
read-only

Then write up the bootloader

# lilo -v

Now you can reboot your system!

Post-installation configuration

Login as root (empty password)

# loadkeys fr

The / filesystem may be mounted read-only already. In order to make changes we are remounting it writable.

# mount -o remount,rw /

Edit /etc/fstab for the change to be permanent

# nano /etc/fstab

Add the line :

/dev/sda1/ext4defaults,noatime,rw01
Set a new root password

# passwd

As usual with Arch, we begin with the configuration of /etc/rc.conf

# man rc.conf
# nano /etc/rc.conf

Setup your network settings, I use dhcp so leave untouched the network section.
Setup your hostname

# echo >/etc/hostname archweb

Timezone

# ln -s /usr/share/zoneinfo/Europe/Paris /etc/localtime

Uncomment preferred locale in /etc/locale.gen, and generate it

# nano /etc/locale.gen && locale-gen

Set locale

# echo >/etc/locale.conf ‘LANG=fr_FR.UTF-8′

Keymap

# echo >/etc/vconsole.conf ‘KEYMAP=fr’
(Reboot system to ensure everything works well)
Install and start sshd so that you can remotely connect on this machine

# pacman -S openssh && rc.d start sshd

Create a regular user “guest”

# adduser guest

additional groups : video,audio
(or else your user will not have sound playback or access to webcam)
Also set a password for this user.

Sound configuration

# pacman -S alsa-utils && alsactl init
# alsamixer; alsactl store
# aplay /usr/share/sounds/alsa/Noise.wav

add then alsa daemon to rc.conf

# nano /etc/rc.conf

Install some more useful system packages

# pacman -S net-tools htop lzop

(lzop needed for tar –lzop)
Minimal X.Org installation

# pacman -S xorg-server xorg-xinit xorg-setxkbmap xorg-xmessage xf86-input-evdev xf86-video-vesa xf86-video-fbdev rxvt-unicode feh

(some more dependencies will of course be automatically installed)
If you now the right xf86-video-* driver for your graphics card, add it to the line. For my test system with Intel integrated graphics, I used xf86-video-intel.
ATI users will add xf86-video-ati, nVidia users will add xf86-video-nv OR xf86-video-nouveau.
When the target system is a removable media (usb pendrive), it’s a good idea to install them all.
Use urxvt terminal emulator instead of xterm

# ln -s /usr/bin/urxvt /usr/bin/xterm

Installing a lightweight window manager
For this howto I chose to use the lwm window manager. It’s ultra-lightweight, mouse-driven, requires no configuration and has no hotkey shortcuts.

# pacman -S lwm

If you prefer another, super lightweight, non-tiling wm, I suggest fluxbox (configuration is a bit easier than openbox).
ratpoison also come to mind, but it’s more keyboard-oriented.
spectrwm makes a good choice for a minimalist tiling wm (and doesn’t require compilation unlike dwm).

Login as regular user “guest”

$ cat >~/.xinitrc <<EOF
setxkbmap fr &
urxvt &
exec lwm
EOF

and start X

$ startx
Right now the whole system uses approx. ~800M of disk space.

Installing and configuring the web browsers
It may be interesting to install several web browsers (Firefox, Chromium, Opera, and Surf) and let the user chose which one he wants to use (see that later)
Note : Surf ( http://suckless.org/ ) is a minimalist, fast non-tabbed webkit-based browser.
From now on I’ll focus mainly on Firefox as it is still my favourite browser (although Chromium and Opera show quite faster startup times)

# pacman -S chromium opera gstreamer0.10-base-plugins gstreamer0.10-good surf firefox arch-firefox-search firefox-adblock-plus firefox-noscript

TIP : install only Opera if short on disk space (will use ~100M of disk)
Install some nicer fonts as well

# pacman -S ttf-liberation ttf-ubuntu-font-family ttf-droid

Then configure the fonts in Firefox accordingly (Edit>Preferences>Content>Advanced)
(also pick a nice theme/persona for your Firefox while you’re at it, since the default GTK theme looks quite bland!)
You may want to install the dreaded flash and java plugins, and a small pdf viewer

# pacman -S flashplugin jre7-openjdk icedtea-web-java7 epdfview

TIP : avoid java if short on disk space.
TODO : chromium config
TODO : opera config

Automatically start the web browser with X (and with a custom start page)
Here we make sure that the browser is restarted automatically when the user closes it.
Also, which web browser to start is determined by the kernel command line (and thus by the boot menu )
We are also setting a background wallpaper using feh. Download a nice wallpaper from interfacelift.com (for instance) and save it to /usr/share/wallpaper/wallpaper.jpg
(or use the official Arch wallpaper package -around ~10M- : archlinux-wallpaper)
Note : this is the system-wide xinitrc

# nano /etc/X11/xinit/xinitrc

Delete the lines below (and including) the “twm &”, and append the following lines :

# xinitrc
#
# default url to start browser to
URL=”file:///usr/local/share/doc/homepage/index.html”
# for debugging purposes
#URL=”file:///tmp/debug.html”
# set wallpaper
feh –bg-scale –no-fehbg /usr/share/wallpaper/wallpaper.jpg
# set keymap, eventually start some program and of course our window manager
setxkbmap fr &
#urxvt &
lwm &
# parse browser= parameter from kernel command line
# to determine with web browser to use (if parameter not found, a default browser is used)
CMDLINE=`cat /proc/cmdline`
WEB_BROWSER=”firefox”
for x in $CMDLINE; do
[[ $x = browser=* ]] || continue
WEB_BROWSER=`printf ‘%b\n’ “${x#browser=}”`
done
# for debugging purposes
#echo >/tmp/debug.html “System startup time (s) (before starting browser): `cat /proc/uptime`”
# start browser, infinite loop
# if the browser cannot be started, display an error message
while true;
do
$WEB_BROWSER $URL || xmessage -center -buttons “Ooops!” “For some reason, the web browser ‘$WEB_BROWSER’ could not start!”
sleep 1
done
# this is never executed
exit 0

Automatically login (as regular user “guest”) into X at boot time

# nano /etc/rc.local

su – guest -c startx &
exit 0

(make sure /usr/bin/Xorg has the setuid bit set, this is normally the default in Arch)

# chmod u+s /usr/bin/Xorg

Now reboot your system and see.

Optimizations
It is possible to gain a great amount of boot time by using several techniques.
Recompress the initramfs with LZO (fastest decompression)

# /etc/mkinitcpio.conf

COMPRESSION=”lzop”

and rebuild

# mkinitcpio -p linux
Start daemons in background in /etc/rc.conf

# nano /etc/rc.conf

DAEMONS=(syslog-ng @network @crond @dbus @alsa @sshd)

(You may experience that the browser is unable to connect to the network for several seconds right after booting, that’s because network initialization hasn’t yet completed, especially when using dhcp. Just wait some more seconds and refresh the page)
Might be better to use a fixed non-dhcp network configuration. Or you can use an offline default start page (~/index.html).
Use some kernel boot-time options in the bootloader’s configuration (here for lilo) : quiet and fastboot.
Also use a trick to hide the console messages during boot, by redirecting output to the serial console (console=ttyS0).
And change lilo’s default menu colors with a slightly less ugly, Arch-inspired scheme, while we’re at it!
You have to create a nice 640x480x256 colors bmp image or use a lilo provided one.

# nano /etc/lilo.conf

#
# /etc/lilo.conf
#
boot=/dev/sda
default=Firefox
timeout=50
lba32
prompt
compact
# set console vga mode to 1024x768x16 when booting
vga=0×317
#install=menu
#menu-title = “Arch Linux Lightweight Web Kiosk”
#menu-scheme = Bk:Ck
install=bmp
# path to your custom bitmap image
#bitmap=/boot/archlinux-boot.bmp
# or else use an image provided with lilo
bitmap=/boot/inside.bmp
# position of menu entries
#bmp-table=300p,200p,1,15,17
# hide menu timer (but timeout still active)
#bmp-timer=none
image=/boot/vmlinuz-linux
label=Firefox
root=/dev/sda1
initrd=/boot/initramfs-linux.img
read-only
# the “browser=” parameter determines which web browser will be started
append=”quiet fastboot console=ttyS0 browser=firefox”

image=/boot/vmlinuz-linux
label=Chromium
root=/dev/sda1
initrd=/boot/initramfs-linux.img
read-only
append=”quiet fastboot console=ttyS0 browser=chromium”
image=/boot/vmlinuz-linux
label=Opera
root=/dev/sda1
initrd=/boot/initramfs-linux.img
read-only
append=”quiet fastboot console=ttyS0 browser=opera”
image=/boot/vmlinuz-linux
label=Surf
root=/dev/sda1
initrd=/boot/initramfs-linux.img
read-only
append=”quiet fastboot console=ttyS0 browser=surf”
# Maintenance mode : boot in single mode “S” with the fallback initramfs
image=/boot/vmlinuz-linux
label=”MaintenanceMode”
root=/dev/sda1
initrd=/boot/initramfs-linux-fallback.img
read-only
append=”S”

Don’t forget to update lilo

# lilo -v
Using disks UUIDs
If you have installed this system on a removable drive, you’ll WANT to use UUIDs. Fortunately, LILO understands this well.
First generate the UUIDs for your partitions

# blkid

Then update /etc/fstab accordingly (replace /dev/sda1 with UUID=”copy_and_paste_uuid_from_blkid_s_output”)

UUID=”796e578f-0b2e-4994-8f2b-84fbd9f60c66″ /   ext4    defaults,noatime,ro     0       1

(do the same for other disk partitions when needed)
Then update lilo.conf

# lilo-uuid-diskid

This will change the “boot=” option in lilo.conf with the disk’s id.
But you may also need to manually replace the “root=” value for every kernel entry.
This would give (excerpt) :

image=/boot/vmlinuz-linux
label=Firefox
#        root=/dev/sda1
root=”UUID=796e578f-0b2e-4994-8f2b-84fbd9f60c66″

When done, update lilo

# lilo -v

Trimming down the system a bit
At this stage, our system has grown up to ~1.5G of disk space, which is a quite lot already.
Let’s try to save some megs here and there.
Show installed packages

# pacman -Q |more

Remove core manpages? You decide!

# pacman -Qi man-pages

takes ~15M of disk space

# pacman -R manpages

NOTE : this will not erase the man pages from non-core programs, so we do it

# rm -rvf /usr/share/man/*

Erase the documentation, the include and source files as well (*except* if you plan to compile things!)

# rm -rvf /usr/share/{doc,gtk-doc}/*
# rm -rvf /usr/{include,src}/*

Remove useless locale files (/usr/share/locale/) *except* some

# shopt -s extglob
# rm -rvf /usr/share/locale/!(fr|en_US|locale.alias)

(here we only keep fr and en_US locales, the rest is deleted!)
(Too bad Arch doesn’t have an official equivalent to Debian’s localepurge)
NOTE : don’t forget to do this again whenever you add some packages or update the system
See disk usage per directory and hunt down some more useless stuff (for our usage anyway!) at your convenience

# du -m -d 1 / |sort -g
# du -m -d 1 /usr |sort -g
Some other packages not needed for our setup (won’t save many megs…)

# pacman -R lvm2 mdadm xfsprogs reiserfsprogs ppp

And finally clean pacman’s downloaded packages (should gain at least ~200M!)

# pacman -S –clean –clean

(yes, –clean two times to force full removal of cached packages)

Reduce the number of ttys
This will save some precious RAM on low-memory systems.

# nano /etc/inittab

Comment out some ttys (leave at least the first one!)

Prelink binaries for faster program startup (Optional)

# pacman -S prelink
# prelink -a
Security

Remove terminal emulators
(so that users can’t execute a terminal using the various window manager’s hotkeys, and thus can’t kill the window manager)

# pacman -R rxvt-unicode

(Note : You’ll still be able to access the system via SSH if needed)
Forbid user from exiting the window manager.
lwm does not have a hotkey to quit, so it’s all good. For another wm it will be necessary to disable the corresponding hotkey shortcut or menu entry.
Disable Kernel SysRq keys ( https://wiki.archlinux.org/index.php/Keyboard_Shortcuts )

# nano /etc/sysctl.conf

Make sure the kernel.sysrq value is set to 0 (this is normally the default in Arch Linux).
Disable tty switching in X (See man xorg.conf for reference)

# cat >/etc/X11/xorg.conf.d/10-custom.conf <<EOF
Section “ServerFlags”
Option “DontVTSwitch” “true”
Option “DontZap” “true”
EndSection
EOF
Firewalling
Make sure iptables is installed

# pacman -S iptables

Configure iptables. Here I choose to only allow HTTP/HTTPS ports in output, and deny everything in input (except ping and SSH in)
TODO : allow FTP out
TODO : SSH connection rate limiting

# nano /etc/iptables/iptables.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Already established input connections
-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
# allow traffic on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# allow ping in
-A INPUT -p icmp –icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp –icmp-type echo-reply -j ACCEPT
# allow ping out
-A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
-A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
# allow dns traffic out
-A OUTPUT -p udp –dport 53 -j ACCEPT
# allow SSH in
-A INPUT -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT
# allow HTTP/HTTPS out
-A OUTPUT -j ACCEPT -p tcp -m multiport –dports 80,443
# reject the rest
-A INPUT -p tcp -j REJECT –reject-with tcp-reset
-A INPUT -p udp -j REJECT –reject-with icmp-port-unreachable
-A INPUT -j REJECT –reject-with icmp-proto-unreachable
COMMIT

Start the firewall

# rc.d start iptables

Don’t forget to update /etc/rc.conf to start iptables (before network daemon) at boot time

# nano /etc/rc.conf

DAEMONS=(syslog-ng iptables @network @crond @alsa @sshd)

Test your firewall from another machine with nmap
TCP scan

# nmap <ip of target machine>

UDP scan

# nmap -sU <ip of target machine>
Making the system read-only
Several steps are needed to make sure the system will run correctly when the root filesystem is turned read-only.
Link /var/lock and /var/run to /run (tmpfs)

# ln -sf /run/lock /var/lock
# ln -sf /run /var/run

Link /etc/resolv.conf to /tmp/resolv.conf (this is necessary for the dhcpcd client to work properly)

# ln -sf /tmp/resolv.conf /etc/resolv.conf

Edit /etc/fstab
add the following lines :

tmpfs           /tmp            tmpfs   nodev,nosuid,rw      0       0
tmpfs           /var/tmp      tmpfs   nodev,nosuid,rw      0       0
tmpfs           /var/log       tmpfs   nodev,nosuid,rw      0       0

And don’t forget to set / with the ro attribute :

UUID=xxxxxxxxxxxxx       /       ext4    defaults,noatime,ro     0       1

Note : with read-only filesystems we use no swap partition. So you have to ensure your computer has enough RAM to operate properly (at least 256M suggested).

The trick is that the user profile will be copied into ram (/tmp) at boot time, so we ensure the profile does not contain unwanted data and is the smallest possible to retain fast boot times :
- delete bash history, temporary files and other unwanted data
- delete history and cache for ALL web browsers (you may as well completely disable disk cache in each browser)
- delete downloaded files
etc
To see how big is your profile

$ du -m -d 1 ~ |sort -g

When everything is ready, create the archived /home (use of lzop compression algorithm for the fastest decompression)

# tar cvf /home.tlzop /home –lzop
TIP: If you prefer to use a completely new, empty profile :
- do not generate the archived home (the script in rc.local will automatically detect when it does not exist)
- (optionally) erase /home/guest/

Finally, edit /etc/rc.local :

# nano /etc/rc.local

#!/bin/bash
#
# /etc/rc.local: Local multi-user startup script.
#
# login name of regular user (user account must exist!)
MYUSER=”guest”
MYHOMEARCHIVE=”/home.tlzop”
# read-only filesystem trick :
# extract /home directory archive to /tmp (in tmpfs)
# and bind it to /tmp/home
# create (empty) home/$MYUSER directory anyway just in case the archive doesn’t exist
mkdir -m 700 -p /tmp/home/$MYUSER && chown $MYUSER /tmp/home/$MYUSER
# extract home archive if it exists (if not the user profile will be empty)
[[ -f "$MYHOMEARCHIVE" ]] && echo -n “Extracting archived home directory $MYHOMEARCHIVE to /tmp … ” && tar xf “$MYHOMEARCHIVE” -C /tmp && echo “OK”
mount –bind /tmp/home /home
# start X as regular user
su – $MYUSER -c startx &
exit 0

The final touch
Create a default homepage document

# mkdir -p /usr/local/share/doc/homepage/
# cat >/usr/local/share/doc/homepage/index.html <<EOF
<h1>Welcome to the Arch Linux Simple Lightweight Web Kiosk!</h1>
<hr>
<h2>Useful hotkey shortcuts<h2>
lorem ipsum…
EOF

Now reboot your system, it will running in read-only mode. You may see some minor, non-blocking errors during boot (to be fixed… see /var/log/boot for more info).

Maintenance (“admin”) mode
Want to update your system? Or add some modifications?
Just boot in maintenance mode, enter your root password, and remount the filesystem so that it is writable again :

# mount -o remount,rw /

If you want to update, start the network first

# dhcpcd eth0
# pacman -Syu

Note: when updating /home profiles, don’t forget to finally re-generate the /home.tlzop archive!

# tar cvf /home.tlzop /home –lzop

End of modifications

# reboot

(please note, on next reboot the system will -of course- be read-only, as in /etc/fstab)

How to create a bootable usb drive (2G or higher capacity needed)
If you have installed this system on a non removable drive and want to create a bootable usb drive from it, follow these steps :
Boot in Maintenance mode
Plug your use drive and prepare it (all data will be erased!)

# cfdisk /dev/sdX

(adjust with your actual drive letter)
Create one bootable ext4 partition, save and quit cfdisk.
Create an ext4 filesystem (still with no journalling to prevent premature wear & tear of flash drives) and with a label (important)

# mkfs.ext4 /dev/sdXy -O ^has_journal -L archusb001 -T small

for information purposes

# tune2fs /dev/sdXy

Now mount usb drive and copy filesystem

# mkdir /tmp/usb
# mount /dev/sdXy /tmp/usb
# time cp -avr {/bin,/boot,/etc,/home,/lib,/opt,/root,/sbin,/srv,/usr,/var} /tmp/usb

(will take a while…)
Now we need to install the bootloader, so we chroot into our /tmp/usb

# mkdir /tmp/usb/{dev,proc,run,sys,tmp}
# mount –bind /dev /tmp/usb/dev
# mount –bind /proc /tmp/usb/proc
# mount –bind /sys /tmp/usb/sys
# chroot /tmp/usb

adjust /etc/fstab, replace UUID with LABEL

# nano /etc/fstab

LABEL=”archusb001″/ext4defaults,noatime,ro01

lilo.conf too needs several adjustments

# nano /etc/lilo.conf

adjust the boot= line with your usb drive letter, or remove it since we can specify it from the command line :

boot=/dev/sdX

adjust every “root=” line in the image sections with the usb drive’s root partition label

root=”LABEL=archusb001″

finally, adjust every “initrd=” line (we want to be use the fallback image so that different hardware will be recognized)

initrd=/boot/initramfs-linux-fallback

Your lilo.conf now should look like (“optimized” version) :
<paste lilo.conf>
Save and write lilo to disk /dev/sdX

# lilo -v -b /dev/sdX

Another important thing : we need to rebuild the initramfs with the “usb” hook added

# nano /etc/mkinitcpio.conf

add “usb” just before “filesystems” in the HOOKS array :

HOOKS=”base udev autodetect pata scsi sata usb filesystems usbinput fsck”

# mkinitcpio -p linux

Done, unmount everything and reboot on your usb drive!

# exit
# cd && umount /tmp/usb/{dev,proc,sys,.}

check filesystem just to be sure

# fsck.ext4 -y /dev/sdXy
# reboot

Conclusion

I’m sure there’s still plenty of details I have forgotten, and plenty of room for improvement. Your feedback is appreciated.
Now it’s your turn to play, share your experiences, boot times, etc!

Useful links and resources
https://wiki.archlinux.org/index.php/Arch_Install_Scripts
https://wiki.archlinux.org/index.php/Fstab
https://sites.google.com/site/linuxpendrive/rorootfs
http://www.jfc.org.uk/software/lwm.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#Allowing_WWW_And_SSH_Access_To_Your_Firewall
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Computer specs

Goal of this tutorial

This guide may evolve during time as I try to improve my Linux experience

Download Arch iso

https://www.archlinux.org/download/

(or for the latest snapshot build)

http://releng.archlinux.org/isos/

# dd if=archlinux-*.iso of=/dev/sdX bs=1M

Installation

Update 2012/08/21

Configuring our new system

# cd /etc
# cp wpa_supplicant.conf wpa_supplicant.conf.backup
# nano wpa_supplicant.conf

I use the simplest network configuration :

network=(
  ssid="your_ssid"
  psk="your_passphrase"
)

(delete all other examples)

# chmod 600 wpa_supplicant.conf

# ip link set wlan0 up

# wpa_supplicant -B -Dwext -iwlan0 -c/etc/wpa_supplicant.conf

# dhcpcd wlan0

# ip link set eth0 up && dhcpcd eth0

# pacman -Syu

# pacman -S openssh

Start the openssh daemon :

# /etc/rc.d/sshd start
or
# rc.d start sshd

# nano /etc/rc.conf

then append @sshd to the DAEMONS array (the ‘@’ prefix means that the daemon will be forked in the background)

# pacman -S alsa-utils

Set up the sound mixer

# alsactl init; alsamixer

# alsactl store

# nano /etc/rc.conf

# cat >/etc/modprobe.d/alsa.conf <<EOF
alias snd-card-0 snd-hda-intel
alias sound-slot-0 snd-hda-intel
options snd_hda_intel index=1
EOF

# usermod -a -G audio root

# aplay /usr/share/sounds/alsa/Noise.wav
or
# speaker-test

# pacman -S mpg123 && cd && wget http://storage.newjamendo.com/download/track/82293/mp32/Overture%20in%20Darkness.mp3 && mpg123 "Overture in Darkness.mp3"

# nano /etc/inputrc

# adduser

setterm -clear all -background black -foreground cyan -store
setfont Lat2-Terminus16

Installing X.Org

# pacman -S xf86-input-evdev xf86-input-synaptics xf86-video-ati xorg-server xorg-xinit xterm ttf-liberation xorg-xsetroot xorg-xmodmap xorg-xinput
# startx

# pacman -S dwm dmenu

# cat >~/.xinitrc <<EOF
setxkbmap fr
xterm &
exec dwm
EOF

# startx

# man dwm

for more!

Updated 04/21/2012

(Optional but recommended) Compile and install dwm (using ABS -the Arch Building System)

First, install ABS and the development environment, then run abs to download the abs files for dwm
# pacman -Sy abs base-devel && abs “community/dwm”

As a regular user, create a build directory in your home
$ mkdir -p $HOME/abs
then copy dwm’s build directory into it
$ cp -r /var/abs/community/dwm/ ~/abs
$ cd ~/abs/dwm

Get the source files
$ makepkg -o

Edit dwm’s config.h to your taste (French users have a look at http://wiki.archlinux.fr/DWM)
Also some nice color schemes here : http://fsk141.com/dwm-colors
$ nano config.h

Then compile and install with
$ makepkg -efi

Autologin into X

# pacman -S vlock

$ nano ~/.bash_profile

# automatically start X when login from tty1 (and lock the tty)
if [ -z "$DISPLAY" ] && [ $(tty) == /dev/tty1 ]; then
nohup startx >.xlog & vlock
fi

Security note : be sure to close all opened tty sessions when locking your computer

Tweaking the touchpad

# nano /etc/X11/xorg.conf.d/10-synaptics.conf

# used for the synclient command line
Option "SHMConfig" "on"
# for vertical scroll on the right edge of the touchpad
Option "VertEdgeScroll" "1"
# left mouse button
Option "TapButton1" "1"
# I prefer a 2-finger tap for the right mouse button
Option "TapButton3" "2"
# and a 3-finger tap for the middle mouse button
Option "TapButton2" "3"
# one tap in the right top corner of the touchpad will emulate a right mouse button
Option "RTCornerButton" "3"

# synclient -l
# synclient VertEdgeScroll=1

Don’t hesitate to experiment, and share your findings

Special function keys

# pacman -S xorg-xev xbindkeys

$ xev

Now press the fn+F5 keys, xev reports KeyPress/KeyRelease events with keycode number 180.

$ xbindkeys --defaults > $HOME/.xbindkeysrc
$ nano $HOME/.xbindkeysrc

"firefox"
 c:180

$ xbindkeys

"amixer set Master 5-"
 XF86AudioLowerVolume
"amixer set Master 5+"
 XF86AudioRaiseVolume
"amixer set Master toggle"
 XF86AudioMute

$ xmodmap -e "keycode 135 = Pointer_Button3"

does not work.

# pacman -S xautomation
$ nano ~/.xbindkeysrc

"xte 'mouseclick 3'"
 Menu

# pacman -S xscreensaver

$ xscreensaver-demo

to configure it.

$ nano ~./xinitrc

xscreensaver -nosplash &

Power Management

# pacman -S cpufrequtils
# cpufreq-info

tells us that there is no cpu frequency driver enabled

# modprobe powernow-k8 && modprobe cpufreq_ondemand && modprobe cpufreq_powersave
# cpufreq-info

much better!

# nano /etc/conf.d/cpufreq

# rc.d start cpufreq

# pacman -S laptop-mode-tools acpi acpid ethtool powertop upower

$ acpi

Configure laptop-mode

# nano /etc/laptop-mode/conf.d/lcd-brightness.conf

# nano /etc/laptop-mode/conf.d/bluetooth.conf

# rc.d start laptop-mode

# tail /var/log/messages.log

# laptop-mode status

# powertop

# nano /etc/rc.local.shutdown

Suspend to ram/suspend to disk (hibernate)

# pacman -S pm-utils

# pm-suspend

It seems to work! Now press a key to wake up.

# nano /etc/acpi/handler.sh

# blkid

then copy/paste the UUID for the swap partition, into the grub line

# nano /boot/grub/menu.lst

# nano /etc/mkinitcpio.conf

# mkinitcpio -p linux

# pm-hibernate

# more /var/log/pm-*.log

Allow regular users to use pm-suspend / pm-hibernate

# pacman -S sudo && visudo
%wheel ALL=(ALL) NOPASSWD: /usr/sbin/pm-suspend 
%wheel ALL=(ALL) NOPASSWD: /usr/sbin/pm-hibernate
%wheel ALL=(ALL) NOPASSWD: /usr/sbin/pm-suspend-hybrid

# usermod -a -G wheel <username>

$ nano $HOME/.xbindkeysrc

"xscreensaver-command -lock; sudo /usr/sbin/pm-hibernate"
 Mod4 + Escape

# nano /etc/laptop-mode/conf.d/auto-hibernate.conf

# rc.d restart laptop-mode

# pacman -S beep
# nano /usr/share/laptop-mode-tools/module-helpers/pm-hibernate

# Freezer on preference
if [ x$MEM = x1 ]; then
        beep -r 3
        echo "mem" > /sys/power/state
elif [ x$DISK = x1 ]; then
        beep -r 5
        echo "disk" > /sys/power/state
else
        ## Nothing to do.
        echo ;
fi

Automatically suspend on idle/inactivity (under X.Org)

xautolock -time 15 -locker "sudo pm-suspend-hybrid" &

Useful monitoring software

# pacman -S htop smartmontools

# smartctl -H /dev/sda

Better network handling

# pacman -S wicd
# rc.d restart dbus
# rc.d start wicd

$ wicd-curses

Firewall

# pacman -S ufw

# ufw allow 22/tcp

# nano /etc/ufw/ufw.conf

# rc.d start ufw

# ufw status
# iptables -L |more

Let’s install some software for workstation usage

# pacman -S lxterminal

# pacman -S pcmanfm

# pacman -S firefox arch-firefox-search firefox-adblock-plus firefox-noscript

# pacman -S thunderbird

# pacman -S mplayer mencoder ffmpeg vlc

$ mplayer tv://

or

$ mplayer tv:// -tv driver=v4l2:width=320:height=240:fps=30

$ mencoder -tv driver=v4l2:width=640:height=480 tv:// -o webcam.avi -ovc lavc=mpeg4 -nosound

(here with no sound because mencoder complains about missing /dev/dsp sound device…)

$ ffmpeg -f x11grab -s 1366x768 -r 15 -i :0.0 -sameq capture.flv

(without sound)

$ ffmpeg -f alsa -i hw:0 -f x11grab -s 1366x768 -r 15 -i :0.0 -sameq capture.avi

(with sound, using the internal mic. Check your capture levels with alsamixer)

# pacman -S audacious audacious-plugins

$ nano $HOME/.xbindkeysrc

$ killall xbindkeys && xbindkeys

Neat feature, now even if Audacious is not launched, a simple hotkey will launch it and resume playing the current playlist

Some small beautification tips!

# pacman -S feh

$ feh --bg-center <wallpaper filename>

will generate a ~/.fehbg

eval $(cat ~/.fehbg)

$ feh --bg-center <new wallpaper filename>

# pacman -S gnome-themes-standard gnome-themes-extras lxappearance
$ lxappearance

$ echo >~/.gtkrc-2.0.mine "gtk-cursor-theme-size=48"

Conclusion

And remember, the Arch wiki is a goldmine

Things To Do

Some simple custom scripts

battery.sh

#!/bin/bash
# battery.sh
batt_now=`cat /sys/class/power_supply/BAT0/energy_now`
batt_full=`cat /sys/class/power_supply/BAT0/energy_full`
batt_status=`cat /sys/class/power_supply/BAT0/status`
voltage_now=`cat /sys/class/power_supply/BAT0/voltage_now`
voltage_now_w=`echo "scale=2;$voltage_now / 1000000" | bc`
voltage_min_design=`cat /sys/class/power_supply/BAT0/voltage_min_design`
voltage_min_design_w=`echo "scale=2;$voltage_min_design / 1000000" | bc`
power_now=`cat /sys/class/power_supply/BAT0/power_now`
batt_level=`echo "scale=2;$batt_now/$batt_full*100" | bc`
conso=`echo "scale=2;$power_now / 1000000" | bc`

#echo "batt_full=$batt_full"
#echo "batt_now=$batt_now"
echo "Battery level : $batt_level % (status : $batt_status, $voltage_now_w V, min $voltage_min_design_w V)"
echo "System power consumption : $conso W"

wifi.sh

#!/bin/bash
# wifi.sh
killall dhcpcd
killall wpa_supplicant
wpa_supplicant -B -iwlan0 -c/etc/wpa_supplicant.conf
dhcpcd wlan0

gtk-switch-hicontrast.sh

#!/bin/bash
#
# gtk-switch-hicontrast.sh
#
# switch current user's gtk 2.0 theme (to hicontrast and back)
#
# http://agentoss.wordpress.com / fredo696@gmail.com
#
# this script is best used when called with a hotkey
#
# useful for laptops with a glossy lcd panel!
# for best results set the backlight luminosity to the max.
# 
# dependencies (mandatory) : gnome-themes-standard (should include the hicontrast themes)
# dependencies (optional) : zenity, lxappearance,
# gtkrc-reload from the AUR ( http://aur.archlinux.org/packages.php?ID=44052 )
# 
# 
# Note : if you already have a .mine gtkrc file, please back it up
# before using this script because it will be overwritten!
# 
# be sure that your .gtkrc-2.0 has an include directive like :
# include "~/.gtkrc-2.0.mine" as the last line
#

# file for storing the actual switch value ("NORMAL" or "HI")
hifileswitch="$HOME/.hicontrast"

# gtkrc file to write changes to
gtkfile_mine="$HOME/.gtkrc-2.0.mine"

# check if file is readable or writable
touch $hifileswitch
if [ $? -ne 0 ];then
 echo "Error touching $hifileswitch, aborting!"
 exit 1
fi

# get current switch value
hivalue=`cat $hifileswitch`

if [ ! $hivalue == "HI" ];then
 zenity --info --text="Switching gtk theme to HiConstrast.nnPlease restart all running GTK apps for changes to take full effect" 
  --timeout=2
 echo "HI" >$hifileswitch
# populate .mine file with highcontrast values (customize yours here)
# here I choose a bigger font size and a bigger mouse cursor
 cat >$gtkfile_mine <<EOF
# generated by $0
# do not modify this file by hand, it will be overwritten!
gtk-theme-name="HighContrast"
gtk-icon-theme-name="HighContrast"
gtk-font-name="Sans 14"
#gtk-cursor-theme-name="Bluecurve"
gtk-cursor-theme-size=48
gtk-toolbar-style=GTK_TOOLBAR_BOTH
gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=1
gtk-enable-input-feedback-sounds=1
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle="hintfull"
gtk-xft-rgba="rgb"
EOF

else
# switching back to normal theme
 zenity --info --text="Switching gtk theme to normal" --timeout=2

# customize your "normal" (ie. not high contrast) .mine file here
# here it is an empty file so that no values in the default gtkrc-2.0 file
# are overridden
 cat >$gtkfile_mine <<EOF
# generated by $0
# do not modify this file by hand, it will be overwritten!
EOF

 echo "NORMAL" >$hifileswitch
fi

# force gtk theme reload
# unfortunately, icons are not refreshed it seems
# so we need to restart manually all running gtk apps...
gtkrc-reload || lxappearance

exit 0

The Config files

/etc/rc.conf

#
# /etc/rc.conf - Main Configuration for Arch Linux
#
# See 'man 5 rc.conf' for more details
#
# LOCALIZATION
# ------------
HARDWARECLOCK="UTC"
TIMEZONE="Europe/Paris"
KEYMAP="fr"
CONSOLEFONT="Lat2-Terminus16"
CONSOLEMAP=
LOCALE="fr_FR.UTF-8"
DAEMON_LOCALE="yes"
USECOLOR="yes"
# HARDWARE
# --------
MODULES=(powernow-k8 cpufreq_ondemand cpufreq_powersave)
USEDMRAID="no"
USEBTRFS="no"
USELVM="no"
# NETWORKING
# ----------
HOSTNAME=dm1z
interface=
address=
netmask=
broadcast=
gateway=
NETWORK_PERSIST="no"
# DAEMONS
# -------
#
DAEMONS=(syslog-ng ufw network crond @sshd @alsa @cpufreq @acpid @laptop-mode dbus @wicd)

/etc/wpa_supplicant.conf

eapol_version=1
ap_scan=1
fast_reauth=1
network={
        ssid="your_ssid"
        psk="your_passphrase"
}

$HOME/.xinitrc

eval $(cat ~/.fehbg)
setxkbmap fr
xbindkeys
xscreensaver -nosplash &
xautolock -time 15 -locker "sudo pm-suspend-hybrid" &
#xterm &
#xterm -fg white -bg black -e htop &
while true; do xsetroot -name "`acpi | tr -d 'n'; echo -n " // "; date +%R; sleep 60`"; done &
exec dbus-launch dwm

$HOME/.xbindkeysrc

"xbindkeys_show"
  control+shift + q

"lxterminal"
 Mod4 + x

"firefox"
 c:180

"firefox"
 Mod4 + f

"thunderbird"
 Mod4 + t
"$HOME/bin/gtk-switch-hicontrast.sh"
 Mod4 + h 
"xscreensaver-command -lock; sudo /usr/sbin/pm-suspend"
 Mod4 + s

"xscreensaver-command -lock; sudo /usr/sbin/pm-hibernate"
 Mod4 + Escape

"audacious -r"
 XF86AudioPrev

"audacious -f"
 XF86AudioNext

"audacious -t"
 XF86AudioPlay

"amixer set Master 5-"
 XF86AudioLowerVolume

"amixer set Master 5+"
 XF86AudioRaiseVolume

"amixer set Master toggle"
 XF86AudioMute

"xte 'mouseclick 3'"
 Menu

Mandatory screenshot