Base install

Normal installation of Debian wheezy; make sure you choose the amd64 architecture. I used the mini.iso image to boot from USB and installed the base system from it; the rest of the installation can then be done over wifi.

Add the contrib and non-free components to /etc/apt/sources.list to get access to non-free packages, some firmware for example.

Boot protection

First generate a hash with the following command:

grub-mkpasswd-pbkdf2

Add a file named /etc/grub.d/02_password with the following content (paste the full hash printed by grub-mkpasswd-pbkdf2 in place of grub.pbkdf2.sha512.10000.hash; the scripts in /etc/grub.d are run as shell scripts by update-grub, so give it a shebang):

#!/bin/sh
# Everything between the EOF markers is copied verbatim into grub.cfg
cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.hash
EOF

Set the file permissions and apply the changes:

chmod 755 /etc/grub.d/02_password
update-grub

Now you can unlock the menu with username root. Be clear about what this protects: it stops someone at the keyboard from editing an entry (appending init=/bin/sh, say) or booting a locked one, but not from booting other media or pulling the disk, so it belongs together with a BIOS password on the boot order and the disk encryption configured via /etc/crypttab further down.

Unrestricted booting

Locking every menu item by default is the behaviour of recent grub versions. To let an entry boot without the password, add the --unrestricted option to that menuentry. In my case, the second entry in /etc/grub.d/10_linux did the trick (10_linux is a package conffile, so expect a prompt, and re-check the entry, when grub is upgraded):

echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted ...

Don't forget to generate the new config file:

update-grub

Also, keep a watch on this thread. It looks like a good solution.
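After update-grub it is worth reading the generated config rather than trusting the edit, especially since a missing password line or a forgotten --unrestricted on the wrong entry only shows up at the next boot. The script below is an added example, not part of the original page: it checks a grub.cfg for the superusers and password_pbkdf2 lines and lists which menu entries are open (--unrestricted) and which still require the password. It embeds a constructed, trimmed sample grub.cfg so it runs on its own; on the laptop point it at /boot/grub/grub.cfg.

```sh
#!/bin/sh
# Added example (not from the original page): audit a grub.cfg produced by
# update-grub for the password setup described above.
# Usage on a real host: sh check-grub.sh /boot/grub/grub.cfg

# True when both the superusers and the password_pbkdf2 line are present.
grub_password_set() {
    grep -q '^set superusers=' "$1" && grep -q '^password_pbkdf2 ' "$1"
}

# All menuentry lines, including those nested inside submenus.
menu_entries() {
    grep -E '^[[:space:]]*menuentry ' "$1"
}

# Number of entries anyone can boot without the password.
count_open_entries() {
    menu_entries "$1" | grep -c -- '--unrestricted' || true
}

# Number of entries that still require the superuser password.
count_locked_entries() {
    menu_entries "$1" | grep -vc -- '--unrestricted' || true
}

# Titles of the locked entries, one per line.
list_locked_titles() {
    menu_entries "$1" | grep -v -- '--unrestricted' \
        | sed -E "s/^[[:space:]]*menuentry '([^']*)'.*/\1/"
}

# Short report; exits 1 when 02_password did not make it into the config.
report() {
    if ! grub_password_set "$1"; then
        echo "$1: no superusers/password_pbkdf2 lines; update-grub did not pick up 02_password" >&2
        return 1
    fi
    echo "open entries:   $(count_open_entries "$1")"
    echo "locked entries: $(count_locked_entries "$1")"
    list_locked_titles "$1" | sed 's/^/  locked: /'
}

# Constructed sample, trimmed to the lines that matter; a real grub.cfg is
# much longer. Pass /boot/grub/grub.cfg as the first argument on the laptop.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.SALT.HASH
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --unrestricted $menuentry_id_option 'gnulinux-simple' {
    linux /vmlinuz root=/dev/mapper/root ro quiet
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced' {
    menuentry 'Debian GNU/Linux, with Linux 3.2.0-4-amd64 (recovery mode)' --class debian $menuentry_id_option 'gnulinux-recovery' {
        linux /vmlinuz root=/dev/mapper/root ro single
    }
}
EOF

report "${1:-$SAMPLE_CFG}"
```

The recovery entry is the one to keep locked: it boots single-user mode, which is exactly the root shell the password is meant to keep away from a passer-by.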

Hardware support

Test the camera:

mplayer tv://

Set the default brightness in /etc/X11/wdm/Xsetup_0:

echo 5 > /sys/class/backlight/acpi_video0/brightness

Add this line to /etc/pm/config.d/unload_modules so pm-utils unloads the wifi driver before suspending, which makes hibernation work properly:

SUSPEND_MODULES="$SUSPEND_MODULES iwlwifi"

Add the following lines to /etc/xbindkeysrc to enable the special buttons:

"amixer -c 0 set Master 2dB- unmute"
  XF86AudioLowerVolume

"amixer -c 0 set Master 2dB+ unmute"
  XF86AudioRaiseVolume

"amixer set Master toggle"
  XF86AudioMute

"amixer -c 0 set Mic toggle"
  XF86AudioMicMute

"xterm"
  XF86Launch1

"xscreensaver-command -lock"
  XF86ScreenSaver

For some reason, xbindkeysrc is no longer sourced automatically (I noticed this in jessie on May 7, 2014). To enable this again, do the following:

echo xbindkeys_autostart > /etc/X11/Xsession.d/98xbindkeys

If the default sound card is not the one you want, try:

alsactl store 0

The microphone is muted by default and it may be tricky to enable it:

  • open alsamixer
  • choose the sound card (F6)
  • scroll to Capture
  • toggle capture on with the space bar

Add the following lines to /etc/X11/xorg.conf.d/10-synaptics.conf to configure the trackpad:

Section "InputClass"
  Identifier "touchpad catchall"
  Driver "synaptics"
  MatchIsTouchpad "on"
  MatchDevicePath "/dev/input/event*"
  Option "TapButton1" "1"
  Option "TapButton2" "2"
  Option "TapButton3" "3"
  Option "VertTwoFingerScroll" "on"
  Option "HorizTwoFingerScroll" "on"
  Option "HorizHysteresis" "50"
  Option "VertHysteresis" "50"
  Option "PalmDetect" "1"
  Option "PalmMinWidth" "5"
  Option "PalmMinZ" "40"
EndSection

LEDs can be controlled through /proc/acpi/ibm/led (thinkpad_acpi takes "<number> on", "<number> off" or "<number> blink" written to it). The following LEDs seem to be supported:

number  description
0       power (inside)
7       sleep (lid)
12      ?

To enable the fingerprint reader, install the fprintd package and run:

fprintd-enroll username

Edit /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy and change:

<allow_any>no</allow_any>

to:

<allow_any>yes</allow_any>

in the net.reactivated.fprint.device.enroll and net.reactivated.fprint.device.verify sections. Two caveats: allow_any covers every session, remote and inactive ones included, so this lets any account on the machine use the reader, and the file belongs to the fprintd package and is replaced on upgrade. A rule in /etc/polkit-1/localauthority/50-local.d/ (the .pkla format of polkit 0.105 in wheezy) scoped to your own user is narrower and survives upgrades.

Adding these lines to /etc/modprobe.d/blacklist.conf used to disable beeps, but I still have them:

blacklist pcspkr
blacklist snd-pcsp

To enable/disable a second monitor or beamer (projector), I made the following aliases:

alias beamer_on="xrandr --output DP1 --auto --right-of LVDS1; pkill -n --signal SIGUSR1 wmaker"
alias beamer_off="xrandr --output DP1 --off"

SSD optimisations

Use a RAM disk instead of the SSD for the tmp folder by editing /etc/default/tmpfs:

RAMTMP=yes

To use an I/O scheduler suited to the SSD (deadline instead of cfq; this changes how requests are ordered, not how many writes hit the disk), create /etc/udev/rules.d/60-schedulers.rules:

# Handle the scheduler choice according to the type of disk detected

# system default : set cfq scheduler for rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"

# SSD specific : set deadline scheduler for non-rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"

To minimise swap usage, edit /etc/sysctl.conf (from kernel 3.5 on, 0 means the kernel avoids swapping almost entirely rather than merely preferring not to; use 1 if that is not what you want):

# Minimize swap use
vm.swappiness=0

Enable TRIM:

  • Add the discard option to /etc/crypttab.
  • Set issue_discards = 1 in /etc/lvm/lvm.conf.
  • Add the following script in /etc/cron.weekly.

Passing discards through dm-crypt tells the SSD which blocks are unused, so someone holding the drive can see the free-space pattern and how full the filesystem is through the encryption; cryptsetup's documentation warns about this. If that matters more to you than SSD longevity, leave discard out of crypttab.
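The weekly script itself is not reproduced on the page. As an added example, not the author's script, here is what such a job can look like: it reads a /proc/mounts-style table, picks the read-write ext4/xfs/btrfs filesystems and runs fstrim on each, looping rather than relying on the --all option that newer util-linux has and wheezy's does not. A constructed mount table is embedded so the selection logic can be exercised without touching real disks; the demonstration at the bottom runs in dry-run mode over that sample, and the cron job would call run_trim /proc/mounts instead.

```sh
#!/bin/sh
# Added example (not the page's cron.weekly script): trim every read-write
# ext4/xfs/btrfs filesystem listed in a /proc/mounts-style table.
# Install as /etc/cron.weekly/fstrim (chmod 755) with the last line changed
# to "run_trim /proc/mounts". Needs root for a real run; DRY_RUN=1 only prints.

# Filter: mountpoints of read-write filesystems that support TRIM.
# Input columns: device mountpoint fstype options dump pass
trim_targets() {
    awk '$3 ~ /^(ext4|xfs|btrfs)$/ && $4 !~ /(^|,)ro(,|$)/ { print $2 }'
}

# Trim each target from the given mount table; report per-mount failures
# without aborting the rest (a vanished USB stick should not skip /home).
run_trim() {
    trim_targets < "$1" | while IFS= read -r mp; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would trim $mp"
        elif ! fstrim -v "$mp"; then
            echo "fstrim failed on $mp" >&2
        fi
    done
}

# Constructed sample mount table for the stand-alone run (not a real host).
SAMPLE_MOUNTS="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
/dev/mapper/root / ext4 rw,relatime,discard,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb vfat ro,relatime 0 0
/dev/mapper/data /srv xfs ro,relatime 0 0
EOF

# Demonstration over the sample; the installed cron job runs: run_trim /proc/mounts
DRY_RUN=1 run_trim "$SAMPLE_MOUNTS"
```

Note that errors=remount-ro in the options must not be mistaken for a read-only mount, which is why the filter anchors "ro" on commas rather than matching it anywhere in the field.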

Battery life

Disable unused wireless interfaces by editing /etc/rc.local:

rfkill block wwan
rfkill block bluetooth

Low battery warning

I made a small script that issues a warning when the battery is low and does a hybrid hibernation if the battery is critically low.

Put this file in /etc/acpi/events/ and this script in /etc/acpi/.

WLAN

I use Wicd as a network manager, which works fine. The only problem is that shutting down the wireless interface is a bit difficult. Routes are not removed, the interface stays up, etc.

Fix this by adding the following lines to /etc/network/interfaces:

iface wlan0 inet manual
  pre-up rfkill unblock wlan
  pre-up /etc/init.d/wicd start
  post-down dhclient -x
  post-down /etc/init.d/wicd stop
  post-down ifconfig wlan0 down
  post-down rfkill block wlan

Since Wicd starts the interface, we have to make sure ifup/ifdown knows this. We do this by adding the following line to /etc/rc.local:

echo wlan0=wlan0 >> /run/network/ifstate

I also didn't like the Wicd logo, so I used this one.

WWAN

GPRS networking

To communicate with the WWAN modem, you need to connect to its serial device. This can be done with minicom, but also with screen, for example:

screen /dev/ttyACM1

For the GPRS modem (the AT*ENAP setup below), always use /dev/ttyACM1.

Select the network operator and the APN; this is only needed when you change countries, as the modem stores the settings:

AT+COPS=1,0,"NL KPN",2
AT+CGDCONT=1,"IP","cloud.macheen.info"

Add a chat script that enables the network, /etc/chatscripts/gsm_on:

ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
TIMEOUT 10
'' AT+CFUN=6 OK
\d\d\dAT*ENAP=1,1 OK

And add one that disables the network, /etc/chatscripts/gsm_off:

ABORT ERROR
TIMEOUT 5
'' AT*ENAP=0 OK
AT+CFUN=0 OK

The network device that is created when the modem is properly configured is usually named usb0. If you want a more descriptive name like wwan0, edit /etc/udev/rules.d/70-persistent-net.rules and add the following lines (replace x:x:x:x:x:x with the modem's MAC address):

# WWAN.
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="x:x:x:x:x:x", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="usb*", NAME="wwan0"

To make the ifup and ifdown commands available for wwan0, add the following lines to /etc/network/interfaces:

iface wwan0 inet dhcp
  pre-up rfkill unblock wwan
  pre-up chat -f /etc/chatscripts/gsm_on < /dev/ttyACM1 > /dev/ttyACM1
  post-down chat -f /etc/chatscripts/gsm_off < /dev/ttyACM1 > /dev/ttyACM1
  post-down rfkill block wwan

If you use Lenovo mobile access, you can go here once you're connected to purchase a time pass.

XS4ALL

Content of /etc/ppp/peers/xs4all (the provider name referenced from /etc/network/interfaces below):

/dev/ttyACM0
115200
connect 'chat -f /etc/chatscripts/xs4all'
defaultroute
usepeerdns
name <username>
noauth

Content of /etc/chatscripts/xs4all:

ABORT 'BUSY'
ABORT 'NO CARRIER'
ABORT 'ERROR'
'' AT
OK AT+CGDCONT=1,"IP","umts.xs4all.nl"
OK ATDT*99***1#

Configuration of /etc/network/interfaces:

iface ppp0 inet ppp
  provider xs4all
  pre-up rfkill unblock wwan
  post-down kill -TERM `cat /var/run/ppp0.pid`
  post-down rfkill block wwan

GPS

Send the following commands to /dev/ttyACM2:

AT*E2GPSCTL=1,5,1
AT*E2GPSNPD

Now a stream of data will be shown. To decode it, open another terminal (CTRL-A c if you use screen) and run the following command:

cat /dev/ttyACM2 | gpsdecode

Debugging

Don't forget to unblock the WWAN device when debugging:

rfkill unblock wwan

The following command will return the IMEI number:

AT+CGSN
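Typing AT commands into screen is fine for exploring, but for anything repeatable (noting the IMEI before a trip, toggling the radio from a script) a non-interactive helper is handier. The script below is an added example, not from the original page: it sends one command to the modem, collects the reply up to OK or ERROR while stripping the echoed command and CR line endings, and validates an IMEI as returned by AT+CGSN with the Luhn check digit that IMEIs carry, which catches a garbled serial read. Assumptions: GNU stty -F and the timeout utility from coreutils (both in wheezy), the page's /dev/ttyACM1 as the default device, and a constructed reply for the stand-alone run whose IMEI is an example value, not from a real device.

```sh
#!/bin/sh
# Added example (not from the original page): script AT commands to the WWAN
# modem instead of typing them into screen. Assumes GNU stty -F, coreutils
# timeout and the page's /dev/ttyACM1; override with MODEM=/dev/...

MODEM="${MODEM:-/dev/ttyACM1}"

# Reduce a raw modem reply to its payload lines: strip CRs and blank lines,
# drop the echoed command, stop at OK. Exits 1 on ERROR / +CME / +CMS ERROR.
at_parse() {
    awk '
        { sub(/\r$/, "") }
        /^$/ { next }
        /^AT/ { next }
        /^OK$/ { exit 0 }
        /^(ERROR|[+]CM[ES] ERROR)/ { bad = 1; exit 1 }
        { print }
        END { exit bad ? 1 : 0 }
    '
}

# Send one command and print the parsed reply. Needs rw access to the device
# (root or the dialout group). The fd is opened read/write before writing so
# the reply cannot be lost between sending the command and starting to read.
at_cmd() {
    stty -F "$MODEM" 115200 raw -echo
    exec 3<> "$MODEM"
    printf '%s\r' "$1" >&3
    timeout 5 awk '{ print } /^(OK|ERROR)/ { exit }' <&3 | at_parse
    rc=$?
    exec 3<&-
    return $rc
}

# Luhn check of a 15-digit IMEI: the last digit must validate the first 14.
imei_valid() {
    printf '%s\n' "$1" | awk '
        $0 !~ /^[0-9]+$/ || length($0) != 15 { exit 1 }
        {
            sum = 0
            for (i = 1; i <= 15; i++) {
                d = substr($0, i, 1) + 0
                if (i % 2 == 0) { d *= 2; if (d > 9) d -= 9 }
                sum += d
            }
            exit (sum % 10 != 0)
        }
    '
}

# Constructed reply, as a modem that echoes its input answers AT+CGSN.
# The IMEI is an example value, not read from a real device.
SAMPLE_REPLY="$(printf 'AT+CGSN\r\n\r\n490154203237518\r\n\r\nOK\r\n')"

imei="$(printf '%s\n' "$SAMPLE_REPLY" | at_parse)"
if imei_valid "$imei"; then
    echo "sample IMEI $imei: check digit OK"
fi

# Only talk to hardware when the device is actually there (rfkill unblock wwan first).
if [ -c "$MODEM" ] && [ -w "$MODEM" ]; then
    at_cmd AT+CGSN
fi
```

The same at_cmd wrapper can drive the AT*ENAP and AT+CFUN commands from the chat scripts above when you would rather check each reply yourself than rely on chat's ABORT strings.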

Wicd and wwan

Wicd currently has no support for multiple wireless devices; there is, however, support for a wired device. We trick Wicd into treating the wwan interface as the wired device as follows.

In the Preferences menu of the Wicd network manager, give ppp0 as the Wired interface. Select the "Always show wired interface" check box and deselect "Always switch to a wired connection when available".

Add the file /etc/wicd/scripts/preconnect/ppp0:

#!/bin/bash

connection_type="$1"

if [ "${connection_type}" == "wired" ]; then
  ifconfig wlan0 down
  rfkill block wlan
  ifup ppp0
fi

And add the file /etc/wicd/scripts/postdisconnect/ppp0:

#!/bin/bash

connection_type="$1"

if [ "${connection_type}" == "wired" ]; then
  ifdown ppp0
  rfkill unblock wlan
  ifconfig wlan0 up
fi

Make both files executable. Now connecting to the Wired Network will disable the wlan interface and enable the ppp interface.

Documentation

It can be quite tricky to get the WWAN and GPS devices working; I used a lot of documentation that may be helpful:

Most of what I described above, I got from this site. More or less the same information can be found here. More general information can be found here.

Information about operator selection can be found here.

Information on how to select the provider, I found here.

AT command references can be found here, here and here. A short list of useful commands can be found here. A thread about configuring a modem.

A list of Dutch APNs.

Software

Third party software

Skype

Add the following line to /etc/apt/sources.list (apt will flag the packages as unauthenticated until the repository's signing key has been imported with apt-key; check the key's fingerprint out of band before trusting it):

deb http://download.skype.com/linux/repos/debian/ stable non-free

You then need to add the i386 architecture to install skype:

dpkg --add-architecture i386
apt-get update
apt-get install skype

Ozyman DNS

To install DNS tunnelling software (handy for airports); the tarball comes over plain HTTP with no checksum or signature, so read droute.pl before putting it on your PATH:

wget http://beta.ivancover.com/dnstunnel/ozymandns_src_0.1.tgz
tar -xzvf ozymandns_src_0.1.tgz
mv droute.pl /usr/local/bin/
apt-get install libnet-dns-perl libmime-base32-perl tsocks

Firewall

Configure a rudimentary firewall (default deny on INPUT and FORWARD; only loopback and replies to the laptop's own connections get in):

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/iptables/rules.v4

This covers IPv4 only; ip6tables starts out empty, so repeat the policy with ip6tables (allowing ipv6-icmp, which IPv6 needs for neighbour discovery) and save it to /etc/iptables/rules.v6. Both files are loaded at boot by the iptables-persistent package, which is what the /etc/iptables directory belongs to.
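Because the saved file is loaded wholesale at boot, it pays to generate it from one place and check it before iptables-restore sees it. The script below is an added example, not the page's own: it renders the same default-deny, stateful ruleset in iptables-restore format for both address families, takes the hosts and ports to open as cidr:port arguments (the Bacula director rule from the Backup section is the kind of thing that goes there) and refuses a rules file whose policies are not DROP or which opens a port to every source. The address 203.0.113.5 and the IPv6 address 2001:db8::5 are documentation addresses standing in for the page's y.y.y.y.

```sh
#!/bin/sh
# Added example (not the page's firewall commands): render a default-deny,
# stateful INPUT policy for IPv4 and IPv6 in iptables-restore format, and
# check a rules file before loading it. Usage:
#   sh fw.sh v4 203.0.113.5/32:9102 > /etc/iptables/rules.v4
#   sh fw.sh v6 > /etc/iptables/rules.v6
#   iptables-restore < /etc/iptables/rules.v4
#   ip6tables-restore < /etc/iptables/rules.v6

line() { printf '%s\n' "$*"; }

# $1: v4 or v6; remaining args: "cidr:port" pairs to accept over TCP.
render_rules() {
    fam="$1"; shift
    line '*filter'
    line ':INPUT DROP [0:0]'
    line ':FORWARD DROP [0:0]'
    line ':OUTPUT ACCEPT [0:0]'
    line '-A INPUT -i lo -j ACCEPT'
    line '-A INPUT -m state --state INVALID -j DROP'
    line '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ "$fam" = v6 ]; then
        # Neighbour discovery and router advertisements are ICMPv6; dropping
        # them leaves the host without an IPv6 address or default route.
        line '-A INPUT -p ipv6-icmp -j ACCEPT'
    else
        # ICMP errors for our own connections already pass as RELATED;
        # this only admits pings.
        line '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
    fi
    for svc in "$@"; do
        src="${svc%:*}"      # everything before the last colon (IPv6 safe)
        port="${svc##*:}"
        line "-A INPUT -s $src -p tcp -m tcp --dport $port -j ACCEPT"
    done
    line 'COMMIT'
}

# Refuse a rules file whose INPUT or FORWARD policy is not DROP, or which
# opens a port without restricting the source address.
check_rules() {
    grep -q '^:INPUT DROP' "$1"   || { echo "$1: INPUT policy is not DROP" >&2; return 1; }
    grep -q '^:FORWARD DROP' "$1" || { echo "$1: FORWARD policy is not DROP" >&2; return 1; }
    if grep -- '--dport' "$1" | grep -v -- ' -s ' >/dev/null; then
        echo "$1: a port is opened to every source" >&2
        return 1
    fi
}

# Stand-alone demonstration into a scratch directory (documentation addresses).
OUT="$(mktemp -d)"
trap 'rm -rf "$OUT"' EXIT
render_rules v4 203.0.113.5/32:9102 > "$OUT/rules.v4"
render_rules v6 2001:db8::5/128:9102 > "$OUT/rules.v6"
check_rules "$OUT/rules.v4" && check_rules "$OUT/rules.v6" && cat "$OUT/rules.v4"
```

The ICMPv6 rule is the one most often forgotten when a v4 policy is copied to v6: with it dropped the laptop still looks fine on the LAN until its router entry expires.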

Backup

Content of /etc/bacula/bacula-fd.conf (the two passwords are the file daemon's shared secrets with the director and the monitor; keep the file readable by root only):

Director {
  Name = media-dir
  Password = "password1"
}

Director {
  Name = media-mon
  Password = "password2"
  Monitor = yes
}

FileDaemon {                          # this is me
  Name = obscured-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  #FDAddress = 127.0.0.1
}

Messages {
  Name = Standard
  director = media-dir = all, !skipped, !restored
}

Content of /etc/bacula/bconsole.conf:

Director {
  Name = media-dir
  DIRport = 9101
  address = x.x.x.x
  Password = "password2"
}

Add the following rule to /etc/iptables/rules.v4 so that only the director host can reach the file daemon on port 9102 (Bacula authenticates the peers with CRAM-MD5, but without its TLS directives the backup data itself crosses the network in the clear):

-A INPUT -s y.y.y.y/32 -p tcp -m tcp --dport 9102 -j ACCEPT

Misc

I prefer the foreground of the terminal to be green; this can be done by editing /etc/X11/app-defaults/XTerm-color:

*VT100*foreground: green

Enable xscreensaver for all users by editing /etc/X11/Xsession.d/98xscreensaver:

xscreensaver -no-splash &

To make sure I can always use short names for a certain domain, I edited /etc/dhcp/dhclient.conf:

supersede domain-search "fixedpoint.nl";

User settings

To clear the download list in Iceweasel:

about:config
browser.download.manager.retention 0

To prevent caching to disk:

about:config
browser.cache.disk.enable false
browser.cache.memory.capacity 10000
browser.cache.offline.enable false

Sometimes I need to control a host named media from my laptop:

alias rmedia="ssh media x2x -east -to :0"

File /usr/share/dbus-1/services/org.freedesktop.Notifications.service needed for guake:

[D-BUS Service]
Name=org.freedesktop.Notifications
Exec=/usr/lib/notification-daemon/notification-daemon

Vim

There's probably a better way of doing this, but to add Dutch spell correction:

cd /usr/share/vim/vim74/spell
wget http://ftp.vim.org/vim/runtime/spell/nl.utf-8.spl
wget http://ftp.vim.org/vim/runtime/spell/nl.utf-8.sug