Base install

Normal installation of Debian wheezy. Make sure you choose the amd64 architecture. I used the mini.iso image to boot from USB and install the base system; the rest of the installation can be done via wifi.

Add non-free contrib to /etc/apt/sources.list to get access to non-free packages, such as some firmware.

Boot protection

First generate a hash with the following command:


Add a file named /etc/grub.d/02_password with the following content:

#!/bin/sh
cat << EOF
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.hash
EOF

Set the file permissions and apply the changes:

chmod 755 /etc/grub.d/02_password

Now you can unlock the menu with username root.

Unrestricted booting

Locking every menu item by default is the new behaviour of the latest versions of grub. To disable this, add the --unrestricted option to the menuentry you want to unlock. In my case, the second entry in /etc/grub.d/10_linux did the trick:

echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} --unrestricted ...

Don't forget to generate the new config file:


Also, keep a watch on this thread. It looks like a good solution.
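
A check to run over the generated config after the steps above (an added example, not part of the original page): it confirms that the superuser and PBKDF2 password reached grub.cfg, flags a world-readable file, and lists the entries that boot without a password. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a generated grub.cfg for the password setup above.
# Function names and the sample config are constructed for illustration.

# Print one finding per line; no output means the checks passed.
audit_grub_cfg() {
    cfg=$1
    grep -Eq '^[[:space:]]*set superusers=' "$cfg" ||
        echo "no superusers set: anyone can edit entries or open a GRUB shell"
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" ||
        echo "no password_pbkdf2 line"
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "plaintext password directive present"
    fi
    # The config carries the password hash; others should not be able to read it.
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "config is world-readable"
    fi
    # Recovery (single-user) entries should stay behind the password.
    unrestricted_entries "$cfg" | grep -i 'recovery' |
        sed 's/^/unrestricted recovery entry: /'
    return 0
}

# Titles of the menu entries that boot without asking for the password.
unrestricted_entries() {
    sed -n "s/^[[:space:]]*menuentry '\([^']*\)'.*--unrestricted.*/\1/p" "$1"
}

# Constructed sample of a generated grub.cfg after the changes above.
sample_cfg=$(mktemp)
cat > "$sample_cfg" << 'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED-SALT.CONSTRUCTED-HASH
menuentry 'Debian GNU/Linux' --class debian --unrestricted {
}
menuentry 'Debian GNU/Linux (recovery mode)' --class debian {
}
EOF
chmod 600 "$sample_cfg"

echo "unrestricted: $(unrestricted_entries "$sample_cfg")"
audit_grub_cfg "$sample_cfg"
```

On a real system, point both functions at /boot/grub/grub.cfg as root.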

Hardware support

Test the camera:

mplayer tv://

Set the default brightness in /etc/X11/wdm/Xsetup_0:

echo 5 > /sys/class/backlight/acpi_video0/brightness

Add this line to /etc/pm/config.d/unload_modules to make hibernation work properly:


Add the following lines to /etc/xbindkeysrc to enable the special buttons:

"amixer -c 0 set Master 2dB- unmute"

"amixer -c 0 set Master 2dB+ unmute"

"amixer set Master toggle"

"amixer -c 0 set Mic toggle"


"xscreensaver-command -lock"

For some reason, xbindkeysrc is no longer sourced automatically (I noticed it in jessie May 7, 2014). To enable this feature again, do the following:

echo xbindkeys_autostart > /etc/X11/Xsession.d/98xbindkeys

If the default sound card is not the one you want, try:

alsactl store 0

The microphone is muted by default, and it may be tricky to enable it:

  • open alsamixer
  • choose
  • scroll to Capture
  • toggle to Capture LR via spacetab

Add the following lines to /etc/X11/xorg.conf.d/10-synaptics.conf to configure the trackpad:

Section "InputClass"
  Identifier "touchpad catchall"
  Driver "synaptics"
  MatchIsTouchpad "on"
  MatchDevicePath "/dev/input/event*"
  Option "TapButton1" "1"
  Option "TapButton2" "2"
  Option "TapButton3" "3"
  Option "VertTwoFingerScroll" "on"
  Option "HorizTwoFingerScroll" "on"
  Option "HorizHysteresis" "50"
  Option "VertHysteresis" "50"
  Option "PalmDetect" "1"
  Option "PalmMinWidth" "5"
  Option "PalmMinZ" "40"
EndSection

LEDs can be controlled by manipulating /proc/acpi/ibm/led. The following LEDs seem to be supported:

number  description
0       power (inside)
7       sleep (lid)
12      ?

To enable the fingerprint reader, install the fprintd package and run:

fprintd-enroll username

Edit /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy and change:




in the net.reactivated.fprint.device.enroll and net.reactivated.fprint.device.verify sections.

Adding these lines to /etc/modprobe.d/blacklist.conf used to disable beeps, but I still have them:

blacklist pcspkr
blacklist snd-pcsp

To enable/disable a second monitor or beamer I made the following aliases:

alias beamer_on="xrandr --output DP1 --auto --right-of LVDS1; pkill -n --signal SIGUSR1 wmaker"
alias beamer_off="xrandr --output DP1 --off"

SSD optimisations

Use a RAM disk instead of the SSD for the tmp folder by editing /etc/default/tmpfs:


To reduce the number of writes to the SSD, edit /etc/udev/rules.d/60-schedulers.rules:

# Handle the scheduler choice according to the type of disk detected

# system default : set cfq scheduler for rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="cfq"

# SSD specific : set deadline scheduler for non-rotating disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"

To minimise the swap usage, edit /etc/sysctl.conf:

# Minimize swap use

Enable TRIM:

  • Add the discard option to /etc/crypttab.
  • Set issue_discards = 1 in /etc/lvm/lvm.conf.
  • Add the following script in /etc/cron.weekly.

Battery life

Disable unused wireless interfaces by editing /etc/rc.local:

rfkill block wwan
rfkill block bluetooth

Low battery warning

I made a small script that issues a warning when the battery is low and does a hybrid hibernation if the battery is critically low.

Put this file in /etc/acpi/events/ and this script in /etc/acpi/.


I use Wicd as a network manager, which works fine. The only problem is that shutting down the wireless interface is a bit difficult. Routes are not removed, the interface stays up, etc.

Fix this by adding the following lines to /etc/network/interfaces:

iface wlan0 inet manual
  pre-up rfkill unblock wlan
  pre-up /etc/init.d/wicd start
  post-down dhclient -x
  post-down /etc/init.d/wicd stop
  post-down ifconfig wlan0 down
  post-down rfkill block wlan

Since Wicd starts the interface, we have to make sure ifup/ifdown knows this. We do this by adding the following line to /etc/rc.local:

echo wlan0=wlan0 >> /run/network/ifstate

I also didn't like the Wicd logo, so I used this one.


GPRS networking

To communicate with the WWAN modem, you need to connect to a serial device. This can be done with minicom, but also with screen, for example:

screen /dev/ttyACM1

To communicate with the GPRS modem, always use /dev/ttyACM1.

Select the network operator and provider. This is only needed when you change countries; the settings are stored.

AT+COPS=1,0,"NL KPN",2

Add a chat script that enables the network, /etc/chatscripts/gsm_on:

\d\d\dAT*ENAP=1,1 OK

And add one that disables the network, /etc/chatscripts/gsm_off:


The network device that is created when the modem is properly configured is usually named usb0. If you want to change it to a more descriptive name, like wwan0, edit /etc/udev/rules.d/70-persistent-net.rules and add the following lines (replace x:x:x:x:x:x with the MAC address):

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="x:x:x:x:x:x", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="usb*", NAME="wwan0"

To make the ifup and ifdown commands available for wwan0, add the following lines to /etc/network/interfaces:

iface wwan0 inet dhcp
  pre-up rfkill unblock wwan
  pre-up chat -f /etc/chatscripts/gsm_on < /dev/ttyACM1 > /dev/ttyACM1
  post-down chat -f /etc/chatscripts/gsm_off < /dev/ttyACM1 > /dev/ttyACM1
  post-down rfkill block wwan

If you use Lenovo mobile access, you can go here once you're connected to purchase a time pass.


Content of /etc/ppp/peers:

connect 'chat -f /etc/chatscripts/xs4all'
name <username>

Content of /etc/chatscripts/xs4all:

'' AT
OK ATDT*99***1#

Configuration of /etc/network/interfaces:

iface ppp0 inet ppp
  provider xs4all
  pre-up rfkill unblock wwan
  post-down kill -TERM `cat /var/run/`
  post-down rfkill block wwan


Send the following commands to /dev/ttyACM2:


Now, a stream of data will be shown. To decode it, open another terminal (CTRL-A c if you use screen) and run the following command:

cat /dev/ttyACM2 | gpsdecode


Don't forget to unblock the WWAN device when debugging:

rfkill unblock wwan

The following command will return the IMEI number:


Wicd and wwan

Wicd currently has no support for multiple wireless devices; there is, however, support for a wired device. We trick Wicd into using the wwan interface as a wired device as follows.

In the Preferences menu of the Wicd network manager, give ppp0 as a Wired interface. Select the Always show wired interface and deselect the Always switch to a wired connection when available check boxes.

Add the file /etc/wicd/scripts/preconnect/ppp0:



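#!/bin/bash
connection_type="$1"  # Wicd passes the connection type (wired/wireless) as the first argument

if [ "${connection_type}" == "wired" ]; then
  ifconfig wlan0 down
  rfkill block wlan
  ifup ppp0
fi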

And add the file /etc/wicd/scripts/postdisconnect/ppp0:



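#!/bin/bash
connection_type="$1"  # Wicd passes the connection type (wired/wireless) as the first argument

if [ "${connection_type}" == "wired" ]; then
  ifdown ppp0
  rfkill unblock wlan
  ifconfig wlan0 up
fi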

Make both files executable. Now connecting to the Wired Network will disable the wlan interface and enable the ppp interface.


It can be quite tricky to get the GPS devices working. I used a lot of documentation that may be helpful:

Most of what I described above, I got from this site. More or less the same information can be found here. More general information can be found here.

Information about operator selection can be found here.

Information on how to select the provider, I found here.

AT command references can be found here, here and here. A short list of useful commands can be found here. A thread about configuring a modem.

A list of Dutch APNs.


Third party software


Add the following line to /etc/apt/sources.list:

deb stable non-free

You then need to add the i386 architecture to install skype:

dpkg --add-architecture i386
apt-get update
apt-get install skype

Ozyman DNS

To install DNS tunnelling software (handy for airports):

tar -xzvf ozymandns_src_0.1.tgz
mv /usr/local/bin/
apt-get install libnet-dns-perl libmime-base32-perl tsocks


Configure a rudimentary firewall:

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables-save > /etc/iptables/rules.v4


Content of /etc/bacula/bacula-fd.conf:

Director {
  Name = media-dir
  Password = "password1"
}

Director {
  Name = media-mon
  Password = "password2"
  Monitor = yes
}

FileDaemon {                          # this is me
  Name = obscured-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  #FDAddress =
}

Messages {
  Name = Standard
  director = media-dir = all, !skipped, !restored
}

Content of /etc/bacula/bconsole.conf:

Director {
  Name = media-dir
  DIRport = 9101
  address = x.x.x.x
  Password = "password2"
}

Add the following rule to /etc/iptables/rules.v4:

-A INPUT -s y.y.y.y/32 -p tcp -m tcp --dport 9102 -j ACCEPT
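
A way to check the saved ruleset after applying the firewall commands and the Bacula rule above (an added example, not from the original page): it reads the default chain policies and lists every INPUT rule that opens a port, together with its source restriction. The function names and the sample file are constructed, with 192.0.2.10 standing in for y.y.y.y.

```shell
#!/bin/sh
# Added example: audit an iptables-save file such as /etc/iptables/rules.v4.
# Function names and the sample ruleset are constructed for illustration.

# Default policy of a built-in chain, read from its ":CHAIN POLICY [counters]" line.
chain_policy() {    # usage: chain_policy FILE CHAIN
    awk -v c=":$2" '$1 == c { print $2 }' "$1"
}

# INPUT rules that accept traffic to a port, printed as "proto/port source".
# A source of "any" marks a port that is reachable from every address.
open_ports() {      # usage: open_ports FILE
    awk '$1 == "-A" && $2 == "INPUT" {
        src = "any"; port = ""; proto = ""; accept = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (accept && port != "") print proto "/" port, src
    }' "$1"
}

# Constructed sample: the rules from this page as iptables-save would store them.
rules=$(mktemp)
cat > "$rules" << 'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 9102 -j ACCEPT
COMMIT
EOF

for chain in INPUT FORWARD OUTPUT; do
    echo "$chain policy: $(chain_policy "$rules" "$chain")"
done
echo "open ports:"
open_ports "$rules"
```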


I prefer the foreground of the terminal to be green. This can be done by editing /etc/X11/app-defaults/XTerm-color:

*VT100*foreground: green

Enable xscreensaver for all users by editing /etc/X11/Xsession.d/98xscreensaver:

xscreensaver -no-splash &

To make sure I can always use short names for a certain domain, I edited /etc/dhcp/dhclient.conf:

supersede domain-search "";

User settings

To clear the download list in Iceweasel:

about:config 0

To prevent caching to disk:

browser.cache.disk.enable false
browser.cache.memory.capacity 10000
browser.cache.offline.enable false

Sometimes I need to control a host named media from my laptop:

alias rmedia="ssh media x2x -east -to :0"

File /usr/share/dbus-1/services/org.freedesktop.Notifications.service needed for guake:

[D-BUS Service]


There's probably a better way of doing this, but to add Dutch spell correction:

cd /usr/share/vim/vim74/spell