Linux Cross Configuration

2021-06-17

(last time edited: 2021-10-17)

tags: linux, sysadmin

When I set up a new server or home station, I always find it incredibly tedious to configure distributions manually. Even though Linux and open source software follow certain standards, cross configuration can sometimes be annoying. Thankfully, distributions that don't rely on systemd are easier to set up.

Anyways. Here is the list of interesting stuff I always set in most of my setups.

Polkit

First install Polkit.

Then add your user to the wheel group.

# usermod -aG wheel your_username

Log out and log back in to your session to make the group changes take effect.

Now create custom rules as root. To see all possible polkit actions, run:

$ pkaction

This rule usually already comes by default. If it's not found, add it manually in a separate file.

polkit.addAdminRules(function(action, subject) {
    return ["unix-group:wheel"];
});

Add this one as well.

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        if (action.id.match("org.freedesktop.login1.reboot") || action.id.match("org.freedesktop.login1.power-off") || action.id.match("org.freedesktop.login1.suspend")) {
            return polkit.Result.YES;
        }
    }
});

Also don't forget to start the elogind service in OpenRC or Runit.
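The wheel rule above tests action ids with match(), which treats its string argument as an unanchored regular expression. The following added example (not part of the original post; it runs under Node.js with small constructed stand-ins for the polkit and subject objects) lists which login1 actions the rule grants, next to a variant that compares whole ids. The -multiple-sessions and -ignore-inhibit ids are the ones logind uses when other users are logged in or an inhibitor is active.

```javascript
// Stand-ins for what polkitd provides to a rules file (constructed for this example).
const polkit = { Result: { YES: "yes" } };
const wheelUser = { isInGroup: (group) => group === "wheel" };

// The rule body as written on the page. String.prototype.match() compiles its
// string argument into an unanchored regular expression, so each test is a
// "contains" check in which "." matches any character.
function pageRule(action, subject) {
  if (subject.isInGroup("wheel")) {
    if (action.id.match("org.freedesktop.login1.reboot") ||
        action.id.match("org.freedesktop.login1.power-off") ||
        action.id.match("org.freedesktop.login1.suspend")) {
      return polkit.Result.YES;
    }
  }
}

// Variant that compares whole action ids (assumes only these three are wanted).
const EXACT = new Set([
  "org.freedesktop.login1.reboot",
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.suspend",
]);
function exactRule(action, subject) {
  if (subject.isInGroup("wheel") && EXACT.has(action.id)) {
    return polkit.Result.YES;
  }
}

// login1 action ids to evaluate; compare against `pkaction` on your own system.
const ACTIONS = ["reboot", "power-off", "suspend", "hibernate"].flatMap((verb) =>
  ["", "-multiple-sessions", "-ignore-inhibit"].map(
    (suffix) => "org.freedesktop.login1." + verb + suffix));

// Return the action ids for which a rule answers YES for the given subject.
function granted(rule, subject) {
  return ACTIONS.filter((id) => rule({ id }, subject) === polkit.Result.YES);
}

console.log("page rule :", granted(pageRule, wheelUser));
console.log("exact rule:", granted(exactRule, wheelUser));
```

The page rule answers YES for nine ids, the exact variant for three; pick whichever matches what wheel members should be allowed to do.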

Backlight

RUN+="/bin/chgrp video /sys/class/backlight/intel_backlight/brightness"
RUN+="/bin/chmod g+w /sys/class/backlight/intel_backlight/brightness"

Samba

The configuration file should be like this.

daemon_list="smbd"
smbd_options="-D -s /path/to/smb.conf"

The procedure is similar in other process supervisors such as Runit.

User Creation and Groups

# useradd -u 1111 -s /bin/mksh -c "computer owner" USERNAME

or

# adduser -u 1111 -s /bin/mksh -g "computer owner" USERNAME

Add the main user to these groups using usermod.

wheel (for sudo or elogind privileges)
video
input
audio
kvm
wireshark

opllogin
sambagroup

# usermod -aG video,input,audio,kvm,wireshark,opllogin,sambagroup USERNAME

SSH

AllowUsers *@192.168.1.0/24
PermitRootLogin yes
X11Forwarding yes
Port 22

PasswordAuthentication no
PermitEmptyPasswords no

PubkeyAuthentication yes

ChallengeResponseAuthentication no

PermitRootLogin prohibit-password

PubkeyAcceptedKeyTypes ssh-ed25519

X11Forwarding no

UseDNS no
SyslogFacility AUTH
LogLevel DEBUG
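sshd_config(5) states that, unless noted otherwise, the first value obtained for a keyword is the one used. The listing above contains PermitRootLogin and X11Forwarding twice, so this added example (not part of the original post; it runs under Node.js and assumes all directives sit in one file in the order shown, with no Match blocks) resolves the effective values and reports the lines sshd would ignore.

```javascript
// Keywords that sshd accumulates across lines instead of "first value wins"
// (a deliberately short, non-exhaustive list for this example).
const MULTI = new Set(["port", "listenaddress", "hostkey", "allowusers",
  "denyusers", "allowgroups", "denygroups", "acceptenv"]);

// Resolve the global section of an sshd_config: for each keyword,
// the first obtained value is kept and later duplicates are recorded.
function effectiveSshdConfig(text) {
  const effective = new Map(); // keyword -> { value, line }
  const shadowed = [];         // later duplicates that sshd ignores
  const lines = text.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = line.match(/^(\S+)\s+(.*)$/);
    if (!m) continue;
    const key = m[1].toLowerCase(); // keywords are case-insensitive
    if (key === "match") break;     // conditional blocks are out of scope here
    if (MULTI.has(key)) continue;
    if (effective.has(key)) {
      shadowed.push({ line: i + 1, keyword: m[1], ignored: m[2],
        used: effective.get(key).value });
    } else {
      effective.set(key, { value: m[2], line: i + 1 });
    }
  }
  return { effective, shadowed };
}

// The SSH listing from this page, assumed to live in one file in this order.
const PAGE_CONFIG = [
  "AllowUsers *@192.168.1.0/24", "PermitRootLogin yes", "X11Forwarding yes",
  "Port 22", "PasswordAuthentication no", "PermitEmptyPasswords no",
  "PubkeyAuthentication yes", "ChallengeResponseAuthentication no",
  "PermitRootLogin prohibit-password", "PubkeyAcceptedKeyTypes ssh-ed25519",
  "X11Forwarding no", "UseDNS no", "SyslogFacility AUTH", "LogLevel DEBUG",
].join("\n");

const report = effectiveSshdConfig(PAGE_CONFIG);
for (const s of report.shadowed) {
  console.log(`line ${s.line}: "${s.keyword} ${s.ignored}" is ignored, "${s.used}" is used`);
}
```

On a live system, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check.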

Xorg

Section "InputClass"
    Identifier "keyboard"
    Option "XkbLayout" "latam"
EndSection
Section "InputClass"
    Identifier "mouse"
    Driver "libinput"
    Option "AccelProfile" "flat"
EndSection
Section "Extensions"
    Option "DPMS" "Disable"
EndSection
Section "ServerFlags"
    Option "DontVTSwitch" "True"
    Option "DontZap" "True"
EndSection
Section "Device"
    Identifier "gfx"
    Driver "nouveau"
    Option "GLXVBlank" "true"
EndSection
Section "Device"
    Identifier "some card"
    Driver "amdgpu"
    Option "TearFree" "true"
EndSection

The same can be achieved without touching Xorg configuration files, by using xrandr as a normal user.

$ xrandr --output $OUTPUT --set TearFree on

Check for any settings override in the following path: /usr/share/X11/xorg.conf.d. It's better to configure Xorg settings via a simple /etc/X11/xorg.conf.d/xorg.conf custom personal file.

needs_root_rights = no

Blacklisted Modules

blacklist snd-pcsp
blacklist pcspkr

Enabled Modules

#...

snd_seq

#...

Activate Kernel Mode Setting (KMS) (Alpine Linux only)

Enable the KMS module for your graphics card (in my case a newer Radeon card, amdgpu). KMS lets the kernel handle all the graphical processing via that module rather than letting the X server do the job in userspace. Adding the framebuffer console fbcon module is optional.

# echo amdgpu >> /etc/modules

Add kms to /etc/mkinitfs/mkinitfs.conf features. Regenerate the initramfs.

# mkinitfs

The same goes for NVIDIA cards, where you shall use the open source Nouveau drivers. Please don't use Nouveau at all.

# echo nouveau >> /etc/modules

# mkinitfs

Kernel Command Line

radeon.audio=1
net.ifnames=0 biosdevname=0
cgroup_no_v1=all
# rd.luks.uuid pointing to crypto_LUKS UUID
# root pointing to LV UUID
rd.luks.uuid=UUID=d1290dm1209dm120d9m12 root=UUID=dasdj9102jd1209djm120d 
# cryptroot pointing to crypto_LUKS UUID
# root pointing to LV UUID
cryptroot=UUID=d192dm129d012 root=UUID=d1902md1920md1920dm12

If using GRUB, regenerate the configuration file after committing changes.

# grub-mkconfig -o /boot/grub/grub.cfg

Hosts

127.0.0.0 flasktest.local
127.0.0.0 static.flasktest.local

10.0.0.2 pwnagotchi.local

Nameservers

nameserver IP_OF_LOCAL_DNS_SERVER_RUNNING_DNSMASQ_DNSCRYPT

Intel Turbo

KERNEL=="cpu", RUN+="/bin/sh -c 'echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo'"

GRUB

GRUB_DISTRIBUTOR=loonix
GRUB_TIMEOUT=0
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=true
GRUB_PRELOAD_MODULES="luks lvm cryptodisk part_gpt"

Regenerate the configuration file after committing changes.

# grub-mkconfig -o /boot/grub/grub.cfg

SYSLINUX

# MENU AUTOBOOT System will be booted automatically in # seconds.
MENU AUTOBOOT

No need to regenerate a configuration file after committing changes. SYSLINUX is simpler than GRUB.

Dracut

install_items+=" /root/device.key /etc/crypttab "

Mirrors

# repository="https://mirrors.servercentral.com/voidlinux/current/musl"

repository="https://ftp.lysator.liu.se/pub/voidlinux/current/musl"

or for stable releases

https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community

for edge releases (not recommended)

https://dl-cdn.alpinelinux.org/alpine/edge/main
https://dl-cdn.alpinelinux.org/alpine/edge/community

for more packages

https://dl-cdn.alpinelinux.org/alpine/edge/testing

Hostname

enterahostname

In Alpine Linux it's better to set up the hostname by executing as root:

# setup-hostname

Suspend (Works in Void Linux)

#!/bin/sh

for DEVICE in $(cut -f 1 /proc/acpi/wakeup); do

    if [ "$(grep "$DEVICE" /proc/acpi/wakeup | grep -o enabled)" = enabled ]; then
        echo "$DEVICE" > /proc/acpi/wakeup
    fi

done

echo "SLPB" > /proc/acpi/wakeup
echo "EXPB" > /proc/acpi/wakeup

LUKS Autounlocking (Works in Alpine Linux)

# target is just whatever name you wanna pick, it's not referring to the mountpoint name
# the UUID should be the crypto_LUKS device.

target=home
source=UUID=v12930vmer21093vm10923m0v1923

It is necessary to run certain services at the boot runlevel.

# rc-update add lvm boot

# rc-update add dmcrypt boot

And fstab should be populated with the LVM mapped device pointing at the desired mountpoint. (/etc/fstab)

UUID=dm1902md120dm129dm102dd12do /home ext4 defaults 0 0
UUID=dasdm9102md9012md1902dd2kdm /mnt/somedir ext4 defaults 0 0

Xorg Autologin (Works in Void Linux)

GETTY_ARGS="--autologin your_username --noclear"

#!/bin/bash

# ...

# put this at the end
if [ "$USER" != "root" ] && [ -z "$DISPLAY" ]; then
    startx
fi

Xorg Autologin (Works in Alpine Linux)

Install the util-linux package, otherwise it won't work. We depend on /sbin/agetty.

agetty_options="-a yourusername"

# ln -s /etc/init.d/agetty /etc/init.d/agetty.tty1

#!/bin/bash

# ...
# ...
# ...

# put this at the end
if [ "$USER" != "root" ] && [ -z "$DISPLAY" ]; then
    startx
fi

# rc-update add agetty.tty1 default && rc-service agetty.tty1 start

Crypttab (Works in Void Linux)

# otherencrypteddisk UUID="1f93040fm12f12-f23f21fn2309nf" none luks
encrypteddisk UUID="d9012d912mdmdapd1-d12d9120dm12m" /root/device.key luks

Rc.local (Works in Void Linux)

ip link set dev eth0 up
ip address add 192.168.1.1XX/255.255.255.0 dev eth0
ip route add default via 192.168.1.1 dev eth0

Rc.conf

HOSTNAME=void
TIMEZONE=America/Argentina/Salta
KEYMAP=la-latin1
CGROUP_MODE=unified
rc_cgroup_mode="unified"
rc_controller_cgroups="YES"

Subuid and Subgid

# Give every UID/GID from 1000 to 65535 its own block of 65536 subordinate IDs.
# Run as root; both files are overwritten.
for path in ("/etc/subuid", "/etc/subgid"):
    with open(path, "w") as f:
        for uid in range(1000, 65536):
            f.write("%d:%d:65536\n" % (uid, uid * 65536))

Packages

linux-firmware-none (only in alpine linux to get rid of firmware packages)
linux-firmware-amdgpu or linux-firmware-radeon or linux-firmware-nvidia (it depends)
linux-lts

busybox
busybox-extras (for telnet)

gcompat

lvm2
cryptsetup
multipath-tools (for kpartx)
grub
(grub-x86_64-efi in void) (grub-efi in alpine)
wireless-tools wpa_supplicant (they get installed once setup-interfaces is run)
linux-firmware-other (for wifi rt2870.bin firmware)
mpg123
htop
gnupg
efibootmgr
lynx
file
util-linux
grep
procps
mksh
tmux
irssi
net-tools
lsof
xz
unzip
p7zip
dpkg
usbutils
pciutils
rsync
samba
curl
git
sc
nmap
tcpdump 
iproute2
alsa-utils
(bind-utils in void) (bind-tools in alpine)
(lm_sensors in void) (lm-sensors in alpine)
jack jack-dbus jack-example-clients

Found in Alpine Community Packages:
smartmontools
evtest
miniupnpc
(pipewire in void) (pipewire pipewire-pulse pipewire-jack in alpine)
aircrack-ng
elogind polkit
sfeed
stow
fzf
pamixer
linuxconsoletools
inxi
ffmpeg
mutt
pass-otp
simple-mtpfs libmtp-examples
exiv2
cabextract
innoextract
rtorrent
youtube-dl
podman podman-compose crun
flatpak xdg-desktop-portal-gtk dbus-x11
pngquant
pulsemixer
pulseaudio-utils
(ImageMagick in void) (imagemagick in alpine)
qemu qemu-system-x86_64 qemu-img qemu-ui-gtk
linux-headers

pkgconf (for guis)

make gcc

go

nodejs
npm
lua5.3
ruby ruby-irb
moz78

python3
python3-dev

libffi-dev openssl-dev (needed for twine compiling)

# for pygame>=2.0.1 compiling
# dependencies: SDL, FONT, FONTSDL_ttf.h IMAGE, MIXER, PNG, JPEG, SCRAP, PORTMIDI, PORTTIME, FREETYPE
sdl2-dev (alpine community repo)
sdl2_mixer-dev (alpine community repo)
sdl2_image-dev (alpine community repo)
sdl2_ttf-dev (alpine community repo)
libjpeg-turbo-dev
portmidi-dev (alpine community repo)

(php in void) (php8 in alpine community repo)
(php-sqlite in void) (php8-sqlite3 php8-pdo_sqlite in alpine community repo)

Alpine Community Repo:

luarocks5.3
love
python3-tkinter
composer
tokei
shellcheck

gtk4.0-dev
mesa mesa-gl mesa-gles mesa-egl mesa-glapi mesa-vulkan-layers

####
mesa-dri-ati or mesa-dri-nouveau or mesa-dri-intel
mesa-vulkan-intel or mesa-vulkan-ati
####

###
xf86-video-ati (for old cards) or xf86-video-amdgpu (for newer cards) or xf86-video-nouveau or xf86-video-intel
###

ttf-dejavu
font-noto-cjk

Alpine Community Packages:
nload
bmon
iftop
speedtest-cli

arandr
(xorg-minimal in void) (xorg-server in alpine community repo)
xf86-input-libinput
adwaita-icon-theme
xkill
xrandr
xdpyinfo
xset
xclip
xev
xprop
xmessage
openbox
dmenu
tint2
jgmenu
st
sxhkd
feh
scrot
linux-firmware-none
linux-lts

openssh
mksh
umurmur
goaccess
nginx
rsync
python3
dnsmasq
iproute2
tcpdump
(apache-htpasswd in void) (apache2-utils in alpine)

Alpine Community Packages:
lego
shadow shadow-uidmap
podman podman-compose
stagit
dnscrypt-proxy
php8-fpm
(php-sqlite in void) (php8-pdo_sqlite in alpine)

bmon
nload
iftop

Alpine Edge Testing Packages:
pounce
alpine
nginx
python

Services

In Desktop:

chrony (default) (setup-ntp) (to auto sync time) (necessary)
openssh (default) (setup-sshd)

elogind (boot) (necessary for pipewire, jack, etc) (do not add it in default runlevel)

dmcrypt (boot) (necessary)
lvm (boot) (necessary)

crond (removed from default runlevel)

In Server:

openssh (default) (setup-sshd)

pounce (vps) (optional) + calico (needed/wanted on-demand)

nginx (vps) (optional)
umurmur (vps) (optional)

dnscrypt-proxy (local)
dnsmasq (local)

crond (removed from default runlevel)