diff options
Diffstat (limited to 'docs/howtos')
-rw-r--r-- | docs/howtos/configuring_parabola.html | 784 | ||||
-rw-r--r-- | docs/howtos/encrypted_parabola.html | 112 |
2 files changed, 871 insertions, 25 deletions
diff --git a/docs/howtos/configuring_parabola.html b/docs/howtos/configuring_parabola.html new file mode 100644 index 0000000..56c5420 --- /dev/null +++ b/docs/howtos/configuring_parabola.html @@ -0,0 +1,784 @@ +<!DOCTYPE html> +<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + + <style type="text/css"> + body { + background:#fff; + color:#000; + font-family:sans-serif; + font-size:1em; + } + div.important { + background-color:#ccc; + } + </style> + + <title>Configuring Parabola (post-install)</title> +</head> + +<body> + <header> + <h1 id="pagetop">Configuring Parabola (post-install)</h1> + <aside>Or <a href="../index.html">back to main index</a></aside> + </header> + +<hr/> + + <h2>Table of Contents</h2> + <ul> + <li> + <a href="#pacman_configure">Configuring pacman</a> + <ul> + <li><a href="#pacman_update">Updating Parabola</a></li> + <li> + <a href="#pacman_maintain">Maintaining Parabola during system updates</a> + <ul> + <li><a href="#pacman_cacheclean">Clearing package cache after updating</a></li> + <li><a href="#pacman_commandequiv">Pacman command equivalents (compared to other package managers)</a></li> + </ul> + </li> + <li><a href="#yourfreedom">your-freedom</a></li> + </ul> + </li> + <li><a href="#useradd">Add a user account</a></li> + <li><a href="#systemd">System D</a></li> + <li><a href="#interesting_repos">Interesting repositories</a></li> + <li> + <a href="#network">Setup a network connection in Parabola</a> + <ul> + <li><a href="#network_hostname">Setting hostname</a></li> + <li><a href="#network_status">Network status</a></li> + <li><a href="#network_devicenames">Network interface names</a></li> + <li><a href="#network_setup">Network setup</a></li> + </ul> + </li> + <li><a href="#system_maintain">System maintenance</a> - important!</li> + <li> + <a href="#desktop">Configuring the desktop</a> + <ul> + <li><a href="#desktop_xorg">Install Xorg</a></li> + <li><a href="#desktop_kblayout">Xorg keyboard layout</a></li> + <li><a href="#desktop_lxde">Install LXDE</a></li> + <li><a href="#lxde_clock">LXDE - clock</a></li> + <li><a href="#lxde_font">LXDE - font</a></li> + <li><a href="#lxde_screenlock">LXDE - screenlock</a></li> + <li><a href="#lxde_automount">LXDE - automounting</a></li> + <li><a href="#lxde_suspend">LXDE - disable suspend</a></li> + <li><a href="#lxde_battery">LXDE - battery monitor</a></li> + <li><a href="#lxde_network">LXDE - network manager</a></li> + </ul> + </li> + </ul> + +<hr/> + + <p> + While not strictly related to the libreboot project, this guide + is intended to be useful for those interested in installing + Parabola on their libreboot machine. This is also beneficial because development + is now being done on Parabola, where Trisquel is no longer used by the maintainer + at the time of writing. + </p> + + <p> + It details configuration steps that I took after installing the base system, + as a follow up to <a href="encrypted_parabola.html">encrypted_parabola.html</a>. + This guide is likely to become obsolete at a later date (due to the volatile + 'rolling-release' model that Arch/Parabola both use), but attempts will be made to maintain it. + </p> + + <p> + <b> + This guide was valid on 2014-09-21. If you see any changes that should to be made at the present date, please get in touch + with the libreboot project! + </b> + </p> + + <p> + You do not necessarily have to follow this guide word-for-word; <i>parabola</i> is extremely flexible. + The aim here is to provide a common setup that most users will be happy with. While Parabola + can seem daunting at first glance (especially for new GNU/Linux users), with a simple guide it can provide + all of the same usability as Trisquel, without hiding any details from the user. + </p> + + <p> + Paradoxically, as you get more advanced Parabola can actually become <i>easier to use</i> + when you want to setup your machine in a special way compared to what most distributions provide. + You will find over time that other distributions tend to <i>get in your way</i>. + </p> + + <p> + <b> + This guide assumes that you already have Parabola installed. If you have not yet installed Parabola, + then <a href="encrypted_parabola.html">this guide</a> is highly recommended! + </b> + </p> + + <p> + A lot of the steps in this guide will refer to the Arch wiki. Arch is the upstream distribution that Parabola uses. + Most of this guide will also tell you to read wiki articles, other pages, manuals, and so on. In general it tries + to cherry pick the most useful information but nonetheless you are encouraged to learn as much as possible. + <b>It might take you a few days to fully install your system how you like, depending on how much you need to read. Patience is key, + especially for new users</b>. + </p> + + <p> + The Arch wiki will sometimes use bad language, such as calling the whole system Linux, using the term open-source (or closed-source), + and it will sometimes recommend the use of proprietary software. You need to be careful about this when reading anything on the + Arch wiki. + </p> + + <p> + Some of these steps require internet access. I'll go into networking later but for now, I just connected + my machine to a switch and did:<br/> + # <b>systemctl start dhcpcd.service</b><br/> + You can stop it later by running:<br/> + # <b>systemctl stop dhcpcd.service</b><br/> + For most people this should be enough, but if you don't have DHCP on your network then you should setup your network connection first:<br/> + <a href="#network">Setup network connection in Parabola</a> + </p> + +<hr/> + + <h2 id="pacman_configure">Configure pacman</h2> + <p> + pacman (<b>pac</b>kage <b>man</b>ager) is the name of the package management system in Arch, which Parabola + (as a deblobbed parallel effort) also uses. Like with 'apt-get' on debian-based systems like Trisquel, + this can be used to add/remove and update the software on your computer. + </p> + <p> + Based on <a href="https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman">https://wiki.parabolagnulinux.org/Installation_Guide#Configure_pacman</a> + and from reading <a href="https://wiki.archlinux.org/index.php/Pacman">https://wiki.archlinux.org/index.php/Pacman</a> (make sure to read and understand this, + it's very important) and + <a href="https://wiki.parabolagnulinux.org/Official_Repositories">https://wiki.parabolagnulinux.org/Official_Repositories</a> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="pacman_update">Updating Parabola</h3> + <p> + In the end, I didn't change my configuration for pacman. When you are updating, resync with the latest package names/versions:<br/> + # <b>pacman -Syy</b><br/> + (according to the wiki, -Syy is better than Sy because it refreshes the package list even if it appears to be up to date, + which can be useful when switching to another mirror).<br/> + Then, update the system:<br/> + # <b>pacman -Syu</b> + </p> + <p> + <b> + Before installing packages with 'pacman -S', always update first, using the notes above. + </b> + </p> + <p> + Keep an eye out on the output, or read it in /var/log/pacman.log. Sometimes, pacman will show messages + about maintenance steps that you will need to perform with certain files (typically configurations) + after the update. Also, you should check both the Parabola and Arch home pages to see if they mention any issues. + If a new kernel is installed, you should also update to be able to use it (the currently running kernel will + also be fine). It's generally good enough to update Parabola once every week, or maybe twice. As a + rolling release distribution, it's a good idea never to leave your install too outdated; update regularly. This + is simply because of the way the project works; old packages are deleted from the repositories quickly, once they are updated. + A system that hasn't been updated for quite a while will mean potentially more reading of previous posts through the website, + and more maintenance work. + </p> + <p> + The Arch forum can also be useful, if others have the same issue as you (if you encounter issues, that is). Parabola's + IRC channel (#parabola on freenode) can also help you. + </p> + <p> + Due to this and the volatile nature of Parabola/Arch, you should only update when you have at least a couple hours of spare time + in case of issues that need to be resolved. You should never update, for example, if you need your system for an important event, + like a presentation or sending an email to an important person before an allocated deadline, and so on. + </p> + <p> + Relax - packages are well-tested regularly when new updates are made to the repositories. Separate 'testing' repositories + exist for this exact reason. Despite what many people will tell you, Parabola is fairly stable and trouble-free, + so long as you are aware of how to check for issues, and are willing to spend some time fixing issues in + the rare event that they do occur. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="pacman_maintain">Maintaining Parabola</h3> + <p> + Parabola is a very simple distro, in the sense that you are in full control + and everything is made transparent to you. One consequence is + that you also need to know what you are doing, and what you have done before. In general, keeping notes (such as what I have done + with this page) can be very useful as a reference in the future (if you wanted to re-install it or install the distro + on another computer, for example). + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h4 id="pacman_cacheclean">Cleaning the package cache</h4> + <p> + <b> + The following is very important as you continue to use, update and maintain your Parabola system:<br/> + <a href="https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache">https://wiki.archlinux.org/index.php/Pacman#Cleaning_the_package_cache</a>. + Essentially, this guide talks about a directory that has to be cleaned once in a while, to prevent it from growing too big (it's a cache + of old package information, updated automatically when you do anything in pacman). + </b> + </p> + <p> + To clean out all old packages that are cached:<br/> + # <b>pacman -Sc</b> + </p> + <p> + The wiki cautions that this should be used with care. For example, since older packages are deleted from the repo, + if you encounter issues and want to revert back to an older package then it's useful to have the caches available. + Only do this if you are sure that you won't need it. + </p> + <p> + The wiki also mentions this method for removing everything from the cache, including currently installed packages that are cached:<br/> + # <b>pacman -Scc</b><br/> + This is inadvisable, since it means re-downloading the package again if you wanted to quickly re-install it. This should only be used + when disk space is at a premium. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h4 id="pacman_commandequiv">pacman command equivalents</h4> + <p> + The following table lists other distro package manager commands, and their equivalent in pacman:<br/> + <a href="https://wiki.archlinux.org/index.php/Pacman_Rosetta">https://wiki.archlinux.org/index.php/Pacman_Rosetta</a> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="yourfreedom">your-freedom</h3> + <p> + your-freedom is a package specific to Parabola, and it is installed by default. What it does is conflict with packages + from Arch that are known to be non-free (proprietary) software. When migrating from Arch (there is a guide on the Parabola + wiki for migrating - converting - an existing Arch system to a Parabola system), installing + your-freedom will also fail if these packages are installed, citing them as conflicts; the recommended solution + is then to delete the offending packages, and continue installing <i>your-freedom</i>. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + +<hr/> + + <h2 id="useradd">Add a user</h2> + <p> + Based on <a href="https://wiki.archlinux.org/index.php/Users_and_Groups">https://wiki.archlinux.org/index.php/Users_and_Groups</a>. + </p> + <p> + It is important (for security reasons) to create and use a non-root (non-admin) user account for every day use. The default 'root' account is intended + only for critical administrative work, since it has complete access to the entire operating system. + </p> + <p> + Read the entire document linked to above, and then continue. + </p> + <p> + Add your user:<br/> + # <b>useradd -m -G wheel -s /bin/bash <i>yourusername</i></b><br/> + Set a password:<br/> + # <b>passwd <i>yourusername</i></b> + </p> + + <p><a href="#pagetop">Back to top of page</a></p> + +<hr/> + + <h2 id="systemd">systemd</h2> + <p> + This is the name of the system used for managing services in Parabola. It is a good idea to become familiar with it. + Read <a href="https://wiki.archlinux.org/index.php/systemd">https://wiki.archlinux.org/index.php/systemd</a> + and <a href="https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage">https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage</a> + to gain a full understanding. <b>This is very important! Make sure to read them.</b> + </p> + <p> + An example of a 'service' could be a webserver (such as lighttpd), or sshd (openssh), dhcp, etc. There are countless others. + </p> + <p> + <a href="https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530">https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530</a> explains + the background behind the decision by Arch (Parabola's upstream supplier) to use systemd. + </p> + + <p> + The manpage should also help:<br/> + # <b>man systemd</b><br/> + The section on 'unit types' is especially useful. + </p> + + <p> + According to the wiki, systemd 'journal' keeps logs of a size up to 10% of the total size your / partition takes up. + on a 60GB root this would mean 6GB. That's not exactly practical, and can have performance implications later when the + log gets too big. Based on instructions from the wiki, I will reduce the total size of the journal to 50MiB (the wiki + recommends 50MiB). + </p> + <p> + Open /etc/systemd/journald.conf and find the line that says:<br/> + <i>#SystemMaxUse=</i><br/> + Change it to say:<br/> + <i>SystemMaxUse=50M</i> + </p> + <p> + The wiki also recommended a method for forwarding journal output to TTY 12 (accessible by pressing ctrl+alt+f12, + and you use ctrl+alt+[F1-F12] to switch between terminals). I decided not to enable it. + </p> + <p> + Restart journald:<br/> + # <b>systemctl restart systemd-journald</b> + </p> + + <p> + The wiki recommends that if the journal gets too large, you can also simply delete (rm -rf) everything inside /var/log/journald/* + but recommends backing it up. This shouldn't be necessary, since you already set the size limit above and systemd will automatically + start to delete older records when the journal size reaches it's limit (according to systemd developers). + </p> + + <p> + Finally, the wiki mentions 'temporary' files and the utility for managing them.<br/> + # <b>man systemd-tmpfiles</b><br/> + The command for 'clean' is:<br/> + # <b>systemd-tmpfiles --clean</b><br/> + According to the manpage, this <i>"cleans all files and directories with an age parameter"</i>. + According to the Arch wiki, this reads information in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ + to know what actions to perform. Therefore, it is a good idea to read what's stored in these locations + to get a better understanding. + </p> + <p> + I looked in /etc/tmpfiles.d/ and found that it was empty on my system. However, /usr/lib/tmpfiles.d/ contained some files. + The first one was etc.conf, containing information and a reference to this manpage:<br/> + # <b>man tmpfiles.d</b><br/> + Read that manpage, and then continue studying all of the files. + </p> + <p> + The systemd developers tell me that it usually isn't necessary to touch the systemd-tmpfiles utility manually at all. + </p> + + <p><a href="#pagetop">Back to top of page</a></p> + +<hr/> + + <h2 id="interesting_repos">Interesting repositories</h2> + <p> + Parabola wiki at <a href="https://wiki.parabolagnulinux.org/Repositories#kernels">https://wiki.parabolagnulinux.org/Repositories#kernels</a> + mentions about a repository called [kernels] for custom kernels that aren't in the default base. It might be worth looking into what is available + there, depending on your use case. + </p> + <p> + I enabled it on my system, to see what was in it. Edit /etc/pacman.conf and below the 'extra' section add:<br/> + <i> + [kernels]<br/> + Include = /etc/pacman.d/mirrorlist + </i> + </p> + <p> + Now sync with the repository:<br/> + # <b>pacman -Syy</b> + </p> + <p> + List all available packages in this repository:<br/> + # <b>pacman -Sl kernels</b> + </p> + <p> + In the end, I decided not to install anything from it but I kept the repository enabled regardless. + </p> + <p><a href="#pagetop">Back to top of page.</a></p> + +<hr/> + + <h2 id="network">Setup a network connection in Parabola</h2> + <p> + Read <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="network_hostname">Set the hostname</h3> + <p> + This should be the same as the hostname that you set in /etc/hostname when installing Parabola. You can also do it with systemd (do so now, if you like):<br/> + # <b>hostnamectl set-hostname <i>yourhostname</i></b><br/> + This writes the specified hostname to /etc/hostname. More information can be found in these manpages:<br/> + # <b>man hostname</b><br/> + # <b>info hostname</b><br/> + # <b>man hostnamectl</b> + </p> + <p> + Add the same hostname to /etc/hosts, on each line. Example:<br/> + <i> + 127.0.0.1 localhost.localdomain localhost <u>myhostname</u><br/> + ::1 localhost.localdomain localhost <u>myhostname</u> + </i> + </p> + <p> + You'll note that I set both lines; the 2nd line is for IPv6. More and more ISP's are providing this now (mine does) + so it's good to be forward-thinking here. + </p> + <p> + The <i>hostname</i> utility is part of the <i>inetutils</i> package and is in core/, installed by default (as part of <i>base</i>). + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="network_status">Network Status</h3> + <p> + According to the Arch wiki, <a href="https://wiki.archlinux.org/index.php/Udev">udev</a> should already detect the ethernet chipset + and load the driver for it automatically at boot time. You can check this in the <i>"Ethernet controller"</i> section + when running this command:<br/> + # <b>lspci -v</b> + </p> + <p> + Look at the remaining sections <i>'Kernel driver in use'</i> and <i>'Kernel modules'</i>. In my case it was as follows:<br/> + <i> + Kernel driver in use: e1000e<br/> + Kernel modules: e1000e + </i> + </p> + <p> + Check that the driver was loaded by issuing <i>dmesg | grep module_name</i>. In my case, I did:<br/> + # <b>dmesg | grep e1000e</b> + </p> + <h3 id="network_devicenames">Network device names</h3> + <p> + According to <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Device_names">https://wiki.archlinux.org/index.php/Configuring_Network#Device_names</a>, + it is important to note that the old interface names like eth0, wlan0, wwan0 and so on no longer apply. Instead, <i>systemd</i> + creates device names starting with en (for enternet), wl (for wifi) and ww (for wwan) with a fixed identifier that systemd automatically generates. + An example device name for your ethernet chipset would be <i>enp0s25</i>, where it is never supposed to change. + </p> + <p> + If you want to enable the old names (eth0, wlan0, wwan0, etc), the Arch wiki recommends + adding <i>net.ifnames=0</i> to your kernel parameters (in libreboot context, this would be accomplished by following the + instructions in <a href="grub_cbfs.html">grub_cbfs.html</a>). + </p> + <p> + For background information, + read <a href="http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/">Predictable Network Interface Names</a> + </p> + <p> + Show device names:<br/> + # <b>ls /sys/class/net</b> + </p> + <p> + Changing the device names is possible (I chose not to do it):<br/> + <a href="https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name">https://wiki.archlinux.org/index.php/Configuring_Network#Change_device_name</a> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="network_setup">Network setup</h3> + <p> + I actually chose to ignore most of Networking section on the wiki. Instead, I plan to setup LXDE desktop with the graphical + network-manager client. Here is a list of network managers:<br/> + <a href="https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers">https://wiki.archlinux.org/index.php/List_of_applications/Internet#Network_managers</a>. + If you need to, set a static IP address (temporarily) using the networking guide an the Arch wiki, or start the dhcpcd service in systemd. + NetworkManager will be setup later, after installing LXDE. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + +<hr/> + + <h2 id="system_maintain">System Maintenance</h2> + <p> + Read <a href="https://wiki.archlinux.org/index.php/System_maintenance">https://wiki.archlinux.org/index.php/System_maintenance</a> before continuing. + Also read <a href="https://wiki.archlinux.org/index.php/Enhance_system_stability">https://wiki.archlinux.org/index.php/Enhance_system_stability</a>. + <b>This is important, so make sure to read them!</b> + </p> + <p> + Install smartmontools (can be used to check smart data - note: HDD's use non-free firmware inside, it's transparent to you + but the smart data comes from it. Therefore, don't rely on it too much):<br/> + # <b>pacman -S smartmontools</b><br/> + Read <a href="https://wiki.archlinux.org/index.php/S.M.A.R.T.">https://wiki.archlinux.org/index.php/S.M.A.R.T.</a> to learn how to use it. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + +<hr/> + + <h2 id="desktop">Configuring the desktop</h2> + <p> + Based on steps from + <a href="https://wiki.archlinux.org/index.php/General_recommendations#Graphical_user_interface">General Recommendations</a> on the Arch wiki. + The plan is to use LXDE and LXDM/LightDM, along with everything else that you would expect on other distributions that provide LXDE + by default. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="desktop_xorg">Installing Xorg</h3> + <p> + Based on <a href="https://wiki.archlinux.org/index.php/Xorg">https://wiki.archlinux.org/index.php/Xorg</a>. + </p> + <p> + Firstly, install it!<br/> + # <b>pacman -S xorg-server</b><br/> + I also recommend installing this (contains lots of useful tools, including <i>xrandr</i>):<br/> + # <b>pacman -S xorg-server-utils</b> + </p> + <p> + Install the driver. For me this was <i>xf86-video-intel</i> on the ThinkPad X60. T60 and macbook11/21 should be the same.<br/> + # <b>pacman -S xf86-video-intel</b><br/> + For other systems you can try:<br/> + # <b>pacman -Ss xf86-video- | less</b><br/> + Combined with looking at your <i>lspci</i> output, you can determine which driver is needed. + By default, Xorg will revert to xf86-video-vesa which is a generic driver and doesn't provide true hardware acceleration. + </p> + <p> + Other drivers (not just video) can be found by looking at the <i>xorg-drivers</i> group:<br/> + # <b>pacman -Sg xorg-drivers</b><br/> + </p> + <p> + Mostly you will rely on a display manager, but in case you ever want to start X without one:<br/> + # <b>pacman -S xorg-xinit</b> + </p> + <p> + <optional><br/> + Arch wiki recommends installing these, for testing that X works:<br/> + # <b>pacman -S xorg-twm xorg-xclock xterm</b><br/> + Refer to <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. + and test X:<br/> + # <b>startx</b><br/> + When you are satisfied, type <b><i>exit</i></b> in xterm, inside the X session.<br/> + Uninstall them (clutter. eww): # <b>pacman -S xorg-xinit xorg-twm xorg-xclock xterm</b><br/> + </optional> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="desktop_kblayout">Xorg keyboard layout</h3> + <p> + Refer to <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg</a>. + </p> + <p> + Xorg uses a different configuration method for keyboard layouts, so you will notice that the layout you + set in /etc/vconsole.conf earlier might not actually be the same in X. + </p> + <p> + To see what layout you currently use, try this on a terminal emulator in X:<br/> + # <b>setxkbmap -print -verbose 10</b> + </p> + <p> + In my case, I wanted to use the Dvorak (UK) keyboard which is quite different from Xorg's default Qwerty (US) layout. + </p> + <p> + I'll just say it now: <i>XkbModel</i> can be <i>pc105</i> in this case (ThinkPad X60, with a 105-key UK keyboard). + If you use an American keyboard (typically 104 keys) you will want to use <i>pc104</i>. + </p> + <p> + <i>XkbLayout</i> in my case would be <i>gb</i>, and <i>XkbVariant</i> would be <i>dvorak</i>. + </p> + <p> + The Arch wiki recommends two different methods for setting the keyboard layout:<br/> + <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_X_configuration_files</a> and<br/> + <a href="https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl">https://wiki.archlinux.org/index.php/Keyboard_configuration_in_Xorg#Using_localectl</a>. + </p> + <p> + In my case, I chose to use the <i>configuration file</i> method:<br/> + Create the file /etc/X11/xorg.conf.d/10-keyboard.conf and put this inside:<br/> + <i> + Section "InputClass"<br/> + Identifier "system-keyboard"<br/> + MatchIsKeyboard "on"<br/> + Option "XkbLayout" "gb"<br/> + Option "XkbModel" "pc105"<br/> + Option "XkbVariant" "dvorak"<br/> + EndSection + </i> + </p> + <p> + For you, the steps above may differ if you have a different layout. If you use a US Qwerty keyboard, then + you don't even need to do anything (though it might help, for the sake of being explicit). + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="desktop_lxde">Install LXDE</h3> + <p> + Desktop choice isn't that important to me, so for simplicity I decided to use LXDE. It's lightweight + and does everything that I need. + If you would like to try something different, refer to + <a href="https://wiki.archlinux.org/index.php/Desktop_environment">https://wiki.archlinux.org/index.php/Desktop_environment</a> + </p> + <p> + Refer to <a href="https://wiki.archlinux.org/index.php/LXDE">https://wiki.archlinux.org/index.php/LXDE</a>. + </p> + <p> + Install it, choosing 'all' when asked for the default package list:<br/> + # <b>pacman -S lxde obconf</b> + </p> + <p> + I didn't want the following, so I removed them:<br/> + # <b>pacman -R lxmusic lxtask</b> + </p> + <p> + I also lazily installed all fonts:<br/> + # <b>pacman -S $(pacman -Ssq ttf-)</b> + </p> + <p> + LXDE comes with a terminal. You probably want a browser to go with that; I choose GNU IceCat, part of the <i><a href="https://gnu.org/">GNU project</a></i>:<br/> + # <b>pacman -S icecat</b><br/> + And a mail client:<br/> + # <b>pacman -S icedove</b> + </p> + <p> + In IceCat, go to <i>Preferences :: Advanced</i> and disable <i>GNU IceCat Health Report</i>. + </p> + <p> + I also like to install these:<br/> + # <b>pacman -S xsensors stress htop</b> + </p> + <p> + Enable LXDM (the default display manager, providing a graphical login):<br/> + # <b>systemctl enable lxdm.service</b><br/> + It will start when you boot up the machine. To start it now, do:<br/> + # <b>systemctl start lxdm.service</b> + </p> + <p> + Log in with your standard (non-root) user that you created earlier. + It is advisable to also create an xinitrc rule in case you ever want to start lxde without lxdm. + Read <a href="https://wiki.archlinux.org/index.php/Xinitrc">https://wiki.archlinux.org/index.php/Xinitrc</a>. + </p> + <p> + Open LXterminal:<br/> + $ <b>cp /etc/skel/.xinitrc ~</b><br/> + Open .xinitrc and add the following plus a line break at the bottom of the file.<br/> + <i> + # Probably not needed. The same locale info that we set before<br/> + # Based on advice from the LXDE wiki + export LC_ALL=en_GB.UTF-8<br/> + export LANGUAGE=en_GB.UTF-8<br/> + export LANG=en_GB.UTF-8<br/> + <br/> + # Start lxde desktop<br/> + exec startlxde<br/> + </i> + Now make sure that it is executable:<br/> + $ <b>chmod +x .xinitrc</b> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="lxde_clock">LXDE - clock</h3> + <p> + In <b>Digital Clock Settings</b> (right click the clock) I set the Clock Format to <i>%Y/%m/%d %H:%M:%S</i> + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="lxde_font">LXDE - font</h3> + <p> + NOTE TO SELF: come back to this later. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="lxde_screenlock">LXDE - screenlock</h3> + <p> + Arch wiki recommends to use <i>xscreensaver</i>:<br/> + # <b>pacman -S xscreensaver</b> + </p> + <p> + Under <i>Preferences :: Screensaver</i> in the LXDE menu, I chose <i>Mode: Blank Screen Only</i>, + setting <i>Blank After</i>, <i>Cycle After</i> and <i>Lock Screen After</i> (checked) to 10 minutes. + </p> + <p> + You can now lock the screen with <i>Logout :: Lock Screen</i> in the LXDE menu. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + + <h3 id="lxde_automount">LXDE - automounting</h3> + <p> + Refer to <a href="https://wiki.archlinux.org/index.php/File_manager_functionality">https://wiki.archlinux.org/index.php/File_manager_functionality</a>. + </p> + <p> + I chose to ignore this for now. NOTE TO SELF: come back to this later. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="lxde_suspend">LXDE - disable suspend</h3> + <p> + When closing the laptop lid, the machine suspends. This is annoying at least to me. + NOTE TO SELF: disable it, then document the steps here. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="lxde_battery">LXDE - battery monitor</h3> + <p> + Right click lxde panel and <i>Add/Remove Panel Items</i>. Click <i>Add</i> and select <i>Battery Monitor</i>, then click <i>Add</i>. + Close and then right-click the applet and go to <i>Battery Monitor Settings</i>, check the box that says <i>Show Extended Information</i>. + Now click <i>Close</i>. When you hover the cursor over it, it'll show information about the battery. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + <h3 id="lxde_network">LXDE - Network Manager</h3> + <p> + Refer to <a href="https://wiki.archlinux.org/index.php/LXDE#Network_Management">https://wiki.archlinux.org/index.php/LXDE#Network_Management</a>. + Then I read: <a href="https://wiki.archlinux.org/index.php/NetworkManager">https://wiki.archlinux.org/index.php/NetworkManager</a>. + </p> + <p> + Install Network Manager:<br/> + # <b>pacman -S networkmanager</b> + </p> + <p> + You will also want the graphical applet:<br/> + # <b>pacman -S network-manager-applet</b><br/> + Arch wiki says that an autostart rule will be written at <i>/etc/xdg/autostart/nm-applet.desktop</i> + </p> + <p> + I want to be able to use a VPN at some point, so the wiki tells me to do:<br/> + # <b>pacman -S networkmanager-openvpn</b> + </p> + <p> + LXDE uses openbox, so I refer to:<br/> + <a href="https://wiki.archlinux.org/index.php/NetworkManager#Openbox">https://wiki.archlinux.org/index.php/NetworkManager#Openbox</a>. + </p> + <p> + It tells me for the applet I need:<br/> + # <b>pacman -S xfce4-notifyd gnome-icon-theme</b><br/> + Also, for storing authentication details (wifi) I need:<br/> + # <b>pacman -S gnome-keyring</b> + </p> + <p> + I wanted to quickly enable networkmanager:<br/> + # <b>systemctl stop dhcpcd</b><br/> + # <b>systemctl start NetworkManager</b><br/> + Enable NetworkManager at boot time:<br/> + # <b>systemctl enable NetworkManager</b> + </p> + <p> + Restart LXDE (log out, and then log back in). + </p> + <p> + I added the volume control applet to the panel (right click panel, and add a new applet). + I also later changed the icons to use the gnome icon theme, in <i>lxappearance</i>. + </p> + <p> + <a href="#pagetop">Back to top of page.</a> + </p> + +<hr/> + + <p> + Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> + This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. + A copy of the license can be found at <a href="../license.txt">../license.txt</a>. + </p> + + <p> + This document is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See <a href="../license.txt">../license.txt</a> for more information. + </p> + +</body> +</html> diff --git a/docs/howtos/encrypted_parabola.html b/docs/howtos/encrypted_parabola.html index b7f2359..c7a9210 100644 --- a/docs/howtos/encrypted_parabola.html +++ b/docs/howtos/encrypted_parabola.html @@ -35,6 +35,10 @@ </p> <p> + For this guide I used the 2013 09 01 image to boot the live installer and install the system. + </p> + + <p> Parabola is much more flexible than Trisquel, but also more involved to setup. Use Parabola. It's 10 million times better than Trisquel. </p> @@ -45,17 +49,42 @@ </p> <p> + <b>If you are using an SSD for this, make sure it's brand-new (or barely used). Or, otherwise, be sure that it never previously + contained plaintext copies of your data.</b> + </p> + + <p> Wipe the MBR (if you use MBR):<br/> # <b>lsblk</b><br/> Your HDD is probably /dev/sda: - # <b>dd if=/dev/zero of=/dev/sda bs=446 count=1</b><br/> + # <b>dd if=/dev/zero of=/dev/sda bs=446 count=1; sync</b><br/> Never use SeaBIOS! The MBR section can easily be changed with malicious code, which SeaBIOS will blindly execute. This guide is for libreboot with GRUB-as-payload only. </p> <p> Securely wipe the drive:<br/> - # <b>dd if=/dev/urandom of=/dev/sda</b> + # <b>dd if=/dev/urandom of=/dev/sda; sync</b><br/> + NOTE: If you have an SSD, only do this the first time. If it was already LUKS-encrypted before, + use the info below to wipe the LUKS header. Also, check online for your SSD what the recommended + erase block size is. For example if it was 2MiB:<br/> + # <b>dd if=/dev/urandom of=/dev/sda bs=2M; sync</b> + </p> + <p> + If your drive was already LUKS encrypted (maybe you are re-installing your distro) then + it is already 'wiped'. You should just wipe the LUKS header. + <a href="https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/">https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/</a> + showed me how to do this. It recommends to do the first 3MiB. Now, that guide is recommending putting zero there. I'm doing to use urandom. Do this:<br/> + # <b>head -c 3145728 /dev/urandom > /dev/sda; sync</b><br/> + (wiping the LUKS header is important, since it has hashed passphrases and so on. It's 'secure', but 'potentially' a risk). + </p> + <p> + <b> + If you do plan to use an SSD, make sure to read + <a href="https://wiki.archlinux.org/index.php/Solid_State_Drives">https://wiki.archlinux.org/index.php/Solid_State_Drives</a><br/> + Edit /etc/fstab later on when chrooted into your install. Also, read the whole article and keep all points in mind, adapting + them for this guide. + </b> </p> <p> @@ -197,30 +226,43 @@ Otherwise, refer to <a href="https://wiki.archlinux.org/index.php/Configuring_Network">https://wiki.archlinux.org/index.php/Configuring_Network</a>. You can test to see if internet is already working by pinging a few domains. </p> + <p> - The following is based on 'Verification of package signatures' in the Parabola install guide. Check there first to see if steps differ by now. - Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/> - # <b>pacman -Sy parabola-keyring</b><br/> - It says that you you get GPG errors, it's probably an expired key so do:<br/> - # <b>pacman-key --populate parabola</b><br/> - # <b>pacman-key --refresh-keys</b><br/> - # <b>pacman -Sy parabola-keyring</b><br/> - To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/> - Also, it says that if the clock is set incorrectly then you have to manually set the correct time (if keys are listed as expired because of it):<br/> - # <b>date MMDDhhmm[[CC]YY][.ss]</b> + I commented out all lines except the Server line for the UK Parabola server (main server) in <b>/etc/pacman.d/mirrorlist</b> and then did:<br/> + # <b>pacman -Syy</b><br/> + # <b>pacman -Syu</b><br/> + # <b>pacman -Sy pacman</b> (and then I did the other 2 steps above, again)<br/> + In my case I did the steps in the next paragraph, and followed the steps in this paragraph again. + </p> + <p> + <troubleshooting><br/> + The following is based on 'Verification of package signatures' in the Parabola install guide.<br/> + Check there first to see if steps differ by now.<br/> + Now you have to update the default Parabola keyring. This is used for signing and verifying packages:<br/> + # <b>pacman -Sy parabola-keyring</b><br/> + It says that you you get GPG errors, it's probably an expired key so do:<br/> + # <b>pacman-key --populate parabola</b><br/> + # <b>pacman-key --refresh-keys</b><br/> + # <b>pacman -Sy parabola-keyring</b><br/> + To be honest, you should do the above anyway. Parabola has a lot of maintainers, and a lot of keys. Really!<br/> + Also, it says that if the clock is set incorrectly then you have to manually set the correct time <br/> + (if keys are listed as expired because of it):<br/> + # <b>date MMDDhhmm[[CC]YY][.ss]</b><br/> + I also had to install:<br/> + # <b>pacman -S archlinux-keyring</b><br/> + # <b>pacman-key --populate archlinux</b><br/> + In my case I saw some conflicting files reported in pacman, stopping me from using it.<br/> + I deleted the files that it mentioned + and then it worked. Specifically, I had this error:<br/> + <i>licenses: /usr/share/licenses/common/MPS exists in filesystem</i><br/> + I rm -rf'd the file and then pacman worked. I'm told that the following would have also made it work:<br/> + # <b>pacman -Sf licenses</b><br/> + </troubleshooting><br/> + </p> + <p> + I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:<br/> + # <b>pacstrap /mnt base base-devel wpa_supplicant dialog</b> </p> - - <h3>Install the base system</h3> - <p> - I commented out all lines except the Server line for the UK Parabola server (main server) in <b>/etc/pacman.d/mirrorlist</b> and then did:<br/> - # <b>pacman -Syu</b><br/> - I also had to upgrade pacman and then do the above again:<br/> - # <b>pacman -Sy pacman</b> - </p> - <p> - I also like to install other packages (base-devel, compilers and so on) and wpa_supplicant/dialog are needed for wireless after the install:<br/> - # <b>pacstrap /mnt base base-devel wpa_supplicant dialog</b> - </p> <h3>Configure the system</h3> <p> @@ -345,7 +387,7 @@ Or just delete it. Above it, put:<br/> <i>auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</i><br/> To unlock a user manually (if a password attempt is failed 3 times), do:<br/> - # <b>pam_tally --user --reset</b> + # <b>pam_tally --user <i>theusername</i> --reset</b> What the above configuration does is lock the user out for 10 minutes, if they make 3 failed login attempts. </p> <p> @@ -418,6 +460,10 @@ </p> <p> + Personally, I opted to have the entry for linux-libre-grsec at the top, so that it would load by default. + </p> + + <p> Above the 'Load Operating System' menu entry you should also add a GRUB password, like so: </p> <pre><b><i>set superusers="root" @@ -469,6 +515,12 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97 # <b>pacman -S dmidecode</b> </p> + <p> + When done, deleted GRUB (remember, we only needed it for the <i>grub-mkpasswd-pbkdf2</i> utility; + GRUB is already part of libreboot, flashed alongside it as a <i>payload</i>):<br/> + # <b>pacman -R grub</b> + </p> + <hr/> <p> @@ -487,6 +539,16 @@ password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB97 <hr/> + <h2>Follow-up tutorial: configuring Parabola</h2> + <p> + <a href="configuring_parabola.html">configuring_parabola.html</a> shows my own notes post-installation. Using these, you can get a basic + system similar to the one that I chose for myself. You can also cherry pick useful notes and come up with your own system. + Parabola is user-centric, which means that you are in control. For more information, read <a href="https://wiki.archlinux.org/index.php/The_Arch_Way">The Arch Way</a> + (Parabola also follows it). + </p> + +<hr/> + <p> Copyright © 2014 Francis Rowe <info@gluglug.org.uk><br/> This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. |