Debian GNU/Linux

Notes. Links.

Encrypted Disk

Encryption of all disks (except /boot) during installation

Keyfile for dm-crypt on USB-Storage or SD-Card with initrd

Generate a random keyfile (e.g. dd if=/dev/random of=dmcrypt-key bs=4k count=1) and add that key to the key slots of your dm-crypt device (cryptsetup luksAddKey /dev/sda4 dmcrypt-key). Copy the keyfile («my-root-key») to a partition labelled «mykeydisk» on the USB stick or the SD card. Save/adjust the following files (the keyscript and the /etc/crypttab entry) and update the initrd image. Voilà.


#!/bin/sh
# keyscript for /etc/crypttab: the key is written to stdout, everything
# else is sent to stderr so it cannot end up in the key material

# load modules that we need
modprobe usb-storage 1>&2
modprobe scsi_mod 1>&2
modprobe sd_mod 1>&2
modprobe ext2 1>&2

# wait a bit for the USB stick / SD card to show up
sleep 5

# if we have the disk, mount it and deliver key, else fall back to
# manual passphrase input

if [ -h /dev/disk/by-label/mykeydisk ]; then
        mkdir /usb 1>&2
        mount /dev/disk/by-label/mykeydisk /usb 1>&2
        cat /usb/my-root-key
        umount /usb 1>&2
else
        # read the passphrase from the console (fd 2), without echo
        echo "Passphrase, please: " 1>&2
        stty </proc/self/fd/2 -echo
        read </proc/self/fd/2 -rs -t 10 key
        stty </proc/self/fd/2 echo
        # quoted: spaces or glob characters in the passphrase must survive
        printf '%s' "$key"
fi


# /etc/crypttab: key field is "none", the key is supplied by the keyscript
sda6_crypt /dev/sda6 none luks,keyscript=/root/cryptodisk/
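Before rebooting into this setup it pays to check that the pieces fit together, because a bad keyscript or a forgotten initrd update means a passphrase prompt at best and a lockout at worst. The script below is an added example, not part of the original notes; it takes a crypttab line and the keyfile path as arguments, the key-slot and initrd checks need root, and the crypttab line used in the comments is the constructed one from above.

```sh
#!/bin/sh
# Added example (not from the original notes): sanity-check a
# keyfile/keyscript setup for one /etc/crypttab entry before rebooting.

# Print the keyscript= option of one crypttab line; fails on a malformed
# line, prints nothing when the entry has no keyscript.
crypttab_keyscript() {
    set -- $1
    [ "$#" -ge 4 ] || return 1
    printf '%s\n' "$4" | tr ',' '\n' | sed -n 's/^keyscript=//p'
}

# Device (second field) of a crypttab line.
crypttab_device() {
    set -- $1
    [ "$#" -ge 2 ] || return 1
    printf '%s\n' "$2"
}

# True only if the keyfile exists and has no group/other permission bits.
keyfile_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm /077)" ]
}

# Full chain: keyscript executable, keyfile private, the LUKS header really
# accepts the keyfile, and the running kernel's initrd carries the keyscript.
check_crypt_entry() {
    entry=$1 keyfile=$2
    script=$(crypttab_keyscript "$entry") || { echo "malformed crypttab line" >&2; return 1; }
    dev=$(crypttab_device "$entry")
    [ -x "$script" ] || { echo "keyscript $script missing or not executable" >&2; return 1; }
    keyfile_private "$keyfile" || { echo "$keyfile must be mode 0600 (or 0400)" >&2; return 1; }
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev" \
        || { echo "$keyfile does not unlock $dev" >&2; return 1; }
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -qF "$(basename "$script")" \
        || { echo "keyscript not in initrd; run update-initramfs -u" >&2; return 1; }
    echo "ok: $dev unlocks with $keyfile via $script"
}

# Usage (as root): check-cryptkey.sh 'sda6_crypt /dev/sda6 none luks,keyscript=/root/cryptodisk/keyscript.sh' /root/dmcrypt-key
if [ "$#" -eq 2 ]; then
    check_crypt_entry "$1" "$2"
fi
```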


SVN repository (svnserve) per user for svn+ssh://

# move the real binary aside so the wrapper below can live at /usr/bin/svnserve
dpkg-divert --divert /usr/bin/svnserve.bin /usr/bin/svnserve


#!/bin/sh
# wrapper installed as /usr/bin/svnserve; the real binary was diverted to svnserve.bin
case "$USER" in
        svnuser) exec svnserve.bin -r /mnt/nibbler/d1/SVN "$@" ;;  # placeholder: the user who gets this repository root
        *)       exec svnserve.bin "$@" ;;
esac

md/lvm/dm stress

mdadm /dev/md0 --run
cryptsetup luksOpen /dev/md0 md0_crypt
vgchange -ay bender
mount ... /target
cp -rav /dev/mapper /target/dev

boot kubuntu.iso from memory stick

(in Grub 2)

loopback loop (hd1,1)/kubuntu.iso
linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=/kubuntu.iso noeject noprompt --
initrd (loop)/casper/initrd.lz


Stolen from:



          o Choose a sensible primary mirror
          o Ensure use of release codenames (e.g. "lenny") instead of synonyms
          o Confirm security mirror is enabled
          o Remove references to contrib and non-free

      Disable installation of Recommends:

      echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/90recommends


      Ensure we are up to date security-wise:

      apt-get update && apt-get dist-upgrade


      Set up and configure locales first to avoid annoying Perl warnings. Don't choose All locales; you almost certainly don't want that.

      apt-get install locales
      dpkg-reconfigure -plow locales


      Install some essential utilities:

      apt-get install vim-nox ntp openssh-server screen most tree bzip2 unzip moreutils dnsutils htop pwgen telnet manpages manpages-dev vrms acl gawk strace curl tcpdump



      Before we create any real users, we configure PAM to reject weak passwords. Custom banned passwords can be added to the dictionary by editing /usr/share/dict/cracklib and running update-cracklib.

      apt-get install libpam-cracklib
      sed -i -e 's|^password|# |' /etc/pam.d/common-password
      echo 'password required pam_cracklib.so retry=3 minlen=6 difok=3' >> /etc/pam.d/common-password
      echo 'password required pam_unix.so use_authtok nullok md5' >> /etc/pam.d/common-password


      Configure sudo. I prefer to create a new group instead of re-using adm as that is already used by logfiles.

      addgroup rootusers
      adduser myuser
      adduser myuser rootusers
      apt-get install sudo
      echo 'User_Alias ROOTUSERS  = %rootusers' >> /etc/sudoers
      echo 'ROOTUSERS, root     ALL=(ALL) ALL' >> /etc/sudoers
      # a syntax error here locks you out of sudo: check with visudo -c before logging out

Mail relay

Email remains the primary method of asynchronously informing the system administrator that their attention is required.

It is assumed that the machine will not handle your day-to-day email (or indeed accept any external mail) but will instead simply forward it elsewhere. We also assume a preference for Exim, but the configuration for Postfix is almost identical.


      First, install the mail packages:

      apt-get install exim4-daemon-light bsd-mailx
      dpkg-reconfigure exim4-config


      During the Exim configuration, choose Internet site and follow all the defaults, ensuring that you only listen on the local loopback address and that you are not relaying mail for any other domains.

      We then configure forwarding to another email address so we don't have to continually poll this machine for issues:

      echo 'root: you@example.com' >> /etc/aliases   # placeholder: your real off-machine address


      Finally, we test mail delivery:

      echo "Test 1 from $(hostname)" | mail root -s "Test 1 from $(hostname)"

The d-i manual has some further advice on this, including the use of "smarthosts".


      Stop Emacs creating backup files everywhere:

      mkdir -p /etc/emacs/site-start.d
      echo '(setq backup-inhibited t)' > /etc/emacs/site-start.d/10no-backup.el


      Configure Munin:

      apt-get install munin-node
      echo 'allow ^10\.0\.0\.1$' >> /etc/munin/munin-node.conf   # placeholder: the munin master's IP, escaped as a regex
      /etc/init.d/munin-node restart

      For baroque network configurations, you can generate the regular expression line with this script.

      Configure molly-guard, a tool for preventing accidental shutdowns. As molly-guard cannot detect shutdowns initiated within a combination of GNU screen and SSH, we configure it to always query the hostname:

      apt-get install molly-guard
      echo "ALWAYS_QUERY_HOSTNAME=true" >> /etc/molly-guard/rc


      Monitor disk S.M.A.R.T. attributes:

      apt-get install hddtemp smartmontools
      sed -i 's|^#start_smartd=yes|start_smartd=yes|' /etc/default/smartmontools
      /etc/init.d/smartmontools start


      Set up backups - I'm quite partial to backupninja because it automates most of the tedious SSH configuration. I adjust the time of the backup to when I'm likely to be around to fix issues and cut down on email noise by not reporting successful backups:

      apt-get install backupninja hwinfo debconf-utils rdiff-backup
      sed -i -e 's|^when = everyday at 01:00|when = everyday at 9:30|' /etc/backupninja.conf
      sed -i -e 's|^reportsuccess = yes|reportsuccess = no|' /etc/backupninja.conf


          o In /etc/fstab, check noatime is enabled on all filesystems, and acl where needed.
          o Use tune2fs to adjust how much of the disk is reserved for the superuser - the default of 5% is excessive for large volumes.

      Reboot. You should be prompted by molly-guard before your computer restarts.