I heard a lot about NixOS over the last couple of years. For example Why Puppet/Chef/Ansible aren’t good enough (and we can do better) or Binärgewitter Spezial #7: NixOS.
The basic concept of Nix(OS) made me curious. I’ve been working with Puppet as a configuration management tool at work for quite a while, and it is such an awesome tool! The idea of having package and configuration management as code directly integrated into your operating system sounded really interesting to me, so I wanted to give it a try.
Until very recently, I didn’t have a private laptop, only my work device with Ubuntu. Some weeks back I bought a Dell 9360 and I’m really happy with this device (small and powerful).
I don’t need Windows on this machine, so there is no need to keep it.
Full disk encryption is a must for me with regard to security!
i3 as window manager
At first we need an installation medium. I’m using the 64-bit minimal install CD, which is downloadable under NixOS Download.
After you have downloaded the image, it has to be copied to the USB stick (NOTE: this is going to destroy all data on the USB stick).
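-- Check for the USB stick device name
$ lsblk
-- Copy the image via dd
-- Source of the NixOS CD image ($HOME is used because ~ is not expanded inside quotes)
# IMAGE="$HOME/nixos-minimal-18.03.132268.5f16ba8fb0f-x86_64-linux.iso"
-- Destination: the USB stick device found via lsblk
# DEST="/dev/sdb"
# dd bs=1M if="$IMAGE" of="$DEST"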
Before the installation can start, some things must be configured inside UEFI.
To enter UEFI, press F2 at the beginning of the boot process (this is at least the case for Dell systems; for other systems ask the search engine of your choice).
UEFI: Settings → Secure Boot → Secure Boot Enable
UEFI: Settings → System Configuration → SATA Operation
Time to boot from the prepared USB stick. On my Dell machine you must press F12 during boot up to open the boot menu, where you then select the USB stick. This process can also differ from device to device.
From here on we’ll be in a root shell the whole time during the NixOS installation.
Yes, I’m German and used to the German keyboard layout, so I have to change it.
-- Load German layout
# loadkeys de
Having internet access during the NixOS installation is beneficial. If you plan anything more than a minimal system, you want internet access to install system packages.
Either you’re lazy and plug a network cable in, or you set up WiFi. Because the Dell 9360 has no Ethernet port, I had to do the latter.
-- Generates a PSK entry for authenticating against your WiFi network
wpa_passphrase "$SSID" "$PASSPHRASE" > /etc/wpa_supplicant.conf
-- Restarts WPA Supplicant, which enables the WiFi for us
systemctl restart wpa_supplicant
-- Test
ping nixos.org
64 bytes ....
Keep in mind this step is going to destroy all data on your disk.
UEFI devices require a GUID partition table (GPT), therefore we’ll be using gdisk instead of fdisk. If you’re installing on a non-UEFI system you can do the same job with fdisk.
-- Identify the disk for NixOs installation -- something like /dev/sda or /dev/nvme0n1
-- We'll refer to the disk as $DISK
# blkid
-- Open gdisk on the disk we want to install
# gdisk $DISK
-----------------
-- GDISK COMMANDS
-- Print all partitions on the disk
Command: p
-- Delete all partitions
-- Repeat until all partitions are gone
Command: d
Now we can create all partitions we need (or want):
EFI boot partition
-----------------
-- STILL IN GDISK
-- GDISK COMMANDS
-- Create EFI boot partition
Command: n
Partition number: 1
First sector: <use default value>
Last sector: +1G -- Make a 1 gigabyte big partition
Hex code or GUID: ef00 -- EFI System type
-- Create LVM partition
Command: n
Partition number: 2
First sector: <use default value>
Last sector: <use default value> -- Use all available diskspace
Hex code or GUID: 8e00 -- Linux LVM System type
-- Write changes to disk
Command: w
The partition table and primary partitions are in place. The partition which contains the LVM partitions can be encrypted now. This is the second partition which has been created above. It should be something like /dev/nvme0n1p2 or /dev/sda2; I’ll refer to it as $LVM_PARTITION below.
The boot partition isn’t encrypted because there is no need (at least for me) and it would make things too complex, but if you want, take a look at the Archlinux Wiki - Disk encryption.
In my case I’m creating a swap partition as big as the RAM of my machine (16GB, for hibernation, which hopefully works); the rest will become the root filesystem.
-- Enter your passphrase - DON'T FORGET THIS
# cryptsetup luksFormat $LVM_PARTITION
-- Open (decrypt) the encrypted partition and call it nixos-enc.
-- The decrypted partition will be available at /dev/mapper/nixos-enc
# cryptsetup luksOpen $LVM_PARTITION nixos-enc
-- Create the LVM physical volume using nixos-enc
# pvcreate /dev/mapper/nixos-enc
-- Create the LVM volume group which will contain root and swap partition
# vgcreate nixos-vg /dev/mapper/nixos-enc
-- Create a 16G swap partition - the amount of RAM on this machine
-- Volume is labeled "swap"
# lvcreate -L 16G -n swap nixos-vg
-- Create a logical volume for root filesystem from the remaining free space
-- Volume is labeled "root"
# lvcreate -l 100%FREE -n root nixos-vg
In this step all needed filesystems are going to be created.
In the script below, $BOOT refers to the boot partition created above (e.g. /dev/nvme0n1p1).
-- Create FAT32 filesystem on the boot partition
# mkfs.vfat -n boot $BOOT
-- Create ext4 filesystem for root partition
# mkfs.ext4 -L nixos /dev/nixos-vg/root
-- Create swap partition
# mkswap -L swap /dev/nixos-vg/swap
-- Turn the swap partition on
# swapon /dev/nixos-vg/swap
Time to mount the created filesystems, create the system configuration and finally start the installation.
In the snippet below, $BOOT refers to the UEFI boot partition created earlier (first partition on the disk, most likely /dev/nvme0n1p1 or /dev/sda1).
# mount /dev/nixos-vg/root /mnt
# mkdir /mnt/boot
# mount $BOOT /mnt/boot
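A way to confirm the layout before continuing, as an added example that is not part of the original post: the script walks `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports every mounted filesystem or active swap on the target disk that has no LUKS (`crypt`) layer beneath it, apart from the deliberately unencrypted boot partition. The sample JSON is constructed to match the layout above, and the function names are this example's own.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` for the layout
# built above: boot on partition 1, LUKS on partition 2, LVM inside LUKS.
GOOD = """{"blockdevices": [
 {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
  {"name": "nvme0n1p1", "type": "part", "mountpoint": "/mnt/boot"},
  {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
   {"name": "nixos-enc", "type": "crypt", "mountpoint": null, "children": [
    {"name": "nixos--vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
    {"name": "nixos--vg-root", "type": "lvm", "mountpoint": "/mnt"}]}]}]}]}"""

# Constructed counter-example: swap placed on a plain third partition, which
# would write hibernation images to disk in the clear.
BAD = """{"blockdevices": [
 {"name": "nvme0n1", "type": "disk", "mountpoints": [null], "children": [
  {"name": "nvme0n1p1", "type": "part", "mountpoints": ["/mnt/boot"]},
  {"name": "nvme0n1p3", "type": "part", "mountpoints": ["[SWAP]"]},
  {"name": "nvme0n1p2", "type": "part", "mountpoints": [null], "children": [
   {"name": "nixos-enc", "type": "crypt", "mountpoints": [null], "children": [
    {"name": "nixos--vg-root", "type": "lvm", "mountpoints": ["/mnt"]}]}]}]}]}"""


def mount_points(node):
    """Return a node's mount points (older lsblk: 'mountpoint', newer: 'mountpoints')."""
    points = node.get("mountpoints") or [node.get("mountpoint")]
    return [p for p in points if p]


def unencrypted_mounts(lsblk_json, disk, allowed=("/mnt/boot",)):
    """Return (device, mountpoint) pairs on `disk` that have no crypt layer below."""
    devices = json.loads(lsblk_json)["blockdevices"]
    roots = [d for d in devices if d["name"] == disk]
    if not roots:
        # An empty result must never be mistaken for "everything is encrypted".
        raise ValueError(f"disk {disk!r} not present in lsblk output")
    findings = []

    def walk(node, encrypted):
        # Everything stacked on top of a crypt mapping counts as encrypted.
        encrypted = encrypted or node.get("type") == "crypt"
        for point in mount_points(node):
            if not encrypted and point not in allowed:
                findings.append((node["name"], point))
        for child in node.get("children", []):
            walk(child, encrypted)

    walk(roots[0], False)
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, unencrypted_mounts(sample, "nvme0n1"))
```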
Generate the initial NixOS configuration.
# nixos-generate-config --root /mnt
The NixOS main configuration file is located under /etc/nixos/configuration.nix. The root filesystem has been mounted under /mnt/, so the file path (for the installation) is /mnt/etc/nixos/configuration.nix.
If there is an error in your configuration, the installation command will fail with an error message which helps you to identify and fix the problem. Keep calm: because of the way NixOS works you can reconfigure your system and always fall back to a known good configuration. So you don’t have to care too much about the perfect system configuration during installation. Start minimal and build on top of it!
Let’s start to configure our new system.
-- Vim - no comment on that :)
# vim /mnt/etc/nixos/configuration.nix
NixOS needs to know that we’re using UEFI (nixos-generate-config should do this automatically for new configurations when booted in UEFI mode).
# Use the systemd-boot EFI boot loader
boot.loader.systemd-boot.enable = true;
It’s key to tell NixOS that we have a LUKS encrypted partition that must be decrypted before the LVM partitions can be used.
boot.initrd.luks.devices = [
  {
    name = "root";
    device = "/dev/nvme0n1p2";
    preLVM = true;
  }
];
Set the keyboard layout to German and the default language to English.
# Select internationalisation properties
i18n = {
  consoleKeyMap = "de";
  defaultLocale = "en_US.UTF-8";
};
Set timezone to (my) local time zone
# Set your time zone
time.timeZone = "Europe/Berlin";
Manage your network devices in an easy way. I’m going to install the applet package as well.
networking.networkmanager.enable = true;
In addition to the basic configuration items, we may want to install some system packages, otherwise you will end up with a very basic system. Packages can be specified as additional configuration items. The networkmanagerapplet package is included to give us a tray icon to configure networking from.
As the comment in the configuration file tells you, you can search for packages to install with nix-env -qaP | grep $PACKAGE.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
  networkmanagerapplet
  vim
];
With the above configuration we would only get a basic NixOS terminal environment, which isn’t bad at all, but a little bit of graphics would be nice, wouldn’t it? The following configuration section will activate X11 with auto start. The window manager of choice is, in my case, i3, a tiling window manager which is highly configurable.
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "de";
services.xserver.windowManager.i3.enable = true;
services.xserver.autorun = true;
Enable touchpad support (Important for a laptop)
services.xserver.libinput.enable = true;
So, nearly finished. The last thing to be done is to configure your personal user, because it isn’t a good idea to work as root the whole time. In the example below a user called tuxinaut will be created and added to some groups, most importantly the wheel group, so that the user can run commands with sudo.
# Define a user account. Don't forget to set a password with passwd
users.extraUsers.tuxinaut = {
  createHome = true;
  extraGroups = ["wheel" "video" "audio" "disk" "networkmanager"];
  group = "users";
  isNormalUser = true;
  uid = 1000;
};
As you might have already seen, there is a lot of commented-out configuration in the auto-generated configuration.nix, and I encourage you to read through it and try out as much as possible! For everything which isn’t self-explanatory, the Search NixOS options site will help you.
When the configuration is fine, the installation can be started.
# nixos-install
-- It'll require you to change your root password - DON'T FORGET IT!
The installation process will take some time, enough time to go out and have some fresh air.
After the installation has been finished, cross fingers and reboot your new system.
# reboot
If something went wrong, don’t worry you can always boot back into the installation, mount the partitions, change your configuration, and install again.
Let’s assume that your system booted into a login screen. You want to set your user password to avoid logging into your graphical environment as root. To do this, press Ctrl-Alt-F1, which will open a terminal, and log in as root.
This command will change your user password; $USER has to be replaced with your configured user!
# passwd $USER
Reboot your system and login as your regular user.
# reboot
Enjoy your freshly installed NixOS.
Here are the references which I used to install NixOS on my system.
During my last work with AWS CloudFormation I spent hours debugging an Invalid value for the parameter Policy error which I couldn’t explain at all.
In the CloudFormation code I wrote, the following condition had been added, which looked completely fine but wasn’t.
Condition:
  ArnEquals:
    - SourceARN
During stack creation the Invalid value for the parameter Policy error appeared, and neither I nor the Internet had a precise answer for this kind of error.
After debugging section by section, some hours later the error was finally located! The SourceArn was added in the ArnEquals condition without the aws:SourceArn: prefix, so it was valid YAML but not valid CloudFormation code.
Condition:
  ArnEquals:
    - aws:SourceArn: !Sub
Even if you’re completely convinced that your CloudFormation code is correct and you have errors which you can’t explain, check again!
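One way to catch this class of mistake before stack creation, as an added example that is not part of the original post: a small lint over a parsed template that flags any condition operator whose entry lacks a `prefix:name` condition key, which is exactly the `SourceARN` defect above. The resource name `QueuePolicy`, the SQS policy around the condition and the `!Sub` value are constructed for illustration; the fixed sample keeps the list form the snippet above uses.

```python
import re

# Condition keys have the form prefix:name (aws:SourceArn, s3:prefix, ...).
# Intrinsic-function keys such as Fn::Sub or Ref must not match.
CONDITION_KEY = re.compile(r"^[A-Za-z0-9-]+:[^:\s]\S*$")


def statements(node, path="template"):
    """Yield (path, statement) for every policy Statement found in the tree."""
    if isinstance(node, dict):
        if "Statement" in node:
            found = node["Statement"]
            found = found if isinstance(found, list) else [found]
            for i, stmt in enumerate(found):
                yield f"{path}.Statement[{i}]", stmt
        for key, value in node.items():
            yield from statements(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from statements(value, f"{path}[{i}]")


def lint_conditions(template):
    """Return one message per condition entry that has no valid condition key."""
    problems = []
    for path, stmt in statements(template):
        condition = stmt.get("Condition", {}) if isinstance(stmt, dict) else {}
        if not isinstance(condition, dict):
            problems.append(f"{path}: Condition is not a mapping of operators")
            continue
        for operator, entries in condition.items():
            # The page writes the entry as a YAML list item, so check each item.
            for entry in entries if isinstance(entries, list) else [entries]:
                if not isinstance(entry, dict):
                    problems.append(
                        f"{path}: {operator} has value {entry!r} but no condition key")
                    continue
                for key in entry:
                    if not CONDITION_KEY.match(str(key)):
                        problems.append(
                            f"{path}: {operator} key {key!r} is not prefix:name")
    return problems


def queue_policy(arn_equals):
    """Constructed template (parsed form, trimmed to the policy document)."""
    return {"Resources": {"QueuePolicy": {
        "Type": "AWS::SQS::QueuePolicy",
        "Properties": {"PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": "sqs:SendMessage", "Resource": "*",
            "Condition": {"ArnEquals": arn_equals}}]}}}}}


# The broken and the corrected condition from the text; the ARN is constructed.
BROKEN = queue_policy(["SourceARN"])
FIXED = queue_policy([{"aws:SourceArn": {
    "Fn::Sub": "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:example-topic"}}])

if __name__ == "__main__":
    for name, template in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_conditions(template) or "ok")
```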
Some time ago I activated face recognition for Photo Station on our Synology DS212+ because I thought it would be a good idea, but it wasn’t. It is super slow (at least on the DS212+), imprecise, and caused high CPU load over days (weeks), so I decided to deactivate it. After deactivating it the CPU load was still high and I also saw the face recognition process in the process list. After searching around I found some hints in the direction of these file(s): synophoto_face.queue, synophoto_face.queue.tmp.
The face recognition process created queue files (synophoto_face.queue and synophoto_face.queue.tmp) which caused the processing of those photo files even if face recognition is disabled. The easiest solution to stop the face recognition process is to delete those queue files. Unfortunately I didn’t find a way to do that via the Web UI, so you have to do it via shell and SSH.
Make sure SSH access is active (Control Panel → Terminal & SNMP). By default only the admin user is able to log in via SSH.
ssh admin@my_nas
admin@my_nas: sudo -i
root@my_nas: rm -v -- /var/services/photo/\@eaDir/synophoto_face.*
After removing the files I restarted the NAS, just to be sure.
Also not fixed for the latest XenonHD roms.
Still not fixed under LineageOS 14.1 but luckily the fix is the same.
After updating to the last nightly I found out that you also must remove /system/vendor/firmware/libpn544_fw.so (or they moved the file; I was too fast with removing).
After upgrading my HTC m7 to Cyanogenmod 13 I discovered that NFC was not working. The NFC icon was touchable but nothing happened! I started to debug a little bit. Here are my findings.
Under Cyanogenmod 12.1 the NFC initialization looks like this. The NFC process is searching for some firmware but can’t find it and continues with the old NFC firmware.
tuxinaut@sm191:~$ adb logcat | grep -Ei "NFCJNI|firmware"
D/NFCJNI ( 2647): Start Initialization
E/NFC-HCI ( 2647): Could not open /vendor/firmware/libpn544_fw.so or /system/lib/libpn544_fw.so
W/NFC ( 2647): Firmware image not available: this device might be running old NFC firmware!
D/NFCJNI ( 2647): NFC capabilities: HAL = 8150100, FW = b10122, HW = 620003, Model = 11, HCI = 1, Full_FW = 1, Rev = 34, FW Update Info = 0
...
...
I/NFCJNI ( 2647): NFC Initialized
Under Cyanogenmod 13 the NFC initialization looks like this. No missing firmware, but some errors which cause NFC not to work.
tuxinaut@sm191:~$ adb logcat | grep -Ei "NFCJNI|firmware"
01-01 12:36:55.497 2721 2721 I NFCJNI : NFC Service: loading nxp JNI
01-01 12:36:55.911 2721 2945 D NfcService: checking on firmware download
01-01 12:36:55.938 2721 2945 D NFCJNI : Start Initialization
01-01 12:36:56.194 2721 2945 D NFCJNI : NFC capabilities: HAL = 8150100, FW = b10122, HW = 620003, Model = 11, HCI = 1, Full_FW = 1, Rev = 34, FW Update Info = 249
01-01 12:36:56.392 2721 2945 D NFCJNI : Download new Firmware
01-01 12:36:57.441 2721 2945 W NFCJNI : Firmware update FAILED
01-01 12:36:57.631 2721 2945 D NFCJNI : Download new Firmware
01-01 12:36:58.681 2721 2945 W NFCJNI : Firmware update FAILED
01-01 12:36:58.871 2721 2945 D NFCJNI : Download new Firmware
01-01 12:36:59.921 2721 2945 W NFCJNI : Firmware update FAILED
01-01 12:36:59.921 2721 2945 E NFCJNI : Unable to update firmware, giving up
01-01 12:36:59.971 2721 2945 D NFCJNI : Terminating client thread...
After comparing the logcat outputs I searched for the mentioned firmware file (libpn544_fw.so) and found the file under Cyanogenmod 13. So I removed this file and bingo, NFC works.
Install adb (under Ubuntu the package name is android-tools-adb)
sudo apt-get install android-tools-adb
Open an adb shell
adb shell
Execute following commands in the adb shell
# Become root
su
# Make system filesystem writeable
mount -o rw,remount /system
# Remove the firmware file
rm -f /system/vendor/lib/libpn544_fw.so
rm -f /system/vendor/firmware/libpn544_fw.so
After this restart the device. After the restart NFC works as expected.
During the last weeks I was wondering why the spell checking in the native Slack app (under Ubuntu 14.04) isn’t working at all. Finally I found some time to debug this issue.
After a short look into the logfile (/home/USERNAME/.config/Slack/logs/webapp-*.log) I saw the following.
2016-11-15T17:07:27.274Z - info: 4 words typed without spell checking invoked, redetecting language
2016-11-15T17:07:27.287Z - info: Attempting detection, string length: 23
2016-11-15T17:07:27.290Z - info: Failed to load dictionary: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by /usr/lib/slack/resources/app.asar.unpacked/node_modules/@paulcbetts/cld/build/Release/cld.node)
2016-11-15T17:07:27.296Z - info: 4 words typed without spell checking invoked, redetecting language
Funny to see that, because I thought this app is statically compiled and has no external dependencies ¯\_(ツ)_/¯
After searching around, the solution was relatively trivial. You have to add the Toolchain test builds PPA and install / upgrade libstdc++6.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install libstdc++6
After restarting the Slack app spell checking works as expected.
Yes, I admit it: I have a Windows 7 system running. It is only meant for gaming (when I get around to it). For several months I had been observing that the free space on the C: partition kept shrinking. OK, I thought, that’s just Windows, and explained it to myself with updates and temp files.
That is why I enlarged the C: partition twice, in the end to 50GB (which I found absurdly large even for Windows). Every time after enlarging it, the free space shrank again within days, which did strike me as odd.
First I wanted to know what takes up how much space on the C: partition. WinDirStat is wonderfully suited to showing graphically which folders and files use how much disk space.
It turned out relatively quickly that the following folder, at 22GB, was responsible.
c:\windows\logs\cbs\
A short search revealed that the content of the folder comes from the System File Checker (SFC) tool and can be deleted “safely” as long as the system runs without problems! Which is what I then did; so far I have not noticed any problems from it.
I have been trying for quite some time to get hibernation working on my Lenovo T440. Unfortunately I have not yet managed to get hibernation running stably. Then it occurred to me that I could update the BIOS; you never know whether that helps.
Of course the easy way exists only for Windows, but at least it is not made too hard to do the whole thing via USB stick.
Download the BIOS Update Bootable CD (current version, at the moment 2.36) for the T440/T440s
wget https://download.lenovo.com/pccbbs/mobiles/gjuj23us.iso
# Compare the MD5 sum
# in this case it should be 5a76509b23a0336cecc3ddb52db6b786
md5sum gjuj23us.iso
5a76509b23a0336cecc3ddb52db6b786 gjuj23us.iso
Install genisoimage if it is not already present.
sudo apt-get install genisoimage
Now extract the boot image and write the created image to a suitable USB stick via dd.
geteltorito -o bios.img gjuj23us.iso
dd if=bios.img of=/dev/sdb
If everything worked, you can now boot from the USB stick and apply the update. It should then look like in the picture.
This is very nicely described under How to Install Pandoc on Arch Linux, but what I was missing was the repo URL which has to be entered in /etc/pacman.conf.
[haskell-core]
Server = http://xsounds.org/~haskell/core/$arch
If you want to use Keepass2 plugins under Ubuntu 12.04 and the following error message appears:
The following plugin is incompatible with the current KeePass version: /usr/lib/keepass2/OtpKeyProv.plgx
This is because mono cannot compile the plugin. The remedy is to install the mono-complete package.
sudo apt-get install -y mono-complete
We want to document our VLANs using Racktables. We want to do this manually “for now”; Racktables provides a way for that as well.
Here is an excerpt from the corresponding wiki article Adding and removing 802.1Q ports offline
To turn the manual editor on, change the “List source: objects with extended 802.1Q sync” config option to RackCode matching the objects, which should have it on. For example, if you had such switches tagged with “manual 802.1Q”
WTF??? Where? How? What?
After a longer search I came across the option 8021Q_EXTSYNC_LISTSRC. It is not visible under the Interface preferences! I have not yet been able to clarify why this is so.
At least when the init-full-0.20.8.sql of the demo installation is used, the option is definitely not visible.
I decided to make the option visible by hand in the database. This can be achieved with the following command.
mysql -u root -p -e "UPDATE Config SET is_userdefined='yes' WHERE varname='8021Q_EXTSYNC_LISTSRC';" racktables
Now the value of the option 8021Q_EXTSYNC_LISTSRC can be set to {manual 802.1Q} under the Interface preferences. In addition, a tag with the same name (manual 802.1Q) must be created.
Now the tag manual 802.1Q plus a switch template must be assigned to the corresponding device. After that it is possible to add and remove ports manually under the 802.1Q sync tab.