This page explains how to set up my friend Maurice's laptop.
For context, see my talk at BSDcan 2019 (slides, video).
Disable SecureBoot and set the time to UTC.
Copy install65.fs to a USB boot stick.
Plug AC power (left hand side) and Matedock (right hand side) into laptop.
Insert USB boot stick into laptop or MateDock (any USB format).
Power on laptop and press F12 to enter boot selection menu. Boot from USB stick.
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? s
Prepare system disk:
fdisk -i -y -g -b 960 sd0
disklabel -E sd0
> D
> a
partition: [a]
offset: [1024]
size: [500117105]
FS type: [4.2BSD]: RAID
> w
> q
Insert key disk into laptop or Matedock:
sd2 at scsibus3 targ 1 lun 0: <...> SCSI4 0/direct removable serial ...
Prepare key disk:
# cd /dev/
# sh MAKEDEV sd2
# fdisk -i -y sd2
# disklabel -E sd2
> a
partition: [a]
offset: [64]
size: [30298526] 1M
FS type: [4.2BSD] RAID
> w
> q
Create softraid crypto disk:
# bioctl -cC -Cforce -l /dev/sd0a -k /dev/sd2a softraid0
sd3 at scsibus2 targ 1 lun 0:SCSI2 0/direct fixed
sd: 244197MB 512 bytes/sector, 500116577 sectors
softraid0: CRYPTO volume attached as sd3
See also faq14.html#softraid
Exit the shell:
# exit
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall, (S)hell? i
Follow faq4.html#Install; the following items need special consideration:
The installer offers to create a non-root user. This user can be used for remote administration. The user account for Maurice will be created later.
Skip network configuration:
Which network interface do you wish to configure? (or 'done') [iwm0] done
Don't enable xenodm:
Do you want the X Window System to be started by xenodm(8)? [no] no
Use crypto volume as root disk:
Which disk is the root disk? ('?' for details) [sd0] sd3
Use MBR on the crypto volume:
Use (W)hole disk MBR, whole disk (G)PT, or (E)dit? [gpt] w
Accepting the default partition layout should be fine unless you have special needs (and you know what you're doing ;)
Install sets from the boot disk (should be sd1):
Location of sets? (disk http or 'done') [http] disk
Is the disk partition already mounted? [yes] no
Which disk contains the install media? (or 'done'): sd1
Which sd1 partition has the install sets? (or 'done'): [a]
Pathname to the sets? (or 'done'): [6.5/amd64]
Directory does not contain SHA256.sig. Continue without verification? [no] y
When the installation has completed, reboot the laptop.
Log in as root.
Create a backup image of the key disk:
# dd bs=8192 skip=1 if=/dev/rsd2a of=/root/backup-keydisk.img
# chmod 400 /root/backup-keydisk.img
# gzip /root/backup-keydisk.img
Copy the backup image to a safe place outside the laptop.
We need firmware for the iwm(4) wifi driver. On another machine, download iwm-firmware, e.g. iwm-firmware-0.20170105.tgz and put it on a USB stick. Plug this USB stick into Matedock, then mount the partition which contains the firmware file and install iwm firmware:
# mount -o ro /dev/sd1i /mnt
# fw_update -p /mnt iwm
iwm-firmware-0.2017105: ok
# umount /mnt
Configure wifi networks by editing /etc/hostname.iwm0:
lladdr random
join greatstay wpakey greatstay
join ""
dhcp
See faq6.html#Wireless for details.
Enable unwind(8) for captive portal support:
rcctl enable unwind
rcctl start unwind
echo "prepend domain-name-servers 127.0.0.1;" >> /etc/dhclient.conf
Start wifi:
sh /etc/netstart iwm0
Now that we're online, run fw_update again to install remaining missing firmware files:
# fw_update
inteldrm-firmware-20181218: ok
intel-firmware-20180807p0v0: ok
uvideo-firmware-v1.2p2: ok
vmm-firwmare-1.11.0p1: ok
Enable apmd for more battery life and suspend/resume:
# rcctl enable apmd
# rcctl set apmd flags -A
# rcctl start apmd
Add a new user account for the desktop:
# adduser maurice
# pkg_add gnome firefox thunderbird textsuggest ffmpeg toad vlc
Gnome needs higher resource limits than the defaults. Edit /etc/login.conf to add the following lines:
gnome:\
	:datasize-cur=1024M:\
	:tc=default:
Set the user account's login class to 'gnome':
# usermod -L gnome maurice
# rcctl enable multicast messagebus avahi_daemon gdm
Edit /etc/gdm/custom.conf, and add these lines to the '[daemon]' section:
TimedLoginEnable=True
TimedLogin=maurice
TimedLoginDelay=5
Reboot and wait for gnome to start up.
Disable screen lock in Gnome Settings: Privacy → Screen lock → Off
Add textsuggest-server as a startup application in Gnome Tweaks under Startup Applications → +; Choose "TextSuggest Server"
In Gnome Settings, add a shortcut for textsuggest under 'Devices' → 'Keyboard' (scroll to the bottom of shortcut list and click +).
Name: textsuggest
Command: textsuggest --auto-selection=end
Shortcut: Insert (F12 key on Matebook X)
Configure toad for auto-mount of removable disk drives. Toad works out of the box once hotplugd is running:
rcctl enable hotplugd
rcctl start hotplugd
echo xinput --set-button-map /dev/wsmouse0 1 1 3 4 5 6 7 >> /home/maurice/.profile
Edit file /etc/gdm/PreSession/Default and append the lines:
if [ -c /dev/video0 ]; then
	/sbin/chown $USER /dev/video0
fi
Edit file /etc/gdm/PostSession/Default and add these lines before 'exit 0':
if [ -c /dev/video0 ]; then
	/sbin/chown root /dev/video0
	/bin/chmod 600 /dev/video0
fi
The Matebook X has an illuminance sensor which can be used to control display brightness automatically. Setting display brightness to an optimal low level saves a lot of battery, and this is most effective when done automatically.
We can poll the sensor and set display brightness with a simple shell script:
#!/bin/sh
# Poll the illuminance sensor every 10 seconds and map the reading
# to a display brightness level.
brightness=100
cur=100
while sleep 10; do
	# Keep only the integer part of the sensor reading.
	illum=`sysctl -n hw.sensors.acpials0.illuminance0 | cut -d. -f1`
	# The last threshold that matches wins.
	[ $illum -gt 0 ] && brightness=5
	[ $illum -gt 10 ] && brightness=10
	[ $illum -gt 20 ] && brightness=15
	[ $illum -gt 80 ] && brightness=20
	[ $illum -gt 200 ] && brightness=30
	[ $illum -gt 400 ] && brightness=40
	[ $illum -gt 600 ] && brightness=60
	[ $illum -gt 800 ] && brightness=80
	[ $illum -gt 1000 ] && brightness=100
	# Only call wsconsctl when the target level has changed.
	if [ $brightness -ne $cur ]; then
		/sbin/wsconsctl -n display.brightness=$brightness
		cur=$brightness
	fi
done
Save the above script as /root/bin/backlight.sh.
Create the file /etc/rc.local with this line to start the script on boot:
/root/bin/backlight.sh &
Create the file /etc/mixerctl.conf with the content:
outputs.master=250
record.volume=250
record.adc-0:1_source=mic
The last line makes the internal microphone work.
Needed only in 6.5 release, no longer needed in 6.6
When the Matebook X battery is completely discharged, the BIOS clock resets to the first of January 2016. To fix this automatically when it happens, disable ntpd constraints and enable the -s flag for ntpd:
Edit the file /etc/ntpd.conf and remove this line:
constraints from "https://www.google.com"
rcctl set ntpd flags -s
In Firefox, go to about:config and double-click the configuration option layers.acceleration.force-enable so that it gets set to true.
HTML5 audio/video should be working out of the box because the ffmpeg package was installed alongside the firefox package.
pkg_add deja-dup
Open the 'Backups' Gnome application and schedule a regular backup of the home folder to a folder on a nextcloud server.
To help Maurice remotely if there is a problem with the machine, we need SSH access to the laptop. We want a setup where such access can be granted by Maurice on demand by clicking a button, and which works regardless of whether the laptop is sitting in a network with NAT.
Log into maurice's user account and create an ssh key:
ssh-keygen
Do not set a passphrase.
Pick a dedicated SSH jump host with a public IP address. Add a regular user on this machine which may authenticate with the above SSH key.
Test login manually:
ssh maurice@ssh.example.com
On the laptop, configure ssh to set up a reverse-tunnel to the laptop's SSH server:
Host jumphost
	Hostname ssh.example.com
	RemoteForward 2222 127.0.0.1:22
Create a .desktop file in ~/.local/share/applications which opens an SSH connection to the jump host:
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=True
Exec=gnome-terminal -- ssh jumphost
Name=Allow Remote Administration
Comment=Allow remote administration
Icon=utilities-terminal-symbolic
Categories=Application;System
While Maurice is logged into the ssh jump host, other users logged into the jump host may in turn connect to the laptop with:
ssh -p 2222 127.0.0.1
On the jumphost, put a message like this into /etc/motd:
Welcome to remote administration! Please close this window when administration is done.
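Because the key has no passphrase, it is worth limiting the jump host account to the one reverse forward it needs. The following is an added example, not part of the original page: a check over the effective sshd settings for that account. The Match block, the function name and both sample dumps are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. audit_jump_account and both
# sample dumps are constructed for illustration.
#
# Assumed hardening in the jump host's sshd_config, so that the
# passphrase-less key can do no more than open the reverse tunnel:
#   Match User maurice
#       AllowTcpForwarding remote
#       PermitListen 2222
#       GatewayPorts no
#       AllowAgentForwarding no
#       X11Forwarding no
#
# audit_jump_account PORT: read the effective settings for the account
# (output of: sshd -T -C user=maurice) on stdin, print every setting wider
# than the tunnel needs, and return the number of findings.
audit_jump_account() {
    awk -v port="$1" '
        function bad() { print "too wide: " $0; n++ }
        $1 == "allowtcpforwarding"   && $2 != "remote" { bad() }
        $1 == "gatewayports"         && $2 != "no"     { bad() }
        $1 == "allowagentforwarding" && $2 != "no"     { bad() }
        $1 == "x11forwarding"        && $2 != "no"     { bad() }
        $1 == "permitlisten" {
            # ssh asks for listen host "localhost" when RemoteForward
            # names only a port, so accept PORT or localhost:PORT.
            for (i = 2; i <= NF; i++)
                if ($i != port && $i != "localhost:" port) { bad(); break }
        }
        END { exit n + 0 }'
}

# Constructed sample: an account with no Match block.
SAMPLE_OPEN='allowtcpforwarding yes
gatewayports no
allowagentforwarding yes
x11forwarding no
permitlisten any'

# Constructed sample: the same account with the Match block above.
SAMPLE_TIGHT='allowtcpforwarding remote
gatewayports no
allowagentforwarding no
x11forwarding no
permitlisten 2222'

printf '%s\n' "$SAMPLE_OPEN" | audit_jump_account 2222 || true
```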
To restore a key disk to 'sd1', do the following (all data on the key disk drive will be lost):
# fdisk -iy sd1
# disklabel -E sd1
> D
> a
partition: [a]
offset: [64]
size: [60050906] 1M
FS type: [4.2BSD] RAID
> w
> q
# dd bs=8192 seek=1 if=/root/backup-keydisk.img of=/dev/rsd1a
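The key disk backup and restore steps on this page, written as shell functions with a verification step, so the round trip can be rehearsed on regular files before it is needed. This is an added example, not part of the original page, and the function names are made up for it. Since gzip leaves the image as /root/backup-keydisk.img.gz, the restore decompresses it on the way back to the disk.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# The page's dd commands leave out the first 8192-byte block of the RAID
# partition: skip=1 on backup, seek=1 on restore.

# backup_keydisk SRC IMG: write SRC minus its first block to IMG, then
# gzip it. The result is IMG.gz; IMG itself no longer exists afterwards.
backup_keydisk() (
    umask 077        # the image is never group- or world-readable
    dd bs=8192 skip=1 if="$1" of="$2" 2>/dev/null &&
        chmod 400 "$2" && gzip "$2"
)

# restore_keydisk IMG.gz DST: decompress onto DST, leaving block 0 alone.
# obs= (rather than bs=) makes dd regroup short pipe reads into full
# 8192-byte writes; conv=notrunc only matters when DST is a regular file.
restore_keydisk() {
    gzip -t "$1" &&
        gzip -dc "$1" | dd obs=8192 seek=1 of="$2" conv=notrunc 2>/dev/null
}

# verify_keydisk IMG.gz DEV: succeed only if DEV, past its first block,
# holds exactly the bytes stored in the image. cksum is in base on both
# OpenBSD and Linux; it catches copy errors, not deliberate tampering.
verify_keydisk() {
    gzip -t "$1" || return 1
    size=$(( $(gzip -dc "$1" | wc -c) ))
    [ "$size" -gt 0 ] || return 1
    want=$(gzip -dc "$1" | cksum)
    have=$(dd bs=8192 skip=1 if="$2" 2>/dev/null | head -c "$size" | cksum)
    [ "$want" = "$have" ]
}

# Use with the device names from this page:
#   backup_keydisk  /dev/rsd2a /root/backup-keydisk.img
#   verify_keydisk  /root/backup-keydisk.img.gz /dev/rsd2a
#   restore_keydisk /root/backup-keydisk.img.gz /dev/rsd1a
#   verify_keydisk  /root/backup-keydisk.img.gz /dev/rsd1a
```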