After having dabbled in Gentoo Linux for years, I finally decided I was tired of dealing with the regularly occurring broken packages and dependencies, out-of-date software, and distro-breaking structure changes. I am now diving headfirst into Ubuntu Linux 16.04.1, in an effort to set up a household appliance system that “just works”. However, I have found that Ubuntu doesn’t automate nearly as much of the setup as I had hoped, and so this is my log of steps I have followed to get my system working as intended, so that I can re-create them when and where necessary.

Beginning with a bare install of Ubuntu Server with openssh enabled.

System Configuration:

  • /etc/lvm/lvm.conf
    • snapshot_autoextend_threshold = 75 # This enables thin snapshots
  • /root/bin/snapshot
    #!/bin/bash
    lvcreate -L1G -s -n "root-"$(date +"%Y%m%d-%H%M") vg0/root
    
  • /etc/default/grub
    GRUB_DEFAULT=0
    GRUB_HIDDEN_TIMEOUT=0
    GRUB_HIDDEN_TIMEOUT_QUIET=true
    GRUB_TIMEOUT=0
    GRUB_DISABLE_OS_PROBER=true
  • dpkg-reconfigure unattended-upgrades
    • /etc/apt/apt.conf.d/50unattended-upgrades
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
  • /etc/sysctl.conf # Using an SSD, so I want to minimize swap usage
    vm.swappiness=0
  • systemctl edit getty@tty1 # Don’t wipe boot messages off screen at login
    [Service]
    TTYVTDisallocate=no
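Each snapshot that /root/bin/snapshot creates reserves 1G of copy-on-write space in vg0 until it is removed, so a retention helper belongs next to it. The following is an added example (my code, not part of the original log) that selects snapshots older than a retention window from the root-YYYYmmdd-HHMM names the script produces; it assumes GNU date and that naming pattern.

```bash
#!/bin/bash
# Added example, not from the original log: retention for the LVM snapshots
# that /root/bin/snapshot creates as vg0/root-YYYYmmdd-HHMM. Each snapshot
# holds 1G of copy-on-write space, so without pruning they eventually fill
# vg0 or trip snapshot_autoextend_threshold. Assumptions (not in the log):
# GNU date, and snapshot names exactly matching that pattern.

# to_epoch YYYYmmdd-HHMM -> seconds since the epoch (local time, GNU date),
# matching the local-time stamps the snapshot script embeds.
to_epoch() {
    local s="$1"
    date -d "${s:0:4}-${s:4:2}-${s:6:2} ${s:9:2}:${s:11:2}" +%s
}

# stale_snapshots NOW KEEP_DAYS
#   Reads LV names on stdin and prints those whose embedded timestamp is more
#   than KEEP_DAYS days before NOW (NOW given as YYYYmmdd-HHMM). Names that do
#   not match root-YYYYmmdd-HHMM are ignored, so the origin LV "root" and any
#   other volume in the VG can never be selected for removal.
stale_snapshots() {
    local now="$1" keep_days="$2" name stamp snap_epoch cutoff
    cutoff=$(( $(to_epoch "$now") - keep_days * 86400 ))
    while IFS= read -r name; do
        name="${name// /}"              # lvs pads names with leading spaces
        case "$name" in
            root-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac
        stamp="${name#root-}"
        snap_epoch=$(to_epoch "$stamp")
        if [ "$snap_epoch" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Real run: keep 14 days of snapshots. Only executed when asked for
# explicitly, so sourcing this file does nothing destructive.
if [ "${1:-}" = "--prune" ]; then
    lvs --noheadings -o lv_name vg0 \
        | stale_snapshots "$(date +%Y%m%d-%H%M)" 14 \
        | while IFS= read -r snap; do lvremove -f "vg0/$snap"; done
fi
```

Run it as `/root/bin/prune-snapshots --prune` from the same cron entry that takes the snapshots, or pipe `lvs` output through `stale_snapshots` by hand to preview what would be removed.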

System utilities:

  • apt install htop
  • apt purge btrfs-tools # I am running ZFS RAID for the time being.
  • apt purge mdadm # I am running ZFS RAID for the time being.
  • apt purge apport # Crash reporter
  • apt purge bluez bluez-cups bluez-obexd libgnome-bluetooth13 # bluetooth
  • apt purge rfkill # Wireless devices management tool
  • apt purge colord # color profile daemon for photo viewers
  • apt purge lxd lxd-client lxcfs lxc # virtual VMs
  • apt purge snapd ubuntu-core-launcher squashfs-tools # Ubuntu’s snapd
  • apt purge signond ibus # Pulls KDE as dependencies, not really needed.
  • apt install p7zip-full
  • apt install sqlite3 # needed for fail2ban scripts
  • apt install apcupsd # UPS Battery monitor
    • apt install apcupsd-cgi (if using with a httpd)
    • /etc/apcupsd/apcupsd.conf
      UPSCABLE usb
      UPSTYPE usb
      DEVICE
      

  • apt install ssmtp # This is needed for administrative emails (i.e. for smartmontools)
    • /etc/ssmtp/ssmtp.conf
      mailhub=mailserver:587
      AuthUser=emailaddress@server.com
      AuthPass=mypassword
      UseSTARTTLS=YES
  • dpkg -i powerpanel_132_amd64.deb # CyberPower PowerPanel
    • /etc/sudoers
      www-data ALL=(ALL) NOPASSWD: /usr/sbin/pwrstat -status
  • apt install lm-sensors
  • apt install hddtemp

Networking configuration:

  • apt purge network-manager # We do this like real men.
  • /etc/udev/rules.d/10-network.rules # Persistent network interface names
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="74:27:ea:da:85:14", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth_onboard"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0a:cd:20:13:61", ATTR{dev_id}=="0x0", ATTR{type}=="1", NAME="eth_discreet"
  • apt-get install bridge-utils
  • /etc/network/interfaces # Setting up a bridge here for use with OpenVPN
    auto eth_onboard
    iface eth_onboard inet dhcp
    auto br0
    iface br0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 192.168.0.1
    bridge_ports eth_discreet
    iface eth_discreet inet manual
    up ip link set $IFACE up promisc on
    down ip link set $IFACE down promisc off
  • /etc/default/grub
    GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0"
    • update-grub

Networking service software:

  • apt install vsftpd
    • chmod -R g+s /srv/ftp
    • find /srv/ftp/ -type f -exec chmod 644 {} \;
    • find /srv/ftp/ -type d -exec chmod 775 {} \;
  • apt install transmission-daemon
    • gpasswd -a debian-transmission ftp
  • apt install samba
    • /etc/samba/smb.conf
      # eth0
      interfaces = 192.168.0.0/24
      hosts allow = 192.168.0.0/24 127.0.0.1
      
      [homes]
      comment = Home Directories
      browseable = no
      read only = no
      
      [public]
      comment = Public Files
      browseable = yes
      guest ok = yes
      path = /srv/ftp
      public = yes
      writable = yes
      guest account = ftp
      force user = ftp
      create mask = 0644
      directory mask = 0755
  • apt install openvpn
    • /etc/openvpn/server.conf
      • comment out local hostname
  • apt install apache2
    • apt install libapache2-mod-php
    • a2enmod cgi
    • set apache port to 8080 and 80 (COX internet blocks port 80)
    • setup, configure, and update website at /var/www/html
    • chown -R www-data:www-data /var/www
    • apache2.conf # Enable .htaccess
      AllowOverride All
      • a2enmod rewrite
    • a2enmod proxy_http # reverse proxy
  • apt install php-curl php-xml # for (my private) transmission rss script
  • apt install fail2ban
  • Firewall/QOS

Router configuration:

  • apt install dnsmasq
    • /etc/dnsmasq.conf
      interface=eth_discreet
      dhcp-range=192.168.0.100,192.168.0.200,12h
      listen-address=192.168.0.1,127.0.0.1
  • apt install mysql-server
    • mysql_secure_installation
    • /etc/mysql/my.cnf # This edit is only for ZFS
      [mysqld]
      skip-innodb_doublewrite
    • apt install phpmyadmin
    • ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-enabled/phpmyadmin.conf
  • apt install ntopng
    • /etc/ntopng.conf
      -B=not((src net 192.168.0.0/24) and (dst net 192.168.0.0/24))
      -i=eth_onboard
      -i=br0
  • add-apt-repository ppa:notartom/squid-ssl # Squid with SSL support
    • apt update
    • apt install squidguard # caching proxy with URL filtering
    • Set up Squid certificate
      • mkdir /etc/squid/ssl_cert # The commands below are run from this directory, which squid.conf references
      • openssl genrsa -aes256 -out ca-key.pem 2048
      • openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 36500 -out ca-root.pem -sha512 # ca-root.pem is the file to distribute for CA installation
      • openssl pkcs12 -inkey ca-key.pem -in ca-root.pem -export -out shanock.pfx # PKCS#12 bundle for CA installation; note that it also contains the CA private key, so clients that only need to trust the CA should get ca-root.pem instead
    • /etc/squid/squid.conf
      url_rewrite_program /usr/bin/squidGuard
      maximum_object_size 4096 MB
      http_port 3128 transparent
      # Use the following for transparent HTTPS in conjunction with appropriate FireQOS config
      #https_port 192.168.0.1:3130 cert=/etc/squid/ssl_cert/ca-root.pem key=/etc/squid/ssl_cert/ca-key.pem ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
      # Use the following for explicit HTTPS
      http_port 192.168.0.1:3130 cert=/etc/squid/ssl_cert/ca-root.pem key=/etc/squid/ssl_cert/ca-key.pem ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
      # This is for exclusion lists
      acl DiscoverSNIHost at_step SslBump1
      acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
      ssl_bump splice NoSSLIntercept
      ssl_bump peek DiscoverSNIHost
      
      ssl_bump stare all
      ssl_bump bump all
      acl localnet src 192.168.0.0/24
      http_access allow localnet
      cache_dir ufs /var/spool/squid 65536 16 256
      dns_v4_first on
      coredump_dir /var/spool/squid
      refresh_pattern ^ftp: 1440 20% 10080
      refresh_pattern ^gopher: 1440 0% 1440
      refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|gz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
      refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
      refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
      refresh_pattern -i movies.com/.* 10080 90% 43200
      refresh_pattern -i youtube.com/.* 10080 90% 43200
      refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
      refresh_pattern . 0 40% 40320
    • /etc/squid/url.nobump
      update\.microsoft\.com
      update\.microsoft\.com\.akadns\.net
    • squid3 -z # Creates cache directories
    • Extract lists from www.shallalist.de to /var/lib/squidguard/db
    • /etc/squidguard/squidGuard.conf
      dest adv {
      	domainlist BL/adv/domains
      	urllist BL/adv/urls
      }
      dest costtraps {
      	domainlist BL/costtraps/domains
      	urllist BL/costtraps/urls
      }
      dest spyware {
      	domainlist BL/spyware/domains
      	urllist BL/spyware/urls
      }
      dest tracker {
      	domainlist BL/tracker/domains
      	urllist BL/tracker/urls
      }
      acl {
      	default {
      		pass !adv !costtraps !spyware !tracker all
      		redirect http://lan.shanock.com:8080/blocked.php?targetgroup=%t&uri=%p&url=%u
      	}
      }
    • Firewall/QOS

GUI + RDP:

  • apt install lubuntu-core # Lubuntu desktop without all the bloat
  • apt install x11vnc
    • /lib/systemd/system/x11vnc.service
      [Unit]
      Description=Start x11vnc at startup.
      After=multi-user.target
      
      [Service]
      Type=simple
      ExecStart=/usr/bin/x11vnc -nopw --auth guess -forever -loop -noxdamage -repeat -rfbport 5900 -shared
      
      [Install]
      WantedBy=multi-user.target
    • systemctl enable x11vnc.service
  • apt install xrdp
    • echo lxsession >~/.xsession
    • echo lxsession >/etc/skel/.xsession
    • /etc/xrdp/xrdp.ini
      [xrdp1]
      name=Guest
      lib=libvnc.so
      ip=127.0.0.1
      port=5900
      username=na
      #password=ask
      password=na
      
      [xrdp2]
      name=Login
      lib=libvnc.so
      username=ask
      password=ask
      ip=127.0.0.1
      port=-1
      
      [xrdp3]
      name=Reconnect
      lib=libvnc.so
      ip=127.0.0.1
      port=ask5900
      #username=ask
      password=ask

GUI Software:

  • apt purge xvt
  • apt install xterm # Lightweight terminal
    • ~/.Xresources
      xterm*foreground: Gray
      xterm*ScrollBar: true
      xterm*savelines: 1024
      xterm*rightScrollBar: true
      
  • apt purge byobu
  • apt purge vim
  • apt purge gnome-screenshot
  • apt install diffuse # Graphical diff
  • apt install gedit # Text editor
  • apt install chromium-browser # Web browser
  • apt install lightdm-gtk-greeter-settings # For setting login screen wallpaper
  • apt install software-properties-gtk # Installs some mystery “unknown: unknown” driver, no idea what for

HTPC Software/Configuration:

  • apt install gnome-mplayer
  • apt install pithos
  • Sound card fixes
    • Fix popping audio on Asus Xonar U3: (may not be needed) /etc/pulse/daemon.conf
      default-sample-rate = 48000
      
    • amixer default card /usr/share/alsa/alsa.conf
      defaults.ctl.card 1
      defaults.pcm.card 1
      
    • Multimedia keys ~/.config/openbox/lxde-rc.xml
      <keybind key="XF86AudioRaiseVolume">
        <action name="Execute"><command>amixer -q sset PCM 3%+</command></action>
      </keybind>
      <keybind key="XF86AudioLowerVolume">
        <action name="Execute"><command>amixer -q sset PCM 3%-</command></action>
      </keybind>
      <keybind key="XF86AudioMute">
        <action name="Execute"><command>amixer -q sset PCM toggle</command></action>
      </keybind>
      
  • Configure a guest session for HTPC access:
    • create account guest-prefs
    • ln -s /home/guest-prefs /etc/guest-session/skel
    • /etc/apparmor.d/abstractions/lightdm # Allows guest accounts to access the NAS media files
      /srv/ftp/** rmix,
      /srv/ftp/ rmix,
      
    • /home/guest-prefs/.config/autostart/lxrandr-autostart.desktop # Sets monitor resolution to match projector resolution
      Exec=sh -c 'xrandr --addmode VGA1 1280x720 && xrandr --output VGA1 --mode 1280x720 --output HDMI1 --mode 1280x720 --same-as VGA1'
      
    • set a wallpaper for guest session
    • apt purge gnome-screensaver # Screensaver locks out the guest account
    • apt purge xscreensaver
    • apt purge xscreensaver-data
    • apt install xfce4-power-manager
      • set guest session screen blanking
    • /usr/share/polkit-1/actions/org.freedesktop.login1.policy # Stops guest users from being able to shutdown/reboot the computer
      Do the following for all actions that need admin approval:

      <action id="org.freedesktop.login1.power-off">
      <defaults>
      <allow_active>yes</allow_active>

Virtual Machine Host:

  • apt install qemu virt-manager qemu-efi ovmf
  • gpasswd -a username libvirtd
  • setfacl -Rm u:libvirt-qemu:rwX,d:u:libvirt-qemu:rwX image_directory/

Bugfixes:

  • Diagnose startup service failures: systemctl --state=failed, then service [service] status
  • /etc/pulse/default.pa # fix pulseaudio not working after a while
    #load-module module-switch-on-port-available
  • systemctl edit ntopng # fix bug, ntopng requires redis-server
    [Unit]
    Requires=redis-server.service
    After=redis-server.service
    
  • systemctl edit squid # fix bug, squid starts before zfs mounts
    [Unit]
    Requires=zfs-mount.service
    After=zfs-mount.service
    Wants=zfs-mount.service
    RequiresMountsFor=/var/spool/squid

  • Crontab: @reboot /usr/sbin/service squid start
  • systemctl daemon-reload

To Do:

update-initramfs -c -k all

  • fix guest session can switch user
  • fix PID error on guest logon “No session for pid XXXXX”
    • doesn’t work
    • /etc/apparmor.d/lightdm-guest-session:
    • /etc/xdg/lxsession/Lubuntu/* cx,
  • fix error connecting on xrdp logon
  • fix guest “failed to start session”
  • tweak resolution
  • vsftpd anonymous login/write