Handige Knakker

Since my work laptop is too restricted, i’m trying to set up Ubuntu on a USB stick and boot from there.
Actually, it has proven to be a very smooth experience so far. I’m impressed by the overall speed and battery performance.

Couple of things i must not forget.
WORK IN PROGRESS

Get some essentials:

sudo apt install curl ffmpeg keepassxc

Latest Google Chrome Browser: link
Latest Citrix Workspace (Receiver): link
Latest Citrix RTME (HDX for Skype): link

After installing the ica client:

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts
cd /opt/Citrix/ICAClient/keystore/cacerts
sudo wget https://www.quovadisglobal.com/wp-content/files/media/quovadis_quovadisrootca2.pem
sudo /opt/Citrix/ICAClient/util/ctx_rehash

modify /opt/Citrix/ICAClient/config/wfclient.template before making the first connection (“~/Library/Application Support/Citrix Receiver/Config” on MacOS by the way)

MSLocaleNumber=0x00000413
KeyboardLayout=US-International

Also: modify /opt/Citrix/ICAClient/config/All_Regions.ini

MouseSendsControlV=False

If you use wayland and experience problems with special key-combo’s like alt-tab:

gsettings set org.gnome.mutter.wayland xwayland-grab-access-rules "['Wfica']"
gsettings set org.gnome.mutter.wayland xwayland-allow-grabs true

For other apps: if you don’t know which value to use: xprop WM_CLASS

Lastly:

sudo apt-get install --reinstall libcanberra-gtk-module
/opt/Citrix/ICAClient/util/configmgr (for mapping local drives)

Install Microsoft Teams:

sudo curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo echo "deb [arch=amd64] https://packages.microsoft.com/repos/ms-teams stable main" > /etc/apt/sources.list.d/teams.list
apt update
apt install teams

Connecting to exchange web services (for calendar sync)

sudo apt install evolution-ews

Google drive support e.g. for keepass

sudo add-apt-repository ppa:alessandro-strada/ppa
sudo apt-get update
sudo apt-get install google-drive-ocamlfuse

edit ~/.gdfuse/default/config and set mv_keep_target=true

mkdir ~/Documents/GoogleDrive
google-drive-ocamlfuse ~/Documents/GoogleDrive

startup file for google drive mount and offline backup of keepass databases:

#!/bin/bash

google-drive-ocamlfuse ~/Documents/GoogleDrive
if [ ! -d ~/BACKUP/keepass/ ]; then mkdir -p ~/BACKUP/keepass/; fi
if [ -d ~/Documents/GoogleDrive/keepass/ ]; then cp -f ~/Documents/GoogleDrive/keepass/*.kdbx ~/BACKUP/keepass/; else echo Offline; fi

gedit json formatter:
Preferences - Plugins - enable External Tools
preferences - Manage external Tools
“+”, give name e.g. “Format Json”, shortcut key Ctrl+Alt+J, input=Current Document, output=Replace current document
code:

#! /usr/bin/env python
 
import json
import sys
 
j = json.load(sys.stdin)
print( json.dumps(j, sort_keys=True, indent=2) )

Kodi:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:team-xbmc/ppa
sudo apt-get update
sudo apt-get install kodi

Youtube-dl:

sudo curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl
sudo ln -s /usr/bin/python3 /usr/local/bin/python

Example how to allow certain known connections (e.g. unifi accesspoints) and log unknown connection attempts.
This is done by adding a chain called LOGDROP, append packets that match the criteria (tcp/8080) to that chain, log the packets and drop them.

iptables:

#!/bin/bash

AP01="192.168.0.1"
AP02="192.168.0.2"
AP03="192.168.0.3"

# Resetting ...
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Setting default policy on incoming traffic
iptables -P INPUT DROP                                                  # DENY INCOMING CONNECTIONS
iptables -P FORWARD DROP                                                # THIS IS NOT A ROUTER

# allowed accesspoints
iptables -A INPUT -p tcp --dport 8080 -s $AP01 -j ACCEPT                # UNIFI - AP01
iptables -A INPUT -p udp --dport 3478 -s $AP01 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s $AP02 -j ACCEPT                # UNIFI - AP02
iptables -A INPUT -p udp --dport 3478 -s $AP02 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s $AP03 -j ACCEPT                # UNIFI - AP03
iptables -A INPUT -p udp --dport 3478 -s $AP03 -j ACCEPT
# log AP connections that aren't allowed
iptables -N LOGDROP
iptables -A INPUT -p tcp --dport 8080 -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
iptables -A LOGDROP -j DROP

# Make persistent
iptables-save >/etc/iptables/rules.v4

Create a file in /etc/rsyslog.d/ called “30-unifi-accesspoints.conf” with the following content:

:msg,contains,"IPTables-Dropped: " /var/log/unifi_accesspoints.log

and restart rsyslog

Mediainfo is a very nice utility, but it works even better with rar support.
Took me a while to compile it succesfully, therefor here are the steps. Easy once you know it :~

First, install current version of the normal Mediainfo and other requirements that we need later.

sudo -s
apt install mediainfo libmediainfo-dev git build-essential

Then get the latest source code from the mediaarea.net website. Currently version 20.03.

mkdir /root/installers/ && cd /root/installers
wget https://mediaarea.net/download/binary/mediainfo/20.03/MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
tar zxvf MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
cd MediaInfo_CLI_GNU_FromSource
./CLI_Compile.sh
cd MediaInfo/Project/GNU/CLI && make install

Now we’re going to add the rar functionality. It depends on a modified version of libdvdread, also from lundman, that we need first.

cd /root/installers
wget http://lundman.net/ftp/dvdread/libdvdread-4.2.0.plus.tar.gz
tar zxvf libdvdread-4.2.0.plus.tar.gz
cd libdvdread-4.2.0.plus
./configure && make && make install

And now we’re going to build the mediainfo-rar version:

cd /root/installers
wget "http://www.lundman.net/ftp/mediainfo-rar/mediainfo-rar-1.4.0.tar.gz"
tar zxvf mediainfo-rar-1.4.0.tar.gz
cd mediainfo-rar-1.4.0
./configure && make && make install

Run it: mediainfo-rar.
If it complains about “error while loading shared libraries: libdvdread.so.4”, fix it with:

ln -s /usr/local/lib/libdvdread.so.4 /lib/x86_64-linux-gnu/libdvdread.so.4

That’s all.

Backup links in case sources will ever disappear:
MediaInfo_CLI_20.03_GNU_FromSource.tar.gz
libdvdread-4.2.0.plus.tar.gz
mediainfo-rar-1.4.0.tar.gz

Somehow systemd does not run in the debian-chroot, so in case inetd is working for you, here’s how:
ssh to your synology

sudo -s
chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash
apt install wget tcpd zip unzip openssl lftp openbsd-inetd

Install software of choice. Then:

service openbsd-inetd start
exit

Auto-start the inetd service with the debian-chroot:

sqlite3 /volume1/@appstore/debian-chroot/var/debian-chroot.db
INSERT INTO services VALUES ('0', 'INETD', '/etc/init.d/openbsd-inetd','ps -p $(cat /var/run/inetd.pid)');
.quit

1 Install the synology “noarch” package
Go to the Package Center, then Settings
Trusted sources, “Synology Inc. and trusted publishers”
Package Sources, Add, “SynoCommunity” + “http://packages.synocommunity.com/”
Community, install Python (v2.x, not v3) and nano
Manual Install, debian-chroot_noarch-all_8.4-7.spk but DO NOT “Run after installation”

2 Fix the DSM Interface
Ssh to your Synology

sudo -s
cd /volume1/@appstore/debian-chroot/env/bin
./pip install click
nano /var/packages/debian-chroot/target/app/debian-chroot.js

Then replace

"url": "3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
with
"url": "/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/router",
and:
'url': '3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',
with
'url': '/webman/3rdparty/debian-chroot/debian-chroot.cgi/direct/poller',

And alter the onclose function:

onClose: function () { 
    this.doClose();
    this.mainPanel.onDeactivate();
    return true;
},

3 Replace the binaries with x64
Remove old binaries:

cd /volume1/@appstore/debian-chroot/var
rm -rf chroottarget

Put the x64 chroot.tar.gz in the current directory

tar zxvf chroot.tar.gz
echo "chroot" >/volume1/@appstore/debian-chroot/var/chroottarget/etc/hostname
cp /etc/resolv.conf /volume1/@appstore/debian-chroot/var/chroottarget/etc/resolv.conf
touch /usr/local/debian-chroot/var/installed

If you created a chroot for a different architecture than x64, use the following command. Otherwise skip this.

chroot /volume1/@appstore/debian-chroot/var/chroottarget /debootstrap/debootstrap --second-stage

The chroot is now installed. Start it:

/var/packages/debian-chroot/scripts/start-stop-status start

Enter the chroot:

chroot /volume1/@appstore/debian-chroot/var/chroottarget /bin/bash

Post-installation steps:

apt update && apt upgrade && apt autoremove
apt-get install locales
dpkg-reconfigure locales -> only "[*] en_US.UTF-8 UTF-8" -> system default: en_US.UTF-8
dpkg-reconfigure tzdata -> set correct timezone, e.g. Europe, Amsterdam

Optional
If you want extra mounts in your chroot, look in:

/var/packages/debian-chroot/scripts/start-stop-status

example to add a Synology share called stuff to the chroot:

add to BOTTOM of all mount commands in section start_daemon script:
        grep -q "${CHROOTTARGET}/mnt/site " /proc/mounts || mount -o bind /volume1/stuff ${CHROOTTARGET}/mnt/site
add to TOP of all umount commands in section stop_daemon script:
        umount ${CHROOTTARGET}/mnt/site

Reboot your synology

On your current installed debian x64 installation:

sudo apt install debootstrap
sudo debootstrap stable chroottarget
sudo tar -cvzf chroot.tar.gz chroottarget

Save the chroot.tar.gz

If you need to create a chroot for a different architecture, eg armhf, the second command would be:

sudo debootstrap --foreign --arch armhf stable chroottarget