OpenBSD Workstation Guide

So I’ve gone a little overboard collecting notes about what seems to me to be an ideal OpenBSD workstation for hackers. Everything from hardware to software. Thought I’d share it with you all because many of the items on the list were a surprise to me, and I think you’ll enjoy them. Feel free to write me and suggest even better ideas.

Will I actually build it? Who knows, but the research has been fun and educational in an OCD kind of way.

Table Of Contents

Design Goals

  • User actions should complete instantaneously. While I understand if compiling code and rendering videos takes time, opening programs and moving windows should have no observable delay. The system should use minimalist tools.
  • Corollary: cache data offline when possible. Everything from OpenStreetMaps to StackExchange can be stored locally. No reason to repeatedly hit the internet to query them. This also improves privacy because the initial download is indiscriminate and doesn’t reveal personal queries or patterns of computer activity.
  • No idling program should use a perceptible amount of CPU. Why does CalendarAgent on my Macbook sometimes use 150% CPU for fifteen minutes? Who knows. Why are background ChromeHelpers chugging along at upper-single-digit CPU? I didn’t realize that holding a rendered DOM could be so challenging.
  • Avoid interpreted languages, web-based desktop apps, and JavaScript garbage. There, I said it. Take your Electron apps with you to /dev/null!
  • Stability. Old fashioned programs on a conservative OS on quality mainstream hardware. There are enough challenges to tackle without a bleeding edge system being one of them.
  • Delegate to quality hardware components. Why use a janky ncurses software audio mixer when you can use…an actual audio mixer?
  • Hardware privacy. No cameras or microphones that I can’t physically disconnect. Also real hardware protection for cryptographic keys.
  • Software privacy. Commercial software and operating systems have gotten so terrible about this. I even catch Mac command line tools trying to call Google Analytics. Sorry homebrew, your cute emojis don’t make up for the surveillance.

The Hardware

Core

To get the best hardware for the money I’m opting for a desktop computer. Haven’t had one since the early 2000s and it feels anachronistic, but it will outperform a laptop of similar cost.

After much searching, I found the HP Z240 Tower Workstation. It’s no-nonsense and supports exactly the customizations I was looking for:

  • No operating system pre-loaded (Cut out the “Windows tax”)
  • Intel Xeon E3-1270 v6 processor (Supports ECC ram)
  • 16 GB (2×8 GB) DDR4-2400 ECC Unbuffered memory (2400Mhz is the full memory clock speed supported by the Xeon)
  • 256 GB HP Z Turbo Drive G2 PCIe SSD (Uses NVMe rather than SATA for faster throughput, supported by nvme(4) )
  • No graphics card (We’ll add our own)
  • Intel® Ethernet I210-T1 PCIe (Supported by em(4) )

tower

A modest discrete video card will enable 2D Glamor acceleration on X11. The Radeon HD 6450 (sold separately) is fanless and listed as supported by radeon(4) .

gpu

Why build a solid computer and not protect it? Externally, the APC BR1300G UPS will protect the system from power surges and abrupt shutdowns.

ups

Peripherals

You type every day, don’t hurt your wrists. The Matias Ergo Pro uses mechanical switches for that old fashioned clicky sound. It also includes dedicated buttons along the side for copying and pasting. Why is that cool? Well, it improves secondary selection , a technique that Sun computers used but time forgot.

keyboard

Since we’re talking about a home office workstation, you may want a printer. The higher quality printers speak PostScript and PDF natively. Unix machines connect to them on TCP port 9100 and send PostScript commands directly. (You can print via telnet if you know the commands!) The Brother HL-L5100DN is a duplex LaserJet which allows that “raw” TCP printing.

printer

(Note that the unit sold on Amazon includes a spy sensor called Dash Replenishment that phones home to Amazon. You will want your router to block this printer from connecting to the internet.)

Audio/Video

I know a lot of people enjoy surrounding themselves with a wall of monitors like they’re in the heart of NASA Mission Control, but I find multi-monitor setups slightly disorienting. It introduces an extra bit of cognitive overhead to determine which monitor is for what exactly. That’s why I’d go with a modest, crisp Dell UltraSharp 24″ U2417H . It’s 1080p and yeah there are 4k monitors nowadays, but text and icons are small enough as it is for me!

monitor

If I ever considered a second monitor it would be e-ink for comfortably reading electronic copies of books or long articles. The price is currently too high to justify the purchase, but the most promising monitor seems to be the Dasung Paperlike .

e-ink

In the other direction, video input, it’s more flexible to use a general-purpose HDMI capture box like the Rongyuxuan than settle on a particular webcam. This allows hooking up a real camera, or any other video device. This capture card uses the UVC interface supported by uvideo(4) .

hdmi capture

Although the motherboard for this system has built-in audio, we should use a card with better OpenBSD support. The WBTUO PCIe card uses a C-Media CMI8768 chipset, handled by cmpci(4) . The card provides S/PDIFF in and out ports if you ever want to use an external DAC or ADC.

sound card

The way to connect it with other things is with a dedicated hardware mixer. The Behringer Xenyx 802 has all the connections needed, and the ability to route audio to and from the computer and a variety of devices at once. The mixer may seem an odd peripheral, but I want to mix the computer with an old fashioned CD player, ham radio gear, and amplifier so this unifies the audio setup.

mixer

When doing remote pair programming or video team meetings it’s nice to have a quality microphone. The best ones for this kind of work are directional, with a cardioid reception pattern. The MXL 770 condenser mic is perfect, and uses a powered XLR connection supplied by the mixer.

mic

Backups

We’re going dead simple and old-school, back to tapes. There are a set of tape standards called LTO- n . As n increases the tape capacity gets bigger, but the tape drive gets more expensive. In my opinion the best balance these days for the home user is LTO-3. You can usually find an HP Ultrium 960 LTO-3 on eBay for 150 dollars. The cartridges hold 800GB and are about 15 dollars apiece. Hard drives keep coming down in price, but these tapes are very cheap and simpler than keeping a bunch of disk drives. Also tape has proven longevity, and good recoverability.

tape drive

To use old fashioned tech like this you need a SCSI host bus adapter like the Adaptec 29320LPE , supported by ahd(4) .

scsi

Cryptography

You don’t want to generate and store secret keys on a general purpose network attached computer. The attack surface is a mile wide. Generating or manipulating “offline” secret keys needs to happen on a separate computer with no network access.

Little boards like the Raspberry Pi would be good except they use ARM processors (incompatible with Tails OS) and have wifi. The JaguarBoard is a small x86 machine with no wireless capability. Just switch the keyboard and monitor over to this machine for your “cleanroom.”

jaguar board

Generating keys requires entropy. The Linux kernel on Tails samples system properties to generate randomness, but why not help it out with a dedicated true random number generator (TRNG)? Bit Babbler supplies pure randomness at a high bitrate through USB. ( OneRNG works better on the OpenBSD main system, via uonerng(4) .)

bit babbler

This little computer will save its results onto a OpenPGP Smartcard V2.1 . This card provides write-only access to keys, and computes cryptographic primitives internally to sign and encrypt messages. To use it with a regular computer, hook up a Cherry ST2000 card reader. This reader has a PIN pad built in, so no keylogger on the main computer could even obtain your decryption PIN.

The Software

We take the beefed up hardware above and pair it with ninja-fast software written in C. Some text-based, others raw X11 graphical apps unencumbered by ties to any specific window manager.

I’d advise OpenBSD for the underlying operating system, not a Linux. OpenBSD has greater internal consistency, their man pages are impeccable, and they make it a priority to prune old code to keep the system minimal.

Now the programs. There are too many items to elaborate on each, but here’s the list. Many were created by suckless and reviewed by inconsolation .

  • Window manager – i3
  • X11 configured for secondary selection. Map the special keys with xkb and call out to xsel.
  • Mouse
  • Application launcher – dmenu
  • Color management: Dell UltraSharp ICC color profile . Load it with xcalib . Adjust color tone at night with Redshift .
  • Screen magnifier – vmg
  • Screenshots – maim
  • Screen lock – slock
  • Terminal emulator: rxvt , or possibly urxvt for unicode
  • Shell: mksh is lightweight and posix compliant
  • VPN: OpenVPN with PrivateInternetAccess config files
  • RFC downloader/reader. Caches locally.
  • Web browser: the simple NetSurf , or qutebrowser for more complicated pages
  • Pipe text to clipboard: xclip
  • Todo manager: Taskwarrior
  • Map and driving directions: Navit with downloadable OpenStreetMap data
  • Desktop notifications – Dunst , be sure to use >= v1.1.0 for a memory leak fix
  • Calendar – calcurse includes support for CalDAV and triggering notification commands
  • RSS Reader – Newsboat , successor to the now unmaintained Newsbeuter
  • Email (see description of MxA components)
    • MUA – NeoMutt includes scriptable new-mail hook, and notmuch indexer
    • MTA – msmtp supports storing password using GnuPG
    • MRA – mbsync syncs the local mailbox with remote imap
    • urlview creates a menu from urls in a text file to open them
    • abook to store and retrieve addresses
    • Calendar integration: mutt + calcurse
  • GnuPG
  • Chat (don’t necessarily need them all, just as the need arises)
  • Offline Stackoverflow queries
    • Get quarterly xml data dump of questions and answers
    • How to import XML into postgres: http://stackoverflow.com/a/33211885
    • Map the “help” button on keyboard to search with highlighted text
  • Offline Wikipedia browser with Kiwix
  • Video editing – kdenlive No need to run KDE window manager, for the KDE part you should only need kdelibs, kdelibs-devel, qt and qt-devel packages.
    • Store editing artifacts on ram drive for super speed
    • Compile with Movit library for GPU acceleration
  • System monitoring
  • Calculator
  • Audio player – cmus
  • Video player – mpv
  • Weather forecast – weather retrieves METARs (Meteorological Aerodrome Reports) directly from NOAA
  • File manager – ViFM
  • REST client – Resty + jq
  • Backup and tape rotation – Bacula
  • Documents
  • Images
  • Office
    • Tech prose editing: Vim + goyo
    • Spreadsheets: sc-im
    • Preview Word files: docx2txt + vim .docx autocmd
    • Word processing: Ted
    • Spell checker: aspell
    • Presentations:
      • MagicPoint for the majority of presentations
      • Beamer for math-heavy slides (it’s based on LaTeX)
  • Git difftool/mergetool: TkDiff
责编内容来自:Begriffs.com blog (源链) | 更多关于

阅读提示:酷辣虫无法对本内容的真实性提供任何保证,请自行验证并承担相关的风险与后果!
本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » 手机数码 » OpenBSD Workstation Guide

喜欢 (0)or分享给?

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录