Author Archives: Scott Alfter

Cheatsheet: encrypt the root filesystem on an existing Arch Linux install

Worried that your notebook might fall into the wrong hands, but you didn’t encrypt / when you set it up? This will fix it.

This cheatsheet makes a few assumptions:

  1. Your computer uses EFI, not legacy BIOS.
  2. You’re using an EFI boot stub to boot, not GRUB or some other bootloader.
  3. You are not using a unified kernel image.
  4. You’re using a busybox-based initramfs, not a systemd-based initramfs.
  5. Your root filesystem is btrfs-formatted and doesn’t use subvolumes.

The boot device in my computer is /dev/nvme0n1. /dev/nvme0n1p1 is the EFI system partition, which gets mounted as /boot. /dev/nvme0n1p3 is the btrfs root filesystem for my Arch Linux install; its label is arch_root and /etc/fstab is set to mount by label. Substitute appropriate values for your system wherever you see these.

  1. Boot from an Arch ISO. Current versions of SystemRescueCD are based on Arch and should also work.
  2. Mount the root filesystem: mkdir /mnt/arch && mount /dev/nvme0n1p3 /mnt/arch
  3. Shrink the root filesystem. This will be an iterative process. First, examine the output of btrfs filesystem usage -b /mnt/arch. There should be a line with something like “(min: some-number)” in it. Resize the filesystem with the negative of that number: btrfs filesystem resize -some-number /mnt/arch. Repeat both commands until the second one returns an error; at this point, the root filesystem is shrunk to its minimal size, which ought to speed up the encryption step.
  4. Unmount the filesystem: umount /mnt/arch
  5. Encrypt the filesystem: cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p3. You’ll be prompted for a passphrase. This will need to be entered every time you boot your computer, so a long random string from a password manager, while secure, is probably not a good idea from a usability standpoint. Also, this phase will probably take a while. I shrunk the root filesystem down to about 90 GB, and with the Core i7-1165G7 in my Framework 13, encryption took about a half-hour.
  6. Mount the encrypted filesystem: cryptsetup open /dev/nvme0n1p3 recrypt && mount /dev/mapper/recrypt /mnt/arch
  7. Expand the filesystem back to use the rest of the partition: btrfs filesystem resize max /mnt/arch
  8. Mount the EFI partition and chroot into your Arch install: mount /dev/nvme0n1p1 /mnt/arch/boot && arch-chroot /mnt/arch
  9. Edit /etc/mkinitcpio.conf. There’s a line that starts with HOOKS=. Look for block within that line, and add encrypt after it.
  10. Regenerate the initramfs: mkinitcpio -P
  11. Get the UUIDs of the encrypted container and the decrypted filesystem: ls -l /dev/disk/by-uuid. This directory has symlinks to the actual device nodes, so the one pointing to /dev/mapper/recrypt is the decrypted filesystem UUID (we’ll call it fs_UUID) and the one pointing to /dev/nvme0n1p3 is the encrypted container UUID (we’ll call it enc_UUID).
  12. Update the EFI boot config. First, use efibootmgr --unicode to find your existing Arch boot entry. Make note of any existing kernel command-line options, then delete it with something like efibootmgr -b 1 -B (if your boot entry was labeled Boot0001). Then, create the updated entry with something like this: efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux" --loader /vmlinuz-linux --unicode 'initrd=\initramfs-linux.img cryptdevice=UUID=enc_UUID:recrypt:allow-discards root=UUID=fs_UUID rootflags=rw zswap.enabled=0 rw rootfstype=btrfs'
  13. Exit the chroot and reboot. Enter your passphrase (from step 5) when asked.

References

Arch Linux Wiki: dm-crypt: Encrypt an existing unencrypted file system
Arch Linux Wiki: dm-crypt: Unlocking in early userspace
Resize btrfs filesystem to the minimum size in a single step
LUKS encryption with EFISTUB boot?

Cheatsheet: configure Nextcloud external storage from the command line

As a workaround for this problem that has cropped up in recent versions of Nextcloud, I needed to figure out how to configure external storage from the command line. This is a short list of commands I’ve found useful.

(I’m running the Docker image provided by Nextcloud, modified to support SMB. Samba runs in another container on the same host. Replace the italicized text with appropriate values for your installation.)

List external shares for a user:
docker exec -u 82 nextcloud php occ files_external:list username
(The first column will list an ID that is needed for some commands.)

Create an external share:
docker exec -u 82 nextcloud php occ files_external:create --user username share_name smb password::password -c host=samba_hostname -c share=samba_share_name -c root= -c domain=samba_domain -c user=samba_user -c password=samba_passord -c case_sensitive=true

Enable sharing:
docker exec -u 82 nextcloud php occ files_external:option id enable_sharing true

Delete a share:
docker exec -iu 82 nextcloud php occ files_external:delete id
(You’ll need to confirm that you want to do this…hence docker exec -i.)

Scan for files within a share:
docker exec -u 82 nextcloud php occ files:scan -p /username/files/share_name username
(I haven’t needed to do this after creating a share, but YMMV.)

A blast from the past

I got around to imaging the hard drive from my Apple IIGS this morning. The drive, a 4.3-GB Seagate Barracuda 4LP (purchased used 20 or so years ago to replace the smaller drive I had been using), was hooked up to an Adaptec AVA-2902 on an old Pentium III motherboard I saved from a computer that was otherwise scrapped. The image found its way onto an SD card, which I read into my computer. With a bit of slicing and dicing with CiderPress, I had the image booting into the IIGS emulation in MAME. I then started poking around to see what kind of stuff I still had in there.

Back in the early ’90s, I was the newsletter editor for the Apple user group (both Apple II and Macintosh) in Las Vegas. My IIGS was actually a IIe at the time, but fairly well equipped with a 10-MHz accelerator, a 40-MB SCSI hard drive, a mouse, and a whopping 1 MB of RAM. This ran a desktop-publishing program called PublishIt! fairly well. It’s what I used to produce the newsletter. I’d paste up the articles and columns and render them to a PostScript file that I’d take into school to print. I was attending UNLV at the time; I’d dial in, upload the file, and send it to the laser printer in the computer lab. I’d pick up the printout, take it to one of the local OfficeMax-type stores, and have them produce a few dozen copies to mail out to the members.

Today, I pulled up the last newsletter I produced, dated March 1993. I loaded it into PublishIt! on an emulated IIGS in MAME, rendered it to PostScript (had to make sure “LaserPrep” was included), and shut down the emulator. I extracted the file from the disk image with CiderPress and converted it from PostScript to PDF with Ghostscript. This is the result:

https://alfter.us/wp-content/uploads/2025/06/snafug-newsletter-9303.pdf

The disk image was also put onto a BlueSCSI, from which my IIGS (I still have it) can boot. The BlueSCSI is smaller and lighter than the hard drive, and getting data on and off it is as simple as pulling the MicroSD card and manipulating the image files in CiderPress.

Keep your Windows 10 system on Windows 10: block the Windows 11 upgrade

Just a quick reminder to myself that I can look up as I roll back the handful of Windows 11 installations I have to Windows 10 (for the small handful of purposes that I need to keep any sort of Windows around at all). Save the following to a file named win11block.reg and import it into the registry to keep Windows Update from trying to put Windows 11 on your Windows 10 system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate]
"ProductVersion"="Windows 10"
"TargetReleaseVersion"=dword:00000001
"TargetReleaseVersionInfo"="22H2"

Running a Collabora server behind caddy-docker-proxy

Just a quick cheatsheet-ish post as I figure out how to move my home server off nginx and onto caddy-docker-proxy, which I hope will make configuration easier in the long run. Figuring out what labels to attach to get Caddy to do what I want is a minor stumbling block.

In this case, it’s working with the Collabora server that my Nextcloud instance uses to enable online editing of office-type files. The sticking point is that the server complains if Nextcloud connects over plain HTTP, but Caddy (though which Nextcloud will connect) complained about the Collabora server’s self-signed SSL certificate.

This docker-compose.yml is what I ended up using:

services:
  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    environment:
      extra_params: --o:ssl.enable=true
    networks:
      - www
    labels:
      caddy: collabora.alfter.us
      caddy.reverse_proxy: https://collabora.www:9980
      caddy.reverse_proxy.transport: http 
      caddy.reverse_proxy.transport.tls_insecure_skip_verify:
      
networks:
  www:
    name: www
    external: true

The “www” network connects Nginx and Caddy (eventually just Caddy) to all of the containers to be proxied. The first two labels are pretty normal, but the last two are what tell Caddy to ignore Collabora’s self-signed certificate. The part of the Caddyfile that handles collabora.alfter.us ends up looking something like this:

collabora.alfter.us {
  reverse_proxy https://collabora.www {
    transport http {
      tls_insecure_skip_verify
    }
  }
}

A quick little project

Only thing missing is the keyboard, though I threw some one-liners at it through the USB port, which shows up as a serial interface. This is a single-board computer that boots to a BASIC prompt, like the 8-bitters of ~40 years ago. It’s built around a Raspberry Pi Pico, produces VGA video output, and has an SD-card slot for program storage and a PS/2 keyboard jack. It’s a PicoMiteVGA implementation that I knocked together fairly quickly and sent out for manufacturing.

I have parts to build four more. They might show up on Tindie, once I verify that the keyboard input works. The KiCad files are over here.

z88dk: a quick way to get it running

I’m looking to bring up my RC2014-compatible computer project, now that I’ve assembled the minimal set of boards to have a working computer (CPU board, RAM/ROM board, and serial I/O board). The toolchain to build software for these systems is z88dk. It has a non-standard build system, and it looks like getting it to build on Gentoo Linux is a bit hairy. Fortunately, there’s a Docker image with all of the tools, and I think I can get it running with a bunch of shell scripts. Running the following from within /usr/local/bin should do the trick:

(echo '#!/usr/bin/env bash'; echo 'docker run -v .:/src -it --rm z88dk/z88dk "$@"') | sudo tee z88dk >/dev/null && sudo chmod +x z88dk; for i in zcc z88dk-sccz80 z88dk-zsdcc z88dk-z80asm z88dk-z80nm z88dk-zobjcopy z88dk-appmake z88dk-ticks z88dk-gdb z88dk-dis z88dk-lib z88dk-zx0 z88dk-zx7 z88dk-dzx0 z88dk-dzx7; do (echo '#!/usr/bin/env bash'; echo 'z88dk '$i' "$@"') | sudo tee $i >/dev/null && sudo chmod +x $i; done

Disabling RAID on HP Smart Array 420i controllers

At work, I have an old HP ProLiant DL385p Gen8 that had been running VMware ESXi for over a decade. We’ve migrated VMs off of it onto newer servers, so it was sitting idle. Broadcom’s recent acquisition of VMware and their plans for the product (the end of perpetual licensing, in particular) prompted a search for a replacement.

I nuked VMware off the server and installed Proxmox. I got it up and running with a mix of Windows and Linux VMs (including Windows 11 VMs running on the Opterons in this server, with no gripes about CPU compatibility, TPM availability, or anything…nice!) and a Docker host running some containers. Then I wanted to enable Ceph on Proxmox, but the RAID controller (an HP Smart Array P420i) was getting in the way. Ceph doesn’t like to work with hardware RAID.

I deleted the existing array (eight 600GB drives in RAID-6) and set about to disabling RAID on the controller. This required booting into an OS of some sort (such as a Linux distro on a USB stick) and running a command-line tool…no big deal. When I did that, though, it failed to work at first. The firmware on the card was probably whatever shipped when we bought the server all those years ago. Information I’d read online suggested that a firmware upgrade would support HBA mode, so I set out to take care of that. This post covers two topics:

  1. Upgrading the controller firmware to make HBA mode available. (I’m targeting the Smart Array 420i, but the methods should work for other controllers as long as you can find the firmware and it’s not paywalled by HPE.)
  2. Toggling HBA mode on.

Upgrading the firmware

You’ll need a Windows PE bootable distribution (I used Hiren’s BootCD PE, but any would likely work) and the online firmware flash tool for Windows. (If you have a different controller, you can probably find it through the search box at the second link.) Put each of them on separate USB sticks.

Boot your WinPE stick. Unplug it (it’s running in RAM once you get to the desktop), plug in the stick with the firmware flash tool, and run the tool. It’ll take a few minutes to do its thing, and the server’s fans will start screaming for a bit while the controller firmware is being updated. When done, you’ll be prompted to reboot. Eject the stick and reboot.

Disabling RAID

For this, you’ll need a Debian live install image. Blast it onto a USB stick with the tool of your choice (these days, I normally use the Raspberry Pi Imager for this, even for stuff that’s not ultimately running on a Raspberry Pi). Debian offers several desktop options to choose from; LXDE works and should be lighter than most.

Boot your Debian stick and wait for it to get to the desktop. Open a shell window and enter the following to install ssacli, the command-line tool that manages Smart Array controllers:

sudo bash -l
apt update && apt install -y wget
echo "deb http://downloads.linux.hpe.com/SDR/repo/mcp jammy/current non-free" > /etc/apt/sources.list.d/hp-mcp.list
wget -q -O - https://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/hpPublicKey1024.gpg
wget -q -O - https://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/hpPublicKey2048.gpg
wget -q -O - https://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/hpPublicKey2048_key1.gpg
wget -q -O - https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.gpg
apt update && apt install -y ssacli

With ssacli installed, you can now use it to enumerate the installed controllers:

ssacli ctrl all show

Odds are you’ll just have one controller in slot 0:

Smart Array P420i in Slot 0 (Embedded)    (sn: <REDACTED>)

To enable HBA mode, use this:

ssacli ctrl slot=0 modify hbamode=on

With the 3.xx firmware that was on there previously, this wouldn’t work…it’d gripe about HBA mode not being supported. With the v8.32-0 firmware it’s now running, it should work, and once the card is switched over, any attached drives should now show up as /dev/sdb, /dev/sdc, etc.

Something to keep in mind

I’ve read the constitutions of a number of countries, including the Soviet Union’s. Now, some people are surprised to hear that they have a constitution, and it even supposedly grants a number of freedoms to its people. Many countries have written into their constitution provisions for freedom of speech and freedom of assembly. Well, if this is true, why is the Constitution of the United States so exceptional? 

Well, the difference is so small that it almost escapes you, but it’s so great it tells you the whole story in just three words: We the people. 

In those other constitutions, the Government tells the people of those countries what they’re allowed to do. In our Constitution, we the people tell the Government what it can do, and it can do only those things listed in that document and no others. Virtually every other revolution in history has just exchanged one set of rulers for another set of rulers. Our revolution is the first to say the people are the masters and government is their servant. 

Ronald Reagan, State of the Union Address, 27 January 1987