
Tuesday, October 7, 2025

Debian 13: general nftables with set for web server and router

This is a general nftables ruleset for a host running Apache, SSH, DNS and NTP.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    # Set for common inbound web server ports
    set web_ports {
        type inet_service;
        flags interval;
        elements = { 80, 443 }
    }

    # Set for other essential services, like SSH, DNS, and NTP
    set services {
        type inet_service;
        elements = { 22, 53, 123 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Allow connections that are part of an existing or related session
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow traffic from the loopback interface
        iif "lo" accept

        # Allow incoming traffic for common web services
        tcp dport @web_ports accept

        # Allow incoming SSH, DNS, and NTP traffic
        tcp dport @services accept
        udp dport @services accept

        # Allow incoming ICMP (ping) packets for diagnostics
        # (IPv4 only: ICMPv6, including neighbour discovery, is not matched here)
        icmp type echo-request accept

        # Log and drop any other incoming traffic
        # (a vmap can only map to verdicts, so "log" is a separate statement)
        log prefix "[NFT-DROP]: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

This is an nftables ruleset for a general router:

  • eth0 to internet/router
  • eth1 to LAN

Edit or create /etc/sysctl.conf (for example with nano) and enable IPv4 forwarding:

net.ipv4.ip_forward=1

nftables rules

#!/usr/sbin/nft -f

# Clear all existing rules
flush ruleset

# --- Define variables for interfaces and networks ---
define wan_if = eth0
define lan_if = eth1
define lan_net = 192.168.1.0/24

# === Table for IPv4/IPv6 filtering ===
table inet filter {
    # Set for essential services (SSH, DNS, NTP)
    set essential_services {
        type inet_service;
        elements = { 22, 53, 123 }
    }

    # Set for web server ports
    set web_ports {
        type inet_service;
        flags interval;
        elements = { 80, 443 }
    }

    # Set of trusted interfaces (LAN)
    set trusted_interfaces {
        type ifname;
        elements = { $lan_if }
    }

    # Set of untrusted interfaces (WAN)
    set untrusted_interfaces {
        type ifname;
        elements = { $wan_if }
    }

    # --- INPUT chain: Controls traffic destined for the router itself ---
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept packets that are part of an established or related connection
        ct state established,related accept

        # Drop any packets with an invalid connection state
        ct state invalid drop

        # Allow traffic from the loopback interface
        iif "lo" accept

        # Allow all traffic from the trusted LAN interfaces
        iifname @trusted_interfaces accept

        # Allow incoming SSH, DNS, and NTP from the internet (rate limited)
        # (the limit is shared by all sources matching the rule, not per source address)
        iifname @untrusted_interfaces tcp dport @essential_services limit rate 10/minute accept
        iifname @untrusted_interfaces udp dport @essential_services limit rate 10/minute accept

        # Allow incoming web traffic (Apache) from the internet
        iifname @untrusted_interfaces tcp dport @web_ports accept

        # Allow ICMP (ping) from the internet, but rate-limit it
        iifname @untrusted_interfaces icmp type echo-request limit rate 5/second accept

        # Log and drop everything else coming from untrusted interfaces
        iifname @untrusted_interfaces log prefix "NFT-INET-DROP: "
        iifname @untrusted_interfaces drop

        # Catch-all log and drop for other incoming traffic
        log prefix "NFT-INPUT-DROP: "
        drop
    }

    # --- FORWARD chain: Controls traffic passing *through* the router ---
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Accept packets that are part of an established or related connection
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow outbound traffic from the LAN to the internet
        iifname @trusted_interfaces oifname @untrusted_interfaces accept

        # Log and drop any other forwarded traffic
        log prefix "NFT-FORWARD-DROP: "
        drop
    }

    # --- OUTPUT chain: Controls traffic originating from the server ---
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# === NAT table for IPv4 (needed for internet access from LAN) ===
table ip nat {
    # --- PREROUTING chain: Used for incoming traffic before routing ---
    chain prerouting {
        type nat hook prerouting priority 0;

        # Example: Port forward incoming web traffic from the internet to a specific LAN machine
        # iifname $wan_if tcp dport { 80, 443 } dnat to 192.168.1.100
    }

    # --- POSTROUTING chain: Used for outgoing traffic after routing ---
    chain postrouting {
        type nat hook postrouting priority 100;

        # Masquerade traffic leaving the internet interface
        oifname $wan_if masquerade
    }
}
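
The rulesets above tag dropped packets with the log prefixes [NFT-DROP], NFT-INET-DROP, NFT-INPUT-DROP and NFT-FORWARD-DROP. As an added example (not part of the original post), this shell script summarises such kernel log lines by prefix, source address and destination port; the log lines and the function names sample_log, nft_drop_summary and nft_noisy_sources are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise packets dropped by the rulesets above, keyed on
# their log prefixes. On a live system feed it the kernel log, e.g.
#   journalctl -k --no-pager | nft_drop_summary

# Constructed, abridged sample of kernel log lines (not real traffic).
sample_log() {
cat <<'EOF'
Oct  7 10:15:01 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=23 SYN
Oct  7 10:15:02 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=23 SYN
Oct  7 10:15:04 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=51301 DPT=3389 SYN
Oct  7 10:15:07 gw kernel: NFT-FORWARD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=192.168.1.100 LEN=52 TTL=117 PROTO=TCP SPT=40000 DPT=445 SYN
Oct  7 10:15:09 gw sshd[811]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
Oct  7 10:15:11 web kernel: [NFT-DROP]: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=71 TTL=50 PROTO=UDP SPT=33333 DPT=161 LEN=51
Oct  7 10:15:15 gw kernel: NFT-INPUT-DROP: IN=eth2 OUT= SRC=10.0.0.8 DST=10.0.0.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# nft_drop_summary: read log lines on stdin and print
#   <count> <prefix> <source> <proto>/<dport>
# sorted by count, highest first. Lines without one of the prefixes are ignored.
nft_drop_summary() {
    awk '
    match($0, /\[?NFT-[A-Z-]*DROP\]?: /) {
        # Normalise the prefix: strip brackets and the trailing ": "
        prefix = substr($0, RSTART, RLENGTH)
        gsub(/\[/, "", prefix)
        gsub(/\]/, "", prefix)
        sub(/: $/, "", prefix)

        src = "-"; proto = "-"; dpt = "-"   # ICMP lines carry no DPT
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[prefix " " src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# nft_noisy_sources MIN: print "<count> <source>" for every source address
# with at least MIN dropped packets across all prefixes.
nft_noisy_sources() {
    awk -v min="$1" '
    /NFT-[A-Z-]*DROP/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Run on the constructed sample when executed directly
sample_log | nft_drop_summary
```

Because the input and forward chains log before every drop, a source that repeatedly probes closed ports shows up at the top of the summary.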


Monday, October 6, 2025

Debian 13: How to save an AI solution with mathematical formulas into an ODT file

After you ask an AI and it gives you a solution with mathematical formulas, you cannot directly copy-paste the result into LibreOffice Writer or Microsoft Word.

1. Ask your AI to show the result in LaTeX format.

2. Copy and paste the result into a text file, e.g. example.text.

3. Create an empty ODT file, e.g. output.odt

4. Use pandoc to convert it into ODT.

$ pandoc -f latex -t odt -o output.odt example.text

    if the input file is latin1 encoded, like my text files, the solution is (imo the best output):

$ iconv -f ISO-8859-1 example.text | pandoc -f latex -t odt -o tmp.odt

    WARNING: this command will replace any content in tmp.odt and output.odt. 

5. Now you can open the ODT file with the mathematical formulas.

To install pandoc and iconv (part of libc-bin) 

# apt-get install pandoc libc-bin libreoffice-texmaths

 

Wednesday, October 1, 2025

Moving apache, mariadb and php project from a debian site to other debian site

I want to create a bash script to back up and restore the project (Apache, MariaDB and PHP) easily. I need to work on 2 Debian machines with the same configuration in 2 different locations. I asked duck.ai to solve the problem. Here is the result.

Create a file myconfig.conf

# myconfig.conf
DB_NAME="your_database_name"
DB_USER="your_username"
DB_PASS="your_password"
PROJECT_ROOT="/path/to/your/php/project"  # Add this line

Create bash script mybackup.sh 

#!/bin/bash

# Load database configuration from myconfig.conf
source myconfig.conf

# Create a backup file name for the database
DB_BACKUP_FILE="${DB_NAME}_$(date +%Y-%m-%d).sql"
# Create a zip file name for the project
PROJECT_BACKUP_FILE="$(basename "$PROJECT_ROOT")_backup_$(date +%Y-%m-%d).zip"

# Function to backup the database
backup_database() {
    echo "Backing up database: $DB_NAME"
    # Pass the password via MYSQL_PWD rather than -p"...", so it is not
    # visible in the process list to other local users
    if MYSQL_PWD="$DB_PASS" mysqldump -u "$DB_USER" "$DB_NAME" > "$DB_BACKUP_FILE"; then
        echo "Database backup successful: $DB_BACKUP_FILE"
    else
        echo "Database backup failed!"
        return 1
    fi
}

# Function to zip the project files
zip_project() {
    echo "Zipping project files from: $PROJECT_ROOT"
    local archive="$PWD/$PROJECT_BACKUP_FILE"
    # Zip from the parent directory so the archive holds "<project dir>/..."
    # instead of the full absolute path
    if (cd "$(dirname "$PROJECT_ROOT")" && zip -r "$archive" "$(basename "$PROJECT_ROOT")"); then
        echo "Project backup successful: $PROJECT_BACKUP_FILE"
    else
        echo "Project backup failed!"
        return 1
    fi
}

# Function to restore the database
restore_database() {
    echo "Restoring database: $DB_NAME from $1"
    if MYSQL_PWD="$DB_PASS" mysql -u "$DB_USER" "$DB_NAME" < "$1"; then
        echo "Database restore successful!"
    else
        echo "Database restore failed!"
        return 1
    fi
}

# Function to unzip the project files
unzip_project() {
    echo "Unzipping project files to: $PROJECT_ROOT"
    # The archive holds "<project dir>/...", so extract into the parent directory
    if unzip -o "$1" -d "$(dirname "$PROJECT_ROOT")"; then
        echo "Project restore successful!"
    else
        echo "Project restore failed!"
        return 1
    fi
}

# Check command line arguments
if [ "$1" == "backup" ]; then
    # Only zip the project if the database dump succeeded
    backup_database && zip_project || exit 1
elif [ "$1" == "restore" ]; then
    if [ -z "$2" ] || [ -z "$3" ]; then
        echo "Please provide the SQL backup file and the project zip file to restore from."
        exit 1
    fi
    SQL_BACKUP_FILE="$2"
    PROJECT_BACKUP_FILE="$3"
    restore_database "$SQL_BACKUP_FILE"
    unzip_project "$PROJECT_BACKUP_FILE"
else
    echo "Usage: $0 {backup|restore [sql_backup_file] [project_backup_file]}"
    exit 1
fi

To backup

./mybackup.sh backup

It will create 2 files

  1. zip for backup and restore web root project
  2. sql for backup and restore mariadb database 

To restore

./mybackup.sh restore your_database_backup.sql your_project_backup_file.zip

 

Tuesday, September 30, 2025

Debian 13: how to limit cpu frequency to preserve power or keep cpu cooler

Since Debian 13, cpufreq is being replaced by cpupower. Don't mix using power-profiles-daemon and linux-cpupower. I prefer to use linux-cpupower.

Install 

# apt-get install linux-cpupower

Show available frequency

# cpupower frequency-info
analyzing CPU 1:
  driver: acpi-cpufreq
  CPUs which run at the same hardware frequency: 1
  CPUs which need to have their frequency coordinated by software: 1
  maximum transition latency: 4.0 us
  hardware limits: 1000 MHz - 2.20 GHz
  available frequency steps:  2.20 GHz, 2.00 GHz, 1.80 GHz, 1.60 GHz, 1.30 GHz, 1000 MHz
  available cpufreq governors: performance schedutil
  current policy: frequency should be within 1000 MHz and 2.20 GHz.
                  The governor "schedutil" may decide which speed to use
                  within this range.
  current CPU frequency: 1.30 GHz (asserted by call to hardware)
  boost state support:
    Supported: yes
    Active: no
    Boost States: 2
    Total States: 8
    Pstate-Pb0: 2500MHz (boost state)
    Pstate-Pb1: 2400MHz (boost state)
    Pstate-P0:  2200MHz
    Pstate-P1:  2000MHz
    Pstate-P2:  1800MHz
    Pstate-P3:  1600MHz
    Pstate-P4:  1300MHz
    Pstate-P5:  1000MHz

Available frequency steps are: 2.20 GHz, 2.00 GHz, 1.80 GHz, 1.60 GHz, 1.30 GHz, 1000 MHz. Use frequency 1.8 GHz for all cores:

# cpupower frequency-set -u 1.80GHz
Setting cpu: 0
Setting cpu: 1
Setting cpu: 2
Setting cpu: 3

After applying maximum frequency

# cpupower frequency-info
analyzing CPU 2:
  driver: acpi-cpufreq
  CPUs which run at the same hardware frequency: 2
  CPUs which need to have their frequency coordinated by software: 2
  maximum transition latency: 4.0 us
  hardware limits: 1000 MHz - 2.20 GHz
  available frequency steps:  2.20 GHz, 2.00 GHz, 1.80 GHz, 1.60 GHz, 1.30 GHz, 1000 MHz
  available cpufreq governors: performance schedutil
  current policy: frequency should be within 1000 MHz and 1000 MHz.
                  The governor "schedutil" may decide which speed to use
                  within this range.
  current CPU frequency: 1000 MHz (asserted by call to hardware)
  boost state support:
    Supported: yes
    Active: no
    Boost States: 2
    Total States: 8
    Pstate-Pb0: 2500MHz (boost state)
    Pstate-Pb1: 2400MHz (boost state)
    Pstate-P0:  2200MHz
    Pstate-P1:  2000MHz
    Pstate-P2:  1800MHz
    Pstate-P3:  1600MHz
    Pstate-P4:  1300MHz
    Pstate-P5:  1000MHz

To make it persistent, create or edit /etc/systemd/system/cpu-limit.service

[Unit]
Description=Set CPU power management settings
# latest state runlevel 3 in SysVinit, let CPU run maximum frequency during starting system services
After=multi-user.target
# run after network ready
#After=network.target
# network may not run
#After=sysinit.target

[Service]
Type=oneshot
ExecStart=/usr/bin/cpupower frequency-set -u 2.00GHz
#ExecStart=/usr/bin/cpupower frequency-set --max 2.00GHz
#ExecStart=/usr/bin/cpupower frequency-set -g performance
# You can customize the cpupower command here.
# For example, to set to powersave:
# ExecStart=/usr/bin/cpupower frequency-set -g powersave
# Or to set a specific frequency:
# ExecStart=/usr/bin/cpupower frequency-set -f 2.5GHz

[Install]
WantedBy=multi-user.target

Note: you can copy paste and adjust frequency for your laptop/PC.

Change file permission

# chmod 644 /etc/systemd/system/cpu-limit.service

Reload system daemon

# systemctl daemon-reload
# systemctl enable cpu-limit.service
Created symlink '/etc/systemd/system/multi-user.target.wants/cpu-limit.service' → '/etc/systemd/system/cpu-limit.service'.

Every time you restart, this service will run once to set the maximum frequency.

 

 

Sunday, September 28, 2025

Debian 13: Fresh install dual boot Axioo Hype 5 AMD X6 using usb flash disk with ventoy boot manager installed

Specification Axioo Hype 5 AMD X6:

  • Ryzen™ 5 6600H & grafis Radeon™ 660M
  • 16GB DDR5 RAM & 512GB SSD Gen 3

Shrink your Windows 11 partition. We need 84 GB of free space: 80 GB for Debian / (ext4) and 4 GB for swap. A 500 MB ESP (EFI System Partition) is also required, but Windows 11 has already created it.

Use Windows disk manager and shrink the partition. Fill in

Enter the amount of space in MB 84000 MB

It is good practice to use separate partitions for the Windows system and applications, and for user data.

To install Ventoy boot manager in flash disk follow this.

Insert your USB flash disk containing the Debian 13 net installer with Ventoy installed. Press and hold “Shift” and restart Windows. Release Shift after the laptop has restarted.

Select “Use Device” and choose the USB flash disk to boot.

The Ventoy boot manager will list any ISO files you stored on the flash disk. Choose debian, select “Boot in normal mode”.

The Debian installer starts; follow the instructions. You need an internet connection to install the xfce desktop environment.

At the partition section, choose “Manual”. Create an 80 GB partition of type “ext4” mounted at / and a 4 GB partition of type “Swap”. Write the changes to disk.

Beware, the USB flash disk appears in the partition menu. It is shown as “SCSI1 (0.0.0) (sda)” on my laptop.

In package manager, I choose 

  • Xfce
  • Standard system utility

For special purpose installation choose debian blend. Release of debian pure blend can be read on www.debian.org/blends/.

Finally, restart your laptop. Press F2 to enter the BIOS. In the boot menu, select the debian boot manager first and then windows. Debian grub has the option to enter Windows, not vice versa.

If you wish to select Windows as the default grub selection, edit /etc/default/grub

GRUB_DEFAULT=2

Save it and run

# update-grub

Friday, September 26, 2025

Debian 13: Using Ventoy to create bootable flash disk for multiple ISO

Download ventoy from www.ventoy.net, choose tar.gz. At the time of writing, it was ventoy-1.1.07-linux.tar.gz.

Extract it; it will create the directory ventoy-1.1.07. You can move the directory from Downloads to your home.

To avoid any typo or choosing the wrong storage device, it is recommended to use the GUI. Insert your new or unused flash disk and open the ventoy GUI from a terminal

$ cd ventoy-1.1.07/
$ ./VentoyGUI.x86_64&

It will ask for the root/sudo password. Click Install and you will get a warning that all data will be destroyed and the flash disk will be formatted. Wait until it finishes.

Unmount your flash disk. Remove and reinsert it. You can now add your ISO files to the flash disk.

Note: Do not store your ISO files too deep under subdirectories.

Sample Directory:

Ventoy
-- debian
   -- debian-13.1.0-amd64-netinst.iso
-- windows
   -- 

Note: the size of debian-13.1.0-amd64-netinst.iso is more than 700MB, so it does not fit on a CD-ROM anymore.

Use a USB 3.0 or faster flash disk. I use an Adata USB 3.0 flash disk.

It is hard to find CDs or DVDs in Indonesia. Almost all software is distributed directly from the cloud, with no disk media anymore. Some provide a flash disk installer as part of the package.

 

 

Saturday, September 20, 2025

Debian 13: solving error ring 2 stalled on HP 15-AF109AX AMD A8-7410 APU Radeon R5

Laptop:

AMD A8-7410 APU Radeon R5 GCN 1.2 (Spectre)
HP 15-AF109AX 

Symptom: the screen flickers continuously at some time interval

Dmesg error:

[ 3806.507278] radeon 0000:00:01.0: ring 2 stalled for more than 29348msec
[ 3806.507310] radeon 0000:00:01.0: GPU lockup (current fence id 0x000000000000038f last fence id 0x0000000000000390 on ring 2)

Which non-free firmware? These are the generations of AMD graphics processors:

Use radeon for generations older than GCN and RDNA

Use amdgpu for the Graphics Core Next (GCN) generation

  1. GCN 1.0 Radeon HD 7000
  2. GCN 2.0 Radeon 200
  3. GCN 3.0 Radeon 300
  4. GCN 4.0 Radeon 400/500/600
  5. GCN 5.0 Radeon RX Vega, Radeon VII

Use  ROCm for RDNA

  1. RDNA 1 Radeon RX 5000
  2. RDNA 2 Radeon RX 6000
  3. RDNA 3 Radeon RX 7000
  4. RDNA 4 Radeon RX 8000 

Install the firmware; you need to add the non-free repository

# apt-get install firmware-amd-graphics  

Check firmware loaded

# lspci -k | grep -A 3 VGA
00:01.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Mullins [Radeon R4/R5 Graphics] (rev 45)
    Subsystem: Hewlett-Packard Company Device 80cc
    Kernel driver in use: radeon
    Kernel modules: radeon, amdgpu

or

# lspci -nn | grep VGA

The Mullins Accelerated Processing Units (APUs), which include the Radeon R4/R5 Graphics, use the GCN 1.1 architecture. Search for your own model if necessary. Create/Edit /etc/X11/xorg.conf.d/20-radeon.conf

Section "Device"
    Identifier "AMD Graphics"
    Driver "amdgpu"
    Option "TearFree" "true"
EndSection

If your card is GCN 1.0 and 1.2 ("Southern Islands" or "Sea Islands" cards), for potentially better performance and Vulkan support, you need to add a kernel parameter. Edit /etc/default/grub and add the parameter

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash radeon.cik_support=0 amdgpu.cik_support=1"

Update grub

# update-grub

Example old AMD Graphic

  • Wrestler [Radeon HD 6310] 

google-chrome uses GPU acceleration, which can also cause ring 2 to stall. Disable google-chrome GPU acceleration:

$ google-chrome-stable --disable-gpu --disable-software-rasterizer

Create a script start_chrome.sh to run it

#!/bin/bash
google-chrome-stable --disable-gpu --disable-software-rasterizer "$@" &

Make it executable

$ chmod 764 ./start_chrome.sh

 

Friday, September 19, 2025

Debian 13: using systemd-resolved to replace old way to resolving dns

Install systemd-resolved 

# apt-get install  systemd-resolved

Enable it

# systemctl enable systemd-resolved

Old-fashioned /etc/resolv.conf

# Generated by NetworkManager
nameserver 45.90.28.186
nameserver 8.8.8.8
nameserver 1.1.1.1

Edit the configuration file /etc/systemd/resolved.conf

[Resolve]
DNS=45.90.28.186 8.8.8.8 1.1.1.1
DNSOverTLS=yes

Optional

[Resolve]
DNS=45.90.28.186 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
DNSOverTLS=yes

Enable systemd-resolved in Network Manager, edit /etc/NetworkManager/NetworkManager.conf 

[main]
plugins=ifupdown,keyfile
dns=systemd-resolved

Restart Network Manager

# systemctl restart NetworkManager

Restart systemd-resolved

# systemctl restart systemd-resolved

Test it

# nslookup duckduckgo.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    duckduckgo.com
Address: 20.43.161.105

Done. This configuration can be used to protect your DNS resolution from DNS query hijacking.

Handy diagnostics guide:  

Dig

# dig duckduckgo.com @1.1.1.1 +short
safe.duckduckgo.com.
202.169.44.80

Nslookup

# nslookup duckduckgo.com 8.8.8.8
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
duckduckgo.com    canonical name = safe.duckduckgo.com.
Name:    safe.duckduckgo.com
Address: 202.169.44.80
Name:    safe.duckduckgo.com
Address: 2404:8000:11:2::2 

Whois

# whois 202.168.44.80 
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '202.168.0.0 - 202.168.63.255'

% Abuse contact for '202.168.0.0 - 202.168.63.255' is 'hostmaster@tpgtelecom.com.au'

inetnum:        202.168.0.0 - 202.168.63.255
netname:        TPG-AU
descr:          TPG Internet Pty Ltd.
country:        AU
org:            ORG-TIPL2-AP
admin-c:        TH178-AP
tech-c:         TH178-AP
abuse-c:        AT937-AP
status:         ALLOCATED PORTABLE
remarks:        Australian Internet Service Provider (ISP)
remarks:        http://www.tpg.com.au

Curl

# curl -I https://www.duckduckgo.com
curl: (7) Failed to connect to www.duckduckgo.com port 443 after 4129 ms: Could not connect to server

Note: curl and whois show duckduckgo.com being directed to the wrong address.

Tuesday, September 16, 2025

Debian 13: UEFI partition during installation process

Beginning in 2011, computer manufacturers moved to UEFI and left BIOS behind. Today, a system with UEFI must have a separate EFI System Partition (ESP).

The ESP contains the boot loader that starts the operating system. One ESP may contain several boot loaders for different operating systems. The ESP size for Windows and Debian is 500MB, to avoid problems when updates occur. This means that for multiple OSes with different boot loaders, the ESP needs to be bigger.

During Debian installation, at the partition configuration step, create:

  • size: 500 MB or bigger
  • type: "EFI System Partition (ESP)", "EFI System Partition" or similar

All partitions required in Debian 13 system are:

  1. ESP: 500MB or bigger, will be marked boot sector 0xEE
  2. Swap: 2 times physical memory. IMO, for physical memory more than 16GB, swap size equal to physical memory or less.
  3. Root partition for a single mount point /, or custom partitions.

There are 3 types of boot process, with their time periods:

  1. BIOS: old PC
  2. BIOS + GPT PC 2000-2020 
  3. ESP + GPT PC > 2020 

Wednesday, September 3, 2025

Debian 13: troubleshooting connecting to wifi using cmd nmcli

I prefer to use the command line because most servers do not have a window manager installed. I need to be familiar with the command line in any situation.

To show wifi radio enable

# nmcli radio wifi
enabled

To turn on radio wifi

# nmcli radio wifi on

To list available wifi

# nmcli device wifi list
IN-USE  BSSID              SSID   
...

To rescan available wifi

# nmcli dev wifi rescan

To connect to wifi access point

# nmcli device wifi connect "[your_SSID]" password "[your_password]"
...

To show connection

# nmcli connection show
NAME                UUID                                  TYPE      DEVICE
...

Note: the parameter dev is short for device

Tuesday, September 2, 2025

Debian 13 icewm/openbox/fluxbox: using pavucontrol & pulseaudio

 Install pavucontrol & pulseaudio

# apt-get install pavucontrol pulseaudio
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
...

To run pavucontrol in terminal

$ pulseaudio&


Wednesday, August 27, 2025

Debian 13: install OpenBox, Fluxbox and IceWM with XFCE installed

Hardware:

  • HP 15-AF109AX
    AMD A8-7410 APU 
  • ASUS EEE PC 1215B
    AMD E-350 Processor

Compare 

Feature           Fluxbox       Openbox        IceWM
RAM idle          ~60–100 MB    ~80–120 MB     ~80–150 MB
Panel             n/a           n/a            Yes
Toolbar           n/a           tint2          Yes, like Windows 95
Access menu       Right Click   Right Click    Toolbar like Windows 95
Application list  Manual only   Auto populate  Auto populate

To install fluxbox is straight forward.

# apt-get install fluxbox
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

To install openbox is straight forward.

# apt-get install openbox
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libid3tag0 libimlib2t64 libobrender32v5 libobt2v5 libspectre1 obconf scrot 

To install icewm is straight forward.

# apt-get install icewm
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

To switch your desktop to OpenBox, Fluxbox or IceWM, log out and use the tool at the top-right icon to select openbox.

Right click to open the application menu and launch applications. It is an old-fashioned Unix desktop terminal. If you ever used a Solaris 8.0 workstation, it looks very close. In Fluxbox, installed applications need to be run by command in a bash shell.

Do not remove XFCE (or your existing window manager) if you are not familiar with OpenBox, Fluxbox or IceWM. You can switch to XFCE (or your existing window manager) or openbox anytime you want.

NOTE: Do not expect performance like a new PC; office applications like libreoffice require processor power to speed up.

Monday, August 25, 2025

Debian 13: python3 setting virtual environment

Run once

Installing packages

As root

# sudo apt install python3 python3-pip python3-venv

As user, for example user1

We create a folder to store python3 packages for user1; the folder name is mypyenv

$ mkdir mypyenv
$ cd mypyenv
~/mypyenv$  python3 -m venv venv
~/mypyenv$ ls
venv

Every time entering virtual environment use this command

$ cd mypyenv
~/mypyenv$ source venv/bin/activate
(venv) [user]@[host]:~/mypyenv$

To exit virtual environment

(venv) [user]@[host]:~/mypyenv$ deactivate
~/mypyenv$ 

Note

  1. Put every Python project under the virtual environment directory; for this example I used mypyenv.
  2. A user can have multiple virtual environments, one for each project. Each project must have a single entry point to the root folder.

References: chatgpt.com gemini.google.com

Friday, August 15, 2025

Debian 13: upgrading ASUS Eee PC 1215B from Debian 11 to Debian 13

ASUS Eee PC 1215B Release April 2011
AMD E-350 dual-core 1.6 GHz
AMD Radeon HD 6310 graphics 1366x768
Ram DDR3

It is recommended to use a shell: during the upgrade, the desktop environment may restart and cause a screen lock.

To get into a shell, after the desktop login menu appears, press Ctrl + Alt + F1. To switch back to the desktop, press Ctrl + Alt + F7.

Edit /etc/apt/sources.list

#main
# 11 to 12
deb https://deb.debian.org/debian bookworm main contrib non-free-firmware non-free
# 12 to 13
#deb https://deb.debian.org/debian trixie main contrib non-free-firmware non-free

#mirror auto
# 11 to 12
deb http://mirror.unair.ac.id/debian bookworm main contrib
# 12 to 13
#deb http://mirror.unair.ac.id/debian trixie main contrib

#security
# 11 to 12
deb https://security.debian.org/debian-security bookworm-security main contrib non-free-firmware non-free
# 12 to 13
#deb https://security.debian.org/debian-security trixie-security main contrib non-free-firmware non-free

#update
# 11 to 12
deb https://deb.debian.org/debian bookworm-updates main contrib non-free-firmware non-free
# 12 to 13
#deb https://deb.debian.org/debian trixie-updates main contrib non-free-firmware non-free

#backport
# 11 to 12
deb http://deb.debian.org/debian bookworm-backports main
# 12 to 13
#deb http://deb.debian.org/debian trixie-backports main

As mentioned on the official Debian website, you cannot upgrade directly from Debian 11 to Debian 13. You need to upgrade in sequence.

Upgrade Debian 11 to Debian 12

Edit /etc/apt/sources.list: remove '#' from any line containing bookworm and add '#' to any line containing trixie.

  1. Update Repository
    # apt-get update
  2. Take full upgrade
    # apt full-upgrade
  3. Restart and perform clean up
    # apt-get autoclean && apt-get autoremove -y

This took 2 hours and 30 minutes.

This error occurred when we only performed apt upgrade --without-new-pkgs, restarted, and upgraded to Debian 13

Preparing to unpack .../base-files_13.8_amd64.deb ...


******************************************************************************
*
* The base-files package cannot be installed because
* /bin is a directory, but should be a symbolic link.
*
* Please install the usrmerge package to convert this system to merged-/usr.
*
* For more information please read https://wiki.debian.org/UsrMerge.
*
******************************************************************************


dpkg: error processing archive /var/cache/apt/archives/base-files_13.8_amd64.deb
 (--unpack):
 new base-files package pre-installation script subprocess returned error exit s
tatus 1
Errors were encountered while processing:
 /var/cache/apt/archives/base-files_13.8_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Upgrade Debian 12 to Debian 13

Edit /etc/apt/sources.list: add '#' to any line containing bookworm and remove '#' from any line containing trixie.

  1. Update Repository
    # apt-get update
  2. Take full upgrade
    # apt full-upgrade
  3. Restart and perform clean up
    # apt-get autoclean && apt-get autoremove -y

This took 3 hours to upgrade 1.945 packages with size 1.388 MB.

Total hours are 5 hours and 30 minutes, with all applications upgraded to latest version.

Thursday, August 14, 2025

Debian 13: Ops, something is wrong during upgrading from Debian 12 to Debian 13

If something goes wrong during the upgrade from Debian 12 to Debian 13 and the installation does not finish, here is how I solved it.

In my case, the screen got locked, so I needed to power off manually and restart the laptop.

A normal boot into Linux won't work. If possible, in the grub menu select "Advanced Option" and then "Recovery Mode". If you cannot get into the grub menu, you need to use a Debian rescue CD/USB; I use the minimal one (net install CD).

If you use the CD/USB, you will rescue your Debian using chroot.

To repair grub using the CD/USB, you need to enter your drive.

To repair a broken upgrade using the CD/USB, you need to select your Debian partition and mount the /boot partition.

If you are using the CD/USB rescue, type exit to leave the chroot when the repair has completed.

Command to repair broken upgrade process:

# dpkg --configure -a
....
# apt --fix-broken install 
....
# apt full-upgrade
...
# update-grub
...
# grub-install /dev/sda
....

To manage boot efi using efibootmgr

# apt install efibootmgr
# efibootmgr
BootCurrent: 0002
Timeout: 5 seconds
BootOrder: 0001,3001,0002,2001,2002,2003
Boot0001* Windows Boot Manager    HD(2,GPT,41ed4da9-8f99-445d-b3dc-d37f4ad717da,0x109000,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000061000100000010000000040000007fff0400
Boot0002* debian    HD(2,GPT,41ed4da9-8f99-445d-b3dc-d37f4ad717da,0x109000,0x32000)/File(\EFI\debian\shimx64.efi)
Boot2001* USB Drive (UEFI)    RC
Boot2002* Internal CD/DVD ROM Drive (UEFI)    RC
Boot3000* Internal Hard Disk or Solid State Disk    RC
Boot3001* Internal Hard Disk or Solid State Disk    RC
Boot3002* Internal Hard Disk or Solid State Disk    RC
# efibootmgr --bootorder 0002,0001

Laptop HP Model 15-af109AX: the boot manager is handled by the BIOS. This model may not be supported in Debian 13 (no problem in Debian 12); I cannot change the boot order using BIOS or efibootmgr. To select the boot loader, you need to press the F9 button.



 


Wednesday, August 13, 2025

Debian 13: upgrade from debian 12 bookworm to debian 13 trixie

It is recommended to use a shell: during the upgrade, the desktop environment may restart and cause a screen lock.

To get into a shell, after the desktop login menu appears, press Ctrl + Alt + F1. To switch back to the desktop, press Ctrl + Alt + F7.

Current version

# cat /etc/debian_version
12.11

Edit /etc/apt/sources.list

#deb cdrom:[Debian GNU/Linux 12.0.0 _Bookworm_ - Official amd64 NETINST with firmware 20230610-10:21]/ bookworm main non-free-firmware

#main
#deb https://deb.debian.org/debian bookworm main contrib non-free-firmware non-free
deb https://deb.debian.org/debian trixie main contrib non-free-firmware non-free

#mirror auto
#deb http://httpredir.debian.org/debian bookworm main contrib
deb http://httpredir.debian.org/debian trixie main contrib

#security
#deb https://security.debian.org/debian-security bookworm-security main contrib non-free-firmware non-free
deb https://security.debian.org/debian-security trixie-security main contrib non-free-firmware non-free

#update
#deb https://deb.debian.org/debian bookworm-updates main contrib non-free-firmware non-free
deb https://deb.debian.org/debian trixie-updates main contrib non-free-firmware non-free

#backport
#deb http://deb.debian.org/debian bookworm-backports main
deb http://deb.debian.org/debian trixie-backports main
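
A pre-flight check for the edited file, as an added example that is not part of the original post: it reports any active entry that still points at another release and confirms that a trixie-security entry is present. The function name check_sources and the sample file are constructed for illustration, and only the one-line sources.list format shown above is handled.

```shell
#!/bin/sh
# check_sources FILE CODENAME  (hypothetical helper, not a Debian tool)
# Reads a one-line-style sources.list and reports active entries whose suite
# is neither CODENAME nor CODENAME-<something>, and a missing
# CODENAME-security suite. Returns 0 when the file is consistent.
check_sources() {
    awk -v rel="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # skip an optional [ option=value ... ] field (may span words)
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)                   # $i is the URI, then the suite
            if (suite != rel && index(suite, rel "-") != 1) {
                printf "line %d: suite \"%s\" is not %s\n", NR, suite, rel
                bad = 1
            }
            if (suite == rel "-security") sec = 1
        }
        END {
            if (!sec) { printf "no active %s-security entry\n", rel; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: one backports entry was missed during the edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#deb https://deb.debian.org/debian bookworm main contrib
deb https://deb.debian.org/debian trixie main contrib non-free-firmware non-free
deb https://security.debian.org/debian-security trixie-security main contrib
deb http://deb.debian.org/debian bookworm-backports main
EOF
check_sources "$sample" trixie || echo "fix the entries above before apt-get update"
rm -f "$sample"
```

Run it against /etc/apt/sources.list and each file in /etc/apt/sources.list.d/; third-party repositories that use their own suite names are reported too and need a manual look.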

Updating repository

# apt-get update
Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease                 
Hit:2 https://deb.debian.org/debian trixie InRelease                           
Hit:3 https://security.debian.org/debian-security trixie-security InRelease   
Hit:4 https://deb.debian.org/debian trixie-updates InRelease                   
Hit:5 http://deb.debian.org/debian trixie-backports InRelease                 
Hit:6 http://httpredir.debian.org/debian trixie InRelease   
Reading package lists... Done

Performing minimal upgrade

# apt upgrade --without-new-pkgs

During the minimal upgrade, your system may ask to restart some services; allow it. Take some coffee.....

Restart your Debian. This is optional; it just makes sure the system runs properly after the minimal upgrade.

Performing full upgrade

# apt full-upgrade

The full upgrade may take some time.

Restart your Debian and perform clean up

# apt-get autoclean && apt-get autoremove -y
...
$ cat /etc/debian_version
13.0
$ uname -an
Linux hpkakiang 6.12.38+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.38-1 (2025-07-16) x86_64 GNU/Linux



Sunday, August 10, 2025

Debian 13: trixie release


NOTE: 

  1. Debian 13 trixie does not support the i386 architecture. Users running i386 systems should not upgrade to trixie. You can run 32-bit applications on Debian 13 trixie using 32-bit support.
  2. Debian 12 bookworm does not cover any i586 processor; the minimum processor requirement is i686.
  3. Debian 11 bullseye is the latest version that supports i386.

Debian 13 trixie release uses Linux kernel 6.12 LTS series.

Debian 13 trixie ships with several desktop environments, such as:

  1. GNOME 48
  2. KDE Plasma 6.3
  3. LXDE 13
  4. LXQt 2.1.0
  5. Xfce 4.20

A total of seven architectures are officially supported for trixie:

  1. 64-bit PC (amd64),
  2. 64-bit ARM (arm64),
  3. ARM EABI (armel),
  4. ARMv7 (EABI hard-float ABI, armhf),
  5. 64-bit little-endian PowerPC (ppc64el),
  6. 64-bit little-endian RISC-V (riscv64),
  7. IBM System z (s390x)

Reference: www.debian.org/News/2025/20250809

Saturday, August 9, 2025

Unix-like OS not based on Linux

Linux is a very popular open-source Unix-like operating system. There are also open-source Unix-like operating systems that are not based on Linux and are still actively developed. They are:

  1. FreeBSD
    Focus: Performance, advanced networking, storage
    Use Cases: Servers, firewalls, storage appliances (e.g., TrueNAS)
  2. OpenBSD
    Focus: Security, correctness, simplicity
    Known for: Secure-by-default policies, clean codebase
  3. NetBSD
    Focus: Portability — runs on almost any architecture
    Use Cases: Embedded systems, research, legacy hardware
  4. DragonFly BSD
    Focus: Performance, advanced file system (HAMMER2), scalability
  5. illumos
    Descendant of: OpenSolaris (which was derived from UNIX System V)
  6. OpenIndiana
    Goal: Desktop/server OS based on illumos
  7. SmartOS
    Focus: Cloud-native virtualization with zones, ZFS, DTrace
  8. MidnightBSD
    Fork of FreeBSD, focused on desktop use
  9. Darwin
    Apple's open-source core of macOS (not a complete OS itself)
    Basis for macOS and iOS

Most of those operating systems are intended to run as servers connected directly to the internet, with advanced stability and security.

Thursday, July 17, 2025

Debian 12: KVM Virtualization - creating guest (part 3)

To show the OS variants available for a guest

$ virt-install --osinfo list | grep arch
archlinux

To use a bridge, create /etc/qemu/bridge.conf if it does not exist and set the setuid bit on /usr/lib/qemu/qemu-bridge-helper
# mkdir /etc/qemu
# touch /etc/qemu/bridge.conf
# echo "allow br0" >> /etc/qemu/bridge.conf
# chmod u+s /usr/lib/qemu/qemu-bridge-helper
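
Because the helper is setuid root, /etc/qemu/bridge.conf is what limits which bridges unprivileged users can attach guests to. The following added example (not from the original post) evaluates such a file for one bridge; it assumes the helper's ACL behaviour is default deny with a matching deny overriding any allow, and the function name bridge_acl_check and the sample file are constructed.

```shell
#!/bin/sh
# bridge_acl_check CONF BRIDGE  (hypothetical helper, not part of QEMU)
# Evaluates a bridge.conf-style ACL for BRIDGE under the assumed rules:
# nothing is allowed unless an "allow" line matches, and any matching
# "deny" line wins. Prints warnings and a verdict; returns 0 if allowed.
bridge_acl_check() {
    awk -v br="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        $1 == "allow" && $2 == "all" {
            allow = 1
            printf "warning: line %d allows every bridge\n", NR
            next
        }
        $1 == "allow" && $2 == br { allow = 1; next }
        $1 == "deny" && ($2 == "all" || $2 == br) { deny = 1; next }
        $1 == "include" {
            printf "note: line %d includes %s (not followed here)\n", NR, $2
            next
        }
        $1 != "allow" && $1 != "deny" {
            printf "warning: line %d not understood: %s\n", NR, $0
        }
        END {
            ok = (allow && !deny)
            verdict = ok ? "allowed" : "denied"
            printf "%s: %s\n", br, verdict
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: br0 is allowed explicitly, but "allow all" also opens
# every other bridge except br1.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample
allow br0
allow all
deny br1
EOF
bridge_acl_check "$conf" br0
bridge_acl_check "$conf" br1 || true
bridge_acl_check "$conf" virbr0
rm -f "$conf"
```

With only the `allow br0` line written by the commands above, the same check reports every other bridge as denied.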

To create a guest named guest01 with a 10 GB disk, 2 GB of RAM (2048), 2 virtual processors, OS variant Debian 12 (not available, so we use debian11), booting from an ISO file:

$ virt-install \
  --name guest01 \
  --memory 2048 \
  --vcpus 2 \
  --disk path=/home/dedetok/guests/guest01.qcow2,size=10,bus=virtio \
  --cdrom /home/dedetok/Downloads/debian-12.11.0-amd64-netinst.iso \
  --nonetworks \
  --os-variant debian11 \
  --virt-type kvm

Parameters:

  • --name: name to identify the guest
  • --memory: guest memory in megabytes
  • --vcpus: number of virtual CPUs for the guest
  • --disk: path=<path_to_disk_image>,size=<disk_size_in_gb>,bus=virtio
    virtio is the standard interface for virtual machines; it improves VM network performance
  • --cdrom: install from an ISO file or CD/DVD/USB
  • --nonetworks: create the guest without a network interface, so nothing is updated or installed from the internet
    or
    --network bridge=br0,model=virtio to use a bridge network, see part 2
    For the bridge, see the Network bridge section

Options:

  1. Graphics option
    • --graphics vnc: Enables VNC for graphical access. If virt-viewer is installed, it will automatically launch. If not, you'll need to manually connect using a VNC client like vinagre or remmina.
    • --graphics spice: Enables SPICE for graphical access. SPICE is generally considered more modern and efficient than VNC.
    • --graphics none: Disables graphical access and forces a text-mode installation using the serial console.
  2. Disk option
    • Default folder for virtual disk /var/lib/libvirt/images/
      qcow2 offers features that raw (or img) doesn't:
      1. Snapshots: qcow2 allows you to create snapshots of your virtual machine's disk, enabling easy rollback to previous states.
      2. Compression: It can compress the disk image, potentially saving storage space.
      3. Sparse files: qcow2 supports sparse files, meaning it only allocates disk space for used portions of the image, which can be more efficient.
    • raw format (or just img when using virt-install) has no special features:
      It simply represents the raw data of the disk, which can be less flexible and potentially wasteful of disk space.

To show version
$ virsh version
Compiled against library: libvirt 9.0.0
Using library: libvirt 9.0.0
Using API: QEMU 9.0.0
Running hypervisor: QEMU 7.2.17

Managing VM

To list guest VMs
$ virsh list --all

Connect to vm
$ virsh console [vm_name]
or using virt-viewer
$ virt-viewer [vm_name]

To edit vm
$ virsh edit [vm_name]

To start vm
$ virsh start [vm_name]

To restart a VM
$ virsh reboot [vm_name] --mode initctl

To force a VM to stop
$ virsh destroy [vm_name]

To shut down a VM (ACPI request)
$ virsh shutdown [vm_name] --mode acpi

To suspend a VM
$ virsh suspend [vm_name]

To resume a VM after suspend
$ virsh resume [vm_name]

To reset a VM (similar to pressing the reset button on a physical PC)
$ virsh reset [vm_name]

Restarting KVM Daemon
# systemctl restart libvirtd

To remove a VM and its storage permanently
$ virsh undefine --managed-save --remove-all-storage [vm_name]

To make a VM start automatically after the host restarts (run once)
$ virsh autostart [vm_name]

Network bridge

Network configuration file:

  1. /etc/libvirt/qemu/networks/default.xml for active configuration
  2. /usr/share/libvirt/networks/default.xml for template

To enable network bridge for guest:

  1. turn up bridge interface
  2. list all network using virsh net-list
  3. if list is empty, define default network and edit default network to use existing bridge
  4. start network bridge

To turn up bridge interface
# ifup br0

To show bridge interface
# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.9aa237b1bcc8    no        enp2s0

To show network bridge (if list empty, see define default network)
$ virsh net-list --all

To define default network
$ virsh net-define /usr/share/libvirt/networks/default.xml

To undefined default network
$ virsh net-undefine default

To edit default network
$ virsh net-edit default

Change the default network using the edit command above
<network>
  <name>default</name>
  <uuid>84b29e1f-b2c3-4230-bc21-fba0143c026c</uuid>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>

To start network bridge
$ virsh net-start default

To auto start network bridge
$ virsh net-autostart default

To add a bridge network to a VM manually, edit the VM and add
<domain type='kvm'>
...
 <devices>
    <interface type='bridge'>
      <mac address='52:54:00:87:65:f6'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
...

References:

  • wiki.debian.org/KVM
  • wiki.debian.org/DebianInstaller/Preseed
  • wiki.debian.org/BridgeNetworkConnections


Sunday, June 29, 2025

Debian: repair micro SD card command line

Detect your micro SD card

# dmesg
[  482.261836] scsi 1:0:0:0: Direct-Access     Multiple Card  Reader     1.00 PQ: 0 ANSI: 0
[  482.265756] sd 1:0:0:0: Attached scsi generic sg1 type 0
[  483.034812] sd 1:0:0:0: [sdb] 3911680 512-byte logical blocks: (2.00 GB/1.87 GiB)
[  483.036904] sd 1:0:0:0: [sdb] Write Protect is off
[  483.036931] sd 1:0:0:0: [sdb] Mode Sense: 03 00 00 00
[  483.038288] sd 1:0:0:0: [sdb] No Caching mode page found
[  483.038321] sd 1:0:0:0: [sdb] Assuming drive cache: write through
[  483.058653]  sdb: sdb1
[  483.066093] sd 1:0:0:0: [sdb] Attached SCSI removable disk
# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0 298.1G  0 disk
├─sda1   8:1    0 103.6G  0 part
├─sda2   8:2    0   450M  0 part
├─sda3   8:3    0     1K  0 part
├─sda5   8:5    0 120.2G  0 part
├─sda6   8:6    0     2G  0 part [SWAP]
└─sda7   8:7    0  71.8G  0 part /
sdb      8:16   1   1.9G  0 disk
└─sdb1   8:17   1   1.9G  0 part 

Repair file system micro SD card

# umount /dev/sdb1
umount: /dev/sdb1: not mounted.
# umount /dev/sdb
umount: /dev/sdb: not mounted.
# fsck.vfat -a -w /dev/sdb1

Options:

  • -a : automatically repair the filesystem
  • -w : write changes to disk immediately

Format the card if there is no data you can save and you want fresh storage on the micro SD card

# mkfs.vfat /dev/sdb1
mkfs.fat 4.2 (2021-01-31)