To the extent possible under law, Per Jensen has waived allcopyright and related or neighboring rights to this work.
> set FLASH=Secondary > set BootDrive=81 80 F0 FF # For stock kernels echo "options libata force=short40c,1.1:mwdma2" > /etc/modprobe.d/libata.conf update-initramfs -u # For custom kernels append="libata.force=short40c,1.1:mwdma2" # Second Gotcha, Debian Installer messes up GRUB2/MBR dpkg-reconfigure grub-pcSo if that's the reason you are reading this, congratulations, you can stop reading now...
dd if=/dev/sdc|gzip>myImage.img.gzNotice we compress the data on-the-fly with gzip, as gigabyte files can be quite unwieldy. When we want to restore our box, we can simply write that image out again, or we can configure a completely new box, like so:
zcat myImage.gz|dd of=/dev/sdcThis process takes roughly a minute or two per gigabyte. This is quite the steal, compared to repeating the steps in this guide, each taking as much as an hour.
sudo minicom -sReplicate the following settings:
sudo minicomThis will bring you to the main screen. To exit hit "ctrl+a" followed by "q". Try doing this now, then connect a Soekris box and power it on. You should now see a bunch of text flickering across the screen, if you don't, try changing the serial port, mess around in your bios, load random modules and pray. Hint: /dev/ttyS0 is synonym for COM1, for USB try /dev/ttyUSB0 or /dev/ttyACM0. You can usually find out the name of the tty device using dmesg, e.g. "dmesg|grep serial".
> set ConSpeed=19200 > set PCIROMS=Enabled > set PXEBoot=Enabled > set FLASH=Secondary > set BootDelay=3 > set BootDrive=81 80 F0 FFVerify the settings with "show" before rebooting. Re-verify after reboot (ctrl+p), as the BootDrive setting sometimes doesn't stick. Normally you would just pop in a prepared CF and connect over Ethernet. However, this reference is divided into stages, the first one being the initial installation. So, how do we install a new Debian system onto an empty CF when there is no CD/FD/USB boot support?
boot f0F0(zero) is the BIOS code for eth0 (the first Ethernet port), like 0x80 for primary IDE, 0x81 for secondary, etc.. Make sure a cable is connected first. You will now see something like:
CLIENT MAC ADDR: 00 00 24 C8 B2 10Those numbers are important and you should write them down, it is the MAC address of the Ethernet device, which we will use to configure the DHCP server to hand out the necessary information to begin the installation.
apt-get install isc-dhcp-server tftpd-hpa nano /etc/dhcp/dhcpd.confHere is an example dhcpd.conf, modify to fit your needs:
authoritative;
ddns-update-style interim;
option domain-name-servers 10.0.0.1;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.101 10.0.0.199;
option domain-name "home";
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option domain-name-servers 10.0.0.1;
option routers 10.0.0.1;
default-lease-time 259200;
max-lease-time 518400;
}
host soekris {
filename "pxelinux.0";
server-name "10.0.0.1";
next-server 10.0.0.1;
hardware ethernet 00:00:24:c8:b2:10;
fixed-address 10.0.0.90;
}
host mybox {
hardware ethernet 00:00:00:00:00:42;
fixed-address 10.0.0.42;
}
Replace the MAC address (hardware ethernet) with the one we got from the previous step. Be sure to use the correct syntax (lower case, colons instead of spaces). Server-name refers to the TFTP server, usually the same box. The filename referenced is pxelinux.0, which is the default name for Debian net-installers. So let's set that up now.
We'll start by fetching a Debian netboot image and configure it for serial console @19200n8.
wget http://ftp.dk.debian.org/debian/dists/wheezy/main/installer-i386/current/images/netboot/netboot.tar.gz tar zxvf netboot.tar.gz -C /srv/tftp rm netboot.tar.gz /srv/tftp/pxelinux.cfg mkdir /srv/tftp/pxelinux.cfgRemember to restart the dhcp server:
cat >> /srv/tftp/pxelinux.cfg/default << EOF DEFAULT soekris LABEL soekris kernel debian-installer/i386/linux append vga=normal initrd=debian-installer/i386/initrd.gz -- quiet console=ttyS0,19200n8 PROMPT 0 TIMEOUT 0 EOF
/etc/init.d/isc-dhcp-server restartWe are now ready to start the installation, returning to the Soekris box enter the BIOS (ctrl + p) and type "boot f0".
1. Language, Country and Locale: English, Denmark, en_US.UTF8 2. Network: eth0, dhcp, soekris, home, ftp.dk.debian.org no proxy 3. Partitioning: Manual, the following scheme was used: sdb1 (CF) as max size Primary (Beginning) ext3 for / with noatime option. Continue despite lack of swap (choose no when asked) 4. Password: Root password is set to "changeme" (hint hint, nudge nudge) 5. Users: Forced on us, so we make a "randomdent" and delete it when done. 6. Software selection: Standard, ssh. We want a mostly clean system. 7. Grub: Yes and yes, unfortunately, installer is bugged and installs to wrong MBR, so: 8. Do not hit <continue>, instead, <Go Back> and select "Execute a shell": # installer mounts root on /target, and a dev/ on top of it mount --bind /proc /target/proc mount --bind /sys /target/sys chroot /target /bin/bash --loginIf you accidently rebooted (and the CF is a dud), don't worry, just follow the next chapter to get back into a working chroot, and then come back here.
# If an invalid libata.force option is used, the kernel will just panic! # So this option must only be used on a net5501 featuring both a CF and HD. echo "options libata force=short40c,1.1:mwdma2" > /etc/modprobe.d/libata.conf # Try not to mess with the .force, the documentation is wrong, the syntax broken, kernel, panic.Next we optimize the initrd, the Soekris has trouble working with large initrd's (and initrd's won't work in anything but GRUB2 either, at least as of Wheezy), revert to using device names instead of UUID's, update the initrd, and re-install GRUB to, heck, to ALL MBR's, it's the only way to be safe against random GRUB freezes.
sed -i 's/MODULES=most/MODULES=dep/' /etc/initramfs-tools/initramfs.conf #sed -i 's/#GRUB_DISABLE_LINUX_UUID=true/GRUB_DISABLE_LINUX_UUID=true/' /etc/default/grub # Update the INITRD update-initramfs -u # The Debian Installer will probably mess up the device.map # Verify the order, the CF should be hd1, manually correct if wrong grub-install --recheck /dev/sdb nano /boot/grub/device.map # Be Safe, check off all MBR's, otherwise GRUB2 can confuse itself and freeze! # It should automatically run "update-grub" for you as well. dpkg-reconfigure grub-pc exit exitFinish and Reboot.
dmesg|grep ata|grep configuredIf it says something like MWDMA2 for 1.1 and UDMA/100 for 1.0, then you're golden. If however 1.0 has been set to an abysmal PIO4, then you're effed. That means you have a CF card that the Soekris box simply cannot work with, and although your box is usable, your HD will be very slow. I highly recommend simply buying a new CF at this stage and starting over. You are of course welcome to play with libata force settings (remember to rebuild the initrd), your best bet is probably libata dma=1 instead of force, however, last I tried, I tried all combinations, and no luck, sorry.
userdel -r randomdent rm /etc/udev/rules.d/70-persistent-net.rules rm /lib/udev/rules.d/75-persistent-net-generator.rulesIf you've successfully rebooted and things seems to be working, well, that makes what we have right now a pristine system, and that is a really good place to take a break, "halt" the system, and image it:
dd if=/dev/sdc|gzip>soekris-pristine.img.gzYou don't have to, of course, but you might thank yourself later, as the above steps can be very tedious to reproduce.
mkdir /target mount /dev/sdb1 /target mount --bind /dev /target/dev mount --bind /proc /target/proc mount --bind /sys /target/sys chroot /target /bin/bash --login # grub2 nano /etc/default/grub nano /boot/grub/device.map update-grub # || grub-install /dev/sdb # || dpkg-reconfigure grub-pc # grub1 nano /boot/grub/menu.lst grub-install /dev/sdb # lilo nano /etc/lilo.conf lilo # extlinux nano /boot/extlinux.conf cat /usr/lib/extlinux/mbr.bin > /dev/sdb # fsck fsck.ext3 /dev/sdb exit rebootIf the boot-loader actually works, you are generally better off just using single-user mode for repairs (that would be the "recovery mode" entry in grub2, for others, or in general, just append "1" to the boot options). If the filesystem checks out, you can remount it read-write like so:
mount -o remount,noatime,rw /
sed -i 's/#FSCKFIX=no/FSCKFIX=yes/' /etc/default/rcS sed -i 's/#RAMLOCK=yes/RAMLOCK=no/' /etc/default/tmpfs sed -i 's/#RAMSHM=yes/RAMSHM=no/' /etc/default/tmpfs sed -i 's/#RAMTMP=no/RAMTMP=yes/' /etc/default/tmpfs tune2fs -c 0 -i 0 /dev/sdb1 tune2fs -c 0 -i 0 /dev/sda1With root on flash, it is possible to keep the hd powered down most of the time:
apt-get install hdparm
cat >> /etc/hdparm.conf << EOF
/dev/sda {
spindown_time = 60
}
EOF
I should probably mention that I used to just put a hdparm line in rc.local, but since wheezy, I couldn't get that to work at all, the hdparm package will do all sorts of stuff behind your back which overwrites whatever you do, so now, use the hdparm.conf. So if you had this problem, now you know why. Another thing to note is that I also failed to reliably power down the hd if I used ext4 (it would keep waking up, regardless of mkfs and fstab options), and this is why we stick to ext3. And on the thought of disks, most combinations outside of keeping the hd as master and the flash as slave, despite being root, resulted in problematic performance, which is why we stick to reversed sda and sdb.# /etc/fstab (man 5 fstab) /dev/sdb1 / ext3 noatime,errors=remount-ro 0 1 /dev/sda1 /mnt ext3 noatime 0 2 #/dev/sdc1 /mnt/usb vfat rw,user,noauto,uid=1000,gid=100,fmask=133,dmask=022 0 0And a few personal tweaks;
# make life a little more quiet sed -i 's/session optional pam_motd.so/#session optional pam_motd.so/' /etc/pam.d/login sed -i 's/session optional pam_motd.so/#session optional pam_motd.so/' /etc/pam.d/sshd # if you want to create users at this point and want groups to mean a damn sed -i 's/# GROUP=100/GROUP=100/' /etc/default/useradd sed -i 's/USERGROUPS=yes/USERGROUPS=no/' /etc/adduser.conf
sed -i 's/deb-src/#deb-src/' /etc/apt/sources.list echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99translations apt-get update apt-get upgrade # must haves apt-get install fuse mc screen sudo fortunes fortunes-bofh-excuses sed -i 's/#user_allow_other/user_allow_other/' /etc/fuse.conf sed -i 's/#startup_message off/startup_message off/' /etc/screenrc sed -i 's/vbell on/vbell off/' /etc/screenrc # network tools apt-get install arping bind9utils ncftp rsync apt-get --no-install-recommends install nmap # network services apt-get install bind9 esmtp-run isc-dhcp-server ntp nullidentd openbsd-inetd tftpd-hpa # we use esmtp instead of broken exim4, settings to follow... apt-get purge exim4 exim4-base exim4-config exim4-daemon-light # remove fluff that got installed (optional; nfs, apt, grub dualboot probe) apt-get purge rpcbind nfs-common at libevent-2.0-5 libnfsidmap2 libtirpc1 apt-get purge installation-report tasksel tasksel-data aptitude aptitude-common apt-get purge os-prober # stuff I use, just ignore this #apt-get install cfv p7zip-full par2 parchive rtorrent unrar-free unzip #apt-get install mediatomb-daemon samba # clean up after our selves apt-get clean # clean up after debian sed -i 's/do_symlinks = yes/do_symlinks = no/' /etc/kernel-img.conf rmdir /media /opt rm /initrd.img /vmlinuzDebian still depends on a mail server, how quaint, we will oblige, just not with exim, let's use something simple which actually fits into the way e-mail works now (using gmail as sample provider). A forwarder:
# /etc/esmtprc (man 5 esmtprc) hostname=smtp.gmail.com:587 username=randomdent@gmail.com password=clrtxtyesmuhahaha starttls=required mda "/usr/bin/procmail -d %T"And call me old fashioned, but let's use inetd for the rare things (in case you don't know, it's a legacy daemon which in turn only spawns processes once a connection is made on the relevant port)
# append this to /etc/inetd.conf (man 5 inetd.conf) ident stream tcp nowait nobody /usr/sbin/nullidentd nullidentd tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /srv/tftpWant to have your own time server?
# /etc/ntp.conf (man 5 ntp.conf) server 0.debian.pool.ntp.org iburst server 1.debian.pool.ntp.org iburst server 2.debian.pool.ntp.org iburst server 3.debian.pool.ntp.org iburst server 127.127.1.1 fudge 127.127.1.1 stratum 8 refid NIST restrict default kod notrap nomodify nopeer noquery restrict 10.0.0.0 mask 255.255.255.0 nomodify restrict 127.127.0.0 mask 255.255.0.0 nomodify restrict 127.0.0.1 broadcast 10.0.0.255And a sample /etc/rc.local file:
#!/bin/sh -e if [ -x /etc/iptables ]; then /etc/iptables fi mkdir -pm 777 /run/rtorrent #su - myuser -c "screen -dmS torrent rtorrent" #fun with leds; for reference, net5501 module not included in debian #echo heartbeat > /sys/class/leds/net5501\:1/trigger #echo none > /sys/class/leds/net5501\:1/trigger #echo 1 > /sys/class/leds/net5501\:1/brightness #echo 0 > /sys/class/leds/net5501\:1/brightness exit 0Useful aliases and fancy shell:
# append some of this to /etc/profile alias ll='ls -al --color' alias pa='ps aux' alias ka='killall' alias k='kill -9' #alias mc='mc -b' if [[ "$PS1" && "$BASH" && "`id -u`" -gt 1000 ]]; then /bin/echo -e "\nWelcome to $HOSTNAME\n.... and your fortune O'day is:\n" /usr/games/fortune /bin/echo -e fiDisable IPv6 if unused:
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf echo "AddressFamily inet" >> /etc/ssh/sshd_configRecommended SSH options:
echo 'UseDNS no' >> /etc/ssh/sshd_config sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/ HashKnownHosts yes/ HashKnownHosts no/' /etc/ssh/ssh_config /etc/init.d/ssh restartService defaults (yes, this is how you disable a service in debian, proper) :
#remove these only if you don't want them enabled on this box @ boot; # update-rc.d -f bind9 remove # update-rc.d -f isc-dhcp-server remove #we use inetd for tftp now... update-rc.d -f tftpd-hpa removeTo re-enable a service, you do this:
update-rc.d bind9 defaultsIf this is hard to remember, apt-get install rcconf.
/etc/init.d name start|stop|restart
#!/bin/sh
# /etc/iptables (man iptables && cry)
export WAN=eth0
export LAN=eth1
# Flush Rules
iptables -F
iptables -t nat -F
# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# Allow access to our local services on WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport ftp -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport auth -i ${WAN} -j ACCEPT
# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.0.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
# Port Forwarding
# First Example is a redirection from port 1337 to port 1873 to local ip .69
iptables -t nat -A PREROUTING -p tcp --dport 1337 -i ${WAN} -j DNAT --to 10.0.0.69:1873
# Second Example is a tcp range from 6881 to 6999 to local ip on .42
iptables -t nat -A PREROUTING -p tcp --dport 6881:6999 -i ${WAN} -j DNAT --to 10.0.0.42
# http://www.gentoo.org/doc/en/home-router-howto.xml
exit 0
# /etc/network/interfaces (man 5 interfaces) auto lo iface lo inet loopback auto eth0 iface eth0 inet dhcp # Examples; eth0 for wan, eth1 for lan, # matches the /etc/iptables example. #iface eth0 inet static # address 87.53.93.23 # netmask 255.255.255.240 # broadcast 87.53.93.31 # gateway 87.53.93.17 #auto eth1 #iface eth1 inet static # address 10.0.0.1 # netmask 255.255.255.0 # broadcast 10.0.0.255Next we want to prepare the box for standard network services like dhcpd, bind, tftp(with netboot image) etc., but leave them disabled. Having these services handy might prove to be very useful in case we need to perform rescue operations on-site with PXE, or we need to re-configure an existing Soekris box to take over the routers role in case that box dies or whatever, plenty of unknown scenarious on the horizon, and best to have the tools readily available, it only costs us a megabyte. It also turns our network of Soekris boxes into a self-sustaining ecology, nifty.
# configure the network nano /etc/network/interfaces nano /etc/resolv.conf /etc/init.d/networking restart nano /etc/hostname nano /etc/hosts hostname myhostname # configure network services nano /etc/bind/named.conf.local nano /etc/dhcp/dhcpd.conf # configure services ls /etc/init.d #update-rc.d -f name remove #update-rc.d name defaults #|| rc-conf # configure logging nano /etc/rsyslog.conf # configure routing/fw #nano /etc/sysctl.conf #nano /etc/iptables #chmod +x /etc/iptables #/etc/iptables halt # pop cf in workstation dd if=/dev/sdc|gzip>soekris-prepped.img.gz
apt-get update refreshes package database apt-get upgrade upgrades all packages to latest version apt-get install $pkg download/installs $pkg plus dependencies apt-get remove $pkg removes a package again apt-get clean removes temporary downloaded files apt-cache show $pkg display information about a package apt-cache search $1 search for packages with name/description $1 dpkg --search $1 which packages owns file $1 dpkg -L $pkg show the contents of package $pkg dpkg -l simplest way to show what's installed, combine with |grepThere are many frontends for these basic programs (feta, aptitude, tasksel, dselect, synaptic), but they are usually not very good and tend to corrupt (aptitude).
dpkg-buildpackage -rfakeroot dpkg-scanpackages . /dev/null|gzip>~/packages/Packages.gz dpkg-scansources . /dev/null|gzip>~/packages/Sources.gzFollowing these steps you should be able to customize existing packages. You can often find what you need (new packages or newer versions) in the unstable or experimental branch and then backport them using this approach. Use http://packages.debian.org/ to locate the package, when found you'll notice 3 source links (.dsc, .orig.tar.gz, .diff.gz) top-right, wget those and extract as mentioned above.
apt-get -y install build-essential libncurses5-dev cd /mnt/somewhere_not_on_flash! wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.6.tar.bz2 wget http://www.kernel.org/pub/linux/kernel/v3.0/patch-3.6.11.bz2 wget http://debian.takhis.net/soekris/config tar jxf linux-3.6.tar.bz2 mv config linux-3.6/.config cd linux-3.6Above we've also retrieved a custom configuration file, this particular one is optimized for the soekris net5501, with some of the following build in options (including the pata driver, so we don't even need an initrd):
CONFIG_MGEODE_LX=y Processor / Family / Geode GX/LX CONFIG_SCx200=y Bus / NatSemi SCx200 support CONFIG_NET5501=y Bus / Soekris Engineering net5501 CONFIG_CS5535_MFGPT=y Drivers / Misc / CS5536 Geode MFGPT CONFIG_PATA_CS5536=y Drivers / SATA / SFF / BMDMA / CS5536 CONFIG_BLK_DEV_SD=y Drivers / SCSI / SCSI disk CONFIG_VIA_RHINE=y Drivers / Network / Ethernet / Via Rhine CONFIG_SERIAL_8250=y Drivers / Char / Serial / 8250 + Console CONFIG_HW_RANDOM_GEODE=y Drivers / Char / H Random Number G / Geode CONFIG_SCx200_ACB=y Drivers / I2C / Bus / Geode Access CONFIG_GPIO_CS5535=y Drivers / GPIO / CS5536 GPIO CONFIG_MFD_CS5535=y Drivers / Multifunction / CS5536 CONFIG_LEDS_GPIO=y Drivers / LED / Class + GPIO + Triggers CONFIG_EXT3_FS=y File systems / EXT3 CONFIG_CRYPTO_DEV_GEODE=y Cryptographic / Hardware / GeodeYou might also be wanting to apply a few patches to your kernel, the procedure is quite simple:
bzcat ../patch-3.6.11.bz2|patch -p1You want to start tweaking it, adding whatever you need yourself, removing what little there is that you don't like, etc.
make nconfigWhen done, you'll be wanting to make a backup of the file .config for future reference, or to use on another box. You can also retrieve the config used on any running box with a simple "zcat /proc/config.gz>.config". Nifty. Next up, building and installing our custom kernel:
make #make modules_install # if you enabled modules #make firmware_install # you really shouldn't be needing this cp arch/x86/boot/bzImage /boot # or scp to soekrisMake an entry in GRUB2: nano /etc/grub.d/40_custom
#!/bin/sh
exec tail -n +3 $0
menuentry "My Kernel" {
root=hd1,1
linux /boot/bzImage root=/dev/sdb1 ro console=ttyS0,19200n8 libata.force=short40c,1.1:mwdma2
}
But be careful, GRUB2 bugs out if the linux line is too long, case in point, append "quiet" to the line above and it won't boot, no, really. Finally, run "update-grub" to... update grub.wget http://soekris.com/media/software/changelog.txt wget http://soekris.com/media/software/b5501_132i.bin wget http://soekris.com/media/software/b5501_133.bin wget http://soekris.com/media/software/b5501_133c.bin # must be root, because of a lock file, no really sudo minicom -s sudo minicom # enter firmware (ctrl+p) download - # ctrl+a, then s, xmodem, tag with space and enter flashupdate reboot enjoy
wget http://ftp.dk.debian.org/debian/dists/jessie/main/installer-i386/current/images/netboot/netboot.tar.gz tar zxvf netboot.tar.gz -C /srv/tftp rm netboot.tar.gz /srv/tftp/pxelinux.cfg mkdir /srv/tftp/pxelinux.cfg cat >> /srv/tftp/pxelinux.cfg/default << EOF DEFAULT soekris LABEL soekris kernel debian-installer/i386/linux append initrd=debian-installer/i386/initrd.gz console=ttyS0,19200n8 -- console=ttyS0,19200n8 PROMPT 0 TIMEOUT 0 EOFSecond, GRUB2 is now unborked and will correctly prompt you for the desired MBR during installation, choose sdb, and reboot when prompted, remember to still perform the following steps after your first reboot:
sed -i 's/MODULES=most/MODULES=dep/' /etc/initramfs-tools/initramfs.conf echo "options libata force=short40c,1.1:mwdma2" > /etc/modprobe.d/libata.conf update-initramfs -u userdel -r randomdent rebootAnd skip to Part 3. Optimization and Cleanup. Most things in that chapter still applies, although if you wish to use systemd's journal (instead of rsyslog), timers (instead of cron), and time (instead of ntp), say;
install -d -g systemd-journal /var/log/journal setfacl -R -nm g:adm:rx,d:g:adm:rx /var/log/journal apt install systemd-cron apt purge rsyslog logrotate cron timedatectl set-ntp 1Some minor changes to services as well, mediatomb is no longer available (manually dpkg -i the mediatomb mediatomb-common & i386/mediatomb-daemon from sid) and samba no longer supports the "share" security setting, if you relied on that, simply change it to "user" and add "map to guest = Bad Password" to smb.conf, yes really, because that is more intuitive!
echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/99local echo 'APT::Get::Purge "true";' > /etc/apt/apt.conf.d/99local
To the extent possible under law, Per Jensen has waived all