
Installing Debian 12 on PC Engines ALIX

This guide provides detailed instructions for installing Debian 12 (Bookworm) on PC Engines ALIX system boards with comprehensive write protection mechanisms. While tested on the ALIX.2d13, these instructions should work for other ALIX models as well.

Hardware Requirements

  • PC Engines ALIX board (tested on ALIX.2d13)
  • CompactFlash card (minimum 1GB recommended)
  • Serial console cable
  • Host computer with CF card reader

Prerequisites

Before starting the installation, ensure you have:

  • Root access on your host machine
  • Serial console access (115200 baud rate)
  • Basic familiarity with the Linux command line
  • Debootstrap installed on your host system (apt install debootstrap)

1. BIOS Configuration

  1. Remove the CF card from the ALIX board
  2. Connect the serial console and power up the board
  3. Enter BIOS by pressing ‘s’ during boot
  4. Set console baud rate to 115200
  5. Save and exit BIOS

2. Environment Setup

First, set up the environment variables we’ll use throughout the installation:

# Replace sdX with your CF card's device name (e.g., sdb)
export CFDRIVE=/dev/sdX

# Set your preferred mount point for the installation
# You can change this to any location you prefer, e.g., /bootstrap
export BOOTSTRAP_MP=/mnt/bootstrap

3. Preparing the CompactFlash Card

# Create dedicated mount points for the installation
mkdir -p ${BOOTSTRAP_MP}/boot

# Unmount any auto-mounted partitions
umount ${CFDRIVE}{1,2} 2>/dev/null || true

# Clear partition table
dd if=/dev/zero of=${CFDRIVE} bs=512 count=1 conv=notrunc

# Create partitions
parted --script $CFDRIVE \
    mklabel msdos \
    unit mib \
    mkpart primary ext4 1MiB 500MiB \
    toggle 1 boot \
    mkpart primary ext4 500MiB 100%

# Format partitions
mkfs.ext4 -L boot ${CFDRIVE}1
mkfs.ext4 -L root ${CFDRIVE}2

# Mount filesystems
mount ${CFDRIVE}2 ${BOOTSTRAP_MP}
mount ${CFDRIVE}1 ${BOOTSTRAP_MP}/boot

4. Installing Base System

# Install base system
debootstrap --verbose --arch i386 bookworm ${BOOTSTRAP_MP} http://ftp.debian.org/debian

# Create etc directory and handle DNS configuration
mkdir -p ${BOOTSTRAP_MP}/etc
# Remove existing symlink if present
rm -f ${BOOTSTRAP_MP}/etc/resolv.conf
# Create new resolv.conf with public DNS
echo "nameserver 8.8.8.8" > ${BOOTSTRAP_MP}/etc/resolv.conf

# Note: After installation, systemd-resolved will manage DNS configuration
# The temporary resolv.conf is only needed during installation

# Bind mount special filesystems
for dir in /dev /dev/pts /proc /sys; do
    mkdir -p ${BOOTSTRAP_MP}$dir
    mount --bind $dir ${BOOTSTRAP_MP}$dir
done

# Enter chroot
LANG=C linux32 chroot ${BOOTSTRAP_MP} /bin/bash

5. System Configuration (Inside Chroot)

Configure Storage with Write Protection

# Configure fstab with write protection
cat > /etc/fstab <<EOF
# file system    mount point   type    options                                 dump pass
/dev/sda2       /             ext4    noatime,commit=120,errors=remount-ro    0    1
/dev/sda1       /boot         ext4    ro,noatime,nosuid,nodev                 0    2
tmpfs           /tmp          tmpfs   defaults,noatime,mode=1777              0    0
tmpfs           /var/log      tmpfs   defaults,noatime,size=32M               0    0
tmpfs           /var/tmp      tmpfs   defaults,noatime                        0    0
tmpfs           /var/run      tmpfs   defaults,noatime                        0    0
EOF

Configure Package Sources

cat > /etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware
EOF

# Update and install essential packages
apt update
apt upgrade
apt install linux-image-686 grub-pc ssh vim dialog locales htop tmux \
    systemd-timesyncd systemd-resolved sysfsutils logrotate

Configure GRUB for Serial Console

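# Quote the heredoc delimiter so the backticks below are written literally
# to the file instead of being executed by the current shell
cat > /etc/default/grub <<'EOF'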
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
EOF

# Install and configure GRUB
grub-install --boot-directory=/boot --modules=part_msdos ${CFDRIVE}
grub-mkconfig -o /boot/grub/grub.cfg

Network Configuration

Configure network interfaces using predictable device names:

# Configure first NIC (DHCP)
cat > /etc/systemd/network/enp0s9.network <<EOF
[Match]
Name=enp0s9

[Network]
DHCP=yes
EOF

# Configure second NIC (Static IP)
cat > /etc/systemd/network/enp0s11.network <<EOF
[Match]
Name=enp0s11

[Network]
Address=192.168.1.1/24
#Gateway=192.168.1.254    # Uncomment if needed
#DNS=8.8.8.8             # Uncomment if needed
EOF

Basic System Configuration

# Set hostname (choose a meaningful name based on the server's purpose)
# Examples:
#   backup-box     # if used as a backup server
#   gateway        # if used as a router/gateway
#   monitoring     # if used for network monitoring
#   firewall       # if used as a firewall
echo backup-box > /etc/hostname
echo "127.0.0.1 backup-box" >> /etc/hosts

# Enable essential services
systemctl enable systemd-networkd
systemctl enable systemd-resolved
systemctl enable systemd-timesyncd

# Create symbolic link for DNS resolution
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

LED Configuration

cat > /etc/sysfs.conf <<EOF
devices/platform/leds-gpio/leds/alix:1/brightness = 1
devices/platform/leds-gpio/leds/alix:2/trigger = disk-activity
devices/platform/leds-gpio/leds/alix:3/trigger = netdev
devices/platform/leds-gpio/leds/alix:3/rx = 1
devices/platform/leds-gpio/leds/alix:3/tx = 1
devices/platform/leds-gpio/leds/alix:3/device_name = enp0s9
EOF

Optional: Firewall Configuration

If you want to set up a basic firewall, you can install and configure nftables:

# Install nftables
apt install nftables

# Basic firewall configuration
cat > /etc/nftables.conf <<EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        # Accept localhost and established connections
        iif lo accept
        ct state established,related accept

        # SSH access
        tcp dport 22 ct state new accept

        # ICMPv6 essential
        meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, 
            time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # Drop everything else
        counter drop
    }
}
EOF

# Enable nftables
systemctl enable nftables

Create User Account

# Add user and set passwords
useradd -m -s /bin/bash admin
passwd admin
passwd root

6. Finalize Installation

# Exit chroot
exit

# Unmount all filesystems in reverse order
umount -l ${BOOTSTRAP_MP}/dev/pts
umount -l ${BOOTSTRAP_MP}/dev
umount -l ${BOOTSTRAP_MP}/sys
umount -l ${BOOTSTRAP_MP}/proc
umount ${BOOTSTRAP_MP}/boot
umount ${BOOTSTRAP_MP}

# Remove bootstrap directory
rmdir ${BOOTSTRAP_MP}

sync

7. First Boot and Verification

  1. Insert the CF card into the ALIX board
  2. Connect serial console and power up
  3. Log in as root and verify:
   # Check mounted filesystems
   mount

   # Verify network interfaces
   ip addr

   # Test connectivity on enp0s9
   ping -c 3 8.8.8.8

   # If configured, test enp0s11
   ping -c 3 192.168.1.1

   # Check system logs are in RAM
   df -h /var/log

   # Verify LED functionality
   ls -l /sys/class/leds/alix\:*

Important Notes

  • Network Interface Names: Modern Debian systems use predictable network interface naming (e.g., enp0s9, enp0s11) instead of the traditional eth0/eth1 names. The configuration in this guide uses these predictable names.
  • DNS Resolution: During installation, we temporarily configure a static DNS server to ensure package installation works correctly. After installation, systemd-resolved will manage DNS configuration.
  • Hostname Selection: Choose a hostname that reflects the server’s purpose (e.g., backup-box, gateway, monitoring) rather than the hardware model. This makes it easier to identify the server’s role in your network.

Write Protection Verification

The system includes several measures to minimize writes to the CF card:

  1. Read-only /boot partition
  2. Temporary filesystems (tmpfs) for volatile data
  3. noatime mount option
  4. Delayed write commits (120 seconds)

Monitor write activity:

apt install sysstat
iostat -d 1

Troubleshooting

Network Issues

  • If network interfaces show different names, check:
  ls /sys/class/net/

Then adjust the network configuration files accordingly.

Mount Issues During Installation

  • If you get “device is busy” errors during unmounting:
  # Use lazy unmount
  umount -l /path/to/mount

DNS Resolution Issues

  • If DNS resolution fails:
  # Verify resolver configuration
  cat /etc/resolv.conf

  # Check if systemd-resolved is running
  systemctl status systemd-resolved

Maintenance Tips

  1. Regular maintenance:
   # Update system safely
   apt update
   apt upgrade

   # Check disk usage
   df -h

   # Monitor write activity
   iostat -d 1
  2. Back up your configuration:
   # Create backup of important configs
   tar czf /tmp/alix-configs.tar.gz /etc/
