Lock Down Your Laptop With OpenBSD: Part 2

So you've got a nice fresh OpenBSD install on your laptop, and you're excited to use it. However the desktop environment it comes with is absolutely horrifying to use. Following up from the installation of OpenBSD found on This Blog Post, it is time to tweak out OpenBSD to have a nice and custom desktop tailored to your needs.

I will be configuring i3 window manager, although the setup process for a more well-known desktop environment (like GNOME or XFCE) is very similar in terms of setup.

Since I opted for i3, there's a lot more manual configuration- but the reward is much greater in terms of the ability to customize it. Anyways, this machine doesn't configure itself- so lets dive right in!

Installing Required Software

I wanted for a somewhat custom look, so this is what I set out to install:

To install these, I logged in as root and ran the following command in the terminal (once connected to internet):

pkg_add i3-gaps i3status rofi rxvt-unicode chromium irssi w3m vim openbsd-backgrounds

With this completed and out of the way, configuration of the OS is now much easier and we're ready to actually begin configuration.

First Tweaks

There's a console at the login prompt that isn't my taste, so I wanted to disable it. To do so, run:

sed -i 's/xconsole/#xconsole/' /etc/X11/xenodm/Xsetup_0
echo 'xset b off' >> /etc/X11/xenodm/Xsetup_0

The first command comments out the execution of XConsole at the login screen, while the second one disables system beeps at the prompt.

Next thing is enabling the ability to save us some battery life, since we are installing on a laptop:

rcctl enable apmd
rcctl set apmd flags -A
rcctl start apmd

Apmd is the Advanced Power Management Daemon, and automatically handles the power draw for your system for you.

Since I created a user other than root during installation (let's call the username joe), it's critical to give the account access to doas.

echo 'permit persist keepenv joe' > /etc/doas.conf

The doas command on OpenBSD is actually slated to be the successor to sudo on most platforms, due to it's simplicity and ease of use. Many Linux systems already provide doas as an alternative to sudo due to how well it runs, and this one line just grants the same access you would normally have when using it. However, you can also restrict the access to specific commands depending on the user.

We want to also make the user a member of the staff group, as this group has access to more system resources than plain old users:

usermod -G staff joe

While we're at it, we might as well bump up some of the resource limits even further so our system will run like a dream.

Modify the staff: entry in /etc/login.conf to look like this:

staff:\
  :datasize-cur=1024M:\
  :datasize-max=8192M:\
  :maxproc-cur=512:\
  :maxproc-max=1024:\
  :openfiles-cur=4096:\
  :openfiles-max=8192:\
  :stacksize-cur=32M:\
  :ignorenologin:\
  :requirehome@:\
  :tc=default:

Then, append this to /etc/sysctl.conf:

# shared memory limits (chrome needs a ton)
kern.shminfo.shmall=3145728
kern.shminfo.shmmax=2147483647
kern.shminfo.shmmni=1024

# semaphores
kern.shminfo.shmseg=1024
kern.seminfo.semmns=4096
kern.seminfo.semmni=1024

kern.maxproc=32768
kern.maxfiles=65535
kern.bufcachepercent=90
kern.maxvnodes=262144
kern.somaxconn=2048

NOTE: If a setting exists already and is already higher than what you plan to replace it with, don't touch it. You'll just slow the system down.

What this does is allow for larger amounts of memory to be used by the user and allows the OS to have larger amounts of shared memory.

Awesome, Now let's get suspend working! First we need to run

mkdir /etc/apm

and then append the following to /etc/apm/suspend:

#!/bin/sh
pkill -USR1 xidle

We can now run chmod +x /etc/apm/suspend and it will work properly.

Reboot to apply these changes.

FINALLY Setting Up The Desktop

First things first, we will want to configure GTK because the default keybindings are that of emacs- and it stinks gets the job done, but I don't prefer it. To switch to more normal keybindings, run the command

mkdir -p ~/.config/gtk-3.0

and then append the following to ~/.config/gtk-3.0/settings.ini:

[Settings]
gtk-theme-name=Adwaita
gtk-icon-theme-name=Adwaita
gtk-font-name=Arimo 9
gtk-toolbar-style=GTK_TOOLBAR_ICONS
gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=1
gtk-enable-input-feedback-sounds=1
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle=hintslight
gtk-xft-rgba=rgb
gtk-cursor-theme-size=0
gtk-cursor-theme-name=Default
gtk-key-theme-name=Default

Now we need to copy the default i3status to /etc:

cp /usr/local/share/examples/i3status/i3status.conf /etc

Failure to do this will cause i3status to crash on launch.

Lastly, let's configure i3 to actually launch. Open /etc/X11/xenodm/Xsession in a text editor and go to the end of the text file. There will be a portion saying exec fvwm. Remove that line entirely and replace it with exec i3. Now search for anything in this file saying xconsole and remove it (this prevents automatic launching of a console in your desktop.)

If running Intel Integrated Graphics, it may be wise to do one final modification to prevent screen tearing. To do this, run the following command:

mkdir /etc/X11/xorg.conf.d

This makes the xorg.conf.d directory. Now append the following contents to /etc/X11/xorg.conf.d/intel.conf:

Section "Device"
  Identifier "drm"
  Driver "intel"
  Option "TearFree" "true"
EndSection

This configures OpenBSD to play more nicely with your Intel Integrated Graphics.

Finally, type reboot to reboot your system. You should be able to log in as your normal user and have access to i3 window manager. It will provide a “first startup” wizard to go through. If unfamiliar with i3, it is a tiling window manager that uses keyboard shortcuts to manipulate windows.

Once the configuration has been generated, we will need to configure i3 a bit further to allow for rofi and urxvt to work. To tweak these, we first need to edit our ~/.Xdefaults file and add the following contents (note- this is the longest part of the entire task of getting a desktop working):

! === Rofi colors
rofi.color-window : argb:c82d303b, #7c8389, #1d1f21
rofi.color-normal : argb:3c1d1f21, #c4cbd4, argb:96404552, #4084d6, #f9f9f9
rofi.color-urgent : argb:2c1d1f21, #cc6666, argb:e54b5160, #a54242, #f9f9f9
rofi.color-active : argb:2c1d1f21, #65acff, argb:e44b5160, #4491ed, #f9f9f9
rofi.font : Noto Sans 14
rofi.hide-scrollbar : true

! === URXVT
URxvt*geometry : 80x30
"URxvt.font : 9x15
!Special
Xft*dpi : 96
Xft*antialias : true
Xft*hinting : true
Xft*hintstyle : hintslight
Xft*rgba : rgb
URxvt.cursorUnderline : true
URxvt*font : xft:Monospace:size=14:antialias=true
URxvt*letterSpace : -2
URxvt.background : #1d1f21
URxvt.foreground : #c5c8c6
URxvt.cursorColor : #c5c8c6
urxvt*transparent : tue
urxvt*shading : 30
URxvt*saveLines : 0
URxvt*scrollBar : false
!black
urxvt.color0 : #282a2e
urxvt.color8 : #373b41
!red
urxvt.color1 : #a54242
urxvt.color9 : #cc6666
!green
urxvt.color2 : #8c9440
urxvt.color10 : #b5bd68
!yellow
urxvt.color3 : #de835f
urxvt.color11 : #f0c674
!blue
urxvt.color4 : #5f819d
urxvt.color12 : #81a2be
!magenta
urxvt.color5 : #85678f
urxvt.color13 : #b294bb
!cyan
urxvt.color6 : #5e8d87
urxvt.color14 : #8abeb7
!white
urxvt.color7 : #707880
urxvt.color15 : #c5c8c6

This chunk of configuration sets rofi (our app launcher) into dark mode, and changes the default terminal colors to be a little easier on the eyes with a dark theme instead of a eye-scorching manilla color... Only one change to go!

Wrap-Up

Open ~/.config/i3/config in your editor and go around 45 down. You will notice a section that says “Start a terminal”. We want to change it's corresponding command to this:

bindsym $mod+Return exec /usr/local/bin/urxvt

This sets the i3 hotkey combo to execute urxvt instead of xterm.

Awesome! Since i3-gaps is installed, gaps between windows can be set up and configured if preferred. Otherwise, configuration is done, and you're able to install other software that you might want, such as Libreoffice, VLC, PCManFM, and other useful utilities (or games?)

Lastly, to set your desktop background, download a picture and save it to your preferred directory. In my case, it's located at /home/w00t/Pictures/wallpaper.png. Using my download location, I appended the following line to ~/.config/i3/config:

exec --no-startup-id "xwallpaper --stretch /home/w00t/Pictures/wallpaper.png"

Now my desktop wallpaper automatically sets itself on login.

There's other tweaks you can make- but this is meant to be enough to get to a system that's comfortable to work in and have an enjoyable time with OpenBSD. Until Next Time!

Source For Some Config Files: C0ffee.net

Liked This Content? Check Out Our Discord Community and Become an email subscriber!