A fail-safe for changing network config on headless servers

Lenovo Tiny PC

I’ve been setting up a Lenovo tiny system, which came with an M.2 wifi card. I’m going to probably replace it with another Intel GB / 2.5 GB adapter at some point, but right now I don’t really have a reason to. It is always a little scary when you make major changes to your network configuration on a headless system. This box isn’t physically far away, but it is indeed tucked away in another part of the house and I have no desire to bring a monitor over to it.

I realized, the wifi could serve a purpose in case I bork the bridge config somehow, or something unexpected breaks my configuration. Because I used wifi for the Debian netinstall, ifupdown already connects to wifi on boot, so there’s my failsafe. However, I don’t want or need that to stay up after the wired network is up. So I came up with this:

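@reboot sleep 60 && ping -c 3 -I br0 10.0.0.1 >/dev/null 2>&1 && /sbin/ifdown wlp2s0

Put this in root’s crontab. 60 seconds after cron starts, it will try to ping something on the LAN, trying three times. The -I br0 option forces the ping out through the bridge, so a reply that arrives over wifi cannot make the test pass. If it can ping successfully, we bring down our backup interface. cron runs jobs with a minimal PATH (/usr/bin:/bin on Debian), so ifdown is called by its full path. Beautiful.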

This would make even more sense with a cheap USB network adapter just to have a failsafe if you’re experimenting and don’t want to lock yourself out of a system without a monitor (or even a physical serial port, for that matter).
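A sturdier variant of the one-liner above, as an added example rather than the author's own script: it retries the probe instead of relying on a single fixed 60-second sleep, logs the decision to syslog, and leaves the backup interface up if the wired path never answers. The interface names and gateway are the post's; the variable names, timings and the install path in the last comment are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script): boot-time fail-safe with retries.
# br0, wlp2s0 and 10.0.0.1 come from the post; everything else is assumed.
WIRED_IF="${WIRED_IF:-br0}"
BACKUP_IF="${BACKUP_IF:-wlp2s0}"
PROBE_IP="${PROBE_IP:-10.0.0.1}"
TRIES="${TRIES:-12}"   # probe attempts before giving up
WAIT="${WAIT:-10}"     # seconds between attempts
# Commands are overridable so the logic can be exercised without root.
PING_CMD="${PING_CMD:-ping}"
IFDOWN_CMD="${IFDOWN_CMD:-/sbin/ifdown}"
LOG_CMD="${LOG_CMD:-logger -t net-failsafe}"

# Return 0 as soon as the probe address answers over the wired interface.
wired_ok() {
    n=0
    while [ "$n" -lt "$TRIES" ]; do
        if $PING_CMD -c 3 -W 2 -I "$WIRED_IF" "$PROBE_IP" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -lt "$TRIES" ]; then sleep "$WAIT"; fi
    done
    return 1
}

# Drop the backup link only once the wired path is proven; otherwise keep it
# up so the box stays reachable, and record which branch was taken.
failsafe() {
    if wired_ok; then
        $LOG_CMD "$WIRED_IF reaches $PROBE_IP, bringing $BACKUP_IF down"
        $IFDOWN_CMD "$BACKUP_IF"
    else
        $LOG_CMD "$WIRED_IF cannot reach $PROBE_IP, keeping $BACKUP_IF up"
        return 1
    fi
}

# Hypothetical crontab entry: @reboot /usr/local/sbin/net-failsafe run
if [ "${1:-}" = "run" ]; then failsafe; fi
```
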

Fail-safe, for what? – long version, for those so-inclined

Well, I wanted to be able to easily network some VMs on this thing, so I set up bridged networking. For those who don’t know, this is how Proxmox lets your VMs basically all share a NIC and each get a DHCP lease from your main network, no double-NAT nonsense, and no need to configure static routes either. I briefly did try Proxmox on this thing, and not to talk it down, but there is a reason I don’t use it… it has way too much going on out of the box that I’ll never use. It is a great product, and it definitely has its place but I like the minimal-manual style of setting things up. If I wanted to take advantage of the cluster / high availability features or ZFS snapshots then it is a great way to save you a ton of hassle manually setting up some pretty complicated stuff… But I’m not doing anything that fancy. Proxmox IMO is overkill if you just need to run a few VMs, jails or containers. It is convenient as a “poor man’s KVM” though.

XScreenSaver Install Script for Debian MATE Desktop

XScreenSaver

MAKING IT BE (a little) LESS PAIN IN THE ASS

If you’re using Gnome/MATE screensaver (or locker), I’d recommend you don’t. Whether it is because you value X locking security, or you just admit that they’re cool screensavers, toss that in the bin and install the real deal: XScreenSaver.

I have written a script which takes care of all of the following:
1. On Debian, XScreenSaver needs you to manually specify 4 packages to get the program, “extra” savers, gl savers, and “gl extra” savers. This will get you the complete collection, as the author distributes it.
2. Remove MATE Screensaver
3. Apt pin / pref so MATE Screensaver isn’t reinstalled next time you run apt, because MATE Desktop thinks it needs it
4. Autostarts XScreenSaver
5. Makes a soft link so you can still lock from the “System” menu up top by clicking “Lock Screen”. Now XS will do it.

This will save me HOURS over time.

Get it here: http://lostgeek.net/files/xscreensaver-mate.sh

Trimming the fat from Raspberry Pi OS Lite

Some of you may know that I host this website on a Raspberry Pi 5. I use Raspberry Pi OS Lite, which is a Debian-based operating system that is lean and minimal without excluding anything that would break any features of the Pi itself. I’ve got the 4 GB model, and I don’t think I’ve ever used more than 400-500 MB of RAM during normal server operation. So why slim it down even more? Well, more software equals a larger attack surface, more potential software bugs, and so on.

In a situation where I’m never using the built-in WiFi and Bluetooth radios, there’s no benefit in having their drivers loaded into the kernel. Having unused code running can only increase the likelihood of exploitation, unexpected behavior, bugs, or other unwanted results. These devices also consume power, albeit a small amount, and probably even less when they aren’t connected to a network or device.

Now, I’ve found the drivers on the Raspberry Pi to be pretty good. Honestly, I’ve never had an issue. But since I’m literally not using any wireless on this thing—it’s connected to my network switch with less than a foot of Cat6 Ethernet cable—why bother? If nothing else, you’ll free up a few megabytes of memory. Perhaps an even more tangible benefit is having fewer items cluttering your systemd services and process lists when you check with top or htop.

After removing the following, I saw my memory usage drop to just 125 MB initially. That’s 125 MB of memory used while running Debian 12, with my Apache2 HTTP/HTTPS server and Pi-hole DNS. That’s not bad—kind of impressive, actually!

  • Stopped & Disabled:
    • Audio (via config.txt)
    • avahi-daemon
    • bluetooth
    • ModemManager
    • NetworkManager
    • triggerhappy
    • wpa_supplicant

Most of these are self-explanatory. As for the less obvious names, avahi is sort of like Apple’s Bonjour service; it’s for mDNS/local device discovery. I knew I didn’t need it, but if you’re not sure, leave it alone. Triggerhappy is a hotkey daemon, which is an easy one to disable on my totally headless system. Audio can be disabled by commenting a line in /boot/firmware/config.txt:

dtparam=audio=off

And since I was in there anyways, I also commented a couple other lines:

camera_auto_detect=1
display_auto_detect=1

ModemManager, Bluetooth, and wpa_supplicant can just be turned off if you don’t plan on using WiFi or Bluetooth.

sudo systemctl stop ModemManager
sudo systemctl disable ModemManager

Repeat the same two commands for the other daemons.
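A check to run after the stop/disable round, as an added example that is not part of the original post: systemd can still start a disabled service through a matching .socket unit where the package ships one, so the audit looks at both the .service and the .socket name for every daemon in the list above. The function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: report units from the post's list that are still running
# or still set to start. SYSTEMCTL is overridable so the logic can be
# exercised on a machine without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
UNITS="avahi-daemon bluetooth ModemManager NetworkManager triggerhappy wpa_supplicant"

# Print the state word for a unit; a missing unit yields an empty or
# "inactive"/"not-found" answer, which counts as off.
state_of() { $SYSTEMCTL "$1" "$2" 2>/dev/null || true; }

# One line per finding; returns non-zero if anything is still on.
audit_units() {
    findings=0
    for name in $UNITS; do
        for unit in "$name.service" "$name.socket"; do
            enabled=$(state_of is-enabled "$unit")
            active=$(state_of is-active "$unit")
            flagged=no
            case "$enabled" in enabled*) flagged=yes ;; esac
            if [ "$active" = "active" ]; then flagged=yes; fi
            if [ "$flagged" = "yes" ]; then
                echo "${unit}: enabled=${enabled} active=${active}"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then audit_units; fi
```

A unit reported here can be stopped and disabled the same way as the service, or masked with systemctl mask if it should never start again.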

Now, I’m not making this a full tutorial, and there are two reasons for that. For starters, I’m feeling kind of lazy, and I don’t want to have to redo everything to make sure my directions are 100% correct.

If you want to get rid of NetworkManager too, you’ll want to set up networking manually first. In my case, I edited /etc/network/interfaces and added the following:

auto eth0
iface eth0 inet static
address 10.16.17.10/23
gateway 10.16.16.1
dns-search lan
dns-nameservers 10.16.16.1

If you’re not sure, just leave NetworkManager installed. In my case, I went with a static configuration because I didn’t want to have a daemon running for the DHCP client. If your subnet mask is 255.255.255.0, you would use /24.

But the other very real reason is: If you’re not confident yet in how to disable these things, you probably shouldn’t. Do a bit more research first anyways.

When making changes to your system, have an up-to-date backup because you never know when a change could leave you with a non-booting system. Also, when changing the networking system, it should go without saying that doing so can leave you locked out of a headless system. So only proceed if you have a means of getting back in to fix it should you mess up.

This is really more of a journal of my experience setting this up, for those with some experience to get ideas from. It isn’t meant as a tutorial by any means. I just wanted to share how I got my idle RAM usage down to 3%, with my services running.

© 2025 LostGeek.NET - All Rights Reserved. Powered by ClassicPress, NGINX, Debian GNU/Linux.