¶ Incus Windows 7 VM
¶ Install (in Virtualbox)
- Download "untouched" Windows 7 iso. I used
GSP1RMCPRXFRER_EN_DVD.iso. - Create VM in VirtualBox, with VirtIO controller for boot disk. Attached to the SATA controller should be the windows iso (first) and the virtio drivers:
The Virtio drivers must be exactly version 0.1.173-9.
- Boot into Windows install
- No hard disks will appear. Click the 'install drivers' button and navigate to the Virtio disk. Install the vioscsi driver.
- Install as normal
- Shut down
¶ Transfer to Incus
- Convert VDI disk image
% qemu-img convert -f vdi -O qcow2 win.vdi win.qcow2
- Use incus-migrate to create new VM from disk image
% sudo incus-migrate
[sudo] password for ostheer:
The local Incus server is the target [default=yes]:
Would you like to create a container (1) or virtual-machine (2)?: 2
Name of the new instance: suremark
Please provide the path to a disk, partition, or qcow2/raw/vmdk image file: win.qcow2
Does the VM support UEFI booting? [default=yes]: no
Instance to be created:
Name: suremark
Project: default
Type: virtual-machine
Source: win.qcow2
Source format: qcow2
Config:
security.csm: "true"
security.secureboot: "false"
Additional overrides can be applied at this stage:
1) Begin the migration with the above configuration
2) Override profile list
3) Set additional configuration options
4) Change instance storage pool or volume size
5) Change instance network
Please pick one of the options above [default=1]:
Converting image "win.qcow2" to raw format before importing
Instance suremark successfully created
- Install the network (NetKVM) driver from the Virtio iso.
¶ Firewall exception
If applicable
add rule inet filter input iifname incusbr0 ip daddr 10.6.123.1 ip saddr 10.6.123.74 accept
add rule inet filter input ip protocol udp th dport 67 accept
¶ Disable networking (don't do this)
This is how networking can be disabled for the VM, but I'm not doing that since we need it.
% incus network acl create restrict-all
Network ACL restrict-all created
% incus network acl rule add restrict-all ingress action=drop
% incus network acl rule add restrict-all egress action=drop
% incus config device set win10 eth0 security.acls=restrict-all
¶ Activate
- Download Microsoft-Activation-Scripts-master.zip from https://massgrave.dev/.
- Run
MAS_AIOas admin - Use the "TSforge" method to activate
¶ IBM drivers & print server
¶ Install office
- Create ISO, since apparently torrents these days just include a bunch of loose files
mkisofs -o ofis2007.iso some-dir-with-office-files
I actually needed to zip (
zip -r office-2007.zip Office\ 2007) the files before creating an ISO from them, or the installer would tell me the files are corrupted when trying to install them in Windows, because the isofs mangles the file names.
- Mount ISO
incus config device add win10 ofijs disk source=/somewhere/ofis2007.iso
Remove attached device later with
incus config device remove win10 ofijs
¶ Install Emoji font
seguiemj.ttf
¶ Install IBM SureMark 4610 driver
- On Windows, install the
kb2864202update. Then install the XHCI driver (pnputil -i -a *.inf). - Redirect the Suremark usb device. This is trivial using the virt-viewer gui, but should be done pesistently as follows:
incus config device add suremark printer usb vendorid='04b3' productid='4535'
On Arch Linux, the
qemu-hw-usb-redirectandqemu-hw-usb-hostpackages must be installed for this to work.
- Download driver
- Install with XP (SP3) compat option. During installation,you need to add a new "RSS port", click the "USB" option. Adding the port takes a while, and after the dialog window disappeared, the port was not added in the list. I cancelled the installation and started it again, and then suddenly the port immediately showed up, so I could just click it without having to add a new port again.
¶ Receiving printable files
¶ Install netcat
- Install netcat on Windows
¶ Office macro
Add macro to empty receipt file. When Word is started with this macro (see runner script below), it will open the file file.docx and paste its contents into he active document (empty_receipt.docx, which has the correct page size and margins). It will then print it and exit.
- Create/Download
empty_receipt.docfile - Alt+F11 to open scipring thingy
- F7 to open code view
- Past macro below
- Save and close document (macro is saved as part of document)
- Quit Word. Reopen document. It might/will block the macro content. Do something to stop blocking it by default. Click the link "Open Trust Center" on the bottom of the dialog window. There, under "Trusted Locations", I could add
C:\Users\sureto a list of trusted dirs. Under "Macro Settings", select "Enable all macros" and check "Trust access to the VBA project object model" (why not).
Sub appendPrintClose()
MyFile = "C:\Users\sure\suremark\file.docx"
On Error GoTo CloseProgram:
add_text_from_docx myPath & MyFile
print_now
CloseProgram:
Application.Quit SaveChanges:=False
End Sub
Sub add_text_from_docx(MyFile)
Selection.Collapse Direction:=wdCollapseEnd
Selection.InsertFile FileName:=MyFile, Link:=False
End Sub
Sub print_now()
'Print the file without margins warning
With Application
'Turn off DisplayAlerts
.DisplayAlerts = wdAlertsNone
'Print document
'Background print must be turned off to prevent message
.PrintOut Background:=False
'Turn on DisplayAlerts again
.DisplayAlerts = wdAlertsAll
End With
End Sub
¶ Runner script
After the above is done, this will print netcatted documents.
:loop
ncat -l -p 8080 -o file.docx > nul
"C:\Program Files\Microsoft Office\OFFICE12\WINWORD.EXE" empty_receipt.doc /mappendPrintClose
goto loop
@pause
Create a shortcut to this script in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup to start it automatically at boot.
Make sure the location this is running matches the path in the vba macro.
¶ Print a document
On the host;
cat file.docx | netcat -N 10.238.132.69 8000
¶ Sending faxes
¶ Backend (Python)
See github
May be used like this
curl -X POST "http://localhost:8000/chat" \
-H "Authorization: strikt-geheim" \
-H "Content-Type: multipart/form-data" \
-F "file=@./some-image.png" \
-F "text=funny text goes here"
Deployed as;
incus launch images:debian/bookworm suremark-backend
incus shell suremark-backend
apt install python3-virtualenv wget cron
echo "SUREMARK_SECRET=strikt-geheim" > /etc/cron.d/suremark
echo "@reboot user /home/user/.venv/bin/python /home/user/server.py 10.84.244.180 --listen 0.0.0.0" >> /etc/cron.d/suremark
useradd -m -s /bin/bash user
su - user
wget https://raw.githubusercontent.com/Ostheer/IBM4610_bot/refs/heads/master/server.py
wget https://raw.githubusercontent.com/Ostheer/IBM4610_bot/refs/heads/master/requirements-server.txt
virtualenv .venv
source .venv/bin/activate
pip install -r requirements-server.txt
exit
reboot
¶ Frontend (Telegram bot)
incus launch images:debian/bookworm suremark-telegrambot
incus shell suremark-telegrambot
apt install python3-virtualenv wget cron
echo "SUREMARK_SECRET=strikt-geheim" > /etc/cron.d/suremark
echo "BOT_TOKEN=ook-geheim" >> /etc/cron.d/suremark
echo "SUREMARK_BACKEND_ADDRESS=10.100.196.106" >> /etc/cron.d/suremark
echo "BOT_ADMIN=482780937" >> /etc/cron.d/suremark
echo "@reboot user /home/user/.venv/bin/python /home/user/client-telegrambot.py" >> /etc/cron.d/suremark
useradd -m -s /bin/bash user
su - user
wget https://raw.githubusercontent.com/Ostheer/IBM4610_bot/refs/heads/master/client-telegrambot.py
virtualenv .venv
source .venv/bin/activate
pip install python-telegram-bot requests
exit
reboot
¶ Frontend (Vue app by Rik)
¶ Debian host
Debian Bookworm running Incus on an ancient X200 Thinkpad.
¶ Incus
echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware" | sudo tee /etc/apt/sources.list
sudo apt install qemu-system-x86/bookworm-backports qemu-system-common/bookworm-backports qemu-system-data/bookworm-backports seabios/bookworm-backports
sudo apt install incus
¶ Port forward
This is only required when not running the backend on the same machine.
Add the following content to /etc/nftables.conf (in addition to an actual firewall):
Make sure to enable nftables in systemd, else the conf does not get loaded at boot.
Also make sure that the ifname and daddr make sense.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter;
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat;
iifname "wls1" tcp dport 8000 dnat to 10.100.196.85:8000
}
}
¶ Lid & suspend
Add/uncomment HandleLidSwitch=ignore in /etc/systemd/logind.conf.
To disable suspend, create this file /etc/systemd/sleep.conf.d/nosuspend.conf:
[Sleep]
AllowSuspend=no
AllowHibernation=no
AllowSuspendThenHibernate=no
AllowHybridSleep=no
If that doesn't work, execute sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target (both from the Debian Wiki).
Online, some people suggest this:
In /etc/gdm3/greeter.dconf-defaults, add/uncomment:
sleep-inactive-ac-type='nothing'
sleep-inactive-battery-type='nothing'
And then run sudo systemctl reload gdm; sudo systemctl reload gdm3.
But that didn't work for me. In general, disabling suspend on Debian is kind of a hassle for some reason.
It is not sufficient to disable auto-suspend in the system settings menu, as that seems to be per-user and is not effective when a user never opens a graphical session.