My journey to get Alpine + Wayland + River to work on ThinkPad T14 G3 AMD
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Inga 🏳‍🌈 8ea3b74ef6 updated code-oss info 2 weeks ago
dotfiles backlight 2 weeks ago
global updated configs 2 weeks ago
LICENSE Initial commit 1 year ago updated code-oss info 2 weeks ago

Table of Contents


My journey to get Alpine + Wayland + River to work on ThinkPad T14 G3 AMD (21CF004PGE)

Preparing hardware

Disable secure boot and fn-lock in bios (so that F-keys work as F-keys by default and require Fn for their secondary multimedia functions).

Installing Alpine

Put alpine standard image on Ventoy USB, load it from Ventoy in GRUB mode.



doas apk add nano

In /etc/apk/repositories, comment out the version you installed, add edge (main, community, testing), since some of the packages we're going to install (river, element-desktop) only exist in testing.


doas apk update
doas apk upgrade

(note that this might break GRUB:

Usable editor by default (not vi)

doas apk add micro
doas apk del nano
echo "export EDITOR=micro" >>.profile
echo "permit setenv { EDITOR=\$EDITOR } :wheel" | tee -a /etc/doas.d/doas.conf

Login manager (needed for desktop)

doas apk add elogind polkit-elogind
doas rc-update add elogind
doas rc-update add polkit
doas apk add greetd greetd-agreety
doas rc-update add greetd

Also: edit /etc/inittab and comment out line enabling getty on tty1, otherwise both agreety and getty will run simultaneously, preventing login on tty1. (TODO: Find links.)


Make sure that everything works: log in on tty1, check that e.g. XDG_RUNTIME_DIR is set in env.

Installing river

doas apk add river river-doc
doas apk add adwaita-icon-theme foot ttf-dejavu
doas setup-devd udev
doas apk add mesa-dri-gallium mesa-va-gallium
install -Dm0755 /usr/share/doc/river/examples/init -t ~/.config/river


doas apk add xwayland

because the latest river in testing is built in a way that requires xwayland (see also:

Try to run with



dbus-run-session -- river

You should see the blue screen of river. Try to open terminal with Win+Shift+Enter. Try to exit with Win+Shift+E.

Login manager

To get to river after logging in on tty1, and get back to tty1 after exiting river, change /etc/greetd/config.toml

command = "agreety --cmd \"dbus-run-session -- river\""

and reboot.

Installing Waybar

doas apk add waybar font-roboto font-awesome

and add startup section at the end of river init file (~/.config/river/init):

# startup
riverctl spawn "waybar"


doas apk add way-displays
mkdir .config/way-displays

and create .config/way-displays/cfg.yaml with the following: TODO

HiDPI - cursors

And in order to have decently sized mouse cursors instead of the tiniest ones, add the following line to the top of .config/river/init:

riverctl xcursor-theme Adwaita 24

This will only affect river itself, the cursor will stay tiny in waybar and firefox and maybe other applications. To solve this:

doas apk add gsettings-desktop-schemas
gsettings set org.gnome.desktop.interface cursor-theme 'Adwaita'

HiDPI - terminal

In terminal (not in terminal emulator in WM; you can always switch to the new terminal with Ctrl+Alt+F2)

doas apk add terminus-font
setfont /usr/share/console-fonts/ter-132n.psf.gz

If it looks decent: change consolefont in /etc/conf.d/consolefont to "ter-132n.psf.gz" and doas rc-update add consolefont boot


In order to not have to create wrapper scripts for all apps:

Create /usr/local/bin/inga-river (and later chmod +x /usr/local/bin/inga-river) with the following content.

and replace \"dbus-run-session -- river\" with inga-river in /etc/greetd/config.toml.


doas apk add gnome-keyring

Add following lines to /usr/local/bin/inga-river before the call to river:

eval $(gnome-keyring-daemon)

Reboot, login, make sure with ps aux | grep key that keyring daemon is running.

Sudo for GUI apps

doas apk add polkit-gnome, and add riverctl spawn /usr/lib/polkit-gnome/polkit-gnome-authentication-agent to your river config.


doas apk add bemenu, and then add this line into your river config:

riverctl map normal Super R spawn 'pidof bemenu-run || bemenu-run -i -n'


doas apk add grimshot, then add this line to river config:

riverctl map normal None Print spawn 'grimshot copy area'


Works by default, use Ctrl+Shift+C and Ctrl+Shift+V in foot

Emoji keyboard

doas apk add rofi-emoji rofi-emoji-wayland wtype font-noto-emoji and add this line to your river config

riverctl map normal Super period spawn 'rofi -modi emoji -show emoji'

(For some reason it broke after reboot and only copies things to clipboard, even though wtype continues to work without any problems)


doas apk add dunst
dunst &
dunstify test

You should get a notification with the text "test".

Then add riverctl spawn "dunst" to the startup section of your river config.

TODO: wired-notify instead of dunst (currently not packaged for alpine)

Other software


doas apk add firefox

go to about:support and make sure that Window Protocol is wayland, not xwayland. (it should be wayland because MOZ_ENABLE_WAYLAND is set to 1 by inga-river)

For some reason, while sound in general works fine in firefox (after following the steps from Hardware section), in WebRTC pages there is crackling much louder than the actual voices, making it unusable for voice/video calls/meetings.


doas apk add chromium

It should also be wayland by default, but you can check it by doas apk add xeyes && xeyes.

In order for screen sharing to work, go to chrome://flags/#enable-webrtc-pipewire-capturer and enable it. Note though that every time you screenshare, there will be two promps from xdg-desktop-portal, one for picking a source, and another for actually sharing.


doas apk add yubikey-manager
doas addgroup YOUR_USER plugdev

(not sure if the two commands above are necessary)


doas rc-service pcscd start
doas rc-update add pcscd

Yubikey should work in Chrome


doas apk add ouch to avoid having to remember tar flags etc, and instead do ouch decompress archive.tar.gz (for any archive format).


doas apk add git
git config --global credential.helper --store


doas apk add telegram-desktop


doas apk add element-desktop



TODO 2024

With default settings, laptop goes to sleep after some idle period. When it wakes up, the root fs is readonly, meaning that I have to restart the laptop.

Adding acpiphp.disable=1 and pcie_aspm=off to grub config does not solve the issue.

Disabling S0ix in UEFI only made things worse: even though cat /sys/power/mem_sleep reported that S3 (deep) is default, after system goes to sleep it is impossible to wake it up, it does not react to key or power button presses.

What did solve the issue was:

  • reenable S0ix in BIOS,
  • doas apk add linux-firmware-amdgpu,
  • editing GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub to add the following options: acpiphp.disable=1 pcie_aspm=off acpi_osi='Windows 2020' iommu=soft.

Now after waking up (after being suspended with doas pm-suspend from pm-utils package) root fs is still readwrite. But sometimes network disappears after wakeup.

For suspend on lid close and unsuspend on open, follow :

doas mkdir -p /etc/acpi/LID
doas micro /etc/acpi/LID/00000080

should have the following content

exec pm-suspend

and then

doas chmod +x /etc/acpi/LID/00000080
doas rc-service acpid restart


TODO 2024

Otherwise, alpine wiki describes how to configure WiFi using iwd.


doas apk add enlighten
doas rc-service udev restart

and add the following lines to river config:

riverctl map $mode None XF86MonBrightnessUp   spawn "BACKLIGHT_DEVICE=amdgpu_bl1 enlighten +5%"
riverctl map $mode None XF86MonBrightnessDown spawn "BACKLIGHT_DEVICE=amdgpu_bl1 enlighten -5%"

Backlight control with Fn+F5/F6 should work now.

(amdgpu_bl0 is specific for this laptop; value for others can be obtained from /sys/class/backlight/)


Disregard this:

find /sys/devices/platform/i8042/ -name name | xargs grep -Fl TrackPoint

to find which serio corresponds to trackpoint, then

echo 70 | doas tee /sys/devices/platform/i8042/serio1/sensitivity

for reasonably low sensitivity (does not persist; for persistence TODO separate udev rule).

Instead of configuring sensitivity, it's probably better to configure pointer speed in river.

Find your trackpoint with riverctl list-inputs | grep -i trackpoint, it will look like 2:10:TPPS/2_Elan_TrackPoint.

Then add the following to your river config:

riverctl input 2:10:TPPS/2_Elan_TrackPoint accel-profile adaptive
riverctl input 2:10:TPPS/2_Elan_TrackPoint pointer-accel -0.5


Based on

doas apk add pipewire wireplumber rtkit pipewire-alsa
#doas addgroup YOURUSER rtkit



Make sure that everything works (with wpctl status, pw-cat -p YOURFILE.flac or just opening YouTube in FF).

Then make pipewire start automatically: in river config, add another startup line:

riverctl spawn "/usr/libexec/pipewire-launcher"

Control volume with wpctl. And change the handlers for XF86Audio (adding -repeat and replacing the spawned command):

riverctl map -repeat $mode None XF86AudioRaiseVolume spawn 'wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 1%+'
riverctl map -repeat $mode None XF86AudioLowerVolume spawn 'wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 1%-'
riverctl map $mode None XF86AudioMute spawn 'wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle'

Note that the internal microphone does not work and is not detected by pipewire. (This still holds on P14s G4 in 2024.) Only external microphones work.

Mic mute button

doas apk add alsa-tools

Add the following to the river config:

riverctl map $mode None XF86AudioMicMute spawn 'amixer --card 1 set "Capture" toggle'

(Editing ACPI hooks no longer needed on P14s G4 in 2024.)


Should work after following the steps for "Audio".

Can be tested in


Screen sharing

doas apk add xdg-desktop-portal xdg-desktop-portal-wlr

Create /usr/local/bin/inga-xdg-desktop-portal-wlr with the following:

killall /usr/libexec/xdg-desktop-portal
killall /usr/libexec/xdg-desktop-portal-wlr

and to your river config

riverctl spawn "inga-xdg-desktop-portal-wlr"

(for some reason xdg-desktop-portal gets started automatically and after that newly started xdg-desktop-portal-wlr does not work; we need to kill that xdg-desktop-portal first)

Also create .config/xdg-desktop-portal-wlr/config with the following:


Prevent firefox sharing indicator from taking the entire tile

Add the following lines to river config (before the last exec line):

riverctl float-filter-add title "Firefox — Sharing Indicator"
riverctl float-filter-add title 'Firefox — Sharing Indicator'

(TODO: check which kind of quotes works)

Development (containers)

Unprivileged LXC (ran without privileges on host), with routing

(based partially on and

Note that docker won't work inside this container, you'll need to create container using privileged LXD, as described in the next section (see for more details on why this doesn't work).

Networking (host)

(assuming that your internet-connected interface is eth0, and that you want to use subnet for the container)

Add the following to /etc/network/interfaces:

auto br0
iface br0 inet static
	bridge-ports dummy0
	bridge-stp 0

and do

doas apk add bridge
doas modprobe dummy
echo dummy | doas tee -a /etc/modules
echo 1 | doas tee -a /proc/sys/net/ipv4/ip_forward
doas apk add iptables
doas rc-update add iptables
doas iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
doas iptables --append FORWARD --in-interface br0 -j ACCEPT
doas /etc/init.d/iptables save

Containers support

doas apk add lxc lxcfs lxc-download xz gnupg
echo "$(id -un):10000000:5000000" | doas tee -a /etc/subuid
echo "$(id -un):10000000:5000000 | doas tee -a /etc/subgid
echo "$(id -un) veth br0 10" | doas tee -a /etc/lxc/lxc-usernet
doas rc-update add cgroups lxc lxcfs dbus

Creating container

Create `~/.config/lxc/CONTAINERNAME.conf" with the following content: = veth = up = br0 = = = veth-if-0
# this is not a mistype, 500K should be enough for all your nesting needs, and 5M in /etc/subuid should be enough if you want to create any other containers
lxc.idmap = u 0 10000000 500000
lxc.idmap = g 0 10000000 500000

lxc.include = /usr/share/lxc/config/nesting.conf
lxc.apparmor.allow_nesting = 1
lxc.seccomp.allow_nesting = 1 = proc sys cgroup:rw:force


lxc-create -n CONTAINERNAME -f .config/lxc/CONTAINERNAME.conf -t download
# pick OS (alpine/edge/amd64 in my case)
lxc-start -n CONTAINERNAME # make sure it does not produce any errors
lxc-attach --clear-env -n CONTAINERNAME

You'll get into a container root console.

(but still inside this container apk cgroups start will produce errors and mount everything in /sys/fs/cgroups except for openrc as nobody:nobody, and won't mount openrc at all, and nested containers won't work.)

Networking (container)

In container root console, check if network is up with ifconfig. If there are no IPv4 address for eth0, you'll have to configure it manually, by editing /etc/network/interfaces. The easiest way to do it is by

doas micro ~/.local/share/lxc/CONTAINERNAME/rootfs/etc/network/interfaces`

on the host.

In the end the file should look like

auto eth0
iface eth0 inet static
hostname $(hostname)

Then rc-service networking restart, and check ifconfig. If everything is right, there should be an ipv4 address in ifconfig, and ping inside container and ping inside host should work.

ping inside container should work too, thanks for routing.

Now, if ping does not work, configure DNS in container:

echo nameserver >> /etc/resolv.conf
echo nameserver >> /etc/resolv.conf

(or add them using micro on the host, as you did for interfaces)

Make sure ping works. APK should work too: apk add micro neofetch

Creating an user inside container

In container root shell:

adduser USERNAME wheel
echo "permit persist :wheel" >> /etc/doas.d/doas.conf

Now exit root shell (just with exit), and try lxc-console -n CONTAINERNAME. You should be able to log in using the new username and password. (To exit lxc console, use Ctrl+A, Q).

Alternatively: unprivileged LXC using LXD / Incus (ran as privileged service on host)

Security notes

Note that with LXD, unprivileged containers run under root, which is not supposed to give them any extra privileges (source:, but this implies that:

Containers can only be managed with LXD using root access. Which means either doas for every command (including connecting to the container shell), or adding your user to the lxd group which will have access to LXD daemon, which will effectively give your user passwordless sudo (since access to LXD daemon can trivially be used to gain root privileges), so that any process running under your user can trivially gain root privileges on the host (which is for some reason not considered by LXD maintainers to be a problem).

DO NOT add your user to the lxd group, and DO NOT uncomment --group lxd in /etc/conf.d/lxd

Instead the secure way of doing things would probably be to only use lxd as a root, and connect to the container using ssh.

Containers support

As simple as

doas apk add incus incus-client
doas rc-update add incusd
doas rc-service start incusd
doas incus admin init

Networking with routing should work automatically.

SSH support

doas apk add openssh-client
ssh-keygen -t ed25519

(Also make sure that echo $SSH_AUTH_SOCK is not empty; it shouldn't be if gnome-keyring-daemon is configured properly.)

Creating container

doas incus launch images:alpine/edge -c security.nesting=true -c security.privileged=false -c security.idmap.isolated=true -c security.idmap.size=6553600 test-alpine-container
doas incus exec test-alpine-container -- /bin/ash

Networking should work inside of container.

Then, in target container (from root, lxc-attach/lxc exec)

apk add openssh doas
rc-update add sshd
rc-service sshd start

adduser YOUR_USER wheel

Check IP of container with ifconfig, and then on host,

ssh-copy-id CONTAINER_IP


Accessing dev sites running inside container

On host, create new FF profile for that purpose only. In its about:config, enable network.proxy.allow_hijacking_localhost (so that requests to localhost are proxied too).

With squid (HTTP/HTTPS only, ran as a service)

In container: doas apk add squid, and edit /etc/squid/squid/conf accordingly (most likely you'll only need to change local network definition to match the subnet shared between the host and the container).


doas rc-update add squid
doas rc-service squid start

(Note that squid requires devfs service to be running).

Configure FF profile to use squid proxy running inside of container.

It is not clear how to get websockets working with squid, information on the web is very sparse.

With SSH tunnel (supports websockets)

Alternatively, without any need to squid:

  • Configure container for tunnelling support (no idea why it is required for tunnelling to work:
    • On LXC: add lxc.cgroup.devices.allow = c 10:200 rwm to your ~/.config/lxc/CONTAINERNAME.conf file;
    • On LXD: doas lxc config set CONTAINERNAME raw.lxc="lxc.cgroup.devices.allow = c 10:200 rwm";
    • (of course, restart the container after that);
  • Enable AllowTcpForwarding and PermitTunnel in /etc/ssh/sshd_config (and of course restart sshd);
  • On host, ssh CONTAINER_IP -ND TUNNEL_PORT (TUNNEL_PORT can be anything above 1024 to avoid requiring root privileges);
  • On host, in target FF profile, configure proxy to use SOCKS v5 proxy on CONTAINER_IP:CONTAINER_PORT (leave HTTP / HTTPS proxy empty), and check "Proxy DNS when using Socks v5" checkbox.
  • Note that it will only work as long as ssh tunnelling command on host is running. So you'll need to run it again after reboot etc. Or wrap it in a service for OpenRC.

VS Code Remote

Note that VS Code (and all related products) has a protection intended to prevent OSS variants from connecting to proprietary versions of VS code. However, apparently, it is implemented in such a way that it prevents even different OSS products from connecting to each other. Only "Code OSS" is packaged for Alpine (until is implemented); and only VSCodium has official server-side builds, so you'll need to use custom server-side builds with Code OSS.

Steps to get it running, assuming that you already have keyring and key-based SSH auth (with non-RSA key) configured:

In container (one of the sources:

doas apk add gcompat libstdc++ curl bash git

and enable AllowTcpForwarding and PermitTunnel in /etc/ssh/sshd_config.

On host (where you intend to run IDE client):

doas apk add code-oss

Patch code-oss manifests

(TODO: figure how to optimize this step without having to manually patch them after every update)

In /usr/lib/code-uss/resources/app:

  • Update product.json: add commit field corresponding to the matching release of openvscode-server.

Additionally, if there is no openvscode-server of the exact same version (for example, latest code-oss in aports at some point was 1.83.1, but openvscode-server was only released for 1.83.0):

Run code-oss, add "Open Remote - SSH" extension by jeanp413.

Go to its settings, and:

  • Set "Server Download Url Template" to${version}/openvscode-server-v${version}-${os}-${arch}.tar.gz (otherwise it will download VSCodium server-side builds by default).
  • Set "Experimental: Server Binary Name" to openvscode-server (otherwise it will try to launch remote code-server-oss which does not exist and never will, taking its name from Code OSS product.json).

You'll get remote button under the marketplace button. Go there, add your host, right-click it, connect. Connection should be successful, and you should see "connected to remote" on Code OSS main screen.

Work around certain musl incompatibilities

Some openvscode-server versions cannot start on Alpine (

In order to solve this, after Open Remote - SSH extension downloaded and unpacked REH binaries and displayed an error saying that it could not start the remote server:

SSH into the container, go to ~/.vscode-server-oss/bin/COMMIT_NAME/,

doas apk add ouch
ouch decompress
rm node
cp node-v18.15.0-linux-x64-musl/bin/node .

(replacing 18.15.0 with the appropriate version from for your version of openvscode-server) and tell Code OSS to try again.

"Open folder" should take you to the remote directory structure, allowing you to open projects hosted in container. All code-related extensions will also work in remote context, isolated from the parent system and unable to affect it, no matter what malicious npm packages get installed into container.


For container terminal apps to be usable:

doas apk add ncurses-terminfo

(inside LXC)

TODO once nesting in LXC works (reference:

(inside LXD)

As simple as

doas apk add docker
doas rc-update docker start
doas docker run hello-world

in the guest.

For networked docker containers, doas lxc config edit CONTAINERNAME, add linux.kernel_modules: br_netfilter to the config: section, and restart container (doas lxc restart CONTAINERNAME).


  • Fix internal mic
  • Docker in containers ran by unprivileged users
  • Make river usable
  • Make waybar usable (+waybar fonts)
  • nushell + starship instead of ash
  • Mail client
  • Fix call audio in firefox
  • WiFi