* fschl dotfiles
Part of my personal computing environment. It mainly contains
configuration files for sway, some useful addons and system tools
(git, terminal, ssh, backup). This repository also has some notes on
security considerations when setting up a Linux system.
The relevant things for my workflows can be found in [[https://git.fschl-co.de/fschl/emacs]].
** (future) Features
- reproducible machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard-based (Emacs + CLI tools)
- portable password management (KeePassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
- Rescue+Recover friends' laptops/computers
- panic-ops using a friend's laptop
** Security
*** SSH Hardening
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~
*** SSH key generation
ED25519 keys are favored over RSA keys when backward compatibility /is not required/.
ED25519 is only compatible with OpenSSH 6.5+ and its keys are fixed-size (256 bytes).
#+BEGIN_SRC bash
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC
Fallback for really old systems (why do you still have those??): RSA
keys are favored over ECDSA keys when backward compatibility /is
required/. Thus, newly generated keys are always either ED25519 or
RSA (NOT ECDSA or DSA).
#+BEGIN_SRC bash
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
$ ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host
#+END_SRC
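Added example (not part of the original dotfiles): a small audit helper that checks existing public keys against the rule above, i.e. ED25519 or RSA only, never ECDSA or DSA. It parses the output format of ~ssh-keygen -l~; the function names and the 4096-bit RSA minimum are assumptions made for this example, and the sample lines are constructed.

```bash
# Added example, not from the dotfiles repo: audit keys against the policy above.
# Assumption: the RSA minimum below; the README states none for existing keys.
MIN_RSA_BITS=${MIN_RSA_BITS:-4096}

# classify_key_line LINE
# LINE is one line of `ssh-keygen -l` output: "<bits> <fingerprint> <comment> (<TYPE>)".
# Prints one of: ok, weak-rsa, forbidden, unknown.
classify_key_line() (
  line=$1
  bits=${line%% *}     # first field: key size in bits
  type=${line##*\(}    # text after the last "(" (the comment may contain parentheses)
  type=${type%\)}      # drop the closing ")"
  case $bits in
    ''|*[!0-9]*) echo unknown; exit 0 ;;   # not ssh-keygen -l output
  esac
  case $type in
    ED25519)   echo ok ;;
    RSA)       if [ "$bits" -ge "$MIN_RSA_BITS" ]; then echo ok; else echo weak-rsa; fi ;;
    ECDSA|DSA) echo forbidden ;;
    *)         echo unknown ;;             # other key types: review by hand
  esac
)

# audit_pubkeys [DIR]: classify every *.pub file in DIR (default ~/.ssh).
# Exit status is non-zero when any key is not "ok".
audit_pubkeys() (
  rc=0
  for f in "${1:-$HOME/.ssh}"/*.pub; do
    [ -e "$f" ] || continue
    line=$(ssh-keygen -l -f "$f" 2>/dev/null) || line="unreadable"
    verdict=$(classify_key_line "$line")
    printf '%-10s %s\n' "$verdict" "$f"
    [ "$verdict" = ok ] || rc=1
  done
  exit "$rc"
)

# Constructed sample lines (fingerprints are placeholders, not real keys).
while IFS= read -r sample; do
  printf '%-10s %s\n' "$(classify_key_line "$sample")" "$sample"
done <<'EOF'
256 SHA256:PLACEHOLDER-A Key to HOST for user-xyz (ED25519)
8192 SHA256:PLACEHOLDER-B Key to HOST for user-xyz (RSA)
2048 SHA256:PLACEHOLDER-C old laptop (2015) (RSA)
521 SHA256:PLACEHOLDER-D user@host (ECDSA)
1024 SHA256:PLACEHOLDER-E user@host (DSA)
EOF
```

Run ~audit_pubkeys~ without arguments to check the keys in ~~/.ssh~; anything not reported as ~ok~ is a candidate for regeneration with the commands above.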
*** SSH-Agent
Automatically start the agent and add keys to it when the passphrase is entered (after a key is used for the first time).
Integrates with KeePassXC ([[https://github.com/keepassxreboot/keepassxc/blob/develop/docs/topics/SSHAgent.adoc][GH:KeePass > Docs > SSH-Agent]])
*** GnuPG
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
~~/.gnupg/gpg.conf~:
#+BEGIN_SRC conf
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC
*** Backup Secure Keys
- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
It is rare nowadays to find a USB thumb drive with less than 4GB storage.
Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys.
Those don't require more than a couple of MB. So what to do with the remaining space?
Scenarios:
- You visit friends, only have your keys with you, and you have to check your mail, assist a colleague
  in some network/ops emergency, or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out with recovery.
Boot into a safe environment, having all your credentials available in a secure manner.
Have a bootable forensics toolbox around to quickly get going in a familiar setup.
Solution: multi-boot!
**** Thumb Drive Setup
3 partitions: boot + ISOs, LUKS-encrypted, and an unencrypted partition for non-sensitive data
** TODO [0/5]
- [ ] explain setup, ideas, practices
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot
** Notes on Arch
- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
- ~multilib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~
** TODO Fedora
- fedora project
- different Desktop/Workstation spins (Gnome, KDE, sway...)
- =dnf= package manager, install updates on reboot
- "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks
- has problems with video playback (in Firefox)
- setup syncthing service
#+begin_quote
https://src.fedoraproject.org/rpms/syncthing/tree/rawhide
#+end_quote
#+begin_src bash
sudo systemctl enable --now syncthing@USER.service
#+end_src
- setup wireguard
https://fedoramagazine.org/configure-wireguard-vpns-with-networkmanager/
- add and configure some modern tools:
https://github.com/ibraheemdev/modern-unix?tab=readme-ov-file
*** Basic Packages
#+name: update and install packages
#+begin_src bash
sudo dnf update
sudo dnf group install sway-desktop-environment
sudo dnf -y install \
    ImageMagick \
    bat \
    brightnessctl \
    cascadia-code-nf-fonts \
    cmake \
    duf \
    emacs \
    eza \
    fd-find \
    fuzzel \
    gammastep \
    gammastep-indicator \
    gimp \
    glances \
    gparted \
    grimshot \
    htop \
    isync \
    keepassxc \
    kitty \
    libtool \
    network-manager-applet \
    notmuch \
    papirus-icon-theme-dark \
    papirus-icon-theme-light \
    ripgrep \
    rustup \
    syncthing \
    udiskie \
    virt-manager \
    wireguard-tools \
    wofi \
    youtube-dl
# Fedora's rustup package ships the installer as rustup-init
rustup-init
#+end_src
#+RESULTS:
*** setup dotfiles and emacs
#+name: link dotfiles and emacs
#+begin_src bash
ln -s /home/fschl/git/dotfiles/.config/dunst /home/fschl/.config/dunst
ln -s /home/fschl/git/dotfiles/.config/git /home/fschl/.config/git
ln -s /home/fschl/git/dotfiles/.config/sway /home/fschl/.config/sway
ln -s /home/fschl/git/dotfiles/.config/waybar /home/fschl/.config/waybar
git clone https://gitlab.com/fschl/emacs-config ~/git/emacs
cd ~/git/emacs
git submodule update --init --recursive
ln -s /home/fschl/git/emacs /home/fschl/.config/emacs
#+end_src
*** Tools and Usability stuff
Install [[https://github.com/typst/typst][Typst]], a modern replacement for LaTeX; see [[https://github.com/qjcg/awesome-typst][GH: awesome-typst]]
- [ ] add [[https://github.com/typst/packages][typst/packages]] (letter, CV)
- [ ] https://github.com/Sematre/typst-letter-pro
- [ ] https://github.com/mintyfrankie/brilliant-CV
#+begin_src sh
cargo install --locked starship
cargo install --locked typst-cli
#+end_src
Install [[https://difftastic.wilfred.me.uk/][difftastic]] ([[https://github.com/Wilfred/difftastic][Github]]), for improved diff highlighting.
#+begin_src sh
cargo install --locked difftastic
#+end_src
*** setup development stuff
https://realpython.com/dependency-management-python-poetry/
#+begin_src bash
sudo dnf install python3-lsp-server+all
#+end_src
** NEXT Moving to Guix
- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
- separate subvolumes for =/gnu=, =/var=, =swap=
- [ ] MOVE: https://www.draketo.de/software/package-guix.html
*** Disk partitioning
- https://github.com/david-cortes/snapper-in-debian-guide?tab=readme-ov-file
- https://wiki.archlinux.org/title/Snapper#Suggested_filesystem_layout
- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm
** ImageMagick Notes
Convert multiple .png files into a multipage PDF with downscaling:
#+begin_src bash
# -gravity must come before -extent so each page is centered on the canvas
convert filePrefix*.png -resize 1240x1753 \
    -gravity center -extent 1240x1753 \
    -units PixelsPerInch -density 150x150 multipage.pdf
#+end_src
Lower resolution:
#+begin_src bash
# -gravity must come before -extent so each page is centered on the canvas
convert filePrefix*.png -resize 620x876 \
    -gravity center -extent 620x876 \
    -units PixelsPerInch -density 100x100 multipage.pdf
#+end_src
Combine multiple PDF files into one multipage file:
#+begin_src sh
gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf
#+end_src
I read the answer as saying that ImageMagick uses Ghostscript internally.
source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file