dotfiles/README.org

165 lines
5.9 KiB
Org Mode
Raw Normal View History

* fschl dotfiles
2024-05-08 22:41:39 +02:00
part of my personal computing environment. mainly contains
configuration files for sway, some useful addons and system tools
(git, terminal, ssh, backup). This repository also has some notes on
security considerations when setting up a Linux system.
2024-05-08 22:41:39 +02:00
The relevant things for my workflows can be found in [[https://git.fschl-co.de/fschl/emacs]].
** (future) Features
2024-03-05 14:20:35 +01:00
- reproducable machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard based (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
- Rescue+Recover friends laptops/computers
- panic-ops using a friends laptop
2024-03-05 14:20:35 +01:00
** Security
2024-03-05 14:20:35 +01:00
*** SSH Hardening
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
2022-04-02 09:56:50 +02:00
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~
2024-03-05 14:20:35 +01:00
*** SSH key generation
2024-05-08 22:41:39 +02:00
ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
#+BEGIN_SRC bash
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC
2022-04-02 09:56:50 +02:00
2024-05-08 22:41:39 +02:00
Fallback for really old systems (why do you still have those??) RSA
keys are favored over ECDSA keys when backward compatibility ''is
required'', thus, newly generated keys are always either ED25519 or
RSA (NOT ECDSA or DSA).
2022-10-01 19:45:55 +02:00
2024-05-08 22:41:39 +02:00
#+BEGIN_SRC bash
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
$ ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host
#+END_SRC
2024-03-05 14:20:35 +01:00
*** GnuPG
2024-05-08 22:41:39 +02:00
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
~~/.gnupg/gpg.conf~:
2024-05-08 22:41:39 +02:00
#+BEGIN_SRC bash
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC
2024-03-05 14:20:35 +01:00
*** Backup Secure Keys
2018-11-12 11:48:41 +01:00
- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
2018-11-12 11:48:41 +01:00
Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage.
Though, you want a dedicated drive to transport your password database, ssh keys and GPG keys.
Those don't require more than a couple MB. So what to do with the remaining space?
Scenarios:
- You visit friends, only have your keys with you and you have to check your mails, assist a colleague
2018-11-12 11:48:41 +01:00
in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.
Boot into a safe environment, having all your credentials available in a secure manner.
Have a bootable forensics toolbox around to quickly get going in a familiar setup.
Solution: multi-boot!
2022-04-02 09:56:50 +02:00
**** Thumb Drive Setup
2018-11-23 18:26:40 +01:00
3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data
2021-10-30 10:08:36 +02:00
** TODO [0/5]
- [ ] explain setup, ideas, practises
- [ ] add HOWTO
2021-10-30 10:08:36 +02:00
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
2018-11-23 18:26:40 +01:00
- [ ] move to ansible for easier modularization of setup
2022-04-02 09:56:50 +02:00
- [ ] OR: give GUIX a shot
2022-03-11 16:51:43 +01:00
2024-05-08 22:41:39 +02:00
** Notes on Arch
2022-03-11 16:51:43 +01:00
- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
2022-04-02 09:56:50 +02:00
- ~multiplib~ is required for wine
2022-03-11 16:51:43 +01:00
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
2022-04-02 09:56:50 +02:00
- Skype, VSCode: use ~yay~
2024-02-26 13:11:26 +01:00
2024-05-08 22:41:39 +02:00
** TODO Fedora
- fedora project
- different Desktop/Workstation spins (Gnome, KDE, sway...)
- =dnf= package manager, install updates on reboot
- "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks
2024-06-01 21:55:13 +02:00
- setup syncthing service
#+begin_quote
https://src.fedoraproject.org/rpms/syncthing/tree/rawhide
#+end_quote
#+begin_src bash
sudo systemctl enable --now syncthing@USER.service
#+end_src
- setup wireguard
https://fedoramagazine.org/configure-wireguard-vpns-with-networkmanager/
- add and configure some modern tools:
https://github.com/ibraheemdev/modern-unix?tab=readme-ov-file
bat duf ripgrep eza fd-find dog
2024-05-08 22:41:39 +02:00
2024-02-26 13:11:26 +01:00
** NEXT Moving to Guix
2024-03-05 14:20:35 +01:00
- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
2024-05-08 22:41:39 +02:00
- separate subvolumes for =/gnu=, =/var=, =swap=
2024-03-05 14:20:35 +01:00
- [ ] MOVE: https://www.draketo.de/software/package-guix.html
*** Disk partitioning
- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm
2024-02-26 13:11:26 +01:00
** ImageMagick Notes
convert multiple .png files into multipage pdf with downscaling
#+begin_src bash
convert filePrefix*.png -resize 1240x1753 \
-extent 1240x1753 -gravity center \
-units PixelsPerInch -density 150x150 multipage.pdf
#+end_src
2024-05-08 22:41:39 +02:00
lower resolution:
#+begin_src bash
convert filePrefix*.png -resize 620x876 \
-extent 629x876 -gravity center \
-units PixelsPerInch -density 100x100 multipage.pdf
#+end_src
combine multiple pdf file into one multipage file
#+begin_src sh
gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf
#+end_src
I read the answer like ImageMagick uses ghostscript internally.
source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file