* fschl dotfiles

Part of my personal computing environment. Mainly contains configuration files for sway, some useful addons and system tools (git, terminal, ssh, backup). This repository also has some notes on security considerations when setting up a Linux system. The relevant things for my workflows can be found in [[https://git.fschl-co.de/fschl/emacs]].

** (future) Features

- reproducible machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard based (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
  - Rescue+Recover friends' laptops/computers
  - panic-ops using a friend's laptop

** Security

*** SSH Hardening

- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~

*** SSH key generation

ED25519 keys are favored over RSA keys when backward compatibility /is not required/. They need OpenSSH 6.5+ on both ends and have a fixed size (256-bit), so there is no ~-b~ to choose.

#+BEGIN_SRC bash
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC

Fallback for really old systems (why do you still have those??): RSA keys are favored over ECDSA keys when backward compatibility /is required/. Thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).

#+BEGIN_SRC bash
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
# install the public half of the key generated above on the target host
$ ssh-copy-id -i ~/.ssh/<keyfile>.pub -p 22 user@host
#+END_SRC

*** SSH-Agent

Automatically start the agent, and add a key to it the first time its passphrase is entered (~AddKeysToAgent~ in ~.ssh/config~).
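The two sections above say which key types to generate and that the agent should be reused; the following is an added example (not part of the dotfiles, and the thresholds, socket path and 4h lifetime are assumptions of this example) that audits existing keys from ~ssh-keygen -l~ output against exactly those rules, and starts one agent per login instead of one per terminal.

```shell
#!/bin/sh
# Added example for the SSH key generation and SSH-Agent sections; not part
# of the fschl dotfiles. Assumptions: ED25519 is fine, RSA needs >= 3072
# bits (MIN_RSA_BITS), DSA and ECDSA should be replaced; the agent socket
# path and the 4h key lifetime are choices made here, not from the README.

MIN_RSA_BITS=3072

# classify_key LINE
#   LINE is one line of `ssh-keygen -l` output:
#   "<bits> SHA256:<fingerprint> <comment> (<TYPE>)"
#   prints "ok", "weak: <reason>" or "unknown: <TYPE>"
classify_key() {
    bits=${1%% *}
    ktype=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p')
    case "$ktype" in
        ED25519|ED25519-SK) echo "ok" ;;
        RSA)
            if [ "$bits" -ge "$MIN_RSA_BITS" ]; then echo "ok"
            else echo "weak: RSA $bits bits (< $MIN_RSA_BITS)"; fi ;;
        DSA)    echo "weak: DSA (disabled by default since OpenSSH 7.0)" ;;
        ECDSA*) echo "weak: ECDSA (NIST curve), regenerate as ED25519" ;;
        *)      echo "unknown: $ktype" ;;
    esac
}

# audit_keys: reads `ssh-keygen -l` lines on stdin, prints "<verdict>\t<line>"
# and returns 1 if any key is weak, so it can gate a cron job or CI step.
audit_keys() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_key "$line")
        printf '%s\t%s\n' "$verdict" "$line"
        case "$verdict" in weak:*) rc=1 ;; esac
    done
    return "$rc"
}

# audit_files FILE...: audit authorized_keys files or *.pub keys on disk.
# Needs ssh-keygen; `ssh-keygen -lf` prints one line per key in the file.
audit_files() {
    for f in "$@"; do ssh-keygen -lf "$f"; done | audit_keys
}

# ensure_ssh_agent: source from ~/.bashrc. Reuses one agent per login via a
# fixed socket instead of spawning a new agent in every terminal. Keys are
# not loaded here: `AddKeysToAgent yes` in ~/.ssh/config adds a key to the
# agent the first time its passphrase is typed.
ensure_ssh_agent() {
    sock="${XDG_RUNTIME_DIR:-/tmp}/ssh-agent.$(id -u).sock"
    export SSH_AUTH_SOCK="$sock"
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    # ssh-add -l: 0 = keys loaded, 1 = agent alive but empty, 2 = no agent
    if [ "$rc" -eq 2 ]; then
        rm -f "$sock"
        ssh-agent -a "$sock" -t 4h >/dev/null   # -t: drop keys after 4 hours
    fi
}

# Constructed sample output (placeholder fingerprints, not real keys):
SAMPLE='256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA laptop (ED25519)
2048 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB old-server (RSA)
1024 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC legacy (DSA)'

printf '%s\n' "$SAMPLE" | audit_keys || echo "weak keys found, rotate them"
```

Run ~audit_files ~/.ssh/authorized_keys ~/.ssh/*.pub~ on a real machine; the sample run at the bottom only uses the constructed lines. ~ECDSA-SK~ keys on a hardware token are flagged by the ~ECDSA*~ branch as well, which is intentional here: the NIST-curve objection from the linked guides applies regardless of where the key lives.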
Integrates with KeepassXC ([[https://github.com/keepassxreboot/keepassxc/blob/develop/docs/topics/SSHAgent.adoc][GH:KeePass > Docs > SSH-Agent]]).

*** GnuPG

- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys

=~/.gnupg/gpg.conf=:

#+BEGIN_SRC bash
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC

*** Backup Secure Keys

- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption

Nowadays it is mere chance to find a USB thumb drive with less than 4GB of storage. Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys, and those need no more than a couple of MB. So what to do with the remaining space?

Scenarios:
- You visit friends, only have your keys with you and you have to check your mails, assist a colleague in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.

Boot into a safe environment, having all your credentials available in a secure manner. Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!
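As an added example of the thumb-drive layout sketched above (a partition for bootable ISOs, a LUKS-encrypted vault for the key material, plain space for the rest), the script below creates the three partitions and the LUKS2 container. It is not tooling from this repository; the partition sizes, the ~/dev/sdX1..3~ naming, the mapper name ~keyvault~ and the mount point are assumptions of this example, and nothing is written to a disk unless it is invoked with ~--apply~.

```shell
#!/bin/sh
# Added example for the "Backup Secure Keys" thumb drive layout
# (boot+isos | LUKS vault | plain data); not the dotfiles' own tooling.
# Sizes, the partition naming (/dev/sdX1..3), the mapper name "keyvault"
# and the mount points are assumptions of this example.
# Nothing touches a disk unless run as:  sh thumb.sh --apply /dev/sdX
set -eu

ISO_MIB=4096     # partition 1: bootable ISOs (Ventoy etc.), assumed size
VAULT_MIB=512    # partition 2: LUKS2 vault for .kdbx, ssh and gpg keys
                 # partition 3: whatever is left, unencrypted scratch space

# layout TOTAL_MIB: prints "<n> <start> <end>" in MiB for the three
# partitions (1 MiB alignment at the start, 1 MiB spare at the end) and
# fails when the drive cannot hold the two fixed partitions plus data.
layout() {
    total=$1
    p1s=1;    p1e=$((p1s + ISO_MIB))
    p2s=$p1e; p2e=$((p2s + VAULT_MIB))
    p3s=$p2e; p3e=$((total - 1))
    if [ "$p3e" -le "$p3s" ]; then
        echo "drive too small: ${total} MiB" >&2
        return 1
    fi
    printf '1 %s %s\n2 %s %s\n3 %s %s\n' "$p1s" "$p1e" "$p2s" "$p2e" "$p3s" "$p3e"
}

# apply DEV: partition, format and label. DESTRUCTIVE, needs root.
apply() {
    dev=$1
    total=$(( $(blockdev --getsize64 "$dev") / 1048576 ))
    layout "$total" >/dev/null                    # abort early if too small
    sgdisk --zap-all "$dev"
    sgdisk -n "1:0:+${ISO_MIB}M"   -t 1:8300 -c 1:isos     "$dev"
    sgdisk -n "2:0:+${VAULT_MIB}M" -t 2:8309 -c 2:keyvault "$dev"  # 8309 = Linux LUKS
    sgdisk -n 3:0:0                -t 3:8300 -c 3:scratch  "$dev"
    partprobe "$dev"
    mkfs.ext4 -q -L isos    "${dev}1"
    mkfs.ext4 -q -L scratch "${dev}3"
    # LUKS2 with argon2id: memory-hard KDF, so a lost stick costs the
    # attacker real hardware per guess. The passphrase is asked interactively.
    cryptsetup luksFormat --type luks2 --pbkdf argon2id "${dev}2"
    cryptsetup open "${dev}2" keyvault
    mkfs.ext4 -q -L keyvault /dev/mapper/keyvault
    cryptsetup close keyvault
    # keep a header backup OFF the stick: a damaged header loses everything
    cryptsetup luksHeaderBackup "${dev}2" --header-backup-file "$HOME/keyvault-header.img"
}

# open_vault DEV [MNT] / close_vault [MNT]: daily use. nosuid,nodev,noexec
# because nothing on the vault should ever execute, it only holds secrets.
open_vault() {
    dev=$1; mnt=${2:-/mnt/keyvault}
    cryptsetup open "$dev" keyvault
    mkdir -p "$mnt"
    mount -o nosuid,nodev,noexec /dev/mapper/keyvault "$mnt"
}
close_vault() {
    umount "${1:-/mnt/keyvault}"
    cryptsetup close keyvault
}

case "${1:-}" in
    --apply) apply "$2" ;;
    --plan)  layout "$2" ;;     # e.g. --plan 7600 for an "8GB" stick
    *)       layout 7600 ;;     # dry run: print the plan for an "8GB" stick
esac
```

The header backup file is as sensitive as the stick itself (it contains the key slots), so store it encrypted elsewhere, not on partition 3. Because the vault is ext4 on top of dm-crypt, the same ~open_vault~ works from any live system that has ~cryptsetup~, which is the point of the rescue scenarios above.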
**** Thumb Drive Setup

3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data

** TODO [0/5]

- [ ] explain setup, ideas, practices
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot

** Notes on Arch

- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
  - ~multilib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~

** TODO Fedora

- fedora project
- different Desktop/Workstation spins (Gnome, KDE, sway...)
- =dnf= package manager, install updates on reboot
- "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks
  - has problems with video playback (in firefox)
- setup syncthing service
  #+begin_quote
  https://src.fedoraproject.org/rpms/syncthing/tree/rawhide
  #+end_quote
  #+begin_src bash
  sudo systemctl enable --now syncthing@USER.service
  #+end_src
- setup wireguard: https://fedoramagazine.org/configure-wireguard-vpns-with-networkmanager/
- add and configure some modern tools: https://github.com/ibraheemdev/modern-unix?tab=readme-ov-file

*** Basic Packages

#+name: update and install packages
#+begin_src bash
sudo dnf update
sudo dnf group install sway-desktop-environment
sudo dnf -y install \
  ImageMagick \
  bat \
  brightnessctl \
  cascadia-code-nf-fonts \
  cmake \
  duf \
  emacs \
  eza \
  fd-find \
  fuzzel \
  gammastep \
  gammastep-indicator \
  gimp \
  glances \
  gparted \
  grimshot \
  htop \
  isync \
  keepassxc \
  kitty \
  libtool \
  network-manager-applet \
  notmuch \
  papirus-icon-theme-dark \
  papirus-icon-theme-light \
  ripgrep \
  rustup \
  syncthing \
  udiskie \
  virt-manager \
  wireguard-tools \
  wofi \
  youtube-dl
# Fedora's rustup package ships the installer as rustup-init
rustup-init
#+end_src

*** setup dotfiles and emacs

#+name: link dotfiles and emacs
#+begin_src bash
# link the sway-related configs; move an existing real directory aside first
# so ln does not silently create the link inside it
mkdir -p "$HOME/.config"
for d in dunst git sway waybar; do
  target="$HOME/.config/$d"
  if [ -e "$target" ] && [ ! -L "$target" ]; then mv "$target" "$target.bak"; fi
  ln -sfn "$HOME/git/dotfiles/.config/$d" "$target"
done

git clone https://gitlab.com/fschl/emacs-config ~/git/emacs
cd ~/git/emacs
git submodule update --init --recursive
ln -sfn ~/git/emacs ~/.config/emacs
#+end_src

*** Tools and Usability stuff

Install [[https://github.com/typst/typst][Typst]], a modern replacement for LaTeX, see [[https://github.com/qjcg/awesome-typst][GH: awesome-typst]].
- [ ] add [[https://github.com/typst/packages][typst/packages]] (letter, CV)
- [ ] https://github.com/Sematre/typst-letter-pro
- [ ] https://github.com/mintyfrankie/brilliant-CV

#+begin_src sh
cargo install --locked starship
cargo install --locked typst-cli
#+end_src

Install [[https://difftastic.wilfred.me.uk/][difftastic]] ([[https://github.com/Wilfred/difftastic][Github]]) for improved diff highlighting.

#+begin_src sh
cargo install --locked difftastic
#+end_src

*** setup development stuff

https://realpython.com/dependency-management-python-poetry/

#+begin_src bash
sudo dnf install python3-lsp-server+all
#+end_src

** NEXT Moving to Guix

- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
- separate subvolumes for =/gnu=, =/var=, =swap=
- [ ] MOVE: https://www.draketo.de/software/package-guix.html

*** Disk partitioning

- https://github.com/david-cortes/snapper-in-debian-guide?tab=readme-ov-file
- https://wiki.archlinux.org/title/Snapper#Suggested_filesystem_layout
- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*:
  https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm

** ImageMagick Notes

Convert multiple .png files into a multipage PDF with downscaling (1240x1753 px is A4 at 150 DPI). ~-gravity~ is a setting and has to precede the ~-extent~ operator, otherwise the pages are not centered on the canvas:

#+begin_src bash
convert filePrefix*.png -resize 1240x1753 \
  -gravity center -extent 1240x1753 \
  -units PixelsPerInch -density 150x150 multipage.pdf
#+end_src

Lower resolution:

#+begin_src bash
convert filePrefix*.png -resize 620x876 \
  -gravity center -extent 620x876 \
  -units PixelsPerInch -density 100x100 multipage.pdf
#+end_src

Combine multiple PDF files into one multipage file:

#+begin_src sh
gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf
#+end_src

I read the answer as saying that ImageMagick uses Ghostscript internally. Source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file
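The pixel sizes in the notes above are A4 at a given DPI, truncated to whole pixels. As an added example (not from the original notes; the function names are this example's), the helper below derives them for any DPI and wraps the ~convert~ call with the settings in the order ImageMagick 6 needs them.

```shell
#!/bin/sh
# Added example for the ImageMagick notes; not from the original page.
# a4_px reproduces the 1240x1753 figure (A4 at 150 DPI, truncated) for any
# DPI, png_to_pdf wraps convert with the options in the right order.
set -eu

# a4_px DPI: prints "WxH" for an A4 page (210 x 297 mm) at DPI, truncated
# to whole pixels like the values in the notes.
a4_px() {
    awk -v d="$1" 'BEGIN { printf "%dx%d\n", int(210 / 25.4 * d), int(297 / 25.4 * d) }'
}

# png_to_pdf DPI OUT.pdf IN.png...: one page per PNG, scaled to fit A4 and
# centered on a white canvas. In ImageMagick 6, -background and -gravity are
# settings and must come before the -extent operator that uses them;
# -units/-density set the resolution written into the PDF.
png_to_pdf() {
    dpi=$1; out=$2; shift 2
    geom=$(a4_px "$dpi")
    convert "$@" -resize "$geom" \
        -background white -gravity center -extent "$geom" \
        -units PixelsPerInch -density "${dpi}x${dpi}" "$out"
}

# Usage (needs ImageMagick; in IM7 `magick` replaces `convert`):
#   png_to_pdf 150 multipage.pdf filePrefix*.png
# A shell glob sorts filePrefix*.png lexically, so zero-pad page numbers
# (page-01.png, page-02.png, ...) or page 10 lands before page 2.
a4_px 150
```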