* fschl dotfiles

My personal computing environment.

** Features

- reproducible machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard-based (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
- Rescue+Recover friends' laptops/computers
- panic-ops using a friend's laptop

** Security

*** SSH Hardening

- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~

*** SSH key generation

#+BEGIN_SRC bash
# ED25519 keys are favored over RSA keys when backward compatibility is not required.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

# Fallback for really old systems (why do you still have those??)
# RSA keys are favored over ECDSA keys when backward compatibility is required,
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

$ ssh-copy-id -i ~/.ssh/.pub -p 22 user@host
#+END_SRC

*** GnuPG

- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys

~~/.gnupg/gpg.conf~:

#+BEGIN_SRC bash
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC

*** Backup Secure Keys

- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any Windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption

Nowadays it is rare to find a USB thumb drive with less than 4GB storage. Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys. Those don't require more than a couple of MB. So what to do with the remaining space?

Scenarios:

- You visit friends, only have your keys with you and you have to check your mail, assist a colleague in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.

Boot into a safe environment, having all your credentials available in a secure manner. Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!
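
Before SSH keys go onto the backup drives, their public halves can be checked against the key policy from the SSH key generation notes (ED25519 or RSA, not ECDSA or DSA). This is an added example, not part of these dotfiles; ~audit_pubkey~, the 4096-bit RSA minimum and the sample key lines are assumptions constructed for illustration.

```python
import base64
import struct

# Policy from the notes above: new keys are ED25519 or RSA, never ECDSA or DSA.
ALLOWED = {"ssh-ed25519", "ssh-rsa"}
MIN_RSA_BITS = 4096  # assumed threshold for this example, not from the page

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if short
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def audit_pubkey(line, min_rsa_bits=MIN_RSA_BITS):
    """Return (key_type, bits, verdict) for one line of a .pub file."""
    ktype, b64 = (line.split() + ["", ""])[:2]
    try:
        fields = _fields(base64.b64decode(b64, validate=True))
    except (ValueError, struct.error):
        return (ktype, 0, "unparseable")
    if not fields or fields[0] != ktype.encode():
        return (ktype, 0, "type label does not match key blob")
    if ktype not in ALLOWED:
        return (ktype, 0, "rejected: type not in policy")
    if ktype == "ssh-ed25519":  # blob: type, 32-byte public key
        ok = len(fields) == 2 and len(fields[1]) == 32
        return (ktype, 256, "ok") if ok else (ktype, 0, "unparseable")
    if len(fields) != 3:  # ssh-rsa blob: type, exponent e, modulus n
        return (ktype, 0, "unparseable")
    bits = int.from_bytes(fields[2], "big").bit_length()
    return (ktype, bits, "ok" if bits >= min_rsa_bits else "rejected: RSA key too short")

# Builds constructed, non-functional public key lines for the demo below.
def _sample(ktype, *rest):
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(), *rest))
    return f"{ktype} {base64.b64encode(blob).decode()} constructed-sample"

SAMPLES = [
    _sample("ssh-ed25519", bytes(32)),
    _sample("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 1024),  # 8192-bit n
    _sample("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256),   # 2048-bit n
    _sample("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)),
]
if __name__ == "__main__":
    print(*map(audit_pubkey, SAMPLES), sep="\n")
```

The check reads the key type from the decoded blob rather than trusting the text label, so a renamed or hand-edited ~.pub~ file is reported as a mismatch instead of passing.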
**** Thumb Drive Setup

3 partitions: boot+isos, LUKS-encrypted, unencrypted partition for non-sensitive data

** TODO [0/5]

- [ ] explain setup, ideas, practices
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot

** Moving to Arch

- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
- ~multilib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~

** NEXT Moving to Guix

- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
- separate subvolumes for =/gnu=, =var=, =swap=
- [ ] MOVE: https://www.draketo.de/software/package-guix.html

*** Disk partitioning

- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm

** ImageMagick Notes

Convert multiple .png files into a multipage PDF with downscaling:

#+begin_src bash
# 1240x1753 px is A4 at 150 DPI; -gravity must precede -extent to center the image
convert filePrefix*.png -resize 1240x1753 \
        -gravity center -extent 1240x1753 \
        -units PixelsPerInch -density 150x150 multipage.pdf
#+end_src