* fschl dotfiles

Part of my personal computing environment. It mainly contains
configuration files for sway, some useful addons and system tools
(git, terminal, ssh, backup). This repository also has some notes on
security considerations when setting up a Linux system.

The relevant things for my workflows can be found in [[https://git.fschl-co.de/fschl/emacs]].

** (future) Features

- reproducible machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard-based (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
- Rescue+Recover friends' laptops/computers
- panic-ops using a friend's laptop

** Security

*** SSH Hardening

- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~

*** SSH key generation

ED25519 keys are favored over RSA keys when backward compatibility /is not required/.
They are only supported by OpenSSH 6.5+ and have a fixed size (256 bytes).

#+BEGIN_SRC bash
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC

Fallback for really old systems (why do you still have those??): RSA
keys are favored over ECDSA keys when backward compatibility /is
required/. Thus newly generated keys are always either ED25519 or
RSA (NOT ECDSA or DSA).

#+BEGIN_SRC bash
ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host
#+END_SRC
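
The key-type policy above (ED25519 or RSA only, never ECDSA or DSA) is easy to check against an =authorized_keys= file or a set of =.pub= files. The POSIX sh script below is an added example, not part of this repository: the function names (=key_type=, =key_allowed=, =audit_keys=) are my own, and the sample key lines are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): audit public-key lines against
# the policy above. Allowed: ssh-ed25519, ssh-rsa. Rejected: ECDSA, DSA, unknown.
set -f   # no pathname expansion while splitting key lines into words

key_type() {
  # Print the algorithm token of one authorized_keys / *.pub line.
  # The line may start with an options field (e.g. command="..."), so scan
  # the words instead of assuming the type is the first one.
  for word in $1; do
    case "$word" in
      ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*)
        printf '%s\n' "$word"
        return 0 ;;
    esac
  done
  printf 'unknown\n'
  return 1
}

key_allowed() {
  # Return 0 if the line uses a key type the policy permits, 1 otherwise.
  case "$(key_type "$1")" in
    ssh-ed25519|ssh-rsa) return 0 ;;
    *) return 1 ;;
  esac
}

audit_keys() {
  # Read key lines from stdin, print one verdict per line and return the
  # number of rejected lines (0 means clean; the shell caps this at 255).
  rejected=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if key_allowed "$line"; then
      printf 'ALLOW  %s\n' "$(key_type "$line")"
    else
      printf 'REJECT %s\n' "$(key_type "$line")"
      rejected=$((rejected + 1))
    fi
  done
  return "$rejected"
}

# Constructed sample input; the key blobs are placeholder text, not real keys.
SAMPLE_KEYS='# rescue laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER user-xyz@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQPLACEHOLDER user-xyz@desktop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER old@host
command="/usr/bin/rrsync /srv/backup" ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER legacy@host'

# Stand-alone run: prints the verdicts and the number of rejected keys.
rc=0
printf '%s\n' "$SAMPLE_KEYS" | audit_keys || rc=$?
echo "rejected keys: $rc"
```

To run it against a real file, replace the sample with =audit_keys < ~/.ssh/authorized_keys=; a non-zero exit status is the number of lines that violate the policy.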

*** SSH-Agent

Automatically start the agent and add keys to it when their passphrase is entered (i.e. after using them for the first time).
Integrates with KeepassXC ([[https://github.com/keepassxreboot/keepassxc/blob/develop/docs/topics/SSHAgent.adoc][GH:KeePass > Docs > SSH-Agent]]).

*** GnuPG

- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys

=~/.gnupg/gpg.conf=:

#+BEGIN_SRC conf
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC
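
A quick way to confirm that an existing =gpg.conf= still carries these settings (for example after reinstalling a machine) is to parse it and compare. The script below is an added example and not part of this repository; =gpg_conf_value= and =check_gpg_conf= are my own names, and the two config texts are constructed inline (the first is the one from this page, the second a weakened variant).

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): check a gpg.conf against the
# preferences listed above. Pass "$(cat ~/.gnupg/gpg.conf)" for a real check.

gpg_conf_value() {
  # $1: config text, $2: option name. Prints the value of the last matching
  # non-comment line (later lines win in gpg.conf), empty if absent.
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    $1 == key {
      val = ""
      for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
    }
    END { print val }'
}

check_gpg_conf() {
  # Print one finding per weak or missing setting; return 0 only if clean.
  rc=0
  cert=$(gpg_conf_value "$1" cert-digest-algo)
  case "$cert" in
    SHA256|SHA384|SHA512) ;;
    '') echo "cert-digest-algo not set: set it to SHA256 or stronger"; rc=1 ;;
    *)  echo "cert-digest-algo is $cert: use SHA256 or stronger"; rc=1 ;;
  esac
  prefs=$(gpg_conf_value "$1" default-preference-list)
  case " $prefs " in
    *" SHA1 "*|*" MD5 "*|*" 3DES "*|*" CAST5 "*)
      echo "default-preference-list advertises a legacy algorithm: $prefs"; rc=1 ;;
  esac
  case " $prefs " in
    *" SHA512 "*) ;;
    *) echo "default-preference-list does not list SHA512"; rc=1 ;;
  esac
  if [ "$(gpg_conf_value "$1" keyid-format)" != 0xlong ]; then
    echo "keyid-format should be 0xlong (short key IDs are trivially collidable)"
    rc=1
  fi
  return "$rc"
}

# Constructed configs: the one from this page and a weakened variant.
GOOD_CONF='personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong'

WEAK_CONF='# old defaults carried over
cert-digest-algo SHA1
default-preference-list SHA1 AES ZLIB
keyid-format short'

# Stand-alone run: the first check prints nothing, the second prints findings.
check_gpg_conf "$GOOD_CONF" && echo "gpg.conf: ok"
check_gpg_conf "$WEAK_CONF" || echo "gpg.conf: see findings above"
```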

*** Backup Secure Keys

- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any Windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption

Nowadays you will rarely find a USB thumb drive with less than 4GB of storage.
Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys.
Those don't require more than a couple of MB. So what to do with the remaining space?

Scenarios:

- You visit friends, only have your keys with you and you have to check your mails, assist a colleague
  in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.

Boot into a safe environment, having all your credentials available in a secure manner.
Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!

**** Thumb Drive Setup

3 partitions: boot+isos, LUKS encrypted, unencrypted partition for non-sensitive data
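
As an added example (not part of this repository), the three-partition layout can be written as an sfdisk script with a guarded apply step. The sizes (2G for boot+isos, 512M for the LUKS container), the partition names, a FAT32 boot partition and the =/dev/sdX= device naming are my assumptions; =apply_layout= refuses to write anything unless it is given =--yes= and a device that the kernel reports as removable.

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): three-partition rescue drive.
# 1: boot + ISOs (FAT32, assumed so that UEFI firmware can read it)
# 2: LUKS2 container for the password database, SSH and GPG keys
# 3: plain ext4 for non-sensitive data

# GPT partition type GUIDs (EFI System Partition, Linux filesystem).
EFI_GUID=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
LINUX_GUID=0FC63DAF-8483-4772-8E79-3D69D8477DE4

sfdisk_layout() {
  # $1: size of the boot+isos partition, $2: size of the LUKS partition.
  # The data partition takes whatever is left. Output is an sfdisk script.
  printf 'label: gpt\n'
  printf 'size=%s, type=%s, name=boot\n' "$1" "$EFI_GUID"
  printf 'size=%s, type=%s, name=secrets\n' "$2" "$LINUX_GUID"
  printf 'type=%s, name=data\n' "$LINUX_GUID"
}

is_removable() {
  # 0 if sysfs reports the whole-disk device as removable (thumb drive).
  flag=/sys/block/$(basename "$1")/removable
  [ -r "$flag" ] && [ "$(cat "$flag")" = 1 ]
}

apply_layout() {
  # $1: whole-disk device such as /dev/sdX (assumed sdX-style naming, so the
  # partitions are ${1}1..${1}3), $2: must be the literal --yes.
  # Returns 2 without touching anything when a safety check fails.
  [ "$2" = --yes ] || { echo "refusing: pass --yes to overwrite $1" >&2; return 2; }
  is_removable "$1" || { echo "refusing: $1 is not a removable device" >&2; return 2; }
  sfdisk_layout 2G 512M | sfdisk --wipe always "$1" || return 1
  udevadm settle 2>/dev/null || true          # wait for the partition nodes
  mkfs.vfat -F 32 -n BOOT "${1}1" || return 1
  # luksFormat asks for the passphrase interactively; nothing is stored here.
  cryptsetup luksFormat --type luks2 "${1}2" || return 1
  cryptsetup open "${1}2" rescue-secrets || return 1
  mkfs.ext4 -L secrets /dev/mapper/rescue-secrets || return 1
  cryptsetup close rescue-secrets
  mkfs.ext4 -L data "${1}3"
}

# Stand-alone run: only prints the layout; nothing is written to any disk.
sfdisk_layout 2G 512M
```

Review the printed script first, then run =apply_layout /dev/sdX --yes= as root on the thumb drive only; the removable check keeps a typo from hitting an internal disk.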

** TODO [0/5]

- [ ] explain setup, ideas, practices
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot

** Notes on Arch

- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
- ~multilib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~

** TODO Fedora

- fedora project
- different Desktop/Workstation spins (Gnome, KDE, sway...)
- =dnf= package manager, install updates on reboot
- "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks
- has problems with video playback (in firefox)
- set up syncthing service
  #+begin_quote
  https://src.fedoraproject.org/rpms/syncthing/tree/rawhide
  #+end_quote
  #+begin_src bash
  sudo systemctl enable --now syncthing@USER.service
  #+end_src
- set up wireguard
  https://fedoramagazine.org/configure-wireguard-vpns-with-networkmanager/
- add and configure some modern tools:
  https://github.com/ibraheemdev/modern-unix?tab=readme-ov-file


*** Basic Packages

#+name: update and install packages
#+begin_src bash
sudo dnf update
sudo dnf group install sway-desktop-environment
sudo dnf -y install \
    ImageMagick \
    bat \
    brightnessctl \
    cascadia-code-nf-fonts \
    cmake \
    duf \
    emacs \
    eza \
    fd-find \
    fuzzel \
    gammastep \
    gammastep-indicator \
    gimp \
    glances \
    gparted \
    grimshot \
    htop \
    isync \
    keepassxc \
    kitty \
    libtool \
    network-manager-applet \
    notmuch \
    papirus-icon-theme-dark \
    papirus-icon-theme-light \
    ripgrep \
    rustup \
    syncthing \
    udiskie \
    virt-manager \
    wireguard-tools \
    wofi \
    youtube-dl

# Fedora's rustup package ships the installer as rustup-init
rustup-init
#+end_src

*** setup dotfiles and emacs

#+name: link dotfiles and emacs
#+begin_src bash
ln -s /home/fschl/git/dotfiles/.config/dunst /home/fschl/.config/dunst
ln -s /home/fschl/git/dotfiles/.config/git /home/fschl/.config/git
ln -s /home/fschl/git/dotfiles/.config/sway /home/fschl/.config/sway
ln -s /home/fschl/git/dotfiles/.config/waybar /home/fschl/.config/waybar

git clone https://gitlab.com/fschl/emacs-config ~/git/emacs
cd ~/git/emacs
git submodule update --init --recursive
ln -s /home/fschl/git/emacs /home/fschl/.config/emacs
#+end_src
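
The plain =ln -s= lines above fail on a second run (the target exists) and silently create a dangling link if the repo path is mistyped. The function below is an added example, not part of this repository: =link_dotfile= and =link_all= are my own names, the checkout and home directory are passed in instead of the hard-coded =/home/fschl= paths, an existing correct link is left alone, and anything else at the destination is moved aside to =<path>.bak= before linking.

```shell
#!/bin/sh
# Added example (not from the dotfiles repo): idempotent dotfile linking.

link_dotfile() {
  # $1: path inside the repo checkout, $2: destination under the home dir.
  # Refuses to create dangling links, keeps an existing correct link, and
  # moves any other file or directory at the destination aside as "$2.bak".
  src=$1
  dst=$2
  [ -e "$src" ] || { echo "missing source: $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")" || return 1
  if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
    echo "ok: $dst"
    return 0
  fi
  if [ -e "$dst" ] || [ -L "$dst" ]; then
    if [ -e "$dst.bak" ]; then
      echo "refusing: $dst.bak already exists" >&2
      return 1
    fi
    mv "$dst" "$dst.bak" || return 1
    echo "moved aside: $dst -> $dst.bak"
  fi
  ln -s "$src" "$dst" && echo "linked: $dst -> $src"
}

link_all() {
  # $1: repo checkout, $2: home directory. Links the configs this page lists.
  for name in dunst git sway waybar; do
    link_dotfile "$1/.config/$name" "$2/.config/$name" || return 1
  done
}

# Stand-alone run against a throwaway tree so nothing in the real $HOME moves.
demo=$(mktemp -d)
mkdir -p "$demo/repo/.config/dunst" "$demo/repo/.config/git" \
         "$demo/repo/.config/sway" "$demo/repo/.config/waybar"
mkdir -p "$demo/home/.config/sway"     # pre-existing config to be moved aside
link_all "$demo/repo" "$demo/home"
link_all "$demo/repo" "$demo/home"     # second run reports "ok" for all four
rm -rf "$demo"
```

For real use call =link_all ~/git/dotfiles "$HOME"=; the =.bak= copies can be inspected and deleted once the linked configs are confirmed to work.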

*** Tools and Usability stuff

Install [[https://github.com/typst/typst][Typst]], a modern replacement for LaTeX; see [[https://github.com/qjcg/awesome-typst][GH: awesome-typst]].

- [ ] add [[https://github.com/typst/packages][typst/packages]] (letter, CV)
- [ ] https://github.com/Sematre/typst-letter-pro
- [ ] https://github.com/mintyfrankie/brilliant-CV

#+begin_src sh
cargo install --locked starship
cargo install --locked typst-cli
#+end_src

Install [[https://difftastic.wilfred.me.uk/][difftastic]] ([[https://github.com/Wilfred/difftastic][Github]]) for improved diff highlighting.

#+begin_src sh
cargo install --locked difftastic
#+end_src

*** setup development stuff

https://realpython.com/dependency-management-python-poetry/

#+begin_src bash
sudo dnf install python3-lsp-server+all
#+end_src

** NEXT Moving to Guix

- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
- separate subvolumes for =/gnu=, =/var=, =swap=

- [ ] MOVE: https://www.draketo.de/software/package-guix.html

*** Disk partitioning

- https://github.com/david-cortes/snapper-in-debian-guide?tab=readme-ov-file
- https://wiki.archlinux.org/title/Snapper#Suggested_filesystem_layout
- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm

** ImageMagick Notes

Convert multiple .png files into a multipage PDF with downscaling
(=-gravity= is a setting and must come before =-extent=, otherwise the centering is ignored):

#+begin_src bash
convert filePrefix*.png -resize 1240x1753 \
    -gravity center -extent 1240x1753 \
    -units PixelsPerInch -density 150x150 multipage.pdf
#+end_src

Lower resolution:

#+begin_src bash
convert filePrefix*.png -resize 620x876 \
    -gravity center -extent 620x876 \
    -units PixelsPerInch -density 100x100 multipage.pdf
#+end_src

Combine multiple PDF files into one multipage file:

#+begin_src sh
gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf
#+end_src

I read the answer as saying that ImageMagick uses Ghostscript internally.
Source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file