Frieder Schlesier 092c4424af
Repository contents: .archive, .bin, .config/kitty, .ssh, bin, etc, fschl, scripts, sway, waybar, wireguard, .aliases, .bashrc, .gitconfig, .gitignore, .path, .profile, .vimrc, .xsessionrc, 20-thinkpad.conf, LICENSE.md, Makefile, README-guix.org, README.org, Systems.org, publish.el, restic-cheatsheet.org
README.org
fschl dotfiles
My personal computing environment.
Features
- reproducible machine setup (GNU Guix)
- keyboard-driven environment (Sway wm)
- efficient, keyboard-based workflow (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
TODO Can you get things done without your computer?
- Rescue + recover friends' laptops/computers
- panic-ops using a friend's laptop
Security
SSH Hardening
SSH key generation
# ED25519 keys are favored over RSA keys when backward compatibility is not required.
# Requires OpenSSH 6.5+; the key is fixed-size (256 bits).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
# Fallback for really old systems (why do you still have those??)
# RSA keys are favored over ECDSA keys when backward compatibility is required,
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
# 4096 bits is the usual size; 8192 works but signing is several times slower,
# which matters on exactly the old hardware this fallback is meant for.
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
$ ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host
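The key-type rule above (ED25519 or RSA, never ECDSA or DSA) is easy to state and easy to violate over the years as keys accumulate in authorized_keys. As an added example, not code from this repository, here is a small Python audit that checks every line of an authorized_keys or .pub file against that rule. It decodes the RFC 4251/4253 public key blob itself, so the RSA modulus size comes from the key, not from the comment. The 3072-bit RSA minimum, the helper names and the sample keys are assumptions constructed for this example; the sample blobs are built from synthetic numbers and are not real key material.

```python
"""Audit SSH public keys (authorized_keys or *.pub lines) against the policy above:
ed25519 accepted, RSA only at or above MIN_RSA_BITS, ECDSA and DSA rejected.
The blob format is the RFC 4251/4253 public key encoding; the threshold and the
sample keys are assumptions constructed for this example."""
import base64
import re
import struct
from typing import List, NamedTuple, Optional

MIN_RSA_BITS = 3072  # assumption: policy threshold chosen for this example

# key type, base64 blob, optional comment; an options field (possibly quoted,
# with spaces) may precede the key type in authorized_keys
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|sk-ssh-ed25519@openssh\.com|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d{3})"
    r"\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$"
)


class KeyAudit(NamedTuple):
    line_no: int
    key_type: str
    bits: Optional[int]
    comment: str
    ok: bool
    reason: str


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key(line: str):
    """Return (key_type, bits, comment) for one authorized_keys / .pub line."""
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no public key found on line")
    key_type, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field %s does not match blob %r" % (key_type, wire_type))
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent (mpint)
        n, off = _read_string(blob, off)       # modulus (mpint); its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type in ("ssh-ed25519", "sk-ssh-ed25519@openssh.com"):
        pub, off = _read_string(blob, off)     # 32-byte encoded point
        bits = len(pub) * 8
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)   # b"nistp256" etc.
        bits = int(curve.decode()[5:])
    else:                                       # ssh-dss: p, q, g, y as mpints
        p, off = _read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    return key_type, bits, comment


def audit_line(line_no: int, line: str) -> KeyAudit:
    key_type, bits, comment = parse_public_key(line)
    if key_type in ("ssh-ed25519", "sk-ssh-ed25519@openssh.com"):
        return KeyAudit(line_no, key_type, bits, comment, True, "ed25519")
    if key_type == "ssh-rsa":
        ok = bits >= MIN_RSA_BITS
        return KeyAudit(line_no, key_type, bits, comment, ok,
                        "rsa %d bits (minimum %d)" % (bits, MIN_RSA_BITS))
    return KeyAudit(line_no, key_type, bits, comment, False,
                    "%s not allowed (only ed25519 or rsa)" % key_type)


def audit_file(text: str) -> List[KeyAudit]:
    """Audit every key line; blank lines and # comments are skipped."""
    return [audit_line(no, line) for no, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")]


# --- constructed sample data: synthetic numbers, not real key material ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:   # positive mpint must not have the sign bit set (RFC 4251)
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_line(key_type: str, *fields: bytes, comment: str = "", options: str = "") -> str:
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    prefix = options + " " if options else ""
    return "%s%s %s %s" % (prefix, key_type, base64.b64encode(blob).decode(), comment)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_line("ssh-ed25519", _ssh_string(b"\x01" * 32), comment="laptop 2024-01-01"),
    make_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1), comment="old 2048-bit rsa"),
    make_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1), comment="rsa 4096",
              options='restrict,command="/usr/bin/rrsync /srv/backup"'),
    make_line("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"),
              _ssh_string(b"\x04" + b"\x02" * 64), comment="ecdsa"),
    make_line("ssh-dss", _mpint((1 << 1023) | 1), _mpint(3), _mpint(2), _mpint(5), comment="dsa"),
])

if __name__ == "__main__":
    for r in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print("line %d %s %s %s: %s" % (r.line_no, "OK  " if r.ok else "FAIL",
                                        r.key_type, r.comment, r.reason))
```

Run it against a real file with `audit_file(open("~/.ssh/authorized_keys").read())`; the regex deliberately anchors on the key-type field so that quoted options such as `command="..."` with spaces do not confuse it, and a blob that is truncated or whose type string disagrees with the text field is reported as an error rather than silently accepted.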
GnuPG
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
~/.gnupg/gpg.conf
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
Backup Secure Keys
- get 2 USB thumb drives
- on each, create 2 partitions (ext4; you will never use them on a Windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
Nowadays it is hard to find a USB thumb drive with less than 4 GB of storage, yet you want a dedicated drive to carry your password database, SSH keys and GPG keys, and those need no more than a few MB. So what to do with the remaining space?
Scenarios:
- You visit friends and only have your keys with you, but you need to check your mail, assist a colleague in some network/ops emergency, or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.
Boot into a safe environment with all your credentials available in a secure manner, and have a bootable forensics toolbox around so you can get going quickly in a familiar setup. Keep in mind what the encrypted partition does and does not cover: it protects the keys and password database at rest (lost or stolen stick), but once you unlock it on a borrowed machine, that machine's firmware and hardware are part of your trust base.
Solution: multi-boot!
Thumb Drive Setup
3 partitions: boot + ISOs, LUKS-encrypted (keys and password database), unencrypted partition for non-sensitive data
TODO
[0/5]
- explain setup, ideas, practices
- add HOWTO
- Check new bootable USB solution: https://ventoy.net/en/index.html
- move to ansible for easier modularization of setup
- OR: give GUIX a shot
Moving to Arch
- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib (multilib is required for wine)
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use yay (AUR helper)
NEXT Moving to Guix
- btrfs for snapshots, easier backups
- encrypted /boot + /home partitions; separate subvolumes for /gnu, /var, swap
- MOVE: https://www.draketo.de/software/package-guix.html
ImageMagick Notes
convert multiple .png files into a multipage PDF with downscaling (1240x1753 px at 150 dpi is an A4 page)
# -gravity is a setting and must come before -extent for the centering to apply
convert filePrefix*.png -resize 1240x1753 \
  -gravity center -extent 1240x1753 \
  -units PixelsPerInch -density 150x150 multipage.pdf