265 lines
9.1 KiB
Org Mode
265 lines
9.1 KiB
Org Mode
* fschl dotfiles
part of my personal computing environment. mainly contains
configuration files for sway, some useful addons and system tools
(git, terminal, ssh, backup). This repository also has some notes on
security considerations when setting up a Linux system.
The relevant things for my workflows can be found in [[https://git.fschl-co.de/fschl/emacs]].
** (future) Features
- reproducable machine setup (GNU Guix)
- keyboard-based environment (Sway wm)
- efficient, keyboard based (Emacs + CLI tools)
- portable password management (KeepassXC)
- similar environment on Desktop, Laptop, Android
- for Laptop: encrypted boot + home partitions
- TODO Can you get things done without *your* computer?
- Rescue+Recover friends laptops/computers
- panic-ops using a friends laptop
** Security
*** SSH Hardening
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~
*** SSH key generation
ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
#+BEGIN_SRC bash
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
Fallback for really old systems (why do you still have those??) RSA
keys are favored over ECDSA keys when backward compatibility ''is
required'', thus, newly generated keys are always either ED25519 or
#+BEGIN_SRC bash
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
$ ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host
*** SSH-Agent
automatically start agent, add keys to agent (after using it for the first time) when entering passphrase.
integrates with KeepassXC ([[https://github.com/keepassxreboot/keepassxc/blob/develop/docs/topics/SSHAgent.adoc][GH:KeePass > Docs > SSH-Agent]])
*** GnuPG
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
#+BEGIN_SRC bash
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
*** Backup Secure Keys
- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage.
Though, you want a dedicated drive to transport your password database, ssh keys and GPG keys.
Those don't require more than a couple MB. So what to do with the remaining space?
- You visit friends, only have your keys with you and you have to check your mails, assist a colleague
in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.
Boot into a safe environment, having all your credentials available in a secure manner.
Have a bootable forensics toolbox around to quickly get going in a familiar setup.
Solution: multi-boot!
**** Thumb Drive Setup
3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data
** TODO [0/5]
- [ ] explain setup, ideas, practises
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot
** Notes on Arch
- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
- ~multiplib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~
** TODO Fedora
- fedora project
- try https://ghostty.org/docs/install/binary
- different Desktop/Workstation spins (Gnome, KDE, sway...)
- =dnf= package manager, install updates on reboot
- "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks
- has problems with video playback (in firefox)
- setup syncthing service
#+begin_src bash
sudo systemctl enable --now syncthing@USER.service
- setup wireguard
- add and configure some modern tools:
*** Basic Packages
#+name: update and install packages
#+begin_src bash
sudo dnf update
sudo dnf group install sway-desktop-environment
sudo dnf -y install \
ImageMagick \
bat \
brightnessctl \
cascadia-code-nf-fonts \
cmake \
duf \
emacs \
eza \
fd-find \
fuzzel \
gammastep \
gammastep-indicator \
gimp \
glances \
gparted \
grimshot \
helix \
htop \
isync \
keepassxc \
kitty \
libtool \
network-manager-applet \
notmuch \
papirus-icon-theme-dark \
papirus-icon-theme-light \
ripgrep \
rustup \
syncthing \
udiskie \
virt-manager \
wireguard-tools \
wofi \
*** setup dotfiles and emacs
#+name: link dotfiles and emacs
#+begin_src bash
ln -s /home/fschl/git/dotfiles/.config/dunst /home/fschl/.config/dunst
ln -s /home/fschl/git/dotfiles/.config/git /home/fschl/.config/git
ln -s /home/fschl/git/dotfiles/.config/sway /home/fschl/.config/sway
ln -s /home/fschl/git/dotfiles/.config/waybar /home/fschl/.config/waybar
ln -s /home/fschl/git/dotfiles/.config/helix/languages.toml /home/fschl/.config/helix/languages.toml
ln -s /home/fschl/git/dotfiles/.config/helix/config.toml /home/fschl/.config/helix/config.toml
git clone https://gitlab.com/fschl/emacs-config ~/git/emacs
cd ~/git/emacs
git submodule update --init --recursive
ln -s /home/fschl/git/emacs /home/fschl/.config/emacs
*** Tools and Usability stuff
Install [[https://github.com/typst/typst][Typst]] modern replacement for LaTeX, see [[https://github.com/qjcg/awesome-typst][GH: awesome-typst]]
- [ ] add [[https://github.com/typst/packages][typst/packages]] (letter, CV)
- [ ] https://github.com/Sematre/typst-letter-pro
- [ ] https://github.com/mintyfrankie/brilliant-CV
#+begin_src sh
cargo install --locked starship
cargo install --locked typst-cli
cargo install jinja-lsp
cargo install lsp-ai
cargo install --git https://github.com/Myriad-Dreamin/tinymist --locked tinymist
Install [[https://difftastic.wilfred.me.uk/][difftastic]] ([[https://github.com/Wilfred/difftastic][Github]]), for improved diff highlighting.
#+begin_src sh
cargo install --locked difftastic
*** setup development stuff
and then try =uv=:
#+begin_src bash
sudo dnf install python3-lsp-server+all
curl -LsSf https://astral.sh/uv/install.sh | sh
uv tool install ruff@latest
** NEXT Moving to Guix
- btrfs for snapshots, easier backups
- encrypted =/boot= + =/home= partitions
- separate subvolumes for =/gnu=, =/var=, =swap=
- [ ] MOVE: https://www.draketo.de/software/package-guix.html
*** Disk partitioning
- https://github.com/david-cortes/snapper-in-debian-guide?tab=readme-ov-file
- https://wiki.archlinux.org/title/Snapper#Suggested_filesystem_layout
- https://reckoning.dev/blog/ubuntu-btrfs-guide/
- https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
- https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
- https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README
- https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
- Mapped Devices example in *RDE*: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm
** ImageMagick Notes
convert multiple .png files into multipage pdf with downscaling
#+begin_src bash
convert filePrefix*.png -resize 1240x1753 \
-extent 1240x1753 -gravity center \
-units PixelsPerInch -density 150x150 multipage.pdf
lower resolution:
#+begin_src bash
convert filePrefix*.png -resize 620x876 \
-extent 629x876 -gravity center \
-units PixelsPerInch -density 100x100 multipage.pdf
combine multiple pdf file into one multipage file
#+begin_src sh
gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf
I read the answer like ImageMagick uses ghostscript internally.
source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file