swaywm@fedora, mostly emacs for everything
Frieder Schlesier 1c6e30dc83 Merge branch 'master' of https://gitlab.com/fschl/dotfiles
* 'master' of https://gitlab.com/fschl/dotfiles:
  fix some typos
  add nvidia sources for nvidia-docker
  add missing programs
  update go install
  try to use spacemacs
  add primitive script to get image tags from hub.docker.com
2018-12-30 11:24:25 +01:00

README.org

fschl dotfiles

Things that make my Linux life more comfortable, portable and secure. For Debian or Debian-based distros, using i3wm.org on the desktop. And containers everywhere :)

inspired by https://github.com/jessfraz

Questions this repo tries to answer

  • How long does it take for you to set up a machine?
  • Do you have backups?
  • Are you using a password manager?
  • How do you transport your secrets?
  • Can you get things done without your computer?

    • Rescue and recover friends' laptops/computers
    • panic-ops using a friend's laptop

Security

Hardening ssh

add this to `~/.ssh/config`:

# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
HashKnownHosts yes
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
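The config above pins the algorithm lists explicitly, so it is worth having a quick way to check a `~/.ssh/config` against that intent instead of eyeballing the long lines. The following Python script is an added example for this README, not code from the dotfiles repo: it parses ssh_config-style lines, honours OpenSSH's `+`/`^`/`-` list prefixes, checks only the global section (everything before the first `Host`/`Match`), and reports missing hardening keywords or legacy algorithms from a deny-list constructed for this example. Run against the config above it flags the two `ssh-rsa` host-key entries, because that algorithm name denotes RSA signatures over SHA-1 (the SHA-2 variants are `rsa-sha2-256`/`rsa-sha2-512`), which OpenSSH disables by default since 8.8; that is the caveat to keep in mind when reusing this list on newer hosts. The sample configs and the script name are constructed.

```python
"""Lint an OpenSSH client config for the hardening options discussed above.

Added example for this README (not code from the dotfiles repo). It parses
ssh_config-style "Keyword value" lines and reports weak algorithms left in an
explicit allow-list and hardening keywords that are missing altogether.
Only the global section (everything before the first Host/Match block) is
checked, because later sections apply only to matching hosts.
"""
import re
import sys

# Deny-list constructed for this example: SHA-1 based host-key signatures,
# SHA-1 key exchange, MD5/SHA-1 MACs and CBC/RC4 ciphers. Note that "ssh-rsa"
# names the SHA-1 signature scheme (rsa-sha2-256/512 are the SHA-2 ones).
WEAK = {
    "hostkeyalgorithms": {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com", "ssh-dss"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256"},
}
# Keywords the hardened config above sets; if absent, OpenSSH defaults apply.
REQUIRED = ("hashknownhosts", "hostkeyalgorithms", "kexalgorithms", "macs", "ciphers")

# "Keyword value" or "Keyword=value"; keywords are letters only.
KEYWORD_RE = re.compile(r"([A-Za-z]+)\s*=?\s*(.*)")


def parse_global_section(text):
    """Return {keyword: value} (keywords lower-cased) from the global section.

    OpenSSH uses the first value obtained for a keyword, so later duplicates
    are ignored here exactly as ssh itself would ignore them.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            break  # host-specific sections start here; stop at the global part
        settings.setdefault(key, value)
    return settings


def algorithm_list(value):
    """Split a comma-separated algorithm value, honouring OpenSSH prefixes:
    '+' appends to the defaults, '^' prepends, '-' removes (a '-' list enables
    nothing, so it is returned empty)."""
    if value.startswith("-"):
        return []
    value = value.lstrip("+^")
    return [a.strip() for a in value.split(",") if a.strip()]


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_global_section(text)
    findings = []
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"missing: {key}")
    if settings.get("hashknownhosts", "").lower() == "no":
        findings.append("hashknownhosts is set to no")
    for key, weak in WEAK.items():
        if key in settings:
            for alg in algorithm_list(settings[key]):
                if alg.lower() in weak:
                    findings.append(f"weak {key}: {alg}")
    return findings


# Constructed sample: the hardened config from the README, abbreviated.
HARDENED = """\
HashKnownHosts yes
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
"""

# Constructed sample: a legacy config that never set the hardening keywords
# and keeps a SHA-1 MAC and 3DES around for an old appliance.
LEGACY = """\
# old laptop config
MACs hmac-sha1,hmac-sha2-256
Ciphers 3des-cbc,aes256-ctr
Host oldbox
    KexAlgorithms diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else HARDENED
    for finding in lint(text) or ["no findings"]:
        print(finding)
```

Saved as, say, `ssh_config_lint.py`, it runs as `python3 ssh_config_lint.py ~/.ssh/config`; without an argument it lints the embedded sample. It is a static check of what the file says, not of what ssh will do: the complementary check is `ssh -G somehost | grep -i -e ciphers -e macs -e kexalgorithms -e hostkeyalgorithms`, which prints the values the client actually uses for that host after defaults and Host blocks are merged.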

generating keys

# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

GnuPG

`~/.gnupg/gpg.conf`:

personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong

Managing logins & passphrases

  • use a secure, cross-platform, cloudless password manager, e.g. keepass2

Backup Secure Keys

Nowadays it's rare to find a USB thumb drive with less than 4GB of storage. Still, you want a dedicated drive to transport your password database, SSH keys and GPG keys, and those need no more than a couple of MB. So what to do with the remaining space?

Scenarios:

  • You visit friends, have only your keys with you, and need to check your mail, assist a colleague in a network/ops emergency, or just look up some confidential information securely.
  • A family member calls: their HDD just died and you are asked to quickly help out on recovery.

Boot into a safe environment, having all your credentials available in a secure manner. Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!

thumb drive setup

3 partitions: boot + ISOs, a LUKS-encrypted partition, and an unencrypted partition for non-sensitive data

TODO [0/4]

  • explain setup, ideas, practices
  • add HOWTO
  • separate sources.list setup for server/desktop/laptop
  • move to ansible for easier modularization of setup