• fschl dotfiles
  • (future) Features
  • Security
    • SSH Hardening
    • SSH key generation
    • SSH-Agent
    • GnuPG
    • Backup Secure Keys
      • Thumb Drive Setup
  • [0/5]
  • Notes on Arch
  • Fedora
    • Basic Packages
    • setup dotfiles and emacs
    • Tools and Usability stuff
    • setup development stuff
  • NEXT Moving to Guix
    • Disk partitioning
  • ImageMagick Notes

fschl dotfiles

part of my personal computing environment. mainly contains configuration files for sway, some useful addons and system tools (git, terminal, ssh, backup). This repository also has some notes on security considerations when setting up a Linux system.

The relevant things for my workflows can be found in https://git.fschl-co.de/fschl/emacs.

(future) Features

• reproducable machine setup (GNU Guix)
• keyboard-based environment (Sway wm)
• efficient, keyboard based (Emacs + CLI tools)
• portable password management (KeepassXC)
• similar environment on Desktop, Laptop, Android
• for Laptop: encrypted boot + home partitions

• TODO Can you get things done without your computer?

  • Rescue+Recover friends laptops/computers
  • panic-ops using a friends laptop

Security

SSH Hardening

• https://blog.g3rt.nl/upgrade-your-ssh-keys.html
• https://stribika.github.io/2015/01/04/secure-secure-shell.html
• https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
• see /etc/ssh/ssh_config and .ssh/config

SSH key generation

ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).

  $ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

Fallback for really old systems (why do you still have those??) RSA keys are favored over ECDSA keys when backward compatibility ''is required'', thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).

  $ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"

  $ ssh-copy-id -i ~/.ssh/<file>.pub -p 22 user@host

SSH-Agent

automatically start agent, add keys to agent (after using it for the first time) when entering passphrase. integrates with KeepassXC (GH:KeePass > Docs > SSH-Agent)

GnuPG

• https://wiki.mozilla.org/Security/Key_Management
• https://keyring.debian.org/creating-key.html

• https://wiki.debian.org/Subkeys

  ~/.gnupg/gpg.conf:

  personal-digest-preferences SHA512 SHA384
  cert-digest-algo SHA256
  default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
  keyid-format 0xlong

Backup Secure Keys

• get 2 USB thumb drives
• on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
• https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption

Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage. Though, you want a dedicated drive to transport your password database, ssh keys and GPG keys. Those don't require more than a couple MB. So what to do with the remaining space?

Scenarios:

• You visit friends, only have your keys with you and you have to check your mails, assist a colleague in some network/ops emergency or just securely look up some confidential information.
• A family member calls: their HDD just died and you are asked to quickly help out on recovery.

Boot into a safe environment, having all your credentials available in a secure manner. Have a bootable forensics toolbox around to quickly get going in a familiar setup.

Solution: multi-boot!

Thumb Drive Setup

3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data

TODO [0/5]

• explain setup, ideas, practises
• add HOWTO
• Check new bootable USB solution: https://ventoy.net/en/index.html
• move to ansible for easier modularization of setup
• OR: give GUIX a shot

Notes on Arch

• official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib

  • multiplib is required for wine
• Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
• Skype, VSCode: use yay

TODO Fedora

• fedora project
• different Desktop/Workstation spins (Gnome, KDE, sway…)
• dnf package manager, install updates on reboot

• "Atomic Desktop", uses Fedora/RedHat CoreOS with rpm-ostree + flatpaks

  • has problems with video playback (in firefox)

• setup syncthing service

  https://src.fedoraproject.org/rpms/syncthing/tree/rawhide

    sudo systemctl enable --now syncthing@USER.service

• setup wireguard https://fedoramagazine.org/configure-wireguard-vpns-with-networkmanager/
• add and configure some modern tools: https://github.com/ibraheemdev/modern-unix?tab=readme-ov-file

Basic Packages

  sudo dnf update
  sudo dnf group install sway-desktop-environment
  sudo dnf -y install \
       ImageMagick \
       bat \
       brightnessctl \
       cascadia-code-nf-fonts \
       cmake \
       duf \
       emacs \
       eza \
       fd-find \
       fuzzel \
       gammastep \
       gammastep-indicator \
       gimp \
       glances \
       gparted \
       grimshot \
       htop \
       isync \
       keepassxc \
       kitty \
       libtool \
       network-manager-applet \
       notmuch \
       papirus-icon-theme-dark \
       papirus-icon-theme-light \
       ripgrep \
       rustup \
       syncthing \
       udiskie \
       virt-manager \
       wireguard-tools \
       wofi \
       youtube-dl

  rustup_init

setup dotfiles and emacs

  ln -s /home/fschl/git/dotfiles/.config/dunst /home/fschl/.config/dunst
  ln -s /home/fschl/git/dotfiles/.config/git /home/fschl/.config/git
  ln -s /home/fschl/git/dotfiles/.config/sway /home/fschl/.config/sway
  ln -s /home/fschl/git/dotfiles/.config/waybar /home/fschl/.config/waybar

  git clone https://gitlab.com/fschl/emacs-config ~/git/emacs
  cd ~/git/emacs
  git submodule update --init --recursive
  ln -s /home/fschl/git/emacs /home/fschl/.config/emacs

Tools and Usability stuff

Install Typst modern replacement for LaTeX, see GH: awesome-typst

• add typst/packages (letter, CV)

  • https://github.com/Sematre/typst-letter-pro
  • https://github.com/mintyfrankie/brilliant-CV

  cargo install --locked starship
  cargo install --locked typst-cli

Install difftastic (Github), for improved diff highlighting.

  cargo install --locked difftastic

setup development stuff

https://realpython.com/dependency-management-python-poetry/

  sudo dnf install python3-lsp-server+all

NEXT Moving to Guix

• btrfs for snapshots, easier backups
• encrypted /boot + /home partitions
• separate subvolumes for /gnu, /var, swap
• MOVE: https://www.draketo.de/software/package-guix.html

Disk partitioning

• https://github.com/david-cortes/snapper-in-debian-guide?tab=readme-ov-file
• https://wiki.archlinux.org/title/Snapper#Suggested_filesystem_layout
• https://reckoning.dev/blog/ubuntu-btrfs-guide/
• https://wiki.systemcrafters.net/guix/nonguix-installation-guide/#partition-the-disks
• https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

• https://git.sr.ht/~abcdw/rde/tree/master/item/examples/README

  • https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
  • Mapped Devices example in RDE: https://git.sr.ht/~abcdw/rde/tree/master/item/examples/src/rde-configs/hosts/ixy.scm

ImageMagick Notes

convert multiple .png files into multipage pdf with downscaling

  convert filePrefix*.png -resize 1240x1753 \
          -extent 1240x1753 -gravity center \
          -units PixelsPerInch -density 150x150 multipage.pdf

lower resolution:

  convert filePrefix*.png -resize 620x876 \
          -extent 629x876 -gravity center \
          -units PixelsPerInch -density 100x100 multipage.pdf

combine multiple pdf file into one multipage file

  gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=result.pdf sourceFilePrefix-*.pdf

I read the answer like ImageMagick uses ghostscript internally. source: https://stackoverflow.com/questions/14738911/imagemagick-combine-2-generated-pdfs-into-1-multi-page-file