Essential software for new systems

This is just a quick personal reference so I don’t have to guess and notice that I forgot something important.

Security

Usability

pipx

pipx automatically creates virtualenvs and is basically a package manager for apps written in Python. Here is a small list to remember in no particular order.

Just remember to pipx upgrade-all occasionally!

Fedora Atomic

By which I mean Fedora Kinoite unless otherwise specified. A system where everyone runs the same image, except that as this section shows, I add to it a bit…

# Ensure third party Fedora repos are available, this is part of KDE Prompt?
sudo fedora-third-party enable
# Layer packages I need on top of the base image.
sudo rpm-ostree install aircrack-ng android-tools btop clang darkman duperemove gamescope git-lfs gnome-console htop inxi mosh mpv neovim nmap pipx pre-commit sshguard steam-devices symlinks syncthing terminus-fonts-console tmux tor torsocks unbound zsh
# Disable bootscreen, ensure CPU vulnerability mitigation.
sudo rpm-ostree kargs --delete=rhgb --delete=quiet --append=mitigations=auto,nosmt
# I would additionally use lockdown=confidentiality (or lockdown=integrity if
# less privacy and security was required), but that prevents the shipped osnoise
# module from working.

Consider also adding RPMFusion through their OSTree instructions. The uninstalling and installing described for major releases is especially important, as it switches RPMFusion from a local package to a layered package, which also affects all other third party repositories such as google-chrome-stable if it was added. While there is a risk of repository breakage stopping system upgrades, at least it will upgrade itself as opposed to erroring in the future about being a local package that was not upgraded.

Why RPMFusion? At least Broadcom BCM43142 wireless NIC requires sudo rpm-ostree install akmod-wl kernel-devel from rpmfusion-nonfree and there are likely other such devices/drivers as well.

Flatpaks

These also affect non-Fedora-Kinoite for which my first production installation was on Steam Deck and upon learning of flatpak uninstall --all, this section got out of paw so it got cut a bit.

Always remember that you don’t paste commands to terminal directly, use a text editor in the middle instead!

# Considering everything is installed from there, it should exist
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# I need Nheko
sudo flatpak remote-add --if-not-exists nheko-nightly https://nheko.im/nheko-reborn/nheko/-/raw/master/nheko-nightly.flatpakrepo

Communication

sudo flatpak install --assumeyes nheko-nightly im.nheko.Nheko//master
sudo flatpak install --assumeyes com.discordapp.Discord im.dino.Dino org.briarproject.Briar org.signal.Signal org.squidowl.halloy org.telegram.desktop

Gayming

sudo flatpak install --assumeyes flathub com.heroicgameslauncher.hgl com.valvesoftware.Steam com.valvesoftware.Steam.CompatibilityTool.Proton-GE net.davidotek.pupgui2
# Note branch numbers for Heroic Games!
sudo flatpak install --assumeyes org.freedesktop.Platform.VulkanLayer.MangoHud//23.08 org.freedesktop.Platform.VulkanLayer.gamescope//23.08

General purpose

sudo flatpak install --assumeyes flathub com.dropbox.Client com.github.tchx84.Flatseal com.github.wwmm.easyeffects com.nextcloud.desktopclient.nextcloud com.rafaelmardojai.Blanket de.haeckerfelix.Shortwave it.mijorus.gearlever me.kozec.syncthingtk org.fedoraproject.MediaWriter org.kde.kate org.pulseaudio.pavucontrol org.qbittorrent.qBittorrent org.torproject.torbrowser-launcher org.mozilla.firefox org.videolan.VLC

Office

sudo flatpak install --assumeyes flathub org.libreoffice.LibreOffice org.libreoffice.LibreOffice.BundledExtension.Voikko
# May be huge, especially TeXlive
sudo flatpak install --assumeyes flathub org.freedesktop.Sdk.Extension.texlive org.kde.kile

Other essential atomic/kinoite/flatpak/gayming reading

Essential system configuration

Since software being present and doing nothing may not actually do anything.

Debian console

Terminus on Fedora

After installing the package, adjust /etc/vconsole.conf e.g.:

KEYMAP="fi"
FONT="ter-v16v"

Maybe sudo updatedb and locate ter-v16v at first though?

Terminus on Arch Linux

See Fedora, but change the FONT to "ter-132b" instead.

SSD

BTRFS

Swap

8 GB everywhere may be enough, summarizing Gentoo.

No swap partition and swap file is acceptable (consider SSD)? See above for btrfs or as root

fallocate -l 8G /swap
chmod 600 /swap
mkswap /swap
swapon /swap

The /etc/fstab rule is: /swap none swap sw 0 0 and then it’s just a matter of sudo swapon -a

sudo

Consider these:

# Thanks Tails
Defaults timestamp_timeout=0
Defaults pwfeedback
Defaults lecture = always

Additionally Arch Linux should consider either

# Allow full sudo access to the group which is uncommented. The first is
# Debian.
#%sudoers ALL=(ALL:ALL) ALL
# Defaults to passwordless sudo on Debian.
#%wheel ALL=(ALL:ALL) ALL

systemd presets

You are practically guaranteed a horrible time, especially on Debian, unless /etc/systemd/system-preset has a whatever.preset saying disable *, as some distributions consider it a good idea to autostart every installed service by default. I am unsure whether this requires sudo systemctl daemon-reload to apply.

To return to the preset state of nothing autostarting, execute sudo systemctl preset-all, a command that is dangerous if you don’t know what you are doing.
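
The lookup order behind that disable * rule, as an added example that is not part of the original notes and not systemd's own code: per systemd.preset(5), preset files from all directories are ordered by file name and the first matching line wins, so a file named whatever.preset only decides for units that no earlier-sorting file has matched. The function name, the demo directories and the 90-default.preset content are constructed for illustration.

```shell
# Added example: approximates the lookup described in systemd.preset(5).
# 1. A file name found in an earlier DIR hides the same name in later DIRs.
# 2. The remaining files are read in lexicographic order of their names.
# 3. The first enable/disable line whose glob matches the unit wins.
# 4. A unit that no line matches is enabled.
# Usage: preset_policy UNIT DIR...   (DIRs in priority order, /etc first)
TAB=$(printf '\t')
preset_policy() {
    unit=$1; shift
    for d in "$@"; do
        for f in "$d"/*.preset; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | awk -F '\t' '!seen[$1]++' | LC_ALL=C sort |
    while IFS="$TAB" read -r _name path; do
        while read -r verb pattern _rest; do
            case $verb in enable|disable) ;; *) continue ;; esac
            # $pattern is unquoted on purpose: it is a shell-style glob.
            case $unit in $pattern) echo "$verb"; exit 0 ;; esac
        done < "$path"
    done | {
        read -r verdict || verdict=enable
        echo "$verdict"
    }
}

# Constructed demo: a distro-style 90-default.preset beside whatever.preset.
demo_presets() {
    t=$(mktemp -d)
    mkdir "$t/etc" "$t/usr"
    printf 'enable cups.*\n' > "$t/usr/90-default.preset"
    printf '# nothing autostarts\ndisable *\n' > "$t/etc/whatever.preset"
    echo "cups.socket: $(preset_policy cups.socket "$t/etc" "$t/usr")"
    echo "tor.service: $(preset_policy tor.service "$t/etc" "$t/usr")"
    rm -r "$t"
}
demo_presets
```

In the demo cups.socket stays enabled because 90-default.preset sorts before whatever.preset; naming the file so that it sorts first (for example with a 00- prefix) makes disable * apply to every unit.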

Debian

Remember to install apt-transport-tor!

sources.list

The mirror to use is https://deb.debian.org/debian.

/etc/apt/preferences.d/whatever

# Copied from https://www.wireguard.com/install/ (2020-01-11)
# Default priority appears to be 500, so 90 results to unstable being
# used when the package is not available anywhere else
Package: *
Pin: release a=unstable
Pin-Priority: 90

Package: *
Pin: release a=unstable-debug
Pin-Priority: 90

sshd

If nothing else, please at least

# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ed25519_key

LogLevel VERBOSE
PermitRootLogin prohibit-password
PasswordAuthentication no
AuthenticationMethods publickey
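
One way to check that the running configuration actually matches these options, as an added example that is not part of the original notes: the function reads the effective configuration printed by sshd -T on stdin and reports every setting that deviates. The function name and the two sample dumps are constructed for illustration.

```shell
# Added example. Reads sshd -T style output on stdin, prints one DEVIATION
# line per setting that differs from the options listed above, and returns
# non-zero if anything deviates.
# Real use (as root): sshd -T | check_sshd_effective
check_sshd_effective() {
    awk '
    BEGIN {
        # sshd -T prints keywords in lower case; values are compared lower-cased.
        want["loglevel"] = "verbose"
        want["passwordauthentication"] = "no"
        want["authenticationmethods"] = "publickey"
        # sshd -T reports prohibit-password under its older alias.
        want["permitrootlogin"] = "prohibit-password|without-password"
        hostkey = "/etc/ssh/ssh_host_ed25519_key"
    }
    {
        key = tolower($1)
        val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
        if (key == "hostkey" && val == hostkey) seen_hostkey = 1
        if (key in want) got[key] = tolower(val)
    }
    END {
        bad = 0
        for (k in want) {
            v = (k in got) ? got[k] : "<unset>"
            n = split(want[k], ok, "|"); hit = 0
            for (i = 1; i <= n; i++) if (v == ok[i]) hit = 1
            if (!hit) { printf "DEVIATION %s=%s\n", k, v; bad++ }
        }
        if (!seen_hostkey) { printf "DEVIATION hostkey lacks %s\n", hostkey; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_HARDENED='loglevel VERBOSE
permitrootlogin without-password
passwordauthentication no
authenticationmethods publickey
hostkey /etc/ssh/ssh_host_ed25519_key'
SAMPLE_STOCK='loglevel INFO
permitrootlogin without-password
passwordauthentication yes
authenticationmethods any
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key'

printf '%s\n' "$SAMPLE_STOCK" | check_sshd_effective || true
```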

Encrypted DNS

/etc/xdg/autostart

Not having a terminal autostarting for all users is a pain.

[Desktop Entry]
Terminal=true
Exec=kgx --command="bash --norc -c tmux"
Name=Tmux in Console
Icon=org.gnome.Console

aminda-*.{service,socket}

They work around either me or the distribution messing things up. While at it, don’t forget /etc/sysctl.d

Remember!

Not quite configuration, but I am not going to start inventing a new place for it.

Accessing UEFI setup without key smashing

Recovering selinux policy issues

Removing all flatpaks

sudo flatpak uninstall --all --assumeyes

Now that overwhelmingly sinking into them has been resolved, you can reinstall a lot of them and feel overwhelmed again!
