Essential software for new systems
This is just a quick personal reference so I don’t have to guess and notice that I forgot something important.
Automaattinen sisällysluettelo / Automatically generated Table of Contents
Security
-
microcode
- propietary, but otherwise CPU holes are going to be gaping open. Refer totail -n +1 /sys/devices/system/cpu/vulnerabilities/*
- Debian calls this as
amd64-microcode
orintel-microcode
- Arch knows them as
amd-ucode
orintel-ucode
and won’t load it for you, you will have toinitrd /intel-ucode.img
yourself instantly afterlinux
and beforeinitrd /initramfs-linux-lts.img
…
- Debian calls this as
-
ufw
for Deb-based orfirewalld
on Fedora (and Kali and Arch Linux, if you so choose in the last) -
sshguard
for mitigating shared systems where others refuse to use keys -
needrestart
for knowing when updates actually require services to be restarted or a kernel upgrade happens and requires reboot- Arch users may prefer
checkservices
fromarchlinux-contrib
- Arch users may prefer
-
molly-guard
so you won’t accidentallyreboot
orpoweroff
production rather than local machine. -
apt-listchanges
changelogs are worth knowing when updating. -
apt-listbugs
known bugs are especially nice when performing bigger updates. -
chrony
- security demands the time to be correct, Chrony supports NTS and is proper NTP server instead of just SNTP like systemd-timesyncd.- alternatively configure
systemd-timesyncd
- alternatively configure
-
unbound
- my choice for both DNSSEC validating and DNS-over-TLS, even if I had it connect to upstream dns[crypt]proxy- alternatively configure
systemd-resolved
. Simultaneouslysystemd-networkd
may be a good idea.
- alternatively configure
-
unattended-upgrades
ordnf-automatic
so security updates are at least downloaded if not even directly installed (see configuration and systemd units!)- if
dnf-automatic
, considersudo systemctl enable dnf-automatic-install.{timer,service}
or at leastsudo systemctl enable dnf-automatic-download.{timer,service}
- if
Usability
-
nvim git tmux zsh mosh
- good luck without these if cryptographic operations are taking ages, consider something likehaveged
. It’s controversial, so if there are no issues, don’t install a random number generator.- userspace oom killer, may avoid frozen systems, much more pleasant than
actually having to deal with a frozen system.
-
earlyoom
- remember to
sudo systemctl enable --now earlyoom
- remember to
-
systemd-oomd
- remember to
sudo systemctl enable --now systemd-oomd
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/systemd/oomd.conf.d
- remember to
-
-
zram-tools
- small compressed swap in RAM- Remember to check configs! Fedora:
/etc/zram.conf
sudo systemctl enable --now zramswap.service zram-swap.service
- Remember to check configs! Fedora:
-
thermald
for additional help keeping system cool, especially intelsudo systemctl enable --now thermald
-
vnstat
- help for observing bandwidth usage -
yggdrasil
- essential for getting through Carrier Grade NAT whether there is IPv6 or not. Also gives static internal IPv6 reducing need for dynamic DNS. -
tlp
- for laptop power management, especially ThinkPad.sudo tlp-stat | less
sudo systemctl enable --now tlp
Essential system configuration
Since software being present and doing nothing may not actually do anything.
Debian console
-
sudo dpkg-reconfigure console-setup
- ensure UTF-8 and select Terminus
-
sudo dpkg-reconfigure keyboard-configuration
- compose key
Terminus on Fedora
After installing the package, adjust /etc/vconsole.conf
e.g.:
KEYMAP="fi"
FONT="ter-v16v"
Maybe sudo updatedb
and locate ter-v16v
at first though?
Terminus on Arch Linux
See Fedora, but change the FONT
to "ter-132b"
instead.
SSD
sudo systemctl enable --now fstrim.timer
- check that
/etc/fstab
hasnoatime
so every file access isn’t written to the disk. BTRFS filesystems should also havessd
flag.- NEVER ENABLE
atime
,relatime
ornorelatime
under the threat of suffering especially on BTRFS. I have been doing fine without it for years, it will not help any issue, unless you want read operations to cause writes and eat space…
- NEVER ENABLE
BTRFS
- The above applies,
/etc/fstab
must havenoatime
. -
compress=zstd:0
may be helpful. It enables zstd compression, which is an integrated feature of BTRFS, with the default compression level (3 at the time of writing). The BTRFS devs are most likely wiser than me and can provide a reasonable balance between efficiency and CPU use.- Alternatively
compress-force=zstd:0
may be used, but that might bring extra CPU usage in compressing what cannot be compressed.- Test on Lumina: 20G free -> 24G free.
- The compression will happen either the next time the file is written or can
be manually triggered through
sudo btrfs filesystem defragment -r "$PWD"
- Alternatively
- For swapfiles on btrfs partition, e.g.
btrfs filesystem mkswapfile --size 8G /swap
Swap
Zramswap is not enough. 8 GB everywhere may be enough, summarizing Gentoo.
No swap partition and swap file is acceptable (consider SSD)? See above for btrfs or as root
fallocate -l 8G /swap
chmod 600 /swap
mkswap /swap
swapon /swap
The /etc/fstab
rule is: /swap none swap sw 0 0
and then it’s
just a matter of sudo swapon -a
sudo
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/sudoers.d
Consider these:
# Thanks Tails
Defaults timestamp_timeout=0
Defaults pwfeedback
Defaults lecture = always
Additionally Arch Linux should consider either
# Allow full sudo access to the group which is uncommented. The first is
# Debian.
#%sudoers ALL=(ALL:ALL) ALL
# Defaults to passwordless sudo on Debian.
#%wheel ALL=(ALL:ALL) ALL
systemd presets
You are practically guaranteed horrible time especially on Debian, unless
/etc/systemd/system-preset
has a whatever.preset
saying disable *
as some
distributions consider it a good idea to autostart every installed service by
default. I am unsure on whether this requires sudo systemctl daemon-reload
to
apply.
To return to the preset state of nothing autostarting, execute the dangerous
if you don’t know what you are doing command sudo systemctl preset-all
.
Debian
Remember to install apt-transport-tor
!
sources.list
The mirror to use is https://deb.debian.org/debian
.
/etc/apt/preferences.d/whatever
# Copied from https://www.wireguard.com/install/ (2020-01-11)
# Default priority appears to be 500, so 90 results to unstable being
# used when the package is not available anywhere else
Package: *
Pin: release a=unstable
Pin-Priority: 90
Package: *
Pin: release a=unstable-debug
Pin-Priority: 90
sshd
If nothing else, please at least
# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ed25519_key
LogLevel VERBOSE
PermitRootLogin prohibit-password
PasswordAuthentication no
AuthenticationMethods publickey
Encrypted DNS
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/systemd/resolved.conf.d
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/unbound/unbound.conf.d
/etc/xdg/autostart
Not having terminal autostarting for all users is pain.
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/xdg/autostart/kgx-tmux.desktop
[Desktop Entry]
Terminal=true
Exec=kgx --command="bash --norc -c tmux"
Name=Tmux in Console
Icon=org.gnome.Console
aminda-*.{service,socket]
They workaround either me or the distribution messing things up. While at it,
don’t forget /etc/sysctl.d
- https://codeberg.org/Aminda/shell-things/src/branch/cxefa/etc/systemd/system
Remember!
Not quite configuration, but I am not going to start inventing a new place for it.
Accessing UEFI setup without key smashing
- systemd: there is a
systemctl reboot --firmware-setup
(spotted here) - Plasma: in
systemsettings
sectiondesktop session
there is a checkbox to after next boot, enter UEFI settings (via reply to that) - Windows allows access to UEFI by pressing Shift while reboot
(said here) or
simply
shutdown -r -t 1 -fw
twice (said here). - GNOME: in the reboot after 60 seconds menu, hold alt to get into boot options (said here)
- In boot loader the command
fwsetup
should take you there (said here). And anyone using either grub or systemd-bootd has probably seen the menu entry. - efibootmgr:
efibootmgr —bootnext 0000 && reboot
(said or implied here)
Recovering selinux policy issues
- The Fedora advice is
sudo fixfiles -B onboot
, but that didn’t assist me. - Boot with flags
enforcing=0 autorelabel
to temporarily have permissive mode and automatic fixing. - What actually worked was booting with
enforcing=0
andsudo restorecon -R /