Parameters

setup_user = user
setup_ssh_authorized_key = https://github.com/lorien.keys

About this document

This is a fancy rendering of the Ansible rules that I use to install
Linux on a new machine. See details at github.com/lorien/linux_setup.

Setup console font for non-GUI environment

For some reason, debconf-set-selections has no effect on
dpkg-reconfigure console-setup. The working approach is to
change /etc/default/console-setup and then run dpkg-reconfigure console-setup.

Run command apt install console-setup

Add line CHARMAP="UTF-8" to file /etc/default/console-setup

Add line FONTFACE="VGA" to file /etc/default/console-setup

Add line FONTSIZE="16x32" to file /etc/default/console-setup

Add line CODESET="Uni1" to file /etc/default/console-setup

Run shell command dpkg-reconfigure --frontend noninteractive console-setup

Setup HTTPS support for APT repositories

Run command apt install apt-transport-https curl

Install bluetooth drivers

Run command apt install firmware-iwlwifi

Setup service for /etc/rc.local

Run command: systemctl enable rc-local

If file /etc/rc.local does not exist create it with content:

#!/bin/bash
exit 0

Run command: chmod 764 /etc/rc.local

Install rfkill to enable/disable bluetooth and wifi adapters

Run command apt install rfkill

Disable bluetooth

Run command:

systemctl stop bluetooth \
    && systemctl disable bluetooth

Add line rfkill block bluetooth to file /etc/rc.local

Set up DNS

If file /etc/resolv.conf does not exist create it with content:

nameserver 8.8.8.8 # google
nameserver 77.88.8.8 # yandex

Run command: chattr +i /etc/resolv.conf

Setup standard debian bookworm repositories

Replace or create file /etc/apt/sources.list with content:

deb https://ftp.debian.org/debian/ bookworm contrib main non-free non-free-firmware
deb https://ftp.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
deb https://security.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware

Update APT cache with command apt update.

Install SSH Server and disable it

Run command apt install openssh-server

Run command:

systemctl stop ssh \
    && systemctl disable ssh

Setup config files located at user home directory

If file /home/user/.xsession does not exist create it by copying /home/user/.xsession

Run commands:

chown user:user /home/user/.xsession

Copy files from backup to user's home directory:
- .vimrc
- .config/awesome/rc.lua
- .bashrc.personal
- .tmux.conf
- .gitconfig
- .hgrc
- .pypirc (HAS TOKEN)
- .Xresources
- .xbindkeysrc
- ~/bin/
Add source ~/.bashrc.personal to "~/.bashrc"

Install sudo package and add user to sudo group

Run command apt install sudo

Add user user to group sudo

Setup vim editor

Run command apt install python3-venv git vim-nox

TODO
Also copy .vimrc to /root/.vimrc
sudo pip3 install black
Run vim, then inside vim run ":PlugInstall"
Run: update-alternatives --config editor # choose vim-nox
Run: select-editor # for current user, choose vim-nox
Run: sudo select-editor # for root, choose vim-nox

Copy docs
Symlink ~/doc/.ssh ~/.ssh

/etc/hosts

Install packages to run desktop environment

Run command apt install xorg xserver-xorg-input-synaptics xserver-xorg-input-all awesome slim dbus-x11 vim-gui-common xbindkeys rxvt-unicode xss-lock flameshot slock brightnessctl

Make urxvt default terminal emulator

Run shell command update-alternatives --set x-terminal-emulator /usr/bin/urxvt

Configure terminal emulator font

Run command apt install ttf-bitstream-vera

Possibly update "size=XX" in the line "URxvt ... font: xft:...size=XX"
xrdb ~/.Xresources

Install Network Manager and configure it

Run command apt install network-manager network-manager-gnome network-manager-openvpn

In [connection] section of NetworkManager config
you may want to use "stable" instead of "random"
if you want to keep your authentication state in
hotel/airport/etc wifi networks.

Run: ifdown
Comment out lines in /etc/network/interfaces related to wifi interface
Run: systemctl restart networking
Write to /etc/NetworkManager/conf.d/00-random-mac.conf:
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
Run: systemctl restart NetworkManager

Random MAC address and hostname

Pre-up hooks are built as symbolic links to post-down hooks
because NetworkManager does not call pre-up hooks when
setting up network connection.

Replace or create file /etc/network/if-post-down.d/zz_random_mac with content:

#!/bin/sh
#
# Randomize MAC address.
# This hook differs from the default macchanger hook: it uses the -A flag.
# This hook is post-down because NetworkManager does not run pre-up hooks.
# There is also a symlink to this file in pre-up.

LOGFILE="/var/log/post_down_random_mac.log"
echo "DATE: $(date)" | tee -a "$LOGFILE"
echo "IFACE: $IFACE" | tee -a "$LOGFILE"
# Skip the catch-all call, the loopback device and an empty interface name.
case "$IFACE" in
    --all|lo|"")
        echo "Ignoring interface [$IFACE]" | tee -a "$LOGFILE"
        exit 0
        ;;
esac
/usr/bin/macchanger -A "$IFACE" 2>&1 | tee -a "$LOGFILE"

Run command: ln -s ../if-post-down.d/zz_random_mac /etc/network/if-pre-up.d/zz_random_mac

Replace or create file /etc/network/if-post-down.d/zz_random_hostname with content:

#!/bin/sh
#
# Randomize hostname.
# This hook is post-down because NetworkManager does not run pre-up hooks.
# There is also a symlink to this file in pre-up.

LOGFILE="/var/log/post_down_random_hostname.log"
echo "DATE: $(date)" | tee -a "$LOGFILE"
echo "IFACE: $IFACE" | tee -a "$LOGFILE"
# Skip the catch-all call, the loopback device and an empty interface name.
case "$IFACE" in
    --all|lo|"")
        echo "Ignoring interface [$IFACE]" | tee -a "$LOGFILE"
        exit 0
        ;;
esac
# Eight hex characters derived from 100 random bytes.
NEW_HOSTNAME=$(head -c 100 /dev/urandom | md5sum | head -c 8)
echo "HOSTNAME: $(/usr/bin/hostname)" | tee -a "$LOGFILE"
echo "NEW HOSTNAME: $NEW_HOSTNAME" | tee -a "$LOGFILE"
/usr/bin/hostnamectl set-hostname "$NEW_HOSTNAME" 2>&1 | tee -a "$LOGFILE"

Run command: ln -s ../if-post-down.d/zz_random_hostname /etc/network/if-pre-up.d/zz_random_hostname

Disable avahi-daemon (MDNS) Publishing

Install avahi-daemon to ensure its config file exists

Run command apt install avahi-daemon

In file /etc/avahi/avahi-daemon.conf search for line matching ^\s*#?\s*disable-publishing\s*= and replace it with disable-publishing=yes. If no match, insert this line before EOF

Run command: systemctl restart avahi-daemon

Use https://dpi.lv/ to calculate DPI
Update "Xft.dpi: ..." line
xrdb ~/.Xresources

systemctl start slim
if network manager says "device not ready" for wifi card, then restart laptop
might be caused by old network settings in /etc/network/interfaces

download tarball from https://github.com/thesofproject/sof-bin/releases
unpack
sudo mv /lib/firmware/intel/sof* some_backup_location/
sudo mv /usr/local/bin/sof-* some_backup_location/ # optional
rsync -a sof-v1.7/ /lib/firmware/intel/sof/
rsync -a sof-tplg-v1.7/ /lib/firmware/intel/sof-tplg/
rsync -a tools-v1.7/ /usr/local/bin/

Install brave browser

Download the document at https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg and save it to /usr/share/keyrings/brave-browser-archive-keyring.gpg; do nothing if the file already exists

If file /etc/apt/sources.list.d/brave-browser-release.list does not exist create it with content:

deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main

Update APT cache with command apt update.

As an alternative to Brave Browser, install LibreWolf

See ~/bin/install_librewolf.sh

Powertop

sudo powertop --auto-tune # WTF how it works?

Sound

Run command apt install pulseaudio pavucontrol alsa-utils

Install and configure development tools

Run command apt install mariadb-client git mercurial p7zip-full unrar xz-utils libcurl4-openssl-dev libssl-dev build-essential strace screen tmux iotop python-is-python3 python3-venv dnsutils whois traceroute pkg-config python3-pip psmisc rsync

pip3 install --break-system-packages -U pip
pip3 install --break-system-packages -U \
cookiecutter virtualenv pytest tox twine \
autosort black isort

Proxychains

pip install -U mazer
pip install -U ansible
mazer install --namespace lorien git+https://github.com/lorien/cluster
# or
# cd /web
# git clone https://github.com/lorien/cluster
# mazer install --namespace lorien -e /web/cluster
anz.py role lorien.cluster.proxychains local

Setup using shared beeline internet

Add setting net.ipv4.ip_default_ttl = 65 to /etc/sysctl.conf and run sysctl -p

Install smartmontools

Run command apt install smartmontools

Disable IPv6, optional

Add setting net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf and run sysctl -p

Add setting net.ipv6.conf.default.disable_ipv6 = 1 to /etc/sysctl.conf and run sysctl -p

In file /etc/default/grub search for line matching ^GRUB_CMDLINE_LINUX_DEFAULT="(.+)" and replace it with GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 \1". If no match, insert this line before EOF

Run shell command update-grub
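
Applied a second time to a file that already contains ipv6.disable=1, the search-and-replace rule above still matches and prepends the argument again, and (.+) does not match an empty value. An idempotent version of the edit, as an added example that is not part of the original rules (ensure_grub_default_arg is a hypothetical helper name; the sample file is constructed):

```shell
#!/bin/sh
# Added example: ensure a kernel argument appears exactly once in
# GRUB_CMDLINE_LINUX_DEFAULT. ensure_grub_default_arg is a hypothetical helper.

ensure_grub_default_arg() {
    # $1 = grub defaults file, $2 = kernel argument (e.g. ipv6.disable=1)
    file=$1
    tmp=$(mktemp) || return 1
    awk -v arg="$2" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="[^"]*"/ {
            seen = 1
            val = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="/, "", val)   # keep only the value
            sub(/".*$/, "", val)
            present = 0
            n = split(val, words, " ")
            for (i = 1; i <= n; i++) if (words[i] == arg) present = 1
            if (!present) val = (val == "" ? arg : arg " " val)
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" val "\""
            next
        }
        { print }
        # No such line at all: append one instead of a literal backreference.
        END { if (!seen) print "GRUB_CMDLINE_LINUX_DEFAULT=\"" arg "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample file; running the helper twice must not duplicate the argument.
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' > "$demo"
ensure_grub_default_arg "$demo" ipv6.disable=1
ensure_grub_default_arg "$demo" ipv6.disable=1
cat "$demo"
```
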

Install tools for power management on laptop

Run command apt install tlp

Install tools to configure display brightness

Run command apt install brightnessctl

sudo chown root:user /sys/devices/pci0000\:00/0000\:00\:02.0/drm/card0/card0-eDP-1/intel_backlight/brightness
sudo chmod g+rw /sys/devices/pci0000\:00/0000\:00\:02.0/drm/card0/card0-eDP-1/intel_backlight/brightness
Update ~/.xbindkeysrc
"brightnessctl s 10%-"
XF86MonBrightnessDown
"brightnessctl s +10%"
XF86MonBrightnessUp

On desktop, disable wifi power save

This helps remove lag when you connect to the desktop via SSH
from another machine.
Put into /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf:
[connection]
# 2 means disable
wifi.powersave = 2

Setup SSH daemon

Add key located at https://github.com/lorien.keys to SSH authorized keys of user root

Configure the SSH server not to use password authentication

Add line PasswordAuthentication no to file /etc/ssh/sshd_config

Add line ChallengeResponseAuthentication no to file /etc/ssh/sshd_config

Run command: systemctl restart ssh
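
sshd uses the first value it obtains for each keyword, so a line added at the end of /etc/ssh/sshd_config has no effect if the same keyword is already set earlier. A check for that, as an added example that is not part of the original rules (the function names and the sample config are constructed; Include directives are not followed and parsing stops at the first Match block):

```shell
#!/bin/sh
# Added example: which value does sshd use when a keyword appears more than once?
# sshd_config(5): for each keyword, the first obtained value is used.
# Assumptions of this sketch: Include directives are not followed, and parsing
# stops at the first Match block (settings there are conditional).

effective_sshd_value() {
    # $1 = config file; remaining args = keyword plus aliases (case-insensitive)
    file=$1
    shift
    awk -v names="$*" '
        BEGIN {
            n = split(tolower(names), list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { sub(/=/, " "); key = tolower($1) }    # accept "Key value" and "Key=value"
        key == "match" { exit }
        (key in want) { print tolower($2); exit }   # first occurrence wins
    ' "$file"
}

password_login_disabled() {
    # A missing keyword falls back to sshd's built-in default, "yes" for both.
    pw=$(effective_sshd_value "$1" PasswordAuthentication)
    # ChallengeResponseAuthentication is a deprecated alias of
    # KbdInteractiveAuthentication in current OpenSSH.
    kbd=$(effective_sshd_value "$1" KbdInteractiveAuthentication \
        ChallengeResponseAuthentication)
    [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]
}

# Constructed sample: an earlier "yes" shadows the lines appended at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
echo "PasswordAuthentication: $(effective_sshd_value "$sample" PasswordAuthentication)"
if password_login_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still possible"
fi
```

On the installed machine, sshd -T prints the effective configuration, including files pulled in by Include.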

TRIM Operation for SSD

There is nothing to do. Systemd service "fstrim" is active by default.

Set low priority to use swap file

Add setting vm.swappiness = 1 to /etc/sysctl.conf and run sysctl -p

Install screenshot utils

Run command apt install flameshot

Setup system limits to run IDEA IDE

Add setting fs.inotify.max_user_watches = 524288 to /etc/sysctl.conf and run sysctl -p

Setup download directory

Run command:

mkdir -p /home/user/Downloads \
    && chown user:user /home/user/Downloads

Run command:

ln -s /home/user/Downloads /home/user/down \
    && chown user:user /home/user/down

Restart computer to ensure it works and starts normally

Run shell command reboot

Check list after restart

Run pavucontrol, go to the Output Devices tab. Ensure that output is not muted.