Setup checklists
Debian Desktop
These instructions are used when getting a new machine
Install languages
Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Go
- Remove any previous Go installation and install from download (command may require sudo)
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.3.linux-amd64.tar.gz
- Ensure go is on PATH
export PATH=$PATH:/usr/local/go/bin
- Verify that go is installed
go version
Install Alacritty
-
#/usr/share/applications/alacritty.desktop
[Desktop Entry]
Type=Application
TryExec=alacritty
Exec=alacritty
Icon=Alacritty
Terminal=false
Categories=System;TerminalEmulator;
wget -P ~/.local/share/fonts https://github.com/ryanoasis/nerd-fonts/releases/latest/download/FiraMono.zip \
&& cd ~/.local/share/fonts \
&& unzip FiraMono.zip \
&& rm FiraMono.zip \
&& fc-cache -fv
Install Starship
cargo install starship --locked
Switch from bash to zsh
sudo apt install zsh
chsh -s $(which zsh)
Load security items
chmod 0600 <key>
Load dotfiles and pre-requisites.
sudo apt install stow keychain
cd
git clone [email protected]:mark-pitblado/dotfiles.git.
cd ~/dotfiles
stow .
Install Neovim
Install commandline tools
cd ~/dotfiles
./rust-tools.sh
Install Catppuccin KDE theme
VPS
These instructions are for setting up a fresh VPS
Setup non-root user
adduser someuser
usermod -aG sudo someuser
su - someuser
sudo ls /
Install tmux
This allows sessions to be restored if the SSH connection drops.
sudo apt install tmux
Harden SSH
- Make sure that the non-root user has a copy of the public SSH key. The following command copies the public key from the local machine to the user on the VPS.
ssh-copy-id -i key_filepath someuser@someip
- Test the new key
ssh -i key_filepath someuser@someip
- Remove password authentication
sudo vim /etc/ssh/sshd_config
Set PasswordAuthentication to no
Set PermitRootLogin to no
Set UsePAM to no
- Change the port for ssh
Set Port to some other value
- Reload the changes
sudo systemctl reload ssh
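One way to check the result of the edits above, as an added example that is not part of the original checklist: it reads sshd_config text (or `sshd -T` output) from a file and reports the effective value of each directive the checklist sets. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the directives from the "Harden SSH" step.
# Input: a file holding sshd_config text or the output of `sudo sshd -T`.
# sshd keeps the FIRST value it reads for a keyword and keywords are
# case-insensitive, so an appended "no" does not override an earlier "yes".

# Print the effective (first uncommented) value of keyword $1 in file $2.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }    # skip comment lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Return 0 when every checklist setting holds; otherwise print each failure
# and return 1.
audit_sshd() {
    file=$1
    rc=0
    for pair in passwordauthentication=no permitrootlogin=no usepam=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$key" "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    port=$(sshd_effective port "$file")
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is still the default (22)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the new settings were appended below a stock "yes".
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin no
UsePAM no
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "sample config does not match the checklist"
```

On the VPS, `sudo sshd -T` prints the effective configuration with Include files and defaults resolved, so saving that output to a file and passing it to audit_sshd gives the most reliable result.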
Install Docker
- Uninstall any existing docker packages from the distribution
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
- Add the docker GPG key
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
- Add the repository to apt
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Add user to docker group
sudo usermod -aG docker someuser
Install fail2ban
sudo apt update
sudo apt install fail2ban
Confirm that the service is running
systemctl status fail2ban.service
Enable ufw firewall
- Install ufw
sudo apt install ufw
- Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
- Allow ssh (as a minimum)
Danger
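If this step is not performed and verified, it could result in being locked out of the VPS (as all ports will be closed off). Do this step slowly, and verify that it is done correctly before enabling the ufw service. The ssh rule opens the default SSH port (22), so if Port was changed in the Harden SSH step, allow that port instead.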
sudo ufw allow ssh
sudo ufw show added
After confirming everything looks good, activate the configuration.
sudo ufw enable
- To check the status of ufw, the following command can be used
sudo ufw status
Setup Caddy Server
- Install caddy
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
After running the above, caddy will automatically be activated. No need to use caddy run.
- Create a caddy file
- Reload the server with the caddy file once written. At this point, ports 80 and 443 should be open so that caddy can get a certificate.
caddy reload