Setup checklists

Debian Desktop

These instructions are used when getting a new machine

Install languages

Rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Go

  1. Remove any previous go installation and install from download (command may require sudo)
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.3.linux-amd64.tar.gz
  1. Ensure go is on PATH
export PATH=$PATH:/usr/local/go/bin
  1. Verify that go is installed
go version

Install Alacritty

  • #/usr/share/applications/alacritty.desktop
    [Desktop Entry]
    Type=Application
    TryExec=alacritty
    Exec=alacritty
    Icon=Alacritty
    Terminal=false
    Categories=System;TerminalEmulator;
    
wget -P ~/.local/share/fonts https://github.com/ryanoasis/nerd-fonts/releases/latest/download/FiraMono.zip \
&& cd ~/.local/share/fonts \
&& unzip FiraMono.zip \
&& rm FiraMono.zip \
&& fc-cache -fv

Install Starship

cargo install starship --locked

Switch from bash to zsh

sudo apt install zsh
chsh -s $(which zsh)

Load security items

chmod 0600 <key>

Load dotfiles and pre-requisites.

sudo apt install stow keychain
cd
git clone [email protected]:mark-pitblado/dotfiles.git.
cd ~/dotfiles
stow .

Install Neovim

Neovim

Install commandline tools

cd ~/dotfiles
./rust-tools.sh

Install Catppuccin KDE theme

VPS

These instructions are for setting up a fresh VPS

Setup non-root user

adduser someuser
usermod -aG sudo someuser
su - someuser
sudo ls /

Install tmux

This will allow for sessions to be restored in the event that the ssh connection drops

sudo apt install tmux

Harden SSH

  1. Make sure that the non-root user has a copy of the public SSH key. The command below copies the public key from the local machine to the user on the VPS
ssh-copy-id -i key_filepath someuser@someip
  1. Test the new key
ssh -i key_filepath someuser@someip
  1. Remove password authentication
sudo vim /etc/ssh/sshd_config

Set PasswordAuthentication to no

Set PermitRootLogin to no

Set UsePAM to no

  1. Change the port for ssh

Set Port to some other value

  1. Reload the changes
sudo systemctl reload ssh
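
A pre-reload check for the four settings changed above, as an added example that is not part of the original checklist: it reads sshd -T output and fails if any value differs from what the steps set. The function names, the sample inputs and port 2222 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original checklist.
# On the VPS, before the reload step: sudo sshd -t && sudo sshd -T | check_sshd_hardening

# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin and checks
# the four settings edited above. Returns 0 only if every check passes.
check_sshd_hardening() {
    awk '
        function expect(k, want) {
            if (!(k in val)) { print "FAIL " k ": not reported"; return 1 }
            if (val[k] != want) { print "FAIL " k ": " val[k] " (want " want ")"; return 1 }
            print "ok   " k ": " val[k]
            return 0
        }
        {
            # A keyword such as "port" can repeat, so keep every value seen.
            key = $1; $1 = ""; sub(/^ /, "")
            if (key in val) { val[key] = val[key] " " $0 } else { val[key] = $0 }
        }
        END {
            bad  = expect("passwordauthentication", "no")
            bad += expect("permitrootlogin", "no")
            bad += expect("usepam", "no")
            # The checklist moves sshd off the default port 22.
            n = split(val["port"], ports, " ")
            if (n == 0) { print "FAIL port: not reported"; bad++ }
            for (i = 1; i <= n; i++) {
                if (ports[i] == "22") {
                    print "FAIL port: still on 22"; bad++
                } else {
                    print "ok   port: " ports[i]
                }
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: effective config after the edits (2222 is a made-up port).
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' 'passwordauthentication no' 'usepam no'
}

# Constructed sample: a config where none of the edits were made.
sample_unchanged() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'passwordauthentication yes' 'usepam yes'
}

sample_hardened | check_sshd_hardening
```

Keep the current ssh session open while testing a new login after the reload, so a failed check can still be corrected.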

Install Docker

  1. Uninstall any existing docker packages from the distribution
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
  1. Add the docker GPG key
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
  1. Add the repository to apt
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Add user to docker group

sudo usermod -aG docker someuser

Install fail2ban

sudo apt update
sudo apt install fail2ban

Confirm that the service is running

systemctl status fail2ban.service

Enable ufw firewall

  1. Install ufw
sudo apt install ufw
  1. Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
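  1. Allow ssh (as a minimum). Note that ufw allow ssh opens port 22; if Port was changed in sshd_config, allow that port instead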
sudo ufw allow ssh
sudo ufw show added

After confirming everything looks good, activate the configuration.

sudo ufw enable
  1. To check the status of ufw, the following command can be used
sudo ufw status

Setup Caddy Server

  1. Install caddy
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

After running the above, caddy will automatically be activated. No need to use caddy run.

  1. Create a caddy file
  2. Reload the server with the caddy file once written. At this point, ports 80 and 443 should be open so that caddy can get a certificate.
caddy reload