
How to Setup debian for MY needs
================================

TODO: INSTALL PRINTER PACKAGES!!
TODO: Document how to install certbot.


## Base system

Install the base system through Debian's ISO installers. Usually the net
installer is fine.

Do NOT install ANY additional bloat! E.g. untick ALL extra software like
desktops etc. Even disable the standard-system-utilities option.


## Install core tools

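ALWAYS use '--no-install-recommends' when installing something to prevent
useless bloat from being installed. Fewer installed packages also means less
code to keep patched and fewer services that may listen by default.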

  && apt install -y --no-install-recommends vim net-tools openssh-server openssh-client bash bash-completion


## Setup firewall

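WARN: Does NOT set up the effective rules. Rules need to be filled in by the
admin; the snippet only writes file skeletons and loads nothing. The generated
README covers IPv4 only: the IPv6 file (src-default6) has to be loaded with
ip6tables-restore and saved to /etc/iptables/rules.v6 separately. src-allowAll4
accepts everything, so take care it is not what ends up saved in rules.v4.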

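WARN: This snippet may cut off network connections, including your remote
shell! src-default6 as written drops everything except loopback, so add the
ACCEPT rules you need above its LOG/DROP lines before applying it. On a remote
host, iptables-apply / ip6tables-apply revert to the previous rules unless you
confirm within a timeout.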

  && $SUDO apt install -y --no-install-recommends iptables iptables-persistent \
  && printf '# TODO add contents here\n' | $SUDO tee /etc/iptables/src-default >/dev/null \
  && printf '\n[WARN ] Needs more setup: /etc/iptables/src-default\n\n' \
  && printf '%s\n' \
       '## Apply from file' '' \
       'cat /etc/iptables/src-default | $SUDO iptables-restore' '' \
       '## store current session as default' '' \
       '$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null' \
       | $SUDO tee /etc/iptables/README >/dev/null \
  && printf '# TODO setup file contents\n' | $SUDO tee /etc/iptables/src-default4 >/dev/null \
  && printf '%s\n' \
       '*filter' '' \
       '# Loopback' \
       '-A INPUT  -i lo -j ACCEPT' \
       '-A OUTPUT -o lo -j ACCEPT' '' \
       '# Log blocked connection attemps' \
       '-A INPUT   -j LOG --log-prefix "Fw6BadInn: " --log-level 6' \
       '-A FORWARD -j LOG --log-prefix "Fw6BadFwd: " --log-level 6' \
       '-A OUTPUT  -j LOG --log-prefix "Fw6BadOut: " --log-level 6' '' \
       '# Disallow any non-whitelisted packets' \
       '-A INPUT   -j DROP' \
       '-A FORWARD -j REJECT' \
       '-A OUTPUT  -j REJECT' '' \
       'COMMIT' | $SUDO tee /etc/iptables/src-default6 >/dev/null \
  && printf '%s\n' \
       '*filter' \
       '-A INPUT   -j ACCEPT' \
       '-A FORWARD -j ACCEPT' \
       '-A OUTPUT  -j ACCEPT' \
       'COMMIT' | $SUDO tee /etc/iptables/src-allowAll4 >/dev/null \
  && $SUDO touch /etc/iptables/src-tmp \


## Mount home partition

# /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  /mnt/nameOfHdd  ext4  noatime  0  2
/mnt/nameOfHdd/home  /home  none  bind  0  0


## Configure Locale

- In "/etc/locale.gen" Enable all of:
  "de_CH.UTF-8 UTF-8", "de_CH ISO-8859-1", "en_DK.UTF-8 UTF-8", "en_DK ISO-8859-1".
- Run "locale-gen".
- Check list with "locale -a".
- Change "/etc/default/locale" contents to:
    LANG=en_DK.UTF-8
    LANGUAGE="en_US:en"


## Install Desktop Env

  && $SUDO apt install -y --no-install-recommends xorg openbox mate-terminal lightdm light-locker feh scrot lxpanel qalculate-gtk gmrun gnome-system-monitor \
  && mkdir ~/.config ~/.config/openbox || true \
  && update-alternatives `# TODO needs args` \

Populate "/etc/environment" as described by "./etc-environment".


## Install whatever needed

  && $SUDO apt install -y --no-install-recommends \
       `# basic CLI` \
       vim htop pv openssh-client iptables iptables-persistent xxd zip unzip xz-utils p7zip-full \
       file trash-cli ncat curl ntp \
       `# basic UI (vim-gtk required for system clipboard)` \
       vim-gtk3 firefox-esr pcmanfm file-roller thunderbird chromium okular \
       `# software devel` \
       git sqlite3 manpages-dev gdb qemu-utils qemu-system-x86 qemu-system-arm wireshark samba \
       tigervnc-viewer jq universal-ctags \
       `# network config` \
       iwgtk \
       `# server` \
       nginx-light avahi-daemon  \
       `# mDNS client & tools` \
       libnss-mdns avahi-utils \
       `# multimedia` \
       pulseaudio pavucontrol vlc audacity eom darktable gimp hugin lame flac opus-tools ffmpeg \
       `# encryption` \
       keepassxc gpg \
       `# UI customization` \
       gnome-themes-extra darkmint-gtk-theme dconf-cli \
       `# Office Suite` \
       libreoffice-writer libreoffice-calc libreoffice-draw libxrender1 libgl1 \
       fonts-crosextra-caladea fonts-crosextra-carlito fonts-dejavu fonts-liberation \
       fonts-liberation2 fonts-linuxlibertine fonts-noto-core fonts-noto-mono fonts-noto-ui-core \
       fonts-sil-gentium-basic pdftk-java \
       `# Cups Printing` \
       cups avahi-daemon \
       `# Graphics processing` \
       imagemagick \
       `# Low level ` \
       lm-sensors fancontrol exfat-fuse exfatprogs \
       `# Others` \
       systemd-sysv bc rsync qrencode libxml2-utils adb \
       `# Nvidia graphics (open)` \
       mesa-utils clinfo mesa-opencl-icd \
       `# Nvidia graphics (non-free, DoesNotWorkYet)` \
       nvidia-detect nvidia-tesla-470-driver linux-headers-amd64 \


## Cups Printing

# Example "/etc/cups/cupsd.conf"
#
# [online doc](https://www.cups.org/doc/man-cupsd.conf.html)
#
ServerAdmin root@localhost
LogLevel warn
#
WebInterface Yes
Listen localhost:631
Listen /run/cups/cups.sock
ServerTokens None
#
DefaultPaperSize A4
MaxJobTime 1800
PreserveJobFiles 86400
DefaultShared Yes
#ServerName example.com
#DNSSDHostName example.com
FilterNice 8
#
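# Keep the original <Location ...> and <Policy ...> sections that follow in the
# stock file; they hold the access-control rules for the web interface and the
# admin operations.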
#

To discover printer URIs use "ippfind".