├── .buildconfig
├── .editorconfig
├── .gitignore
├── CNAME
├── LICENSE
├── README.md
├── gpg.md
├── management.md
├── openscap-auditing.md
├── personal.yml
├── post_install.yml
└── windows-game-streaming.md

/.buildconfig:
--------------------------------------------------------------------------------
[default]
name=Default
runtime=host
config-opts=
run-opts=
prefix=
app-id=
postbuild=
prebuild=
default=true
--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
root = true

[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true

[*.{py,rst,ini}]
indent_style = space
indent_size = 4

[*.yml]
indent_style = space
indent_size = 2
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.retry
--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
desktop.davidstrauss.net
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2016 David Strauss

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Desktop Configuration

* Current distribution: **Fedora 41 Silverblue**
* Current hardware: **AMD X570 + 5900X + RX580 Desktop**, **ThinkPad T16 Gen 1**

## Upstream Watchlist

* Migration of Fedora Silverblue to use `bootupd`
    * [Silverblue GitHub Issue](https://github.com/fedora-silverblue/issue-tracker/issues/120)
    * [Fedora Change Page](https://fedoraproject.org/wiki/Changes/FedoraSilverblueBootupd)

## Data to Back Up
* `~/.gnupg/`
* `~/.password-store/`
* `~/.gitconfig`
* `~/.pki/`

## Machine Setup

### Operating System Installation

1. Initialize a thumb drive using the [Fedora Media Writer](https://fedoraproject.org/wiki/How_to_create_and_use_Live_USB#Quickstart:_Using_Fedora_Media_Writer) with an image from [Fedora Silverblue](https://silverblue.fedoraproject.org/).
1. On a ThinkPad, enable Microsoft's third-party Secure Boot CA in the "BIOS."
1. Boot to the Fedora Silverblue install media.
1. Reclaim disk space. Disk encryption is good; either use [Opal](https://en.wikipedia.org/wiki/Opal_Storage_Specification) (weaker) or [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) (stronger).

### System Configuration

1. Reboot into the newly installed Fedora, enable additional repositories, and set up the first user.
1. Update Fedora using the GNOME Software Center (and reboot).
1. Switch to Flatpak for Firefox, install system-level tools and CLI utilities, and reboot:

        flatpak install flathub org.mozilla.firefox
        rpm-ostree override remove firefox firefox-langpacks
        rpm-ostree install ansible gnome-boxes gnome-tweak-tool google-chrome-stable libvirt-daemon-config-network ltunify pass powertop python3-psutil steam-devices

1. Configure newly installed packages and desktop environment settings:

        sudo systemctl enable --now virtnetworkd-ro.socket
        cd ~/Downloads/
        curl https://raw.githubusercontent.com/davidstrauss/desktop-configuration/main/post_install.yml > post_install.yml
        ansible-playbook --check -vvv post_install.yml # Optional very verbose dry run.
        ansible-playbook post_install.yml # Many dconf configs seem to fail unless already correctly set.

1. Configure git (if not restoring `~/.gitconfig`):

        git config --global user.name "David Strauss"
        git config --global user.email name@example.com
        git config --global init.defaultBranch main
        git config --global color.ui auto

1. Set battery charging thresholds (on laptop):

        echo 10 | sudo tee /sys/class/power_supply/BAT0/charge_start_threshold
        echo 90 | sudo tee /sys/class/power_supply/BAT0/charge_stop_threshold
        # Configuring thresholds for the second battery doesn't seem to work yet.
        #echo 10 | sudo tee /sys/class/power_supply/BAT1/charge_start_threshold
        #echo 90 | sudo tee /sys/class/power_supply/BAT1/charge_stop_threshold

1. To disable Steam scaling: `Steam` -> `Settings` -> `Interface` -> `Enlarge text and icons based on monitor size (requires restart)`.

## Wireguard VPN Setup

    sudo nmcli connection import type wireguard file "$filename"

## Workarounds

* Intel laptop CPUs sometimes need "panel self refresh" or C-states altered to fix glitches:

        rpm-ostree kargs --append=i915.enable_psr=0
        rpm-ostree kargs --append=intel_idle.max_cstate=2

* *Probably obsolete for Fedora 41+:* `bootupctl` won't yet adopt on Silverblue.

        # Update grub and other boot partition artifacts
        # Source: https://github.com/fedora-silverblue/issue-tracker/issues/543#issuecomment-2048350047
        #
        # Enter a root shell on the host (i.e. not in a toolbox)
        $ sudo -i

        # Make a backup of the content of the EFI partition
        $ cd /boot/efi/
        $ cp -a EFI EFI.bkp

        # Copy updated bootloader versions
        $ cp /usr/lib/ostree-boot/efi/EFI/BOOT/{BOOTIA32.EFI,BOOTX64.EFI,fbia32.efi,fbx64.efi} /boot/efi/EFI/BOOT/
        $ cp /usr/lib/ostree-boot/efi/EFI/fedora/{BOOTIA32.CSV,BOOTX64.CSV,grubia32.efi,grubx64.efi,mmia32.efi,mmx64.efi,shim.efi,shimia32.efi,shimx64.efi} /boot/efi/EFI/fedora/

        # Only needed if it exists already on your system
        $ cp /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/shimx64-fedora.efi

        # Sync changes to the disk
        $ sync

        # Reboot and clean up backups

        # Enter a root shell on the host (i.e. not in a toolbox)
        $ sudo -i

        # Remove the backup of the EFI partition made above
        $ cd /boot/efi/
        $ rm -ri ./EFI.bkp

        # Sync changes to the disk
        $ sync

        # Update shim another way:
        wget https://kojipkgs.fedoraproject.org//packages/shim/15.8/3/x86_64/shim-x64-15.8-3.x86_64.rpm # https://koji.fedoraproject.org/koji/buildinfo?buildID=2423319
        sudo rpm-ostree usroverlay # We only need the side-effects of package installation outside the immutable system.
        sudo rpm -i --reinstall shim-*.rpm

* Missing Flatpak icons (untested fix):

        sudo gtk-update-icon-cache -f /var/lib/flatpak/exports/share/icons/hicolor/
        sudo gtk4-update-icon-cache -f /var/lib/flatpak/exports/share/icons/hicolor/

## Coexistence with Windows

After a complete wipe of the EFI partition, Windows won't have the resources it needs to boot.

1. Boot from Windows install media (F8 for the boot menu on Asus boards and F12 on ThinkPad).
1. Use `diskpart` to assign a drive letter (like `G`) to the EFI partition (which should be labeled `System`).
1. Restore boot files:

        G:\EFI
        bootrec /rebuildbcd

1. Booting to Windows 10 should now appear as an option from the recovery menus.
1. Use the GUI boot repair tool, or [attempt it from the CLI](https://superuser.com/a/1111656).
1. Review BIOS/firmware settings to restore Fedora Linux as the default.
1. Switch to BLS and add Windows into the Linux boot menu:

        sudo grub2-switch-to-blscfg
        sudo grub2-mkconfig -o /boot/grub2/grub.cfg

## Upgrading

1. _Only if needed:_ Remove RPM Fusion repositories for the current Fedora:

        rpm-ostree remove rpmfusion-free-release-$(rpm -E %fedora)-1.noarch

1. Rebase on the next release (and resolve issues with any missing packages):

        rpm-ostree rebase fedora:fedora/$(expr $(rpm -E %fedora) + 1)/x86_64/silverblue

1. _Only if needed:_ Add RPM Fusion repositories for the next Fedora:

        rpm-ostree install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(expr $(rpm -E %fedora) + 1).noarch.rpm

1. Reboot.

## Mobile Phone Setup

1. Install [OpenKeychain](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) and [Password Store](https://play.google.com/store/apps/details?id=dev.msfjarvis.aps).
1. Generate a new SSH key.
1. Add the new key to the git server.
1. Clone the repository.
1. Copy the private key stub `EXAMPLE.asc` to the phone. If downloaded from Google Drive, it may need to get copied into another app as text and re-saved using [one](https://play.google.com/store/apps/details?id=com.maskyn.fileeditor) or [another](https://play.google.com/store/apps/details?id=com.rhmsoft.edit.pro) plain text editor, because Drive likes to convert the `.asc` file to a PDF on download.
1. OpenKeychain > Import Key from File
1. Choose the `.asc` file.

## Smart Cards

### Tested Hardware

#### In Current Use

* Reader and card: YubiKey 5 and 5C

#### Previously Used and Tested

*Instructions may be out of date for these cards.*

* Reader and card: YubiKey Neo and Neo-N
* Reader and card: YubiKey 4 and 4 Nano
* Card only: [Fidesmo Dual Interface](http://shop.fidesmo.com/product/fidesmo-card-dual-interface)
* Reader only: [JK-A0100 Series Smartcard Keyboard](http://cherryamericas.com/product/jk-a0100eu-smartcard-keyboard/): Use `enable-pinpad-varlen` in `.gnupg/gpg-agent.conf` for secure PIN entry. The specific tested model was JK-A0100EU-2.
* Reader only: Identiv SCM SPR 532: Should work with secure PIN entry out of the box.
* Reader only: Lenovo ThinkPad T-series built-in: No secure PIN entry available.

#### Resources

* [LWN Article: A comparison of cryptographic keycards](https://lwn.net/Articles/736231/)
* [OpenKeychain Compatibility](https://github.com/open-keychain/open-keychain/wiki/Security-Tokens)

### Using an Existing Smart Card

1. Complete machine setup (above).
2. Import any existing smart card keys (that were set up according to the directions below):

        gpg2 --card-edit
        > fetch
        > quit
        gpg2 --card-status

3. Import any other keys:

        gpg2 --keyserver hkps://keys.openpgp.org --recv-key $KEYID
        gpg2 --keyserver pool.sks-keyservers.net --recv-key $KEYID # Another database to try.
        gpg2 --keyserver pgp.mit.edu --recv-key $KEYID # Another database to try.

4. Add trust to any necessary keys:

        gpg2 --edit-key $KEYID
        gpg> trust
        Your decision? 5
        gpg> quit

### Setting Up a New Smart Card

1. Complete machine setup (above).
1. If it's a YubiKey, enable OpenPGP:

    * For YubiKey Neo or YubiKey 4:

            sudo dnf install ykpers
            ykpersonalize -m6

    * YubiKey 5 seems to ship with OpenPGP enabled. To verify and get other information:

            sudo dnf install -y swig gcc pcsc-lite-devel python-devel # Can be in Fedora Toolbox
            pip install --user yubikey-manager # Can be in Fedora Toolbox
            ykman openpgp info # Must be outside Toolbox to use PC/SC APIs

1. Configure the card, generate a key pair, and upload the key:

        gpg2 --change-pin # Change both the PIN (default is 123456)
                          # and the Admin PIN (default is 12345678).
                          # I use pwgen for the admin PIN.
        gpg2 --card-edit
        gpg/card> admin
        gpg/card> key-attr # On YubiKey firmware 5.2.3+, choose ECC and Curve 25519 for each option. Older keys and firmwares don't support this.
        gpg/card> generate # Perform the off-card backup (which is only a stub private key, anyway).
                           # Use a key size of 3072 for RSA on YubiKey 4. Defaults are fine for NEO and YubiKey 5.
                           # No expiration.
        gpg/card> quit # GPG will then print out data, including the key fingerprint
                       # as a long, alphanumeric string.
        gpg2 --keyserver hkps://keys.openpgp.org --send-keys $FINGERPRINT
        gpg2 --keyserver hkp://pool.sks-keyservers.net --send-keys $FINGERPRINT
        gpg2 --keyserver hkp://pgp.mit.edu --send-keys $FINGERPRINT

    **Note:** Revocation certificates are backed up to `~/.gnupg/openpgp-revocs.d`.

1. Display the public key in OpenSSH format:

        ssh-add -L

1. Optionally, export the "secret key," which will only be a stub (not the actual key, which is not obtainable). This is importable into OpenKeychain on Android.

        gpg2 --export-secret-key --armor $FINGERPRINT > $FINGERPRINT.asc # Back this up, too.

1. After this is finished, the card should work. You should also have `$FINGERPRINT.asc` and `$FINGERPRINT.rev` backed up. Google Drive and Dropbox are usually fine for this backup; these files cannot be used to impersonate or decrypt, only to revoke.

1. To add to Password Store:
    1. Connect one existing key that can already access passwords.
    1. Verify that the existing key is unlocked by accessing a password.
    1. Instruct Password Store to reencrypt to the desired keys:

            pass init $FINGERPRINT [...additional fingerprints...] # Ensure the existing key is connected and unlocked first.

### Testing and Troubleshooting the Setup

When there's an issue, we can narrow the problem down to an individual component or connection.
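The checks below each read `gpg2 --card-status` by eye; this added POSIX sh example (not part of the repository) reads one dump and returns the decision the bullets describe: user PIN still usable, blocked but unblockable with the admin PIN, or admin PIN exhausted too, so the applet needs a reset. It assumes the `PIN retry counter : u r a` and `General key info..: pub  algo/KEYID ...` line formats of GnuPG 2.x and embeds a constructed sample dump.

```shell
#!/bin/sh
# Added example, not from the repository: classify the PIN retry counters
# and extract the key ID from `gpg2 --card-status` output. Every function
# takes the status text as its first argument so it works on a saved dump
# as well as a live card:  card_report "$(gpg2 --card-status)"

# Print the three counters "user reset admin" from a card-status dump.
card_pin_counters() {
    printf '%s\n' "$1" |
        sed -n 's/^PIN retry counter *: *\([0-9]*\) *\([0-9]*\) *\([0-9]*\).*/\1 \2 \3/p'
}

# Exit status follows the troubleshooting steps in this section:
#   0  user PIN still has tries left
#   1  user PIN blocked; the admin PIN (third counter) can unblock it
#      via `gpg2 --card-edit` and `passwd`
#   2  admin PIN exhausted as well: the OpenPGP applet must be reset
#   3  no counter line found (card not detected or not an OpenPGP card)
card_pin_state() {
    counters=$(card_pin_counters "$1")
    [ -n "$counters" ] || return 3
    set -- $counters            # word-split into $1=user $2=reset $3=admin
    [ "$1" -gt 0 ] && return 0
    [ "$3" -gt 0 ] && return 1
    return 2
}

# Long key ID from the "General key info" line, which is what the grep
# chain in the signing test of this section extracts.
card_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/^General key info[^:]*: *pub *[^/]*\/\([[:alnum:]]*\).*/\1/p'
}

# Human-readable verdict; returns the same code as card_pin_state.
card_report() {
    state=0
    card_pin_state "$1" || state=$?
    case $state in
        0) echo "ok: counters $(card_pin_counters "$1"), key $(card_key_id "$1")" ;;
        1) echo "user PIN blocked; unblock with the admin PIN (gpg2 --card-edit, passwd)" ;;
        2) echo "admin PIN exhausted; reset the OpenPGP applet" ;;
        *) echo "no OpenPGP card detected" ;;
    esac
    return $state
}

# Constructed sample (not from a real card): user PIN blocked, admin PIN intact.
SAMPLE_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application type .: OpenPGP
Version ..........: 3.4
PIN retry counter : 0 0 3
Signature counter : 12
General key info..: pub  ed25519/ABCDEF0123456789 2024-01-01 Example User <user@example.com>'

card_report "$SAMPLE_STATUS" || echo "(exit code $?)"
```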
* Test that the GPG agent is running and accessible (after an attempt at use):

        systemctl --user status gpg-agent.service
        ls -l $SSH_AUTH_SOCK

        # Optionally, stop it (which will cause reinitialization on use):
        systemctl --user stop gpg-agent.service

* Test that the standard PIN counter hasn't been exhausted. It's the first number returned here:

        gpg2 --card-status|grep "PIN retry counter"

* If the standard PIN counter has been exhausted, it's possible to unblock it (using `gpg2 --card-edit` with `passwd`) as long as the third number (the management/admin PIN retry counter) wasn't also zero.

* If even the management/admin PIN is exhausted, then the entire GPG module needs to be reset: [YubiKey instructions](https://www.yubico.com/support/knowledge-base/categories/articles/reset-applet-yubikey/)

* Test the GPG-to-smart card connection and key trust. The following should prompt for the regular PIN and succeed:

        FINGERPRINT=`gpg2 --card-status | grep "General key info" | grep -o "/[[:alnum:]]* " | grep -o "[[:alnum:]]*"`
        echo "test" | gpg2 --sign --armor --local-user $FINGERPRINT

* Test the OpenSSH client's connection to the GPG agent. The following should output the SSH public key:

        ssh-add -L

### One-Time or Test Usage of the Agent

1. Open a terminal.
2. If you've restarted your computer since using the agent, start it:

        gpg-agent --daemon --enable-ssh-support

3. In any shell where you want to use it, point OpenSSH to the GPG agent:

        export SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh # Or use the line shown in the output of starting the GPG agent

### Revoking a Key

1. If the key isn't imported locally, follow the "Using an Existing Smart Card" steps first (but skip the "trust" step).
2. If you don't have the revocation certificate (`.rev`) backed up but have the private key:

        gpg2 --gen-revoke --output=$FINGERPRINT.rev $FINGERPRINT

3. Import the revocation:

        gpg2 --import $FINGERPRINT.rev # May need to remove the colon before the five dashes from the file.

4. Publish the revocation:

        gpg2 --keyserver hkps://keys.openpgp.org --send-keys $FINGERPRINT
        gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys $FINGERPRINT
        gpg2 --keyserver hkp://pgp.mit.edu --send-keys $FINGERPRINT

## Go Development

Configure `go get` to use SSH-based authentication:

    git config --global url.git@github.com:.insteadOf https://github.com/

## PHP Development

**This section is not yet updated for Fedora 30 Silverblue.**

1. Install packages:

        sudo dnf install -y nginx mariadb mariadb-server php php-fpm php-mysqlnd php-dbg php-cli php-bcmath php-phpass php-mbstring php-opcache php-gd php-pecl-apcu php-pecl-xdebug

2. Install, start, and configure the database:

        sudo systemctl start mariadb
        mysql_secure_installation

3. Create a directory for web projects (and enable web server access to directories of that type):

        chmod 711 ~
        mkdir ~/public_html
        sudo setsebool -P httpd_enable_homedirs 1 # Enables use of ~/public_html by nginx and PHP-FPM.
        sudo setsebool -P httpd_execmem 1 # Enables PHP's regex compilation.
        sudo setsebool -P httpd_builtin_scripting 1 # Hope to fix: https://bugzilla.redhat.com/show_bug.cgi?id=1510717
        sudo setsebool -P httpd_unified 1 # Same here.
        sudo setsebool -P httpd_enable_cgi 1 # Same here.

4. Add support for `~/public_html` to nginx using `/etc/nginx/default.d/userdir.conf` (the named captures `username` and `path` feed the `$username` and `$path` variables used below):

    ```conf
    location @drupal {
        error_log /var/log/nginx/userdir.log notice;
        #rewrite_log on;
        rewrite ^/~([^/]+)/([^/]+)(.*)\?(.*)$ /~$1/$2/index.php?q=$3&$4;
        rewrite ^/~([^/]+)/([^/]+)(/.*?)$ /~$1/$2/index.php?q=$3;
    }

    location ^~ /~ {
        error_log /var/log/nginx/userdir.log notice;

        location ~ ^/~(?<username>[^/]+)(?<path>/.+\.php)$ {
            root /home/$username/public_html;
            try_files $path =404;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$path;
            fastcgi_param SCRIPT_NAME /~$username$path;
            fastcgi_pass php-fpm;
        }

        location ~ ^/~(?<username>[^/]+)(?<path>/.+?)?$ {
            root /home/$username/public_html;
            try_files $path @drupal;
        }
    }
    ```

5. Configure some PHP-related options:

        echo "apc.rfc1867=1" | sudo tee -a /etc/php.d/40-apcu.ini # Upload progress tracking.

6. Start services for development (each time they're needed):

        sudo systemctl start mariadb php-fpm nginx

7. Use `~/public_html/$PROJECT/` as the web root, accessible via `http://localhost/~$USER/$PROJECT/`.

8. If new files with the wrong context get added, fix the SELinux context:

        restorecon -R ~/public_html

## OpenMW

1. Install the Flatpak:

        flatpak install flathub org.openmw.OpenMW

1. Download the "backup" file from GOG.
1. Extract the backup:

        mkdir morrowind
        mv setup_tes_morrowind_goty_2.0.0.7.exe morrowind/
        cd morrowind
        innoextract setup_tes_morrowind_goty_2.0.0.7.exe
        #mv app/Data\ Files/* ~/.var/app/org.openmw.OpenMW/data/openmw/

## Stable Diffusion

### Setup

    toolbox create stable-diffusion
    toolbox enter stable-diffusion
    sudo dnf upgrade -y
    sudo dnf install -y conda python3-opencv
    git clone git@github.com:CompVis/stable-diffusion.git
    cd stable-diffusion
    conda env create -f environment.yaml
    conda activate ldm
    mkdir -p models/ldm/stable-diffusion-v1/
    # Use the /resolve/ path: the /blob/ path returns the HTML file page, not the checkpoint.
    curl -L https://huggingface.co/CompVis/stable-diffusion-v-1-4-original/resolve/main/sd-v1-4.ckpt > models/ldm/stable-diffusion-v1/model.ckpt

### Operation

    cd ~/stable-diffusion
    python3 scripts/txt2img.py --prompt "a photograph of an astronaut riding a horse" --plms

## BIOS Updates

First, acquire the update. For ThinkPads, use [Lenovo's My Products tool](https://account.lenovo.com/us/en/myproducts), click on the product model (after adding yours), then Top Downloads > View All, and finally the "Bootable CD" ISO.

### USB Thumb Drive Method

1. Install the conversion utility into a Toolbox:

        toolbox enter
        sudo dnf install -y geteltorito

2. Write it to a raw drive image:

        geteltorito -o update.img downloaded.iso

3. Open the `update.img` in the Disks utility and restore it to the USB drive.
4. Boot from that drive.

### GRUB2 EFI Chainloader Method

1. **First time:** setup:

        rpm-ostree install syslinux p7zip p7zip-plugins # And reboot.

        ESPUUID=`sudo grub2-probe --target=fs_uuid /boot/efi/`
        cat >> 40_custom < my-private-key.asc
--------------------------------------------------------------------------------
/gpg.md:
--------------------------------------------------------------------------------
1. Remove the secret key from the local machine:

        gpg2 --delete-secret-key $CERTKEY

## Provision a New Smart Card

1. YubiKey Only: Set the mode:

        sudo ykpersonalize -m6

1. YubiKey Only: Reset the GPG module:

        ykman openpgp reset

1. Set the PIN and admin PIN:

        gpg2 --change-pin # Change both the PIN (default is 123456)
                          # and the Admin PIN (default is 12345678).
                          # I use pwgen for the admin PIN.

1. YubiKey 4+ Only: Configure the key lengths:

        gpg2 --card-edit
        gpg/card> admin
        gpg/card> key-attr # Choose RSA 3072 for each key type.

1. Add the new keys as subkeys on the card:

        gpg2 --edit-key $CERTKEY
        gpg> addcardkey # Repeat for signing, encryption, and authentication.

## Certify an Existing Smart Card

@TODO
--------------------------------------------------------------------------------
/management.md:
--------------------------------------------------------------------------------
# Desktop Management Utilities

This document catalogs potential management utilities for a deployment of Fedora-based desktops.

## Evaluation Criteria

### Requirements
* Reporting on enrolled machine compliance
* Reporting on applied security updates

### Pros
* Operable against SaaS (e.g. hosted Chef, Azure AD) or lightweight cloud services (S3)
* Can remediate security configuration, not just audit
* Has provisioning-friendly design to accelerate new machine setup by IT
* Can configure setups like GPG smart card support and GPG-SSH agent integration
* Can support Windows or Mac desktops as well
* Used by other organizations to manage developer desktops

### Cons
* Requires deployment of a complex, self-managed server (e.g. FreeIPA)

## Utilities

### Fleet Commander

[Homepage](https://fleet-commander.org/)

Fleet Commander provides desktop management in a form similar to Microsoft's Group Policy tools. However, because it stores the data differently than Group Policy, it cannot rely on a standard Windows Server (or Azure AD Domain Services) deployment; it must use FreeIPA. FreeIPA also supports Windows.

### Chef

[Homepage](https://www.chef.io/)

### OpenSCAP

[Guide for Fedora](https://static.open-scap.org/ssg-guides/ssg-fedora-guide-index.html)

### The Foreman

[Homepage](https://theforeman.org/)

The Foreman is primarily based on Puppet and can [aggregate OpenSCAP results](https://github.com/theforeman/foreman_openscap).

### Spacewalk

[Homepage](https://spacewalkproject.github.io/)

Spacewalk seems maintained but mostly deprecated in favor of The Foreman (with Katello).

### SSSD with Active Directory

[Documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-ad)
--------------------------------------------------------------------------------
/openscap-auditing.md:
--------------------------------------------------------------------------------
# OpenSCAP Auditing
--------------------------------------------------------------------------------
/personal.yml:
--------------------------------------------------------------------------------
- hosts: localhost
  tasks:
    - name: Use One Workspace
      dconf:
        key: /org/gnome/desktop/wm/preferences/num-workspaces
        value: 1
    - name: Disable Dynamic Workspaces in GNOME Shell
      dconf:
        key: /org/gnome/shell/overrides/dynamic-workspaces
        value: "false"
    - name: Disable Dynamic Workspaces in Mutter
      dconf:
        key: /org/gnome/mutter/dynamic-workspaces
        value: "false"
    - name: Use 24-hour clock
      dconf:
        key: /org/gnome/desktop/interface/clock-format
        value: "'24h'"
--------------------------------------------------------------------------------
/post_install.yml:
--------------------------------------------------------------------------------
- hosts: localhost
  tasks:
    - name: Install Firefox
      flatpak:
        name: org.mozilla.firefox
    - name: Install File Roller Archive Manager
      flatpak:
        name: org.gnome.FileRoller
    - name: Install Baobab File Usage Analyzer
      flatpak:
        name: org.gnome.baobab
    - name: Install Builder
      flatpak:
        name: org.gnome.Builder
    - name: Install Junction
      flatpak:
        name: re.sonny.Junction
    - name: Install Steam
      flatpak:
        name: com.valvesoftware.Steam
    - name: Install Camera Controls
      flatpak:
        name: hu.irl.cameractrls
    - name: Install the GIMP
      flatpak:
        name: org.gimp.GIMP
    - name: Install Inkscape
      flatpak:
        name: org.inkscape.Inkscape
    - name: Install Meld
      flatpak:
        name: org.gnome.meld
    - name: Install Fragments
      flatpak:
        name: de.haeckerfelix.Fragments
    - name: Install GHex Editor
      flatpak:
        name: org.gnome.GHex
    - name: Install Dconf Editor
      flatpak:
        name: ca.desrt.dconf-editor
    - name: Install GNOME Videos
      flatpak:
        name: org.gnome.Totem
    - name: Install GNU Octave
      flatpak:
        name: org.octave.Octave
    - name: Install LibreOffice
      flatpak:
        name: org.libreoffice.LibreOffice
    - name: Install Fedora Media Writer
      flatpak:
        name: org.fedoraproject.MediaWriter
    - name: Install Tube Converter
      flatpak:
        name: org.nickvision.tubeconverter
    - name: Install Apostrophe Markdown Editor
      flatpak:
        name: org.gnome.gitlab.somas.Apostrophe
    - name: Disable DConf Editor Warning
      dconf:
        key: /ca/desrt/dconf-editor/show-warning
        value: "false"
    - name: Interpret Caps Lock as Ctrl
      dconf:
        key: /org/gnome/desktop/input-sources/xkb-options
        value: "['caps:ctrl_modifier']"
    - name: Use LCD-Style Antialiasing
      dconf:
        key: /org/gnome/desktop/interface/font-antialiasing
        value: "'rgba'"
    - name: Automatically Remove Old Temporary Files
      dconf:
        key: /org/gnome/desktop/privacy/remove-old-temp-files
        value: "true"
    - name: Automatically Remove Old Trash Files
      dconf:
        key: /org/gnome/desktop/privacy/remove-old-trash-files
        value: "true"
    - name: Assume GNOME Software Has Been Used Before
      dconf:
        key: /org/gnome/software/first-run
        value: "false"
    - name: Show Seconds on the Desktop Clock
      dconf:
        key: /org/gnome/desktop/interface/clock-show-seconds
        value: "true"
    - name: Show Weekday on the Desktop Clock
      dconf:
        key: /org/gnome/desktop/interface/clock-show-weekday
        value: "true"
    - name: Use Natural Scrolling
      dconf:
        key: /org/gnome/desktop/peripherals/mouse/natural-scroll
        value: "true"
    - name: Disable All GNOME Extensions
      dconf:
        key: /org/gnome/shell/enabled-extensions
        value: "@as []"
    - name: Configure F12 to Reset and Clear the Terminal
      dconf:
        key: /org/gnome/terminal/legacy/keybindings/reset-and-clear
        value: "'F12'"
    - name: Read Default Terminal Profile
      shell: "gsettings get org.gnome.Terminal.ProfilesList default | tr --delete \"'\""
      register: terminal_default_profile
      tags: register
    - name: Terminal - Unlimited Scrollback
      dconf:
        key: /org/gnome/terminal/legacy/profiles:/:{{ terminal_default_profile.stdout }}/scrollback-unlimited
        value: "true"
      when: not ansible_check_mode
    - name: Create Environment Configuration Directory
      file:
        path: ~/.config/environment.d/
        state: directory
    - name: Create Autostart Configuration Directory
      file:
        path: ~/.config/autostart/
        state: directory
    - name: Disable GNOME Keyring Autostart
      copy:
        dest: "~/.config/autostart/gnome-keyring-ssh.desktop"
        content: |
          [Desktop Entry]
          Type=Application
          Name=SSH Key Agent
          Exec=/usr/bin/true
          Hidden=true
    - name: Configure SSH to Use the GPG Agent
      copy:
        dest: "~/.config/environment.d/50-ssh-agent.conf"
        content: |
          SSH_AGENT_PID=
          SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh
    - name: Create systemd User Session Directory
      file:
        path: ~/.config/systemd/user/
        state: directory
    - name: Create a GPG Agent Service
      copy:
        dest: "~/.config/systemd/user/gpg-agent.service"
        content: |
          [Service]
          ExecStart=/usr/bin/gpg-agent --supervised --enable-ssh-support
          ExecReload=/usr/bin/gpgconf --reload gpg-agent
    - name: Create a GPG Agent Socket
      copy:
        dest: "~/.config/systemd/user/gpg-agent.socket"
        content: |
          [Socket]
          ListenStream=%t/gnupg/S.gpg-agent
          FileDescriptorName=std
          SocketMode=0600
          DirectoryMode=0700

          [Install]
          WantedBy=sockets.target
    - name: Create a GPG SSH Agent Socket
      copy:
        dest: "~/.config/systemd/user/gpg-agent-ssh.socket"
        content: |
          [Socket]
          ListenStream=%t/gnupg/S.gpg-agent.ssh
          FileDescriptorName=ssh
          Service=gpg-agent.service
          SocketMode=0600
          DirectoryMode=0700

          [Install]
          WantedBy=sockets.target
    - name: Reload user-level systemd configuration
      shell: systemctl --user daemon-reload
    - name: Enable and Start the GPG Agent Socket
      systemd:
        name: gpg-agent.socket
        state: started
        enabled: yes
        scope: user
    - name: Enable and Start the GPG SSH Agent Socket
      systemd:
        name: gpg-agent-ssh.socket
        state: started
        enabled: yes
        scope: user
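The playbook above disables gnome-keyring's SSH agent autostart and points `SSH_AUTH_SOCK` at gpg-agent's socket through `environment.d`, which only takes effect at the next login, so a terminal opened in the old session silently keeps using the keyring agent. This added POSIX sh check (not part of the repository; `agent-doctor.sh` is a name chosen here) reads the playbook's `50-ssh-agent.conf`, classifies the socket the current shell uses, and verifies the `0600`/`0700` permissions the socket units request.

```shell
#!/bin/sh
# Added example, not part of the repository: confirm that the session is
# really using the gpg-agent SSH socket that post_install.yml configures.
# Assumes the file and socket paths the playbook writes; save it as
# agent-doctor.sh and run it from a terminal to check the live session.

# Expected SSH_AUTH_SOCK: read it from the environment.d file the playbook
# writes and expand ${XDG_RUNTIME_DIR}. $1 = conf path, $2 = runtime dir.
expected_ssh_sock() {
    sed -n 's/^SSH_AUTH_SOCK=//p' "$1" | sed "s|[$]{XDG_RUNTIME_DIR}|$2|"
}

# Classify the socket a shell is using. $1 = SSH_AUTH_SOCK value, $2 = expected.
#   gpg-agent  the playbook's socket (what we want)
#   keyring    gnome-keyring's socket: the old session is still in use, or
#              the Hidden=true autostart override was not applied
#   unset      no agent at all
#   other      another agent, e.g. a manually started ssh-agent
classify_ssh_sock() {
    case "$1" in
        "")            echo unset ;;
        "$2")          echo gpg-agent ;;
        */keyring/ssh) echo keyring ;;
        *)             echo other ;;
    esac
}

# The socket units ask for SocketMode=0600 in a DirectoryMode=0700 directory;
# anything looser lets other local users talk to the agent. Uses POSIX find
# (exact -perm match) so it needs neither GNU stat nor bash. Returns 0 only
# if both the socket and its directory match.
check_sock_perms() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 600 -print)" ] || return 1
    [ -n "$(find "$(dirname "$1")" -prune -perm 700 -print)" ] || return 1
}

# Put the pieces together for the live session.
agent_doctor() {
    conf="$HOME/.config/environment.d/50-ssh-agent.conf"
    [ -r "$conf" ] || { echo "missing $conf: run post_install.yml first"; return 1; }
    want=$(expected_ssh_sock "$conf" "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}")
    kind=$(classify_ssh_sock "${SSH_AUTH_SOCK:-}" "$want")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-(unset)} [$kind]"
    if [ "$kind" != gpg-agent ]; then
        echo "expected $want; log out and back in so environment.d applies"
        return 1
    fi
    check_sock_perms "$want" || { echo "permissions on $want are not 0600/0700"; return 1; }
    echo "ok: ssh-add -L should now list the card's key"
}

# Only run against the live session when executed as agent-doctor.sh, so the
# functions can also be sourced or exercised on constructed paths.
case "$0" in
    */agent-doctor.sh|agent-doctor.sh) agent_doctor ;;
esac
```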
--------------------------------------------------------------------------------
/windows-game-streaming.md:
--------------------------------------------------------------------------------
# Windows Game Streaming

* NVIDIA Shield streaming server
* Moonlight
* NVIDIA Shield hardware

## Settings App

* Settings > System > Display > Graphics Settings
    * Toggle off "Hardware-Accelerated GPU Scheduling"
* Personalization > Taskbar > Taskbar items
    * Disable "Search"
    * Disable "Copilot"
    * Disable "Widgets"
    * Disable "Chat"

## Registry

TKTK

## Group Policy

1. Winlogon automatic restart sign-on (ARSO)
    1. [Documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)

## Uninstall

* Camera
* OneDrive
* XBox Live
* Maps
* People
* Weather
* Feedback Hub
* Cortana
--------------------------------------------------------------------------------