diff --git a/n/essentialsoftware.md b/n/essentialsoftware.md new file mode 100644 index 0000000..55a6fa9 --- /dev/null +++ b/n/essentialsoftware.md 
@@ -0,0 +1,67 @@ +--- +layout: null +permalink: /n/essentialsoftware.html +sitemap: false +--- + +# Essential software for new systems + +This is just a quick personal reference so I don't have to guess. + + + + +- [Security](#security) +- [Usability](#usability) +- [Offtopic system configuration](#offtopic-system-configuration) + - [Debian-based](#debian-based) + - [SSD](#ssd) + + + +## Security + +- `microcode` - propietary, but otherwise CPU holes are going to be gaping open. Refer to `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*` + - Debian calls this as `amd64-microcode` or `intel-microcode` +- `ufw` for Deb-based or `firewalld` on Fedora +- `sshguard` for mitigating shared systems where others refuse to use keys +- `needrestart` for knowing when updates actually require services to be restarted or a kernel upgrade happens and requires reboot +- `molly-guard` so you won't accidentally `reboot` or `poweroff` production rather than local machine. +- `apt-listchanges` changelogs are worth knowing when updating. +- `apt-listbugs` known bugs are especially nice when performing bigger updates. +- `chrony` - security demands the time to be correct, Chrony supports NTS and is proper NTP server instead of just SNTP like systemd-timesyncd. +- `unbound` - my choice for both DNSSEC validating and DNS-over-TLS, even if I had it connect to upstream dns\[crypt\]proxy +- `unattended-upgrades` or `dnf-automatic` so security updates are at least downloaded if not even directly installed (see configuration and systemd units!) + +## Usability + +- `nvim git tmux zsh` - good luck without these +- if cryptographic operations are taking ages, consider something like `haveged`. It's controversial, so if there are no issues, don't install a random number generator. 
+- `earlyoom` - may avoid frozen systems, much more pleasant than dealing with a frozen system + - remember to `sudo systemctl enable --now earlyoom` +- `zram-tools` - small compressed swap in RAM + - Remember to check configs! Fedora: `/etc/zram.conf` + - `sudo systemctl enable --now zramswap.service zram-swap.service` +- `thermald` for additional help keeping system cool, especially intel + - `sudo systemctl enable --now thermald` +- `vnstat` - help for observing bandwidth usage +- `yggdrasil` - essential for getting through Carrier Grade NAT whether there is IPv6 or not. Also gives static internal IPv6 reducing need for dynamic DNS. +- `tlp` - for laptop power management, especially ThinkPad. + - `sudo tlp-stat | less` + - `sudo systemctl enable --now tlp` + +## Offtopic system configuration + +This is just too close to not mention here (and was besides in my planning issue): + +### Debian-based + +- `sudo dpkg-reconfigure console-setup` + - ensure UTF-8 and select Terminus +- `sudo dpkg-reconfigure keyboard-configuration` + - compose key + +### SSD + +- `sudo systemctl enable --now fstrim.timer` +- check that `/etc/fstab` has `noatime` so every file access isn't written to the disk. BTRFS filesystems should also have `ssd` flag.
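Review bot: The `unattended-upgrades` / `dnf-automatic` bullet at the end of the Security list defers to "(see configuration and systemd units!)" without naming any of them, although the page's stated purpose is "so I don't have to guess". The bullet itself says updates are "at least downloaded if not even directly installed", so the setting that decides between download-only and install is exactly what needs recording. Suggest listing the configuration file and the timer or service units to enable for each of the two tools, in the same style as the `sudo systemctl enable --now ...` sub-bullets under Usability. In the same vein, the `zram-tools` sub-bullet `sudo systemctl enable --now zramswap.service zram-swap.service` names two units in one command while the line above gives only the Fedora config path. If these are per-distribution unit names, split them into labelled lines the way `ufw` "for Deb-based" and `firewalld` "on Fedora" are split, so the command does not reference a unit that is absent on the machine at hand. Minor: "propietary" in the `microcode` bullet should be "proprietary", and the `sshguard` bullet would read more clearly if it said what is being mitigated on those shared systems.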