mikaela.github.io/n/essentialsoftware.md

4.2 KiB
Raw Blame History

Essential software for new systems

{{ page.excerpt }}

Automaattinen sisällysluettelo / Automatically generated Table of Contents

Security

  • microcode - propietary, but otherwise CPU holes are going to be gaping open. Refer to tail -n +1 /sys/devices/system/cpu/vulnerabilities/*
    • Debian calls this as amd64-microcode or intel-microcode
  • ufw for Deb-based or firewalld on Fedora
  • sshguard for mitigating shared systems where others refuse to use keys
  • needrestart for knowing when updates actually require services to be restarted or a kernel upgrade happens and requires reboot
  • molly-guard so you wont accidentally reboot or poweroff production rather than local machine.
  • apt-listchanges changelogs are worth knowing when updating.
  • apt-listbugs known bugs are especially nice when performing bigger updates.
  • chrony - security demands the time to be correct, Chrony supports NTS and is proper NTP server instead of just SNTP like systemd-timesyncd.
    • alternatively configure systemd-timesyncd
  • unbound - my choice for both DNSSEC validating and DNS-over-TLS, even if I had it connect to upstream dns[crypt]proxy
    • alternatively configure systemd-resolved. Simultaneously systemd-networkd may be a good idea.
  • unattended-upgrades or dnf-automatic so security updates are at least downloaded if not even directly installed (see configuration and systemd units!)
    • if dnf-automatic, consider sudo systemctl enable dnf-automatic-install.{timer,service} or at least sudo systemctl enable dnf-automatic-download.{timer,service}

Usability

  • nvim git tmux zsh - good luck without these
  • if cryptographic operations are taking ages, consider something like haveged. Its controversial, so if there are no issues, dont install a random number generator.
  • userspace oom killer, may avoid frozen systems, much more pleasant than actually having to deal with a frozen system.
    • earlyoom
      • remember to sudo systemctl enable --now earlyoom
    • systemd-oomd
      • remember to sudo systemctl enable --now systemd-oomd
  • zram-tools - small compressed swap in RAM
    • Remember to check configs! Fedora: /etc/zram.conf
    • sudo systemctl enable --now zramswap.service zram-swap.service
  • thermald for additional help keeping system cool, especially intel
    • sudo systemctl enable --now thermald
  • vnstat - help for observing bandwidth usage
  • yggdrasil - essential for getting through Carrier Grade NAT whether there is IPv6 or not. Also gives static internal IPv6 reducing need for dynamic DNS.
  • tlp - for laptop power management, especially ThinkPad.
    • sudo tlp-stat | less
    • sudo systemctl enable --now tlp

Offtopic system configuration

This is just too close to not mention here (and was besides in my planning issue):

Debian-based

  • sudo dpkg-reconfigure console-setup
    • ensure UTF-8 and select Terminus
  • sudo dpkg-reconfigure keyboard-configuration
    • compose key

SSD

  • sudo systemctl enable --now fstrim.timer
  • check that /etc/fstab has noatime so every file access isnt written to the disk. BTRFS filesystems should also have ssd flag.
    • NEVER ENABLE atime, relatime or norelatime under the threat of suffering especially on BTRFS. I have been doing fine without it for years, it will not help any issue, unless you want read operations to cause writes and eat space…