diff --git a/README.md b/README.md index b449b77..0ac6795 100644 --- a/README.md +++ b/README.md 
@@ -29,13 +29,23 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move - ✅ Development environment setup completed - Next: Network domain setup and self-hosted services -## Documentation & TODO Lists +## Documentation Structure -**[troubleshooting.md](troubleshooting.md)** - General troubleshooting for any issues found +### Quick Start Guide +1. **System Setup**: Follow [system-setup.md](system-setup.md) for Arch installation and configuration +2. **Network Security**: Configure SSH, DNS, and VPN using [network-security.md](network-security.md) +3. **Services**: Plan and deploy applications from [services.md](services.md) +4. **Tasks**: Track progress in [TODO.md](TODO.md) +5. **Issues**: Find solutions in [troubleshooting.md](troubleshooting.md) -- [x] **[arch-install-notes.md](arch-install-notes.md)** - Installation process and core system setup -- [ ] **[arch-linux-setup.md](arch-linux-setup.md)** - General Arch Linux configuration tasks -- [ ] **[yadm-setup-notes.md](yadm-setup-notes.md)** - Dotfiles management and development environment setup -- [ ] **[ssh-setup-guide.md](ssh-setup-guide.md)** - SSH configuration and security hardening -- [ ] **[network-planning.md](network-planning.md)** - Network setup, DNS, and security planning -- [ ] **[self-hosted-services.md](self-hosted-services.md)** - Planning for git hosting and cloud storage +### Documentation Files +- **[system-setup.md](system-setup.md)** - Complete Arch Linux installation, TTY config, desktop setup +- **[network-security.md](network-security.md)** - SSH hardening, DuckDNS, WireGuard VPN, firewall setup +- **[services.md](services.md)** - Self-hosted services: Git hosting, cloud storage, media server +- **[TODO.md](TODO.md)** - Centralized task list with progress tracking by category +- **[troubleshooting.md](troubleshooting.md)** - Hardware issues, software problems, and solutions + +### Current Configuration +- **System**: Arch Linux with XFCE desktop, ter-124b 
TTY font, Colemak layout +- **Security**: SSH hardened, DuckDNS configured (ak-homelab.duckdns.org) +- **Development**: yadm dotfiles, tmux with temperature monitoring, zsh with proper history diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..df4fb4f --- /dev/null +++ b/TODO.md 
@@ -0,0 +1,59 @@ +# Homelab TODO List + +## High Priority +- [x] Reorganize documentation structure *(completed - new file structure)* +- [ ] Configure WireGuard VPN server for secure remote access +- [ ] Set up firewall rules and port forwarding + +## Network & Security +- [x] DuckDNS dynamic DNS setup *(completed - ak-homelab.duckdns.org)* +- [x] SSH security hardening *(documented in network-security.md)* +- [ ] WireGuard VPN server configuration +- [ ] Router port forwarding configuration +- [ ] UFW firewall setup and rules +- [ ] fail2ban for intrusion prevention + +## System Configuration +- [x] Arch Linux installation and basic setup *(completed)* +- [x] TTY configuration with ter-124b font *(completed)* +- [x] Caps lock → backspace mapping in TTY *(completed)* +- [x] Dotfiles management with yadm *(completed)* +- [x] Temperature monitoring in tmux *(completed)* +- [x] Zsh history sharing between sessions *(completed)* +- [ ] Fix TTY colors for better code readability +- [ ] Configure automatic system backups + +## Desktop & Applications +- [ ] Add windows-like bottom panel icons +- [ ] Install additional browsers as backup +- [ ] Add dmenu run shortcut +- [ ] Later: Test awesomewm once again, consider migration +- [x] Install Deskflow for multi-device setup +- [ ] Mount and configure /data drive +- [ ] Copy backups from USB drives + * Not sure if necessary, some files may already be on the PC + * [ ] First: Do a bit of "duplication check" across various devices and USBs, make a plan of what to store where + +## Services & Self-Hosting +- [ ] Install and configure Gitea for Git hosting +- [ ] Set up Nextcloud for file synchronization + - Consider alternative: Copyparty, Owncloud, maybe some others +- [ ] Configure Jellyfin media server + - Also check alternatives, decide if it's needed at all +- [ ] Implement monitoring stack (Prometheus/Grafana) + - Also consider alternatives, make setup simple and FOSS only +- [ ] Set up reverse proxy with SSL certificates 
+ +## Hardware & Troubleshooting +- [ ] Fix bluetooth audio connectivity issues +- [ ] Investigate tmux battery indicator missing until config reload +- [x] Figure out drag and drop window tiling solution -> workaround with keyboard shortcuts +- [ ] Install multimedia codecs and applications +- [ ] Set up printer/scanner support if needed + +## Security & Maintenance +- [ ] Configure automatic security updates +- [ ] Set up system monitoring and alerting +- [ ] Implement backup strategy for services +- [ ] Regular security audit and updates +- [ ] Document recovery procedures diff --git a/arch-install-notes.md b/arch-install-notes.md deleted file mode 100644 index c6f5900..0000000 --- a/arch-install-notes.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# Arch Linux Installation Notes - -## Pre-Installation Checklist -- [x] Download Arch Linux ISO -- [x] Create bootable USB drive -- [x] Backup any important data on ThinkPad -- [x] Note ThinkPad hardware specs for driver compatibility - -## Installation Steps -### Boot and Initial Setup -- [x] Boot from USB -- [x] Set keyboard layout if needed: `loadkeys us` -- [x] Verify UEFI boot: `ls /sys/firmware/efi/efivars` -- [x] Connect to internet (wifi-menu or ethernet) - -### Partitioning -- [x] List disks: `fdisk -l` -- [x] Create partitions (EFI, swap, root) -- [x] Format partitions -- [x] Mount filesystems - -### Base System Installation -- [x] Update package database: `pacman -Sy` -- [x] Install base system: `pacstrap /mnt base linux linux-firmware` -- [x] Generate fstab: `genfstab -U /mnt >> /mnt/etc/fstab` -- [x] Chroot: `arch-chroot /mnt` - -### System Configuration -- [x] Set timezone -- [x] Configure locale -- [x] Set hostname -- [x] Configure network -- [x] Set root password -- [x] Install bootloader (GRUB) -- [x] Create user account with sudo privileges - -## Post-Installation Priorities -- [x] Install SSH server: `pacman -S openssh` -- [x] Enable SSH service: `systemctl enable sshd` -- [x] Create user account with proper sudo access -- [x] Basic network configuration - -See [arch-linux-setup.md](arch-linux-setup.md) for comprehensive post-installation tasks. diff --git a/arch-linux-setup.md b/arch-linux-setup.md deleted file mode 100644 index 9e7e120..0000000 --- a/arch-linux-setup.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Arch Linux General Setup Tasks - -## Package Management & System Setup -- [x] Install essential packages (git, base-devel) -- [x] Set up AUR access (yay/paru) -- [ ] Configure automatic system backups with Timeshift -- [ ] Install and configure firewall (ufw) -- [ ] Set up system monitoring tools - -## Development Environment -- [x] Install and configure yadm: `pacman -S yadm` -- [x] Clone dotfiles: `yadm clone git@gitlab.com:akrejczinger/dotfiles.git` -- [x] Set up preferred shell and terminal (zsh with vi-mode, comprehensive config) -- [x] Install development tools and configure submodules (nvim, tmux, ranger) - -## Desktop Environment & Applications -- [ ] Install Deskflow for multi-device setup -- [x] Configure XFCE settings and themes (Greybird-dark, Papirus-Maia icons) -- [ ] Install multimedia codecs and applications -- [ ] Set up printer/scanner support if needed -- [ ] Copy backups from USBs etc. -- [ ] Mount the /data drive and check if all files still work - Not sure which nvme drive it is, see paper notes at my desk - -## Security & Maintenance -- [ ] Configure automatic updates - Is this a good idea? I should periodically update manually -- [ ] Set up fail2ban for intrusion prevention -- [ ] Create regular maintenance scripts -- [ ] Configure log rotation and cleanup - -## Hardware-Specific (ThinkPad) -- [x] Install ThinkPad-specific utilities -- [ ] Configure power management -- [x] Set up function key mappings -- [x] Test hardware components (WiFi, Bluetooth, etc.) diff --git a/network-planning.md b/network-planning.md deleted file mode 100644 index 7cbb839..0000000 --- a/network-planning.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Network Planning - -## Current Network Setup -- Document your current router/modem setup -- Note internal IP range (usually 192.168.1.x or 10.0.0.x) - -## SSH Access Planning -### Local Network Access -- [ ] Assign static IP to ThinkPad -- [ ] Configure SSH key authentication -- [ ] Test SSH from WSL machine - -### External Access (Optional) -- [ ] Research dynamic DNS services (DuckDNS, No-IP) -- [ ] Configure router port forwarding (if needed) -- [ ] Set up VPN for secure remote access - -## Domain Setup Options -### Local Domain -- [ ] Configure local DNS (Pi-hole, router settings) -- [ ] Use .local domain for internal services - -### Public Domain -- [ ] Register domain name -- [ ] Configure DNS records -- [ ] Set up reverse proxy (nginx, Caddy) - -## Security Considerations -- [ ] Change default SSH port -- [ ] Disable root SSH login -- [ ] Configure fail2ban -- [ ] Set up firewall rules (iptables/ufw) -- [ ] Regular security updates \ No newline at end of file diff --git a/network-security.md b/network-security.md new file mode 100644 index 0000000..2951240 --- /dev/null +++ b/network-security.md 
@@ -0,0 +1,232 @@ +# Network & Security Configuration + +Complete guide for securing and networking your homelab. + +## SSH Security Setup + +### Initial Configuration +```bash +# Generate SSH key pair +ssh-keygen -t ed25519 -C "homelab-key" -f ~/.ssh/homelab_ed25519 + +# Copy public key to target +ssh-copy-id -i ~/.ssh/homelab_ed25519.pub user@target +``` + +### SSH Hardening +Edit `/etc/ssh/sshd_config`: +``` +# Disable root login +PermitRootLogin no + +# Use key-based authentication only +PasswordAuthentication no +PubkeyAuthentication yes + +# Change default port (optional) +Port 2222 + +# Restrict users +AllowUsers hoborg + +# Security settings +Protocol 2 +X11Forwarding no +AllowTcpForwarding no +ClientAliveInterval 300 +ClientAliveCountMax 2 +MaxAuthTries 3 +MaxStartups 2 +``` + +Restart SSH: `sudo systemctl restart sshd` + +### SSH Client Configuration +Create `~/.ssh/config`: +``` +Host homelab + HostName your-domain.duckdns.org + User hoborg + Port 2222 + IdentityFile ~/.ssh/homelab_ed25519 + ServerAliveInterval 60 +``` + +## Dynamic DNS with DuckDNS + +### Account Setup +1. Create account at duckdns.org +2. Create subdomain: `ak-homelab.duckdns.org` +3. 
Get token from dashboard + +### Automatic IP Updates +Update script at `~/.local/scripts/duckdns.py` (Python implementation) + +Cron job for automatic updates: +```bash +# Update every 5 minutes +*/5 * * * * /home/hoborg/.local/scripts/duckdns.py >/dev/null 2>&1 +``` + +### Testing +```bash +# Check current IP +curl -s https://ipinfo.io/ip + +# Verify DNS resolution +nslookup ak-homelab.duckdns.org +``` + +## VPN Setup with WireGuard + +### Server Configuration +Install WireGuard: `pacman -S wireguard-tools` + +Generate keys: +```bash +wg genkey | tee server_private.key | wg pubkey > server_public.key +``` + +Server config `/etc/wireguard/wg0.conf`: +```ini +[Interface] +PrivateKey = +Address = 10.0.0.1/24 +ListenPort = 51820 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE + +[Peer] +PublicKey = +AllowedIPs = 10.0.0.2/32 +``` + +### Client Configuration +Generate client keys: +```bash +wg genkey | tee client_private.key | wg pubkey > client_public.key +``` + +Client config: +```ini +[Interface] +PrivateKey = +Address = 10.0.0.2/24 +DNS = 1.1.1.1 + +[Peer] +PublicKey = +Endpoint = ak-homelab.duckdns.org:51820 +AllowedIPs = 0.0.0.0/0 +PersistentKeepalive = 25 +``` + +### Enable VPN +```bash +sudo systemctl enable wg-quick@wg0 +sudo systemctl start wg-quick@wg0 +``` + +## Firewall Configuration + +### UFW Setup +```bash +# Install and enable UFW +pacman -S ufw +sudo ufw enable + +# Default policies +sudo ufw default deny incoming +sudo ufw default allow outgoing + +# SSH access +sudo ufw allow 2222/tcp + +# WireGuard +sudo ufw allow 51820/udp + +# HTTP/HTTPS for services +sudo ufw allow 80/tcp +sudo ufw allow 443/tcp +``` + +### Advanced Rules +```bash +# Rate limiting for SSH +sudo ufw limit 2222/tcp + +# Allow from specific networks +sudo ufw 
allow from 192.168.1.0/24 to any port 22 + +# Log denied connections +sudo ufw logging on +``` + +## Network Security Best Practices + +### Port Management +- **Change default ports**: SSH (2222), WireGuard (51820) +- **Close unused ports**: Regular port scans with nmap +- **Port forwarding**: Only forward necessary ports + +### Access Control +- **VPN-first approach**: Access services through VPN tunnel +- **IP whitelisting**: Restrict access to known IPs when possible +- **Rate limiting**: Prevent brute force attacks + +### Monitoring +- **Log analysis**: Monitor `/var/log/auth.log` for SSH attempts +- **Network monitoring**: Use netstat/ss to check listening ports +- **Intrusion detection**: Consider fail2ban for automated blocking + +## Router Configuration + +### Port Forwarding +Forward these ports to your homelab server: +- SSH: External port → Internal 2222 +- WireGuard: 51820 → 51820 +- Web services: 80/443 → 80/443 (if needed) + +### Security Settings +- **Disable WPS**: Turn off WiFi Protected Setup +- **Strong WiFi password**: WPA3 with complex passphrase +- **Guest network**: Separate network for guests +- **Firmware updates**: Keep router firmware current + +## Network Planning + +### IP Address Scheme +- **Router**: 192.168.1.1 +- **Homelab server**: 192.168.1.100 (static) +- **DHCP range**: 192.168.1.10-99 +- **VPN subnet**: 10.0.0.0/24 + +### DNS Configuration +- **Primary DNS**: Router (192.168.1.1) +- **Secondary DNS**: 1.1.1.1, 8.8.8.8 +- **Local domain**: homelab.local +- **Dynamic DNS**: ak-homelab.duckdns.org + +### Service Architecture +``` +Internet → Router → Homelab Server + ↓ + ┌─────────────────────────────┐ + │ SSH (2222) │ + │ WireGuard VPN (51820) │ + │ Web Services (80/443) │ + │ Monitoring & Logging │ + └─────────────────────────────┘ +``` + +## Backup and Recovery + +### Configuration Backups +- **SSH keys**: Store securely, separate from server +- **WireGuard configs**: Document peer configurations +- **Firewall rules**: Export 
UFW rules with `ufw status numbered` + +### Network Documentation +- **IP mappings**: Document static assignments +- **Port forwards**: List all forwarded ports and purposes +- **Access credentials**: Secure storage of passwords/keys \ No newline at end of file diff --git a/self-hosted-services.md b/self-hosted-services.md deleted file mode 100644 index 4351389..0000000 --- a/self-hosted-services.md +++ /dev/null @@ -1,46 +0,0 @@ -# Self-Hosted Services Planning - -## Git Repository Hosting -### Options to Research -- **Gitea**: Lightweight, Go-based, minimal resource usage -- **Forgejo**: Gitea fork, community-driven development -- **GitLab CE**: Feature-rich but more resource intensive -- **Gogs**: Simple, lightweight alternative - -### Requirements -- [ ] Web interface for repository management -- [ ] Git over SSH and HTTPS -- [ ] User management and permissions -- [ ] Issue tracking (optional) -- [ ] CI/CD integration (future consideration) - -### Installation Considerations -- Docker deployment vs native installation -- Database requirements (SQLite vs PostgreSQL) -- Reverse proxy setup for HTTPS -- Backup strategy for repositories - -## Cloud Storage Solutions -### Options to Research -- **Nextcloud**: Full-featured, extensive app ecosystem -- **ownCloud**: Original project, stable and mature -- **Seafile**: Performance-focused file sync -- **Syncthing**: Decentralized sync (no server needed) - -### Requirements -- [ ] File synchronization across devices -- [ ] Web interface for file management -- [ ] Mobile app support -- [ ] Calendar and contacts sync -- [ ] Document editing (optional) - -## Service Integration -- Single sign-on between services -- Shared storage for configuration backups -- Monitoring and logging setup -- Automated backups and disaster recovery - -## Resource Planning -- Estimate RAM and storage requirements -- Consider containerization with Docker/Podman -- Plan for service discovery and networking \ No newline at end of file 
diff --git a/services.md b/services.md new file mode 100644 index 0000000..6292440 --- /dev/null +++ b/services.md 
@@ -0,0 +1,223 @@ +# Services & Applications + +Planning and configuration for self-hosted services and applications. + +## Git Repository Hosting + +### Service Options +- **Gitea**: Lightweight, Go-based, minimal resource usage ✅ *Recommended* +- **Forgejo**: Gitea fork, community-driven development +- **GitLab CE**: Feature-rich but more resource intensive +- **Gogs**: Simple, lightweight alternative + +### Gitea Installation +```bash +# Create gitea user +sudo useradd -r -s /bin/false -d /var/lib/gitea gitea + +# Download and install +wget https://dl.gitea.io/gitea/latest/gitea-linux-amd64 +sudo mv gitea-linux-amd64 /usr/local/bin/gitea +sudo chmod +x /usr/local/bin/gitea + +# Create directories +sudo mkdir -p /var/lib/gitea/{custom,data,log} +sudo chown -R gitea:gitea /var/lib/gitea/ +sudo chmod -R 750 /var/lib/gitea/ +``` + +### Configuration +- **Database**: SQLite for simplicity, PostgreSQL for production +- **Port**: 3000 (internal), reverse proxy for HTTPS +- **SSH**: Port 2222 for git operations +- **Features**: Web interface, issue tracking, organizations + +## Cloud Storage Solutions + +### Service Options +- **Copyparty**: Quite new self-hosted file storage solution, must investigate! +- **Nextcloud**: Full-featured, extensive app ecosystem ✅ *Recommended* +- **ownCloud**: Original project, stable and mature +- **Seafile**: Performance-focused file sync +- **Syncthing**: Decentralized sync (no server needed) + +### Nextcloud Installation +```bash +# Via snap (recommended) +sudo snap install nextcloud + +# Or via Docker +docker run -d \ + --name nextcloud \ + -p 8080:80 \ + -v nextcloud_data:/var/www/html \ + nextcloud +``` +Personal notes: Not a fan of snap, isn't there an AUR package? 
+Go with docker otherwise + +### Features +- File synchronization across devices +- Video files, game installers -> high prio +- Self-hosted git mirrors of favorite FOSS projects -> medium prio +- Calendar and contacts (CalDAV/CardDAV) -> low prio +- Document editing (OnlyOffice/Collabora) -> low prio +- Photo management and sharing -> low prio +- Mobile apps available? + +## Media Management + +### Jellyfin Media Server +```bash +# Install via AUR +yay -S jellyfin-server jellyfin-web + +# Enable service +sudo systemctl enable jellyfin +sudo systemctl start jellyfin +``` + +Configuration: +- **Port**: 8096 (web interface) +- **Media paths**: `/data/movies`, `/data/tv`, `/data/music` +- **Transcoding**: Hardware acceleration if available + +### Photo Management +- **PhotoPrism**: AI-powered photo management +- **Immich**: Modern photo backup solution +- **LibrePhotos**: Privacy-focused alternative + +## Monitoring & Logging + +### System Monitoring +```bash +# Prometheus + Grafana stack +docker-compose up -d prometheus grafana node-exporter +``` + +### Log Management +- **Centralized logging**: rsyslog or journald +- **Log rotation**: logrotate configuration +- **Analysis**: grep, awk, or ELK stack for advanced needs + +### Health Checks +- **Uptime monitoring**: Simple HTTP checks +- **Service status**: systemd service monitoring +- **Disk space**: Automated alerts for low space + +## Containerization Strategy + +### Docker Setup +```bash +# Install Docker +pacman -S docker docker-compose +sudo systemctl enable docker + +# Add user to docker group +sudo usermod -aG docker hoborg +``` + +### Container Management +- **Orchestration**: Docker Compose for multi-service apps +- **Storage**: Named volumes for persistent data +- **Networking**: Custom networks for service isolation +- **Updates**: Watchtower for automated updates + +## Reverse Proxy Configuration + +### Nginx Setup +```bash +# Install nginx +pacman -S nginx certbot certbot-nginx + +# Basic configuration 
+server { + server_name ak-homelab.duckdns.org; + + location /gitea/ { + proxy_pass http://localhost:3000/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + location /nextcloud/ { + proxy_pass http://localhost:8080/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} +``` + +### SSL Certificates +```bash +# Let's Encrypt via certbot +sudo certbot --nginx -d ak-homelab.duckdns.org +``` + +## Backup Strategy + +### Configuration Backups +- **Service configs**: Docker volumes, /etc configs +- **Database dumps**: Regular automated backups +- **Storage**: External drive or cloud backup + +### Automated Backups +```bash +#!/bin/bash +# backup-services.sh +DATE=$(date +%Y%m%d) + +# Backup Gitea +tar -czf /backup/gitea-$DATE.tar.gz /var/lib/gitea/ + +# Backup Nextcloud data +rsync -av /var/snap/nextcloud/common/nextcloud/data/ /backup/nextcloud-$DATE/ + +# Database backup +sudo -u postgres pg_dump gitea > /backup/gitea-db-$DATE.sql +``` + +## Resource Planning + +### Hardware Requirements +- **RAM**: 4GB minimum, 8GB recommended +- **Storage**: + - System: 50GB SSD + - Data: 1TB+ HDD for media/files +- **Network**: Gigabit Ethernet preferred + +### Service Resource Usage +| Service | RAM | CPU | Storage | Port | +|---------|-----|-----|---------|------| +| Gitea | 200MB | Low | 5GB+ | 3000 | +| Nextcloud | 512MB | Medium | 10GB+ | 8080 | +| Jellyfin | 1GB | High* | Media | 8096 | +| Monitoring | 500MB | Low | 2GB | 3000/9090 | + +*High during transcoding + +## Security Considerations + +### Service Hardening +- **Regular updates**: Automated security patches +- **Access control**: VPN-only access when possible +- **Authentication**: Strong passwords, 2FA where available +- **Network isolation**: Separate VLANs or containers + +### Data Protection +- **Encryption**: Full disk encryption (LUKS) +- **Backups**: Encrypted offsite backups +- **Access logs**: Monitor service access patterns +- **Fail2ban**: Automatic 
IP blocking for repeated failures + +## Future Expansion + +### Additional Services to Consider +- **Home Assistant**: ABSOLUTELY NOT +- **Bitwarden/Vaultwarden**: Password management + - How is this better than keepassxc + filesync? +- **Pi-hole**: Network-wide ad blocking +- **Wireguard UI**: Web interface for VPN management +- **Bookstack**: Documentation wiki + - What is this for? How does it compare to Logseq? +- **FreshRSS**: RSS feed aggregator diff --git a/ssh-setup-guide.md b/ssh-setup-guide.md deleted file mode 100644 index 2ed5015..0000000 --- a/ssh-setup-guide.md +++ /dev/null 
@@ -1,207 +0,0 @@ -# SSH Connection Setup Guide - -## On the Arch Linux ThinkPad (Server Side) - -### 1. Install and Enable SSH Server -```bash -# Install OpenSSH -sudo pacman -S openssh - -# Enable and start SSH service -sudo systemctl enable sshd -sudo systemctl start sshd - -# Check if SSH is running -sudo systemctl status sshd -``` - -### 2. Configure SSH Server -```bash -# Edit SSH configuration -sudo nano /etc/ssh/sshd_config - -# Recommended security settings: -# Port 22 (or change to custom port) -# PermitRootLogin no -# PasswordAuthentication yes (initially, then switch to key-based) -# PubkeyAuthentication yes - -# Restart SSH after configuration changes -sudo systemctl restart sshd -``` - -### 3. Get the ThinkPad's IP Address -```bash -# Find local IP address -ip addr show -# or -hostname -I -``` - -### 4. Configure Firewall (if using ufw) -```bash -# Install and enable firewall -sudo pacman -S ufw -sudo ufw enable - -# Allow SSH connections -sudo ufw allow ssh -# or for custom port: sudo ufw allow 2222 -``` - -## On WSL/Windows PC (Client Side) - -### 1. Generate SSH Key Pair (if not already done) -```bash -# Generate new SSH key -ssh-keygen -t ed25519 -C "your-email@example.com" - -# Or use RSA if ed25519 not supported -ssh-keygen -t rsa -b 4096 -C "your-email@example.com" - -# Keys will be saved to ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub -``` - -### 2. Copy Public Key to ThinkPad -```bash -# Method 1: Using ssh-copy-id (easiest) -ssh-copy-id username@thinkpad-ip-address - -# Method 2: Manual copy -cat ~/.ssh/id_ed25519.pub | ssh username@thinkpad-ip-address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" - -# Method 3: SCP the key file -scp ~/.ssh/id_ed25519.pub username@thinkpad-ip-address:~/.ssh/authorized_keys -``` - -### 3. Test SSH Connection -```bash -# Connect using password initially -ssh username@thinkpad-ip-address - -# After key setup, should connect without password -ssh username@thinkpad-ip-address -``` - -### 4. 
Create SSH Config for Easy Access -```bash -# Edit SSH config -nano ~/.ssh/config - -# Add entry for ThinkPad -Host thinkpad - HostName thinkpad-ip-address - User your-username - Port 22 - IdentityFile ~/.ssh/id_ed25519 - -# Now you can connect with: ssh thinkpad -``` - -## Security Hardening (After Key-Based Auth Works) - -### On ThinkPad: -```bash -# Edit SSH config to disable password authentication -sudo nano /etc/ssh/sshd_config - -# Basic hardening settings: -# PasswordAuthentication no -# PermitEmptyPasswords no -# ChallengeResponseAuthentication no -# PermitRootLogin no -# Protocol 2 - -# Advanced hardening (optional): -# Port 2222 # Change from default port 22 -# MaxAuthTries 3 -# ClientAliveInterval 300 -# ClientAliveCountMax 2 -# AllowUsers your-username # Restrict to specific users - -# Restart SSH -sudo systemctl restart sshd -``` - -### Additional Security Steps: -- [ ] **Change SSH port**: Edit `Port 22` to custom port (e.g., `Port 2222`) -- [ ] **Install fail2ban**: `sudo pacman -S fail2ban && sudo systemctl enable fail2ban` -- [ ] **Configure firewall**: Update ufw rules for new SSH port if changed -- [ ] **Set up dynamic DNS**: For remote access (DuckDNS, No-IP, Cloudflare) -- [ ] **Consider VPN**: For secure remote access instead of exposing SSH - -## Setting Up Hostname Resolution - -### Method 1: Using /etc/hosts (Simple, Local Only) - -#### On WSL/Linux: -```bash -# Edit hosts file -sudo nano /etc/hosts - -# Add entry for ThinkPad -192.168.1.100 thinkpad -192.168.1.100 thinkpad.local - -# Now you can use: ssh username@thinkpad -``` - -#### On Windows: -```cmd -# Edit hosts file (run as Administrator) -notepad C:\Windows\System32\drivers\etc\hosts - -# Add the same entries: -192.168.1.100 thinkpad -192.168.1.100 thinkpad.local -``` - -### Method 2: Set Static Hostname on ThinkPad -```bash -# On ThinkPad, set a memorable hostname -sudo hostnamectl set-hostname thinkpad - -# Edit /etc/hosts on ThinkPad to include itself -sudo nano /etc/hosts -# 
Add: 127.0.0.1 thinkpad thinkpad.local -``` - -### Method 3: Router-Level DNS (Best for Multiple Devices) -- Access your router's admin panel (usually 192.168.1.1 or 192.168.0.1) -- Look for "DHCP Reservations" or "Static IP" settings -- Assign a static IP to ThinkPad's MAC address -- Set hostname in router's DNS settings - -### Update SSH Config -```bash -# Update ~/.ssh/config to use hostname -nano ~/.ssh/config - -Host thinkpad - HostName thinkpad # or thinkpad.local - User your-username - Port 22 - IdentityFile ~/.ssh/id_ed25519 -``` - -## Troubleshooting - -### Common Issues: -- **Connection refused**: Check if sshd is running, firewall allows SSH -- **Permission denied**: Verify username/password, check authorized_keys permissions -- **Key not working**: Ensure correct permissions on ~/.ssh (700) and authorized_keys (600) - -### Debug Commands: -```bash -# Check SSH service status -sudo systemctl status sshd - -# View SSH logs -sudo journalctl -u sshd - -# Test SSH config -sudo sshd -t - -# Connect with verbose output -ssh -v username@thinkpad-ip-address -``` \ No newline at end of file diff --git a/system-setup.md b/system-setup.md new file mode 100644 index 0000000..e17ffe7 --- /dev/null +++ b/system-setup.md 
@@ -0,0 +1,158 @@ +# System Setup Guide + +Complete guide for Arch Linux installation and system configuration. + +## Initial Installation + +### Pre-installation +1. Boot from Arch ISO +2. Verify boot mode: `ls /sys/firmware/efi/efivars` +3. Connect to internet: `iwctl` for WiFi +4. Update system clock: `timedatectl set-ntp true` + +### Disk Preparation +1. List disks: `fdisk -l` +2. Partition the disk: `cfdisk /dev/sdX` + - EFI partition: 512M, type EFI System + - Root partition: remaining space, type Linux filesystem +3. Format partitions: + ```bash + mkfs.fat -F32 /dev/sdX1 # EFI + mkfs.ext4 /dev/sdX2 # Root + ``` +4. Mount filesystems: + ```bash + mount /dev/sdX2 /mnt + mkdir /mnt/boot + mount /dev/sdX1 /mnt/boot + ``` +Current partition setup is a quite fragmented leftover from my dual-booting days. Later we should wipe the leftover +Windows drive for extra storage, but first we should confirm there's no essential files there +(unlikely since it wasn't booted for months, mostly using other windows PC) + +### System Installation +1. Install base packages: `pacstrap /mnt base linux linux-firmware` +2. Generate fstab: `genfstab -U /mnt >> /mnt/etc/fstab` +3. Chroot: `arch-chroot /mnt` +4. Set timezone: `ln -sf /usr/share/zoneinfo/Europe/Budapest /etc/localtime` +5. Generate hardware clock: `hwclock --systohc` +6. Configure locale: + - Edit `/etc/locale.gen`, uncomment `en_US.UTF-8 UTF-8` + - Run: `locale-gen` + - Create `/etc/locale.conf`: `LANG=en_US.UTF-8` +7. Set hostname: `echo "homelab" > /etc/hostname` +8. Configure hosts file +9. Set root password: `passwd` +10. Install bootloader: `pacman -S grub efibootmgr` +11. Install GRUB: `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB` +12. 
Generate config: `grub-mkconfig -o /boot/grub/grub.cfg` + +## Post-Installation Setup + +### User Management +```bash +# Create user +useradd -m -G wheel -s /bin/bash hoborg +passwd hoborg + +# Configure sudo +pacman -S sudo +visudo # Uncomment %wheel ALL=(ALL) ALL +``` + +### Essential Packages +```bash +pacman -S git base-devel openssh networkmanager +systemctl enable NetworkManager +systemctl enable sshd +``` + +### AUR Access +```bash +# Install yay AUR helper +git clone https://aur.archlinux.org/yay.git +cd yay +makepkg -si +``` + +## Desktop Environment + +### XFCE Installation +```bash +pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter +systemctl enable lightdm +``` + +### Themes and Appearance +- **Window Manager Theme**: Matcha-dark-aliz +- **Icons**: Papirus-Maia +- **Fonts**: + - System: Install Nerd Fonts (`ttf-iosevkaterm-nerd ttf-jetbrains-mono-nerd`) + - TTY: ter-124b (12x24 bold) + +## Development Environment + +### Dotfiles Management +```bash +# Install yadm +pacman -S yadm + +# Clone dotfiles +yadm clone git@gitlab.com:akrejczinger/dotfiles.git +``` + +### Shell Configuration +- **Shell**: zsh with antidote plugin manager +- **Terminal**: wezterm with Catppuccin theme +- **Multiplexer**: tmux with catppuccin theme and temperature monitoring +- **Editor**: neovim with lazy.nvim plugin manager + +### Key Configurations +- **Keyboard Layout**: Colemak (US variant in X11) +- **TTY Layout**: Colemak with caps lock → backspace via systemd service +- **Font Fallbacks**: Noto fonts for Unicode support + +## TTY Configuration + +### Font and Layout +```bash +# Configure /etc/vconsole.conf +KEYMAP=colemak +FONT=ter-124b +FONT_MAP=8859-1 +``` + +### Caps Lock Fix +Caps lock mapped to backspace via systemd service: +```bash +# /etc/systemd/system/caps-backspace.service +sudo setkeycodes 3a 14 # Map caps scancode to backspace keycode +``` + +### Color Scheme +TTY colors configured in `.zshrc` for better readability. 
+ +## System Maintenance + +### Package Management +- Regular updates: `yay -Syu` +- Orphaned packages: `yay -Yc` +- Cache cleanup: `yay -Sc` + +### Backup Strategy +- Dotfiles: yadm + git repository +- System configs: Document in this guide +- User data: External backup solution + +## Hardware-Specific Notes + +### ThinkPad Optimizations +- **Temperature Monitoring**: Available via `sensors` command +- **Battery Management**: TLP for power optimization +- **Trackpad**: libinput with natural scrolling +- **Function Keys**: Media keys work out of box + +### Network Configuration +- **WiFi**: NetworkManager with GUI applet +- **Ethernet**: Automatic DHCP +- **Bluetooth**: bluez with pulseaudio integration diff --git a/troubleshooting.md b/troubleshooting.md index 0953e40..68d51f3 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -6,6 +6,7 @@ Then `sudo systemctl restart bluetooth` UPDATE: It's still not fixed :( Trying `yay -S pipewire wireplumber` +TODO test it again # Touchpad scroll direction (libinput) @@ -76,11 +77,11 @@ Synaptics scroll direction options: **Issue:** After running the theme switcher script, tmux sessions and existing terminals don't reflect the new theme until restarted. -**Temporary workaround:** +**Temporary workaround:** - Restart tmux sessions: `tmux kill-server && tmux` - Open new terminal windows -**TODO:** +**TODO:** - Investigate tmux theme reload without killing sessions - Check if terminal emulator supports theme change signals - Improve theme script to handle live theme updates @@ -99,7 +100,7 @@ set -g @catppuccin_window_tabs_enabled off **Alternative:** Configure explicit window text for both states: ``` set -g @catppuccin_window_default_text "#W" -set -g @catppuccin_window_current_text "#W" +set -g @catppuccin_window_current_text "#W" ``` Also ensure automatic renaming is enabled: 
@@ -126,7 +127,7 @@ fc-cache -f **Root cause:** Terminal emulator not configured to use Nerd Font as primary font. -**Solution:** +**Solution:** 1. Install Nerd Fonts: ```bash sudo pacman -S ttf-iosevkaterm-nerd ttf-jetbrains-mono-nerd @@ -137,8 +138,8 @@ fc-cache -f 3. For wezterm, ensure config includes: ```lua config.font = wezterm.font_with_fallback { - 'IosevkaTerm Nerd Font', - 'JetBrainsMono Nerd Font Mono', + 'IosevkaTerm Nerd Font', + 'JetBrainsMono Nerd Font Mono', 'Noto Color Emoji' } ``` 
@@ -152,8 +153,51 @@ printf "Icons: \\ue702 \\uf121 \\uf015 \\uf07b\\n" **Comprehensive coverage achieved with:** - `noto-fonts` (base unicode) -- `noto-fonts-cjk` (Chinese/Japanese/Korean) +- `noto-fonts-cjk` (Chinese/Japanese/Korean) - `noto-fonts-emoji` (color emoji) - `noto-fonts-extra` (additional scripts) Successfully displays: Egyptian hieroglyphs, Cuneiform, Nordic runes, Hungarian rovás, Arabic, Chinese, Japanese, Korean, Thai, Hindi, Hebrew, Greek, Tamil. + +# Cannot tile windows by drag and dropping + +Keyboard workaround: Go to Settings > Window Manager > Keyboard, set up tiling shortcuts (set to Super+arrow keys) + +# Additional Known Issues (TODO Items) + +## Tmux battery indicator missing until config reload + +**Issue:** Battery indicator doesn't appear in tmux status line immediately after starting tmux. + +**Temporary workaround:** Reload tmux config with `Prefix + r` or restart tmux session. + +**Status:** Investigation needed + +## TTY fallbacks needed + +**Issue:** When not in X11/graphical mode, nvim and tmux need proper fallback configurations. + +**Status:** Completed + +**Solutions implemented:** +- ✅ **nvim:** TTY detection and color scheme fallback configured +- ✅ **Font:** Selected ter-124b (12x24 bold) for good readability +- ✅ **Keyboard:** Colemak layout with caps lock remapped to backspace +- ✅ **Caps lock fix:** Uses systemd service with `setkeycodes 3a 14` + +**Configuration files:** +- `/etc/systemd/system/caps-backspace.service` - Permanent caps lock remapping +- TTY font testing script: `~/.local/scripts/test-fonts.sh` + +## TTY Caps Lock Not Working as Backspace + +**Issue:** With colemak keymap loaded, caps lock acts like Control instead of backspace in TTY. + +**Root cause:** Colemak keymap maps caps lock to Control, which conflicts with tmux navigation keys. 
+ +**Solution:** Use `setkeycodes` to remap at scancode level: +```bash +sudo setkeycodes 3a 14 # Map caps lock scancode to backspace keycode +``` + +**Permanent fix:** Systemd service created at `/etc/systemd/system/caps-backspace.service` diff --git a/yadm-setup-notes.md b/yadm-setup-notes.md deleted file mode 100644 index 37e1326..0000000 --- a/yadm-setup-notes.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# Yadm Dotfiles Setup Notes - -## Overview -Successfully configured yadm (Yet Another Dotfiles Manager) to manage personal dotfiles while preserving Arch Linux system functionality. - -## Setup Process - -### 1. Initial Yadm Installation and Clone -- ✅ Installed yadm: `pacman -S yadm` -- ✅ Cloned personal dotfiles repository: `yadm clone git@gitlab.com:akrejczinger/dotfiles.git` -- ✅ Created backup of existing dotfiles before merge: `~/dotfiles-backup/20250730_142945/` - -### 2. Dotfiles Merge Strategy -Rather than force-overwriting local files, manually merged each configuration file to preserve both: -- **Arch Linux system functionality** (session management, package integration) -- **Personal customizations** (themes, keybindings, development tools) - -### 3. Files Successfully Merged - -#### Shell Configuration -- **`.bashrc`**: Enhanced with yadm aliases, functions, and development tools -- **`.bash_profile`**: Added poetry PATH export -- **`.bash_logout`**: Replaced with yadm version (console clearing for privacy) -- **`.zshrc`**: Comprehensive setup with vi-mode, custom functions, 293-line config -- **`.profile`**: Merged X11/touchpad config with environment setup - -#### System Integration -- **`.xinitrc`**: Combined Arch session management with colemak keyboard layout -- **XFCE configs**: Enhanced window manager settings while preserving customizations - -### 4. Arch-Specific Optimizations -- **Linuxbrew disabled**: Commented out in all files (using pacman/AUR instead) -- **Session management preserved**: Kept Arch's comprehensive xinitrc.d integration -- **Performance optimizations**: Set `vblank_mode=xpresent` for better AMD graphics performance -- **Window manager enhancements**: Added `restore_on_move`, `zoom_pointer` features - -### 5. 
Submodule Management -- ✅ Resolved phantom `.config/nvm` submodule reference issue -- ✅ Successfully initialized all valid submodules: - - `.config/awesome` - AwesomeWM configuration - - `.config/nvim` - Neovim setup (updated to latest main branch) - - `.config/ranger/plugins/ranger_devicons` - File manager icons - - `.tmux/plugins/tpm` - Tmux Plugin Manager - -### 6. Configuration Highlights - -#### Development Tools -- **Zsh with vi-mode**: Enhanced terminal experience with custom keybindings -- **Git integration**: Custom functions (`fshow`, `vimgit`) for improved workflow -- **Archive extraction**: Universal `ex()` function for all archive types -- **Theme switching**: `light_theme`/`dark_theme` functions - -#### System Customization -- **Keyboard**: Colemak layout with custom xmodmap -- **Theme**: Greybird-dark with Papirus-Maia icons -- **Font**: Noto Sans 10 with proper font rendering settings -- **Cursor**: xcursor-breeze theme - -#### Security & Privacy -- **Console clearing**: Automatic screen clear on logout -- **SSH hardening**: Comprehensive security settings documented -- **Firewall configuration**: Planned fail2ban integration - -## Current State -- ✅ All dotfiles merged and committed to yadm repository -- ✅ Submodules properly initialized and updated -- ✅ Development environment fully functional -- ✅ Arch system integration preserved -- ✅ Personal customizations active - -## Next Steps -- Network configuration and static IP setup -- Dynamic DNS configuration for remote access -- Self-hosted service deployment preparation - -## Lessons Learned -1. **Manual merge approach** was correct - prevented loss of Arch-specific functionality -2. **Submodule cleanup** required removing phantom references from git index -3. **Platform-specific adjustments** (disabling linuxbrew) are essential for Arch -4. 
**Comprehensive backups** saved the day when conflicts arose - -## Commands Reference -```bash -# Yadm basic operations -yadm status -yadm add -yadm commit -m "message" - -# Submodule management -yadm submodule update --init --recursive -yadm submodule update --remote - -# Remove phantom submodule -yadm rm --cached -``` \ No newline at end of file
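Review bot: In the new system-setup.md hunk (@@ -0,0 +1,158 @@), `systemctl enable sshd` under "Essential Packages" starts the SSH daemon on every boot with the stock `sshd_config` before any hardening has been applied; consider deferring that line until the SSH hardening steps are done, or adding a sentence there saying where the hardening happens so the ordering is explicit. Two smaller points in the same hunk: the "Caps Lock Fix" block is labelled `# /etc/systemd/system/caps-backspace.service` but contains a shell command (`sudo setkeycodes 3a 14`) rather than unit contents, so the actual unit (its `[Service]` `ExecStart=` line and `[Install]` target, without `sudo`, since units already run as root) should be shown for reproducibility; and step 8 "Configure hosts file" is the only installation step with no command or file contents, so the `/etc/hosts` entries should be listed.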
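Review bot: In the troubleshooting.md hunk @@ -152,8 +153,51 @@, the "Permanent fix" and "Configuration files" entries point at `/etc/systemd/system/caps-backspace.service` and `~/.local/scripts/test-fonts.sh`, but the contents of neither file are included in the change, so a reader cannot reproduce the fix from the notes; add the unit text (or a link to where it lives) next to the `setkeycodes 3a 14` command. Also, "TTY fallbacks needed" is marked `**Status:** Completed` yet sits under "Additional Known Issues (TODO Items)"; move resolved entries to their own section or drop the TODO label from the heading.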
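Review bot: Deleting yadm-setup-notes.md (@@ -1,95 +0,0 @@) drops material that the new system-setup.md "Dotfiles Management" section does not carry: the phantom `.config/nvm` submodule fix, the `yadm submodule update --init --recursive` / `--remote` commands, the `~/dotfiles-backup/20250730_142945/` backup location, and the Arch-specific adjustments (linuxbrew disabled, `vblank_mode=xpresent`, `restore_on_move` / `zoom_pointer`). Move the submodule commands and the "Lessons Learned" list into system-setup.md before removing the file so that knowledge survives the consolidation. One line not worth carrying over as written: `yadm rm --cached` in the Commands Reference has no path argument and would not run as shown.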