Reorganize and update docs

2025-07-31 20:18:16 +02:00
parent 50144e083e
commit e3889870e5
12 changed files with 741 additions and 475 deletions


@@ -29,13 +29,23 @@ Setting up a personal homelab using a ThinkPad laptop running Arch Linux to move
- ✅ Development environment setup completed - ✅ Development environment setup completed
- Next: Network domain setup and self-hosted services - Next: Network domain setup and self-hosted services
## Documentation & TODO Lists ## Documentation Structure
**[troubleshooting.md](troubleshooting.md)** - General troubleshooting for any issues found ### Quick Start Guide
1. **System Setup**: Follow [system-setup.md](system-setup.md) for Arch installation and configuration
2. **Network Security**: Configure SSH, DNS, and VPN using [network-security.md](network-security.md)
3. **Services**: Plan and deploy applications from [services.md](services.md)
4. **Tasks**: Track progress in [TODO.md](TODO.md)
5. **Issues**: Find solutions in [troubleshooting.md](troubleshooting.md)
- [x] **[arch-install-notes.md](arch-install-notes.md)** - Installation process and core system setup ### Documentation Files
- [ ] **[arch-linux-setup.md](arch-linux-setup.md)** - General Arch Linux configuration tasks - **[system-setup.md](system-setup.md)** - Complete Arch Linux installation, TTY config, desktop setup
- [ ] **[yadm-setup-notes.md](yadm-setup-notes.md)** - Dotfiles management and development environment setup - **[network-security.md](network-security.md)** - SSH hardening, DuckDNS, WireGuard VPN, firewall setup
- [ ] **[ssh-setup-guide.md](ssh-setup-guide.md)** - SSH configuration and security hardening - **[services.md](services.md)** - Self-hosted services: Git hosting, cloud storage, media server
- [ ] **[network-planning.md](network-planning.md)** - Network setup, DNS, and security planning - **[TODO.md](TODO.md)** - Centralized task list with progress tracking by category
- [ ] **[self-hosted-services.md](self-hosted-services.md)** - Planning for git hosting and cloud storage - **[troubleshooting.md](troubleshooting.md)** - Hardware issues, software problems, and solutions
### Current Configuration
- **System**: Arch Linux with XFCE desktop, ter-124b TTY font, Colemak layout
- **Security**: SSH hardened, DuckDNS configured (ak-homelab.duckdns.org)
- **Development**: yadm dotfiles, tmux with temperature monitoring, zsh with proper history
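Review bot: the Quick Start step "Network Security: Configure SSH, DNS, and VPN using network-security.md" and the Current Configuration line "Security: SSH hardened, DuckDNS configured" read as if the network work is finished, while TODO.md in this same commit still has WireGuard, router port forwarding and UFW unchecked; word the README so the pending items are visible (for example "SSH hardened, DuckDNS configured; VPN and firewall pending"), otherwise the README and the task list disagree on day one. Also, the README now publishes the hostname `ak-homelab.duckdns.org` in the top-level file; together with the port numbers documented in network-security.md that is a complete description of the reachable entry points, so if this repository is ever made public, keep the real hostname in the private docs and use a placeholder here.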

59
TODO.md Normal file

@@ -0,0 +1,59 @@
# Homelab TODO List
## High Priority
- [x] Reorganize documentation structure *(completed - new file structure)*
- [ ] Configure WireGuard VPN server for secure remote access
- [ ] Set up firewall rules and port forwarding
## Network & Security
- [x] DuckDNS dynamic DNS setup *(completed - ak-homelab.duckdns.org)*
- [x] SSH security hardening *(documented in network-security.md)*
- [ ] WireGuard VPN server configuration
- [ ] Router port forwarding configuration
- [ ] UFW firewall setup and rules
- [ ] fail2ban for intrusion prevention
## System Configuration
- [x] Arch Linux installation and basic setup *(completed)*
- [x] TTY configuration with ter-124b font *(completed)*
- [x] Caps lock → backspace mapping in TTY *(completed)*
- [x] Dotfiles management with yadm *(completed)*
- [x] Temperature monitoring in tmux *(completed)*
- [x] Zsh history sharing between sessions *(completed)*
- [ ] Fix TTY colors for better code readability
- [ ] Configure automatic system backups
## Desktop & Applications
- [ ] Add windows-like bottom panel icons
- [ ] Install additional browsers as backup
- [ ] Add dmenu run shortcut
- [ ] Later: Test awesomewm once again, consider migration
- [x] Install Deskflow for multi-device setup
- [ ] Mount and configure /data drive
- [ ] Copy backups from USB drives
* Not sure if necessary, some files may already be on the PC
* [ ] First: Do a bit of "duplication check" across various devices and USBs, make a plan of what to store where
## Services & Self-Hosting
- [ ] Install and configure Gitea for Git hosting
- [ ] Set up Nextcloud for file synchronization
- Consider alternative: Copyparty, Owncloud, maybe some others
- [ ] Configure Jellyfin media server
- Also check alternatives, decide if it's needed at all
- [ ] Implement monitoring stack (Prometheus/Grafana)
- Also consider alternatives, make setup simple and FOSS only
- [ ] Set up reverse proxy with SSL certificates
## Hardware & Troubleshooting
- [ ] Fix bluetooth audio connectivity issues
- [ ] Investigate tmux battery indicator missing until config reload
- [x] Figure out drag and drop window tiling solution -> workaround with keyboard shortcuts
- [ ] Install multimedia codecs and applications
- [ ] Set up printer/scanner support if needed
## Security & Maintenance
- [ ] Configure automatic security updates
- [ ] Set up system monitoring and alerting
- [ ] Implement backup strategy for services
- [ ] Regular security audit and updates
- [ ] Document recovery procedures
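Review bot: several tasks appear twice, so one copy will go stale when the other is checked off: WireGuard is listed under both High Priority and Network & Security, "Set up firewall rules and port forwarding" under High Priority duplicates "Router port forwarding configuration" and "UFW firewall setup and rules", and "Configure automatic security updates" overlaps "Regular security audit and updates". Keep one entry per task and let High Priority reference the category items. The sub-items under "Copy backups from USB drives" switch to `*` bullets and mix a plain note with a checkbox; use the same `- [ ]` form as the rest of the file so the per-category progress tracking the README promises stays consistent. "Regular security audit and updates" and "Document recovery procedures" are also the only items with no concrete first step; a line each saying what an audit covers (listening ports, sshd_config, ufw rules) and what recovery means (restore from the backup script) would make them actionable.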


@@ -1,43 +0,0 @@
# Arch Linux Installation Notes
## Pre-Installation Checklist
- [x] Download Arch Linux ISO
- [x] Create bootable USB drive
- [x] Backup any important data on ThinkPad
- [x] Note ThinkPad hardware specs for driver compatibility
## Installation Steps
### Boot and Initial Setup
- [x] Boot from USB
- [x] Set keyboard layout if needed: `loadkeys us`
- [x] Verify UEFI boot: `ls /sys/firmware/efi/efivars`
- [x] Connect to internet (wifi-menu or ethernet)
### Partitioning
- [x] List disks: `fdisk -l`
- [x] Create partitions (EFI, swap, root)
- [x] Format partitions
- [x] Mount filesystems
### Base System Installation
- [x] Update package database: `pacman -Sy`
- [x] Install base system: `pacstrap /mnt base linux linux-firmware`
- [x] Generate fstab: `genfstab -U /mnt >> /mnt/etc/fstab`
- [x] Chroot: `arch-chroot /mnt`
### System Configuration
- [x] Set timezone
- [x] Configure locale
- [x] Set hostname
- [x] Configure network
- [x] Set root password
- [x] Install bootloader (GRUB)
- [x] Create user account with sudo privileges
## Post-Installation Priorities
- [x] Install SSH server: `pacman -S openssh`
- [x] Enable SSH service: `systemctl enable sshd`
- [x] Create user account with proper sudo access
- [x] Basic network configuration
See [arch-linux-setup.md](arch-linux-setup.md) for comprehensive post-installation tasks.
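Review bot: the deleted checklist records a swap partition ("Create partitions (EFI, swap, root)"), but the replacement system-setup.md Disk Preparation section lists only an EFI and a root partition and has no swapfile step; either swap was dropped on purpose, in which case say so in the new guide, or the migration lost a step. The "Verify UEFI boot", pacstrap, genfstab, chroot, user and sudo steps all reappear in system-setup.md, so apart from swap the deletion looks complete.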


@@ -1,36 +0,0 @@
# Arch Linux General Setup Tasks
## Package Management & System Setup
- [x] Install essential packages (git, base-devel)
- [x] Set up AUR access (yay/paru)
- [ ] Configure automatic system backups with Timeshift
- [ ] Install and configure firewall (ufw)
- [ ] Set up system monitoring tools
## Development Environment
- [x] Install and configure yadm: `pacman -S yadm`
- [x] Clone dotfiles: `yadm clone git@gitlab.com:akrejczinger/dotfiles.git`
- [x] Set up preferred shell and terminal (zsh with vi-mode, comprehensive config)
- [x] Install development tools and configure submodules (nvim, tmux, ranger)
## Desktop Environment & Applications
- [ ] Install Deskflow for multi-device setup
- [x] Configure XFCE settings and themes (Greybird-dark, Papirus-Maia icons)
- [ ] Install multimedia codecs and applications
- [ ] Set up printer/scanner support if needed
- [ ] Copy backups from USBs etc.
- [ ] Mount the /data drive and check if all files still work
Not sure which nvme drive it is, see paper notes at my desk
## Security & Maintenance
- [ ] Configure automatic updates
Is this a good idea? I should periodically update manually
- [ ] Set up fail2ban for intrusion prevention
- [ ] Create regular maintenance scripts
- [ ] Configure log rotation and cleanup
## Hardware-Specific (ThinkPad)
- [x] Install ThinkPad-specific utilities
- [ ] Configure power management
- [x] Set up function key mappings
- [x] Test hardware components (WiFi, Bluetooth, etc.)
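Review bot: two decision notes are dropped here without landing anywhere: "Is this a good idea? I should periodically update manually" under automatic updates, and "Not sure which nvme drive it is, see paper notes at my desk" under the /data mount. TODO.md in this commit lists "Configure automatic security updates" and "Mount and configure /data drive" with neither caveat, and the updates question is exactly the tradeoff that belongs next to the task (unattended `pacman -Syu` on a rolling release can leave a system unbootable, manual updates can lag security fixes); record the decision rather than lose it. "Configure automatic system backups with Timeshift", "Configure log rotation and cleanup" and "Configure power management" also lose their tool names or disappear entirely; system-setup.md mentions TLP under ThinkPad Optimizations, so at least the power-management item can point there.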


@@ -1,33 +0,0 @@
# Network Planning
## Current Network Setup
- Document your current router/modem setup
- Note internal IP range (usually 192.168.1.x or 10.0.0.x)
## SSH Access Planning
### Local Network Access
- [ ] Assign static IP to ThinkPad
- [ ] Configure SSH key authentication
- [ ] Test SSH from WSL machine
### External Access (Optional)
- [ ] Research dynamic DNS services (DuckDNS, No-IP)
- [ ] Configure router port forwarding (if needed)
- [ ] Set up VPN for secure remote access
## Domain Setup Options
### Local Domain
- [ ] Configure local DNS (Pi-hole, router settings)
- [ ] Use .local domain for internal services
### Public Domain
- [ ] Register domain name
- [ ] Configure DNS records
- [ ] Set up reverse proxy (nginx, Caddy)
## Security Considerations
- [ ] Change default SSH port
- [ ] Disable root SSH login
- [ ] Configure fail2ban
- [ ] Set up firewall rules (iptables/ufw)
- [ ] Regular security updates
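Review bot: "Assign static IP to ThinkPad" is removed and does not reappear as a task, while the new network-security.md hard-codes "Homelab server: 192.168.1.100 (static)" and its router port-forwarding section depends on that address never changing; add a TODO for the DHCP reservation or static assignment so a lease change cannot silently leave the forwards pointing at a different host. "Use .local domain for internal services" migrates as "Local domain: homelab.local", but `.local` is reserved for multicast DNS (RFC 6762), so serving it from the router's DNS collides with avahi/systemd-resolved mDNS lookups on the clients; `home.arpa` (RFC 8375) is the name range set aside for exactly this use.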

232
network-security.md Normal file

@@ -0,0 +1,232 @@
# Network & Security Configuration
Complete guide for securing and networking your homelab.
## SSH Security Setup
### Initial Configuration
```bash
# Generate SSH key pair
ssh-keygen -t ed25519 -C "homelab-key" -f ~/.ssh/homelab_ed25519
# Copy public key to target
ssh-copy-id -i ~/.ssh/homelab_ed25519.pub user@target
```
### SSH Hardening
Edit `/etc/ssh/sshd_config`:
```
# Disable root login
PermitRootLogin no
# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes
# Change default port (optional)
Port 2222
# Restrict users
AllowUsers hoborg
# Security settings
Protocol 2
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxStartups 2
```
Restart SSH: `sudo systemctl restart sshd`
### SSH Client Configuration
Create `~/.ssh/config`:
```
Host homelab
HostName your-domain.duckdns.org
User hoborg
Port 2222
IdentityFile ~/.ssh/homelab_ed25519
ServerAliveInterval 60
```
## Dynamic DNS with DuckDNS
### Account Setup
1. Create account at duckdns.org
2. Create subdomain: `ak-homelab.duckdns.org`
3. Get token from dashboard
### Automatic IP Updates
Update script at `~/.local/scripts/duckdns.py` (Python implementation)
Cron job for automatic updates:
```bash
# Update every 5 minutes
*/5 * * * * /home/hoborg/.local/scripts/duckdns.py >/dev/null 2>&1
```
### Testing
```bash
# Check current IP
curl -s https://ipinfo.io/ip
# Verify DNS resolution
nslookup ak-homelab.duckdns.org
```
## VPN Setup with WireGuard
### Server Configuration
Install WireGuard: `pacman -S wireguard-tools`
Generate keys:
```bash
wg genkey | tee server_private.key | wg pubkey > server_public.key
```
Server config `/etc/wireguard/wg0.conf`:
```ini
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
```
### Client Configuration
Generate client keys:
```bash
wg genkey | tee client_private.key | wg pubkey > client_public.key
```
Client config:
```ini
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = ak-homelab.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
### Enable VPN
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
## Firewall Configuration
### UFW Setup
```bash
# Install and enable UFW
pacman -S ufw
sudo ufw enable
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH access
sudo ufw allow 2222/tcp
# WireGuard
sudo ufw allow 51820/udp
# HTTP/HTTPS for services
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
### Advanced Rules
```bash
# Rate limiting for SSH
sudo ufw limit 2222/tcp
# Allow from specific networks
sudo ufw allow from 192.168.1.0/24 to any port 22
# Log denied connections
sudo ufw logging on
```
## Network Security Best Practices
### Port Management
- **Change default ports**: SSH (2222), WireGuard (51820)
- **Close unused ports**: Regular port scans with nmap
- **Port forwarding**: Only forward necessary ports
### Access Control
- **VPN-first approach**: Access services through VPN tunnel
- **IP whitelisting**: Restrict access to known IPs when possible
- **Rate limiting**: Prevent brute force attacks
### Monitoring
- **Log analysis**: Monitor `/var/log/auth.log` for SSH attempts
- **Network monitoring**: Use netstat/ss to check listening ports
- **Intrusion detection**: Consider fail2ban for automated blocking
## Router Configuration
### Port Forwarding
Forward these ports to your homelab server:
- SSH: External port → Internal 2222
- WireGuard: 51820 → 51820
- Web services: 80/443 → 80/443 (if needed)
### Security Settings
- **Disable WPS**: Turn off WiFi Protected Setup
- **Strong WiFi password**: WPA3 with complex passphrase
- **Guest network**: Separate network for guests
- **Firmware updates**: Keep router firmware current
## Network Planning
### IP Address Scheme
- **Router**: 192.168.1.1
- **Homelab server**: 192.168.1.100 (static)
- **DHCP range**: 192.168.1.10-99
- **VPN subnet**: 10.0.0.0/24
### DNS Configuration
- **Primary DNS**: Router (192.168.1.1)
- **Secondary DNS**: 1.1.1.1, 8.8.8.8
- **Local domain**: homelab.local
- **Dynamic DNS**: ak-homelab.duckdns.org
### Service Architecture
```
Internet → Router → Homelab Server
┌─────────────────────────────┐
│ SSH (2222) │
│ WireGuard VPN (51820) │
│ Web Services (80/443) │
│ Monitoring & Logging │
└─────────────────────────────┘
```
## Backup and Recovery
### Configuration Backups
- **SSH keys**: Store securely, separate from server
- **WireGuard configs**: Document peer configurations
- **Firewall rules**: Export UFW rules with `ufw status numbered`
### Network Documentation
- **IP mappings**: Document static assignments
- **Port forwards**: List all forwarded ports and purposes
- **Access credentials**: Secure storage of passwords/keys
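Review bot: the UFW Setup block enables the firewall before any allow rule exists (`sudo ufw enable` on its second line, `sudo ufw allow 2222/tcp` several lines later), so running it as written over SSH with "default deny incoming" drops the session; move `ufw enable` to the end of the block. In the same section `pacman -S ufw` and, earlier, `pacman -S wireguard-tools` lack the `sudo` every neighbouring line uses. The WireGuard PostUp/PostDown rules assume `eth0`, which Arch's predictable interface naming will not give a ThinkPad (`enp*`/`wlp*`), and nothing sets `net.ipv4.ip_forward=1`, without which the MASQUERADE rule forwards no client traffic; those raw iptables rules also live outside UFW's bookkeeping, which the Advanced Rules section does not mention. `sudo ufw allow from 192.168.1.0/24 to any port 22` opens port 22 although sshd was moved to 2222 above. `Protocol 2` is a no-op on current OpenSSH (SSH-1 server support was removed) and only draws a deprecation warning at config test time. Under Monitoring, `/var/log/auth.log` does not exist on Arch; sshd logs to the journal, and `journalctl -u sshd` from the deleted ssh-setup-guide.md was the correct command. The cron line discards all output of the DuckDNS updater, so a revoked token or a failed update is invisible; keep at least stderr, and since the script holds the token, note its required file mode. Finally, `ufw status numbered` is display output, not an export; the persistent rules are in /etc/ufw/user.rules and user6.rules, which is what a backup should copy.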


@@ -1,46 +0,0 @@
# Self-Hosted Services Planning
## Git Repository Hosting
### Options to Research
- **Gitea**: Lightweight, Go-based, minimal resource usage
- **Forgejo**: Gitea fork, community-driven development
- **GitLab CE**: Feature-rich but more resource intensive
- **Gogs**: Simple, lightweight alternative
### Requirements
- [ ] Web interface for repository management
- [ ] Git over SSH and HTTPS
- [ ] User management and permissions
- [ ] Issue tracking (optional)
- [ ] CI/CD integration (future consideration)
### Installation Considerations
- Docker deployment vs native installation
- Database requirements (SQLite vs PostgreSQL)
- Reverse proxy setup for HTTPS
- Backup strategy for repositories
## Cloud Storage Solutions
### Options to Research
- **Nextcloud**: Full-featured, extensive app ecosystem
- **ownCloud**: Original project, stable and mature
- **Seafile**: Performance-focused file sync
- **Syncthing**: Decentralized sync (no server needed)
### Requirements
- [ ] File synchronization across devices
- [ ] Web interface for file management
- [ ] Mobile app support
- [ ] Calendar and contacts sync
- [ ] Document editing (optional)
## Service Integration
- Single sign-on between services
- Shared storage for configuration backups
- Monitoring and logging setup
- Automated backups and disaster recovery
## Resource Planning
- Estimate RAM and storage requirements
- Consider containerization with Docker/Podman
- Plan for service discovery and networking
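Review bot: the Requirements checklists (Git over SSH and HTTPS, user management and permissions, file synchronization across devices, mobile app support) and the Service Integration items (single sign-on, automated backups and disaster recovery, service discovery) are deleted without being carried into services.md or TODO.md; the new services.md records choices ("Recommended") but no longer records what those choices had to satisfy, so the still-open requirements should move to TODO.md under Services & Self-Hosting instead of disappearing with this file.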

223
services.md Normal file

@@ -0,0 +1,223 @@
# Services & Applications
Planning and configuration for self-hosted services and applications.
## Git Repository Hosting
### Service Options
- **Gitea**: Lightweight, Go-based, minimal resource usage ✅ *Recommended*
- **Forgejo**: Gitea fork, community-driven development
- **GitLab CE**: Feature-rich but more resource intensive
- **Gogs**: Simple, lightweight alternative
### Gitea Installation
```bash
# Create gitea user
sudo useradd -r -s /bin/false -d /var/lib/gitea gitea
# Download and install
wget https://dl.gitea.io/gitea/latest/gitea-linux-amd64
sudo mv gitea-linux-amd64 /usr/local/bin/gitea
sudo chmod +x /usr/local/bin/gitea
# Create directories
sudo mkdir -p /var/lib/gitea/{custom,data,log}
sudo chown -R gitea:gitea /var/lib/gitea/
sudo chmod -R 750 /var/lib/gitea/
```
### Configuration
- **Database**: SQLite for simplicity, PostgreSQL for production
- **Port**: 3000 (internal), reverse proxy for HTTPS
- **SSH**: Port 2222 for git operations
- **Features**: Web interface, issue tracking, organizations
## Cloud Storage Solutions
### Service Options
- **Copyparty**: Quite new self-hosted file storage solution, must investigate!
- **Nextcloud**: Full-featured, extensive app ecosystem ✅ *Recommended*
- **ownCloud**: Original project, stable and mature
- **Seafile**: Performance-focused file sync
- **Syncthing**: Decentralized sync (no server needed)
### Nextcloud Installation
```bash
# Via snap (recommended)
sudo snap install nextcloud
# Or via Docker
docker run -d \
--name nextcloud \
-p 8080:80 \
-v nextcloud_data:/var/www/html \
nextcloud
```
Personal notes: Not a fan of snap, isn't there an AUR package?
Go with docker otherwise
### Features
- File synchronization across devices
- Video files, game installers -> high prio
- Self-hosted git mirrors of favorite FOSS projects -> medium prio
- Calendar and contacts (CalDAV/CardDAV) -> low prio
- Document editing (OnlyOffice/Collabora) -> low prio
- Photo management and sharing -> low prio
- Mobile apps available?
## Media Management
### Jellyfin Media Server
```bash
# Install via AUR
yay -S jellyfin-server jellyfin-web
# Enable service
sudo systemctl enable jellyfin
sudo systemctl start jellyfin
```
Configuration:
- **Port**: 8096 (web interface)
- **Media paths**: `/data/movies`, `/data/tv`, `/data/music`
- **Transcoding**: Hardware acceleration if available
### Photo Management
- **PhotoPrism**: AI-powered photo management
- **Immich**: Modern photo backup solution
- **LibrePhotos**: Privacy-focused alternative
## Monitoring & Logging
### System Monitoring
```bash
# Prometheus + Grafana stack
docker-compose up -d prometheus grafana node-exporter
```
### Log Management
- **Centralized logging**: rsyslog or journald
- **Log rotation**: logrotate configuration
- **Analysis**: grep, awk, or ELK stack for advanced needs
### Health Checks
- **Uptime monitoring**: Simple HTTP checks
- **Service status**: systemd service monitoring
- **Disk space**: Automated alerts for low space
## Containerization Strategy
### Docker Setup
```bash
# Install Docker
pacman -S docker docker-compose
sudo systemctl enable docker
# Add user to docker group
sudo usermod -aG docker hoborg
```
### Container Management
- **Orchestration**: Docker Compose for multi-service apps
- **Storage**: Named volumes for persistent data
- **Networking**: Custom networks for service isolation
- **Updates**: Watchtower for automated updates
## Reverse Proxy Configuration
### Nginx Setup
```bash
# Install nginx
pacman -S nginx certbot certbot-nginx
# Basic configuration
server {
server_name ak-homelab.duckdns.org;
location /gitea/ {
proxy_pass http://localhost:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /nextcloud/ {
proxy_pass http://localhost:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
### SSL Certificates
```bash
# Let's Encrypt via certbot
sudo certbot --nginx -d ak-homelab.duckdns.org
```
## Backup Strategy
### Configuration Backups
- **Service configs**: Docker volumes, /etc configs
- **Database dumps**: Regular automated backups
- **Storage**: External drive or cloud backup
### Automated Backups
```bash
#!/bin/bash
# backup-services.sh
DATE=$(date +%Y%m%d)
# Backup Gitea
tar -czf /backup/gitea-$DATE.tar.gz /var/lib/gitea/
# Backup Nextcloud data
rsync -av /var/snap/nextcloud/common/nextcloud/data/ /backup/nextcloud-$DATE/
# Database backup
sudo -u postgres pg_dump gitea > /backup/gitea-db-$DATE.sql
```
## Resource Planning
### Hardware Requirements
- **RAM**: 4GB minimum, 8GB recommended
- **Storage**:
- System: 50GB SSD
- Data: 1TB+ HDD for media/files
- **Network**: Gigabit Ethernet preferred
### Service Resource Usage
| Service | RAM | CPU | Storage | Port |
|---------|-----|-----|---------|------|
| Gitea | 200MB | Low | 5GB+ | 3000 |
| Nextcloud | 512MB | Medium | 10GB+ | 8080 |
| Jellyfin | 1GB | High* | Media | 8096 |
| Monitoring | 500MB | Low | 2GB | 3000/9090 |
*High during transcoding
## Security Considerations
### Service Hardening
- **Regular updates**: Automated security patches
- **Access control**: VPN-only access when possible
- **Authentication**: Strong passwords, 2FA where available
- **Network isolation**: Separate VLANs or containers
### Data Protection
- **Encryption**: Full disk encryption (LUKS)
- **Backups**: Encrypted offsite backups
- **Access logs**: Monitor service access patterns
- **Fail2ban**: Automatic IP blocking for repeated failures
## Future Expansion
### Additional Services to Consider
- **Home Assistant**: ABSOLUTELY NOT
- **Bitwarden/Vaultwarden**: Password management
- How is this better than keepassxc + filesync?
- **Pi-hole**: Network-wide ad blocking
- **Wireguard UI**: Web interface for VPN management
- **Bookstack**: Documentation wiki
- What is this for? How does it compare to Logseq?
- **FreshRSS**: RSS feed aggregator
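Review bot: two port collisions are written into this file. The resource table gives Monitoring "3000/9090" while Gitea is on 3000 in both the table and the Configuration bullets, and "SSH: Port 2222 for git operations" is the port network-security.md assigns to the hardened system sshd; give Grafana a distinct port, and either let Gitea use the system sshd (which requires the gitea user to have a real shell rather than the `/bin/false` set in `useradd`) or give its built-in SSH server its own port. Further points: `wget .../gitea-linux-amd64` installs an unverified binary into /usr/local/bin; Gitea publishes `.sha256` and `.asc` files beside each release, so verify before `chmod +x`, and the section has no systemd unit to actually run the service. `docker run ... -p 8080:80` publishes Nextcloud on all interfaces, and Docker programs iptables ahead of UFW, so the "default deny incoming" policy from network-security.md does not cover it; bind with `-p 127.0.0.1:8080:80` and reach it through nginx as the Reverse Proxy section already intends. The nginx `server { ... }` block sits inside a `bash` fence after the pacman line and cannot be pasted as shown; it also lacks a `listen` directive, and sub-path proxying (`/gitea/`, `/nextcloud/`) only works once each application is configured for that prefix. The backup script copies `/var/snap/nextcloud/...` and dumps a PostgreSQL `gitea` database, but the page recommends SQLite and the personal note rejects snap; it writes plaintext archives to /backup while Data Protection calls for encrypted backups, and without `set -euo pipefail` a failing step does not stop the run.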


@@ -1,207 +0,0 @@
# SSH Connection Setup Guide
## On the Arch Linux ThinkPad (Server Side)
### 1. Install and Enable SSH Server
```bash
# Install OpenSSH
sudo pacman -S openssh
# Enable and start SSH service
sudo systemctl enable sshd
sudo systemctl start sshd
# Check if SSH is running
sudo systemctl status sshd
```
### 2. Configure SSH Server
```bash
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Recommended security settings:
# Port 22 (or change to custom port)
# PermitRootLogin no
# PasswordAuthentication yes (initially, then switch to key-based)
# PubkeyAuthentication yes
# Restart SSH after configuration changes
sudo systemctl restart sshd
```
### 3. Get the ThinkPad's IP Address
```bash
# Find local IP address
ip addr show
# or
hostname -I
```
### 4. Configure Firewall (if using ufw)
```bash
# Install and enable firewall
sudo pacman -S ufw
sudo ufw enable
# Allow SSH connections
sudo ufw allow ssh
# or for custom port: sudo ufw allow 2222
```
## On WSL/Windows PC (Client Side)
### 1. Generate SSH Key Pair (if not already done)
```bash
# Generate new SSH key
ssh-keygen -t ed25519 -C "your-email@example.com"
# Or use RSA if ed25519 not supported
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
# Keys will be saved to ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub
```
### 2. Copy Public Key to ThinkPad
```bash
# Method 1: Using ssh-copy-id (easiest)
ssh-copy-id username@thinkpad-ip-address
# Method 2: Manual copy
cat ~/.ssh/id_ed25519.pub | ssh username@thinkpad-ip-address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
# Method 3: SCP the key file
scp ~/.ssh/id_ed25519.pub username@thinkpad-ip-address:~/.ssh/authorized_keys
```
### 3. Test SSH Connection
```bash
# Connect using password initially
ssh username@thinkpad-ip-address
# After key setup, should connect without password
ssh username@thinkpad-ip-address
```
### 4. Create SSH Config for Easy Access
```bash
# Edit SSH config
nano ~/.ssh/config
# Add entry for ThinkPad
Host thinkpad
HostName thinkpad-ip-address
User your-username
Port 22
IdentityFile ~/.ssh/id_ed25519
# Now you can connect with: ssh thinkpad
```
## Security Hardening (After Key-Based Auth Works)
### On ThinkPad:
```bash
# Edit SSH config to disable password authentication
sudo nano /etc/ssh/sshd_config
# Basic hardening settings:
# PasswordAuthentication no
# PermitEmptyPasswords no
# ChallengeResponseAuthentication no
# PermitRootLogin no
# Protocol 2
# Advanced hardening (optional):
# Port 2222 # Change from default port 22
# MaxAuthTries 3
# ClientAliveInterval 300
# ClientAliveCountMax 2
# AllowUsers your-username # Restrict to specific users
# Restart SSH
sudo systemctl restart sshd
```
### Additional Security Steps:
- [ ] **Change SSH port**: Edit `Port 22` to custom port (e.g., `Port 2222`)
- [ ] **Install fail2ban**: `sudo pacman -S fail2ban && sudo systemctl enable fail2ban`
- [ ] **Configure firewall**: Update ufw rules for new SSH port if changed
- [ ] **Set up dynamic DNS**: For remote access (DuckDNS, No-IP, Cloudflare)
- [ ] **Consider VPN**: For secure remote access instead of exposing SSH
## Setting Up Hostname Resolution
### Method 1: Using /etc/hosts (Simple, Local Only)
#### On WSL/Linux:
```bash
# Edit hosts file
sudo nano /etc/hosts
# Add entry for ThinkPad
192.168.1.100 thinkpad
192.168.1.100 thinkpad.local
# Now you can use: ssh username@thinkpad
```
#### On Windows:
```cmd
# Edit hosts file (run as Administrator)
notepad C:\Windows\System32\drivers\etc\hosts
# Add the same entries:
192.168.1.100 thinkpad
192.168.1.100 thinkpad.local
```
### Method 2: Set Static Hostname on ThinkPad
```bash
# On ThinkPad, set a memorable hostname
sudo hostnamectl set-hostname thinkpad
# Edit /etc/hosts on ThinkPad to include itself
sudo nano /etc/hosts
# Add: 127.0.0.1 thinkpad thinkpad.local
```
### Method 3: Router-Level DNS (Best for Multiple Devices)
- Access your router's admin panel (usually 192.168.1.1 or 192.168.0.1)
- Look for "DHCP Reservations" or "Static IP" settings
- Assign a static IP to ThinkPad's MAC address
- Set hostname in router's DNS settings
### Update SSH Config
```bash
# Update ~/.ssh/config to use hostname
nano ~/.ssh/config
Host thinkpad
HostName thinkpad # or thinkpad.local
User your-username
Port 22
IdentityFile ~/.ssh/id_ed25519
```
## Troubleshooting
### Common Issues:
- **Connection refused**: Check if sshd is running, firewall allows SSH
- **Permission denied**: Verify username/password, check authorized_keys permissions
- **Key not working**: Ensure correct permissions on ~/.ssh (700) and authorized_keys (600)
### Debug Commands:
```bash
# Check SSH service status
sudo systemctl status sshd
# View SSH logs
sudo journalctl -u sshd
# Test SSH config
sudo sshd -t
# Connect with verbose output
ssh -v username@thinkpad-ip-address
```
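Review bot: the Debug Commands block (`sudo sshd -t`, `sudo journalctl -u sshd`, `ssh -v ...`) and the permission requirements for `~/.ssh` (700) and `authorized_keys` (600) are removed and do not reappear in network-security.md or troubleshooting.md; `sshd -t` before `systemctl restart sshd` is the check that stops a typo in the hardened sshd_config from locking you out of a remote session, and the new SSH Hardening section goes straight from edit to restart. Move at least the Debug Commands and the permissions note into troubleshooting.md. The staged sequence here (password login first, copy the key, confirm key login, then `PasswordAuthentication no`) is also gone; the new guide shows only the final state, which is fine as a reference as long as it says to confirm key-based login works before applying it.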

158
system-setup.md Normal file

@@ -0,0 +1,158 @@
# System Setup Guide
Complete guide for Arch Linux installation and system configuration.
## Initial Installation
### Pre-installation
1. Boot from Arch ISO
2. Verify boot mode: `ls /sys/firmware/efi/efivars`
3. Connect to internet: `iwctl` for WiFi
4. Update system clock: `timedatectl set-ntp true`
### Disk Preparation
1. List disks: `fdisk -l`
2. Partition the disk: `cfdisk /dev/sdX`
- EFI partition: 512M, type EFI System
- Root partition: remaining space, type Linux filesystem
3. Format partitions:
```bash
mkfs.fat -F32 /dev/sdX1 # EFI
mkfs.ext4 /dev/sdX2 # Root
```
4. Mount filesystems:
```bash
mount /dev/sdX2 /mnt
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
```
Current partition setup is a quite fragmented leftover from my dual-booting days. Later we should wipe the leftover
Windows drive for extra storage, but first we should confirm there's no essential files there
(unlikely since it wasn't booted for months, mostly using other windows PC)
### System Installation
1. Install base packages: `pacstrap /mnt base linux linux-firmware`
2. Generate fstab: `genfstab -U /mnt >> /mnt/etc/fstab`
3. Chroot: `arch-chroot /mnt`
4. Set timezone: `ln -sf /usr/share/zoneinfo/Europe/Budapest /etc/localtime`
5. Generate hardware clock: `hwclock --systohc`
6. Configure locale:
- Edit `/etc/locale.gen`, uncomment `en_US.UTF-8 UTF-8`
- Run: `locale-gen`
- Create `/etc/locale.conf`: `LANG=en_US.UTF-8`
7. Set hostname: `echo "homelab" > /etc/hostname`
8. Configure hosts file
9. Set root password: `passwd`
10. Install bootloader: `pacman -S grub efibootmgr`
11. Install GRUB: `grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB`
12. Generate config: `grub-mkconfig -o /boot/grub/grub.cfg`
## Post-Installation Setup
### User Management
```bash
# Create user
useradd -m -G wheel -s /bin/bash hoborg
passwd hoborg
# Configure sudo
pacman -S sudo
visudo # Uncomment %wheel ALL=(ALL) ALL
```
### Essential Packages
```bash
pacman -S git base-devel openssh networkmanager
systemctl enable NetworkManager
systemctl enable sshd
```
### AUR Access
```bash
# Install yay AUR helper
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
```
## Desktop Environment
### XFCE Installation
```bash
pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter
systemctl enable lightdm
```
### Themes and Appearance
- **Window Manager Theme**: Matcha-dark-aliz
- **Icons**: Papirus-Maia
- **Fonts**:
- System: Install Nerd Fonts (`ttf-iosevkaterm-nerd ttf-jetbrains-mono-nerd`)
- TTY: ter-124b (12x24 bold)
## Development Environment
### Dotfiles Management
```bash
# Install yadm
pacman -S yadm
# Clone dotfiles
yadm clone git@gitlab.com:akrejczinger/dotfiles.git
```
### Shell Configuration
- **Shell**: zsh with antidote plugin manager
- **Terminal**: wezterm with Catppuccin theme
- **Multiplexer**: tmux with catppuccin theme and temperature monitoring
- **Editor**: neovim with lazy.nvim plugin manager
### Key Configurations
- **Keyboard Layout**: Colemak (US variant in X11)
- **TTY Layout**: Colemak with caps lock → backspace via systemd service
- **Font Fallbacks**: Noto fonts for Unicode support
## TTY Configuration
### Font and Layout
```bash
# Configure /etc/vconsole.conf
KEYMAP=colemak
FONT=ter-124b
FONT_MAP=8859-1
```
### Caps Lock Fix
Caps lock mapped to backspace via systemd service:
```bash
# /etc/systemd/system/caps-backspace.service
sudo setkeycodes 3a 14 # Map caps scancode to backspace keycode
```
### Color Scheme
TTY colors configured in `.zshrc` for better readability.
## System Maintenance
### Package Management
- Regular updates: `yay -Syu`
- Orphaned packages: `yay -Yc`
- Cache cleanup: `yay -Sc`
### Backup Strategy
- Dotfiles: yadm + git repository
- System configs: Document in this guide
- User data: External backup solution
## Hardware-Specific Notes
### ThinkPad Optimizations
- **Temperature Monitoring**: Available via `sensors` command
- **Battery Management**: TLP for power optimization
- **Trackpad**: libinput with natural scrolling
- **Function Keys**: Media keys work out of box
### Network Configuration
- **WiFi**: NetworkManager with GUI applet
- **Ethernet**: Automatic DHCP
- **Bluetooth**: bluez with pulseaudio integration
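Review bot: the AUR Access block runs `makepkg -si` in a sequence where every other command is run as root (pacman, useradd, visudo, all without sudo); makepkg refuses to run as root, so this step must be done as the new `hoborg` user after the User Management step, and the guide should say so. `systemctl enable sshd` under Essential Packages brings up sshd with the stock config on first boot with no pointer to the hardening in network-security.md; add a cross-reference, or apply the sshd_config changes before enabling. The Caps Lock Fix fence is captioned `/etc/systemd/system/caps-backspace.service` but contains a shell command with `sudo`, which is not a unit file; show the unit itself (a `[Service]` section with `ExecStart=/usr/bin/setkeycodes 3a 14` and an `[Install]` target) or link to where it lives in the dotfiles. Lastly, services.md in this same commit lists "Full disk encryption (LUKS)" under Data Protection, but Disk Preparation here formats ext4 directly onto /dev/sdX2 with no cryptsetup step; either add the LUKS steps or mark that item as not implemented.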


@@ -6,6 +6,7 @@ Then `sudo systemctl restart bluetooth`
UPDATE: It's still not fixed :( UPDATE: It's still not fixed :(
Trying `yay -S pipewire wireplumber` Trying `yay -S pipewire wireplumber`
TODO test it again
# Touchpad scroll direction (libinput) # Touchpad scroll direction (libinput)
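Review bot: the added "TODO test it again" does not say what to test or what changed since the UPDATE line above it (was `pipewire wireplumber` installed and bluetooth restarted?); make it "TODO: retest bluetooth audio after switching to pipewire/wireplumber" and mirror it in the "Fix bluetooth audio connectivity issues" item in TODO.md, which the README designates as the central task list.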
@@ -76,11 +77,11 @@ Synaptics scroll direction options:
**Issue:** After running the theme switcher script, tmux sessions and existing terminals don't reflect the new theme until restarted. **Issue:** After running the theme switcher script, tmux sessions and existing terminals don't reflect the new theme until restarted.
**Temporary workaround:** **Temporary workaround:**
- Restart tmux sessions: `tmux kill-server && tmux` - Restart tmux sessions: `tmux kill-server && tmux`
- Open new terminal windows - Open new terminal windows
**TODO:** **TODO:**
- Investigate tmux theme reload without killing sessions - Investigate tmux theme reload without killing sessions
- Check if terminal emulator supports theme change signals - Check if terminal emulator supports theme change signals
- Improve theme script to handle live theme updates - Improve theme script to handle live theme updates
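Review bot: this hunk and the three that follow (`@@ -99,7 +100,7 @@`, `@@ -126,7 +127,7 @@`, `@@ -137,8 +138,8 @@`) show no visible content change in this rendering, which usually means trailing-whitespace or line-ending edits; mixing those into a documentation reorganization makes the real changes harder to find in blame, so keep whitespace cleanup in its own commit.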
@@ -99,7 +100,7 @@ set -g @catppuccin_window_tabs_enabled off
**Alternative:** Configure explicit window text for both states: **Alternative:** Configure explicit window text for both states:
``` ```
set -g @catppuccin_window_default_text "#W" set -g @catppuccin_window_default_text "#W"
set -g @catppuccin_window_current_text "#W" set -g @catppuccin_window_current_text "#W"
``` ```
Also ensure automatic renaming is enabled: Also ensure automatic renaming is enabled:
@@ -126,7 +127,7 @@ fc-cache -f
**Root cause:** Terminal emulator not configured to use Nerd Font as primary font. **Root cause:** Terminal emulator not configured to use Nerd Font as primary font.
**Solution:** **Solution:**
1. Install Nerd Fonts: 1. Install Nerd Fonts:
```bash ```bash
sudo pacman -S ttf-iosevkaterm-nerd ttf-jetbrains-mono-nerd sudo pacman -S ttf-iosevkaterm-nerd ttf-jetbrains-mono-nerd
@@ -137,8 +138,8 @@ fc-cache -f
3. For wezterm, ensure config includes: 3. For wezterm, ensure config includes:
```lua ```lua
config.font = wezterm.font_with_fallback { config.font = wezterm.font_with_fallback {
'IosevkaTerm Nerd Font', 'IosevkaTerm Nerd Font',
'JetBrainsMono Nerd Font Mono', 'JetBrainsMono Nerd Font Mono',
'Noto Color Emoji' 'Noto Color Emoji'
} }
``` ```
@@ -152,8 +153,51 @@ printf "Icons: \\ue702 \\uf121 \\uf015 \\uf07b\\n"
**Comprehensive coverage achieved with:** **Comprehensive coverage achieved with:**
- `noto-fonts` (base unicode) - `noto-fonts` (base unicode)
- `noto-fonts-cjk` (Chinese/Japanese/Korean) - `noto-fonts-cjk` (Chinese/Japanese/Korean)
- `noto-fonts-emoji` (color emoji) - `noto-fonts-emoji` (color emoji)
- `noto-fonts-extra` (additional scripts) - `noto-fonts-extra` (additional scripts)
Successfully displays: Egyptian hieroglyphs, Cuneiform, Nordic runes, Hungarian rovás, Arabic, Chinese, Japanese, Korean, Thai, Hindi, Hebrew, Greek, Tamil. Successfully displays: Egyptian hieroglyphs, Cuneiform, Nordic runes, Hungarian rovás, Arabic, Chinese, Japanese, Korean, Thai, Hindi, Hebrew, Greek, Tamil.
# Cannot tile windows by drag and dropping
Keyboard workaround: Go to Settings > Window Manager > Keyboard, set up tiling shortcuts (set to Super+arrow keys)
# Additional Known Issues (TODO Items)
## Tmux battery indicator missing until config reload
**Issue:** Battery indicator doesn't appear in tmux status line immediately after starting tmux.
**Temporary workaround:** Reload tmux config with `Prefix + r` or restart tmux session.
**Status:** Investigation needed
## TTY fallbacks needed
**Issue:** When not in X11/graphical mode, nvim and tmux need proper fallback configurations.
**Status:** Completed
**Solutions implemented:**
-**nvim:** TTY detection and color scheme fallback configured
-**Font:** Selected ter-124b (12x24 bold) for good readability
-**Keyboard:** Colemak layout with caps lock remapped to backspace
-**Caps lock fix:** Uses systemd service with `setkeycodes 3a 14`
**Configuration files:**
- `/etc/systemd/system/caps-backspace.service` - Permanent caps lock remapping
- TTY font testing script: `~/.local/scripts/test-fonts.sh`
## TTY Caps Lock Not Working as Backspace
**Issue:** With colemak keymap loaded, caps lock acts like Control instead of backspace in TTY.
**Root cause:** Colemak keymap maps caps lock to Control, which conflicts with tmux navigation keys.
**Solution:** Use `setkeycodes` to remap at scancode level:
```bash
sudo setkeycodes 3a 14 # Map caps lock scancode to backspace keycode
```
**Permanent fix:** Systemd service created at `/etc/systemd/system/caps-backspace.service`
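Review bot: Under `# Additional Known Issues (TODO Items)`, the `## TTY fallbacks needed` entry is marked `**Status:** Completed` and lists implemented solutions, so it no longer belongs in a known-issues/TODO section; move it to the setup doc or drop the "needed" wording. In that same block the four `-**nvim:**`, `-**Font:**`, `-**Keyboard:**`, `-**Caps lock fix:**` lines lack a space after the dash and will not render as a list. For `## TTY Caps Lock Not Working as Backspace`, the permanent fix only names `/etc/systemd/system/caps-backspace.service`; include the unit's contents (the `setkeycodes 3a 14` ExecStart and what it is ordered after) so it can be recreated, and state that `setkeycodes` changes the console keymap only, not X11. Likewise, say where the `ter-124b` font selection is persisted (`/etc/vconsole.conf`), since the entry only mentions a test script.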

View File

@@ -1,95 +0,0 @@
# Yadm Dotfiles Setup Notes
## Overview
Successfully configured yadm (Yet Another Dotfiles Manager) to manage personal dotfiles while preserving Arch Linux system functionality.
## Setup Process
### 1. Initial Yadm Installation and Clone
- ✅ Installed yadm: `pacman -S yadm`
- ✅ Cloned personal dotfiles repository: `yadm clone git@gitlab.com:akrejczinger/dotfiles.git`
- ✅ Created backup of existing dotfiles before merge: `~/dotfiles-backup/20250730_142945/`
### 2. Dotfiles Merge Strategy
Rather than force-overwriting local files, manually merged each configuration file to preserve both:
- **Arch Linux system functionality** (session management, package integration)
- **Personal customizations** (themes, keybindings, development tools)
### 3. Files Successfully Merged
#### Shell Configuration
- **`.bashrc`**: Enhanced with yadm aliases, functions, and development tools
- **`.bash_profile`**: Added poetry PATH export
- **`.bash_logout`**: Replaced with yadm version (console clearing for privacy)
- **`.zshrc`**: Comprehensive setup with vi-mode, custom functions, 293-line config
- **`.profile`**: Merged X11/touchpad config with environment setup
#### System Integration
- **`.xinitrc`**: Combined Arch session management with colemak keyboard layout
- **XFCE configs**: Enhanced window manager settings while preserving customizations
### 4. Arch-Specific Optimizations
- **Linuxbrew disabled**: Commented out in all files (using pacman/AUR instead)
- **Session management preserved**: Kept Arch's comprehensive xinitrc.d integration
- **Performance optimizations**: Set `vblank_mode=xpresent` for better AMD graphics performance
- **Window manager enhancements**: Added `restore_on_move`, `zoom_pointer` features
### 5. Submodule Management
- ✅ Resolved phantom `.config/nvm` submodule reference issue
- ✅ Successfully initialized all valid submodules:
- `.config/awesome` - AwesomeWM configuration
- `.config/nvim` - Neovim setup (updated to latest main branch)
- `.config/ranger/plugins/ranger_devicons` - File manager icons
- `.tmux/plugins/tpm` - Tmux Plugin Manager
### 6. Configuration Highlights
#### Development Tools
- **Zsh with vi-mode**: Enhanced terminal experience with custom keybindings
- **Git integration**: Custom functions (`fshow`, `vimgit`) for improved workflow
- **Archive extraction**: Universal `ex()` function for all archive types
- **Theme switching**: `light_theme`/`dark_theme` functions
#### System Customization
- **Keyboard**: Colemak layout with custom xmodmap
- **Theme**: Greybird-dark with Papirus-Maia icons
- **Font**: Noto Sans 10 with proper font rendering settings
- **Cursor**: xcursor-breeze theme
#### Security & Privacy
- **Console clearing**: Automatic screen clear on logout
- **SSH hardening**: Comprehensive security settings documented
- **Firewall configuration**: Planned fail2ban integration
## Current State
- ✅ All dotfiles merged and committed to yadm repository
- ✅ Submodules properly initialized and updated
- ✅ Development environment fully functional
- ✅ Arch system integration preserved
- ✅ Personal customizations active
## Next Steps
- Network configuration and static IP setup
- Dynamic DNS configuration for remote access
- Self-hosted service deployment preparation
## Lessons Learned
1. **Manual merge approach** was correct - prevented loss of Arch-specific functionality
2. **Submodule cleanup** required removing phantom references from git index
3. **Platform-specific adjustments** (disabling linuxbrew) are essential for Arch
4. **Comprehensive backups** saved the day when conflicts arose
## Commands Reference
```bash
# Yadm basic operations
yadm status
yadm add <file>
yadm commit -m "message"
# Submodule management
yadm submodule update --init --recursive
yadm submodule update --remote
# Remove phantom submodule
yadm rm --cached <submodule-path>
```
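Review bot: This hunk deletes yadm-setup-notes.md entirely, but several parts have no obvious new home in the reorganized docs: the Commands Reference (including `yadm rm --cached <submodule-path>` for the phantom `.config/nvm` submodule), the Lessons Learned list, and the Security & Privacy notes. Confirm these were migrated to system-setup.md before removing the file, or keep the file until they are. The removed file also records the clone URL and the backup directory `~/dotfiles-backup/20250730_142945/`; if that history is still wanted, carry it over.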