Personal Debian setup

This document is a step-by-step process to reproduce the setup I like for a fresh Debian install. As such, it is unlikely to fit your needs and preferences and is mainly aimed for me.

Installing Debian stable with FDE

Follow the detailed guide here.

Add current user to sudo group

Your default user might not be part of the sudo group at first:

Enable Debian backports

Debian backports are useful to get the latest packages for non-critical tools. To install it, follow the instructions on https://backports.debian.org/Instructions/ which are simply:

To search / install a package from the backports, just add the flag -t bullseye-backports to your usual apt commands:

In case your sources.list file gets messed up, refer to the examples here: https://wiki.debian.org/SourcesList#Example_sources.list

Install base packages

Let's now install base packages for this host: unless specified otherwise, those can be installed from stable.

sudo apt install python3-pip vim-nox syncthing kitty restic keepassxc qemu-system fzf ufw zsh zsh-autosuggestions zsh-syntax-highlighting imagemagick libimage-exiftool-perl ffmpeg mpv sct qutebrowser higan age htop tree tmux curl pulseeffects rsync ncdu wipe tldr ruby-dev xclip screenfetch gparted nmap grc gpick libjs-pdf pdftk scdoc unrar bitlbee bitlbee-dev bitlbee-plugin-mastodon autoconf libtool libglib2.0-dev gawk okular libncurses5 libncurses5-dev gamemode ncal shellcheck asciidoc libgraph-easy-perl libldap2-dev libidn11-dev xsel espeak apt-transport-https anacron qalc pandoc feh sox php php-mbstring dnsmasq chafa/bullseye-backports pipx/bullseye-backports 7zip/bullseye-backports && sudo ufw enable && tldr -u

Those packages should already be present but check anyway:

Ruby dependencies

sudo gem install nanoc fastimage exifr redcarpet rouge nokogiri rest-client builder adsf puma

Also get the following app as user:

gem install --user-install twterm

Python packages with pipx

for pkg in "glances" "yt-dlp" "frida-tools" "objection" "pex" "termdown" "tuir" "b2"; do pipx install "$pkg"; done

Also this, which doesn't work with pipx at the moment:

python3 -m pip install --user em-keyboard

Rust and Rust packages

Install rust with rustup: https://www.rust-lang.org/tools/install

Use cargo to install those packages next:

cargo install bottom
cargo install felix

Nim support

Install Nim with choosenim:

curl https://nim-lang.org/choosenim/init.sh -sSf | sh

Once it's done, install nimlsp for vim support:

nimble install nimlsp

Everything else is already set in your ~/.zshrc and ~/.vimrc.

Install faereld

Faereld is a time tracking tool. To install it, clone and install the repo I forked to fix a numpy dependency version issue:

cd faereld
pipx install .

The database and settings will be synced with dotfiles, later on in this document.

Install bottom (system monitor)

Follow instructions here: https://github.com/ClementTsang/bottom#installation

Install chatgpt for CLI usage

pipx install git+https://github.com/mmabrouk/chatgpt-wrapper
pipx install pytest-playwright --include-deps

playwright install firefox
chatgpt install # log in from the spawned firefox browser and exit

# You can now use chatgpt from your CLI

Symlink youtube-dl to yt-dlp

Streaming Youtube videos through youtube-dl with mpv can be slow: there are command flags to use yt-dlp instead, but this doesn't always work with old versions of mpv.

The most straightforward option is to just symlink youtube-dl to yt-dlp:

which youtube-dl # /usr/bin/youtube-dl
which yt-dlp # /home/ovelny/.local/bin/yt-dlp
sudo rm /usr/bin/youtube-dl
sudo ln -s /home/ovelny/.local/bin/yt-dlp /usr/bin/youtube-dl

Other packages fetched elsewhere

Those programs are to be found manually on the interwebs, installation is straightforward:

Configure DNS

I can't believe things are so complicated just to get this simple scenario working:

But here we are. To make this work, follow those steps:

# Ensure dnsmasq is installed
apt search dnsmasq

# Append the following lines in /etc/dnsmasq.conf

# Disable and stop systemd-resolved
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved

# Add the following line in the [main] section of /etc/NetworkManager/NetworkManager.conf:

# Delete the symlink /etc/resolv.conf
sudo rm /etc/resolv.conf

# Restart everything
sudo systemctl restart dnsmasq
sudo systemctl restart NetworkManager

# Ensure everything works with / without a VPN accordingly. Reboot if necessary.

Enable ping from guest machines in QEMU

Permissions need to be enabled to ping from your attack box:

# Get your current user's gid (will likely be 1000)

# Give ping permissions to this gid
sudo echo "net.ipv4.ping_group_range = <gid> <gid>" >> /etc/sysctl.conf

# Apply changes
sudo /sbin/sysctl -p

Take care of graphics drivers

Depending on your machine, setting up graphics drivers will probably need to enable nonfree and contrib repos. Check document online for Debian + your graphic card.

Add noatime options for disks

Append the noatime option to each disk listed in /etc/fstab. Easy optimization no matter if you're using a SSD or HDD. Reboot and continue.

Disable system sounds

In sound, mute system sounds. That's it.

Adjust mouse sensitivity


Change power menu settings

In power, choose:

Change default programs

Set music + video to mpv. That's it.

Change shell to zsh

chsh -s $(which zsh)

Restart shell and check with echo $ZSH_VERSION that it worked.

Disable wayland

Using wayland with gnome is asking for trouble, even in 2022. To disable it, edit /etc/gdm3/daemon.conf and uncomment the WaylandEnable=false, save and reboot.

To check if X11 is now used, run loginctl to grab the session ID, then run loginctl show-session <ID> -p Type.

Restore dotfiles

Start by restoring dotfiles: we'll have to launch syncthing manually once, before the autostart file takes over after this step.

Run syncthing (remove default folder too) and start syncing the ~/.dotfiles directory. In advanced options, choose to ignore syncing permissions.

Then sync the ~/bin in the same way and run chmod +x ~/bin/dot. Also sync the ~/sync directory while you're at it.

Run ~/bin/dot install and reboot. The updated zsh theme and automatic syncthing startup should be proof enough that your dotfiles are restored.

Set up bitlbee

Uncomment and change the following lines in /etc/bitlbee/bitlbee.conf:

DaemonInterface =
DaemonPort = 6667

Restore the /var/lib/bitlbee/ovelny.xml file (you know where to find it) and then run systemctl enable bitlbee and systemctl restart bitlbee. The only thing left is to set up the discord plugin, follow the instructions here: https://github.com/sm00th/bitlbee-discord

For weird reasons however, the plugin files have unnecessary permissions after install, fix this with the following:

sudo chmod 644 /usr/lib/bitlbee/discord.so
sudo chmod 644 /usr/lib/bitlbee/discord.la

Everything else should be working with the dotfiles you restored earlier, which include irssi config files.

Configure custom shortcuts

Automount drives

Set your secondary hard drive and others to automount: when using gnome-disks, this is simply done by selecting your drive > click on settings > edit mount options > disable user session defaults. Reboot to check this is working once done.

Configure gnome tweaks

Restore SSH and GPG keys

You know where to find your keys.

For SSH:

For GPG:

Restic config and restore

Restic's "key" is already present in ~/.dotfiles, and its symlink can be found in ~/.config/restic/restic_key.gpg after running the previous steps.

You can use that key to decrypt restic's repo with the following flag:

restic --password-command "gpg --decrypt --default-recipient-self /home/ovelny/.config/restic/restic_key.gpg" <rest-of-the-command>...

Ensure that your restic repository is intact by running restic --password-command "<...>" -r /<repo-path> check.

Since we're aiming for a fresh install, we're not going to restore the entire /home directory. Only the following should be restored:

The rest is either already present thanks to syncthing or located in the second drive — at the time of writing this document.

The second drive — whatever its location is — can be restored entirely with the exception of the Steam directory. That one can be kept away unless you need to restore a save someday.

Use the following to restore a specific file or directory with restic, which should also work nicely for the entire 2nd drive:

# Grab the ID of the snapshot you wanna use
restic --password-command "gpg --decrypt --default-recipient-self /home/ovelny/.config/restic/restic_key.gpg" -r /<path-of-restic-repo> snapshots 

# Restore a directory or file
restic --password-command "gpg --decrypt --default-recipient-self /home/ovelny/.config/restic/restic_key.gpg" -r /<path-of-restic-repo> restore <ID> --target /<where-to-restore-directory> --include /<path-of-directory-to-restore> 

Keep in mind however that the absolute path is restored, not only the directory's content. This is how restic works and there is currently no way around it (except for mounting restic's repo somewhere else, but I don't like that). Just mv the files accordingly and remove the emptied absolute path.

Symlink Music directory

Your music directory is currently located on your secondary hard drive: after restic restore, delete ~/Music and use a symlink to said drive's directory.

ln -s /<second-drive-path>/Music /home/ovelny/Music

Sync main directories with syncthing

The following directories should be synced with syncthing:

For those that are not synced already, the most pratical way is to delete the default directory if it already exists (like ~/Pictures). That way you're sure you won't sync anything the other way around, from your new machine to the "original" device — a bit brutal but feels safer.

For all directories, make sure to disable syncing permissions in advanced options.

Connect to the TUIs

Connect / login to the TUIs you're using:

All of those are actual aliases present in ~/bin, for twterm, tuir, etc.

Clone some repositories

mkdir ~/code && cd ~/code
git clone git@github.com:ovelny/vim-cursed.git
git clone git@github.com:ovelny/amulet.git
git clone git@github.com:ovelny/vessel.git
cd vessel && mkdir output
git clone git@github.com:ovelny/ovelny.github.io.git output

Set up .vimrc and install vim plugins

# Symlink vim config
ln -s /home/ovelny/code/vim-cursed/.vimrc /home/ovelny/.vimrc

# vim-plug installation
curl -fLo ~/.vim/autoload/plug.vim --create-dirs \

Next, run vim and execute :PlugInstall to install all plugins listed in ~/.vimrc.

Finally, the YouCompleteMe plugin requires a few more steps for a full installation: https://github.com/ycm-core/YouCompleteMe#linux-64-bit

Pylint and black are also required with the previous config:

python3 -m pip install --user pylint
python3 -m pip install --user black

Configure pulseeffects

Enable equalizer and select gstreamer_dance in presets.

Configure certs

You know where to find your certs.

sudo apt install libnss3-tools

certutil -d "sql:$HOME/.pki/nssdb" -A -i ~/Downloads/<your-burp-cert> -n "Burp Suite CA" -t C,,

# Repeat last command for zaproxy cert and delete them from their temporary location

Setup daily backups

The backup_moon script is already present in ~/bin. Ensure that it is executable with chmod +x ~/bin/backup_moon and add the following line with crontab -e:

# 0 4 * * * /home/ovelny/bin/backup_moon
0 7-17 * * * /usr/sbin/anacron -s -t $HOME/.anacron/etc/anacrontab -S $HOME/.anacron/spool

First line is kept for legacy purposes, just in case anacron isn't suitable later on.

While you're at it, also add the following line with crontab -e:

* * * * * /usr/bin/sct 4500

This sets the color temperature of your screen to a warmer one. This line is also ran during startup with your dotfiles, but weird X11 behavior with videos, games etc can reset that setting to the default temp sooo. I'm taking the nuclear option here, and let it re-run every minute.

You should also check if all the paths in backup_moon are still the same with your new install to manage backups, and change them accordingly. Also check ~/bin/restic and ~/bin/restic-b2 which are just wrappers to easily run restic with its key. Paths might need to be updated there too.

Configure b2 and setup weekly b2 backups

Run the following command to enter b2 credentials:

b2 authorize_account

After this step, you can run b2 get-account-info to check if everything is working.

Install and configure Brave browser

Install brave browser as directed on their website, then apply the following changes. Everything not mentioned should be left as default:

* select "show blocked info page" when a site is blocked

Enable them all except hide clock and check results.

Changing /etc/hosts

Consider changing /etc/hosts as described in your personal wiki.

All done

Congrats, add a wallpaper and you have a system you can call home now. Grab a coffee and enjoy.