Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo ufw limit ssh

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user sid to the group ssh-users.

$ sudo adduser sid ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the local user bookworm:

$ ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the following minimal entry for the host debian-server.

Host debian-server
   Hostname 192.168.1.10
   IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Step 9

On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 10

On the local machine, open a new terminal window and run the following command.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T
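The verification above can be scripted. The following is an added example, not part of the original instructions or of the downloaded configuration file: it reads the output of sshd -T and compares it with the policy described at the top of this page. The MaxAuthTries ceiling of 3, the function names and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# check_sshd_effective reads `sshd -T` output on stdin and compares it with
# the policy the guide describes: no root login, key-only authentication,
# and access limited to the group ssh-users.
# Assumption: the MaxAuthTries ceiling (first argument, default 3) is chosen
# for illustration; the guide does not say which value the hardening file sets.
# Prints one line per finding; the return status is the number of findings.
check_sshd_effective() {
    awk -v max_tries="${1:-3}" '
        { key = tolower($1) }
        key == "permitrootlogin"        { root  = tolower($2) }
        key == "passwordauthentication" { pw    = tolower($2) }
        key == "pubkeyauthentication"   { pk    = tolower($2) }
        key == "maxauthtries"           { tries = $2 }
        # Collect every group, whether listed on one line or on several.
        key == "allowgroups" {
            for (i = 2; i <= NF; i++) if (!($i in grp)) { grp[$i] = 1; n++ }
        }
        END {
            bad = 0
            if (root != "no") { print "FAIL permitrootlogin: got [" root "], want no"; bad++ }
            if (pw != "no")   { print "FAIL passwordauthentication: got [" pw "], want no"; bad++ }
            if (pk != "yes")  { print "FAIL pubkeyauthentication: got [" pk "], want yes"; bad++ }
            if (tries == "" || tries + 0 > max_tries + 0) {
                print "FAIL maxauthtries: got [" tries "], want <= " max_tries; bad++
            }
            if (!("ssh-users" in grp)) {
                print "FAIL allowgroups: ssh-users is not listed"; bad++
            } else if (n > 1) {
                print "FAIL allowgroups: groups other than ssh-users are allowed"; bad++
            }
            exit bad
        }'
}

# Constructed sample: effective settings matching the policy of this guide.
sample_hardened() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
maxauthtries 3
allowgroups ssh-users
EOF
}

# Constructed sample: a permissive server with no group restriction.
sample_weak() {
    cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
maxauthtries 6
EOF
}

# Demonstration on the constructed samples.
sample_hardened | check_sshd_effective && echo "hardened sample: compliant"
sample_weak | check_sshd_effective || echo "weak sample: $? finding(s)"
```

On the remote machine, pipe the real output into the function with sudo sshd -T | check_sshd_effective. Settings inside Match blocks are only evaluated when sshd -T is given a connection specification with -C.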

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

Install OneDrive Client for Linux on Debian or Ubuntu

The OneDrive Client for Linux connects your Debian or Ubuntu system to Microsoft’s OneDrive Personal, OneDrive for Business, OneDrive for Office365, Sharepoint and other such deployments.

Step 1

Install the OneDrive Client from the Debian or Ubuntu repository.

$ sudo -- bash -c 'apt update && apt install --yes onedrive'

Step 2

Begin to connect the client to your OneDrive account.

$ onedrive --synchronize

You will be presented with a message similar to the following:

Configuring Global Azure AD endpoints
Authorize this app visiting:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id&scope=Files.ReadWrite%20Files.ReadWrite.all%20Sites.Read.All%Sites.ReadWrite.All%20offline_accessresponse_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

Enter the response uri:

In the above dialog, copy or [Ctrl + Click] the URI beginning with https://login.microsoftonline.com/.

In a web browser

Use the URI from the previous step to sign into your Microsoft account. You will be redirected to a response URI displaying a blank page. Copy the response URI from the address field of your browser.

In the terminal

Paste the response URI into the terminal. On successful authentication, the OneDrive Client will connect to your Microsoft account and begin to download your data.

Initializing the Synchronization Engine …
Syncing changes from OneDrive …
Creating local directory:
Downloading file … done.
Uploading differences of ~/OneDrive
Uploading new items of ~/OneDrive

Step 3

After downloading your data to ~/OneDrive, validate the configuration of the client.

$ onedrive --display-config

If required, you may change the default configuration.

Step 4

Enable OneDrive Client for the local user bookworm.

$ sudo -- bash -c 'systemctl enable onedrive@bookworm.service && systemctl start onedrive@bookworm.service && systemctl status onedrive@bookworm.service'

All done!

How to install Espanso from source on Debian 12 Bookworm

Currently available Espanso packages fail to install on Debian 12 because of unmet dependencies. Given that I depend on Espanso to expand text shortcuts and insert special characters, I was stuck on Debian 11. Until now!

The following instructions have also been tested with Debian 11.

After completing the installation, Espanso 2.2.0 for Wayland will be installed on your system and enabled for the current user.

Compiling Espanso from source code

Side-step any dependency problems by compiling Espanso from source and moving the binary into place.

Step 1

Install the required C/C++ compiler and some additional tools.

$ sudo apt-get install --yes build-essential curl git wl-clipboard libxkbcommon-dev libdbus-1-dev libwxgtk3.*-dev libssl-dev

Step 2

Install the required Rust compiler, which is managed by the rustup tool.

$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh && source ~/.bashrc

Press [Enter] to proceed with the installation.

Current installation options:

1) Proceed with installation (default)
2) Customize installation
3) Cancel installation
>

Install cargo-make, which is required during the build process.

$ cargo install --force cargo-make

Step 3

Get the source code by cloning the Espanso repository to the local directory ~/.local/src/espanso.

$ git clone --progress https://github.com/federico-terzi/espanso ~/.local/src/espanso

Step 4

Compile the Espanso binary in release mode and as a Wayland-only build.

$ cargo make --cwd ~/.local/src/espanso --profile release --env NO_X11=true build-binary

Move the binary to the /usr/local/bin directory.

$ sudo mv ~/.local/src/espanso/target/release/espanso /usr/local/bin/

Step 5

Give Espanso the permissions it requires for operation.

$ sudo setcap "cap_dac_override+p" $(which espanso)

Check to see if the Espanso binary was installed successfully.

$ espanso --version

Step 6

Integrate Espanso into the system by registering it as a systemd service.

$ espanso service register

Start Espanso.

$ espanso start && espanso status

Step 7

In GNOME, remove the conflicting default shortcut for activating the window menu.

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts > Windows > Activate the window menu > [Backspace]

From now on, use [Alt + Space] to open Espanso’s Search bar.

All Done!

Please keep in mind that Wayland support at this point has some known limitations. Most notably, “there is currently no support for App-specific configurations”.

Big thank you to Federico Terzi for creating such a useful tool for us all to use!

Install and configure nullmailer using Fastmail as a smarthost

If you want to receive status updates from your Debian or Ubuntu system in your inbox, you need to employ the help of a mail transfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs such as Exim, Sendmail or Postfix. Instructions for setting up Exim are available for comparison.

nullmailer can be configured to use Fastmail as a smarthost and hence ensure the deliverability of your messages. In principle, these instructions should also be applicable to service providers other than Fastmail.

In the following example configuration, debian is the hostname, bookworm the local username and linus.torvalds@fastmail.com the Fastmail username.

Step 1

Log into your Fastmail account and set up a new app password for SMTP authentication.

Step 2

Create the new directory /etc/nullmailer and the file /etc/nullmailer/adminaddr.

$ sudo mkdir /etc/nullmailer && sudo nano /etc/nullmailer/adminaddr

Your Fastmail username is the only entry in /etc/nullmailer/adminaddr.

linus.torvalds@fastmail.com

Step 3

Install the required packages.

$ sudo apt-get install --yes nullmailer mailutils

Step 4

Perform the initial configuration using debconf. Reconfigure nullmailer at any time after the initial installation using the following command.

$ sudo dpkg-reconfigure nullmailer

Setting the mail name

Set the system mail name. If you are setting up on a home network, you should use home.arpa as the domain name.

Configuring nullmailer

Mailname of your system:

debian.home.arpa

Ok

Configuring the smarthost

Set the Fastmail server as the smarthost. Use the app password you set in Step 1.

Configuring nullmailer

Smarthosts:

smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password

Ok

Step 5

Test your configuration with the following command.

$ echo "Test mail from nullmailer on debian.home.arpa to the local root user and forwarded on to Fastmail" | mail -s "Test nullmailer" root

Check your Inbox, Linus!
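The smarthost entry from Step 4 carries the SMTP app password in clear text, so the file that stores it deserves a check. The following is an added example, not part of the original instructions or of nullmailer itself: it audits a remotes file for readable permissions, credentials sent without --starttls or --ssl, and the --insecure option. The default path /etc/nullmailer/remotes, the function names and the sample entries other than the Fastmail line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_nullmailer_remotes FILE checks a nullmailer remotes file, which holds
# the smarthost line including the SMTP password.
# Assumption: the file path defaults to /etc/nullmailer/remotes.
# Prints one line per finding (never the password itself); the return status
# is the number of findings, or 255 if the file cannot be read.
audit_nullmailer_remotes() {
    file="${1:-/etc/nullmailer/remotes}"
    findings=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 255; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL $file: accessible to group or others ($perms)"
        findings=$((findings + 1))
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        host=${line%% *}
        # Credentials must only travel over an encrypted session.
        case "$line" in
            *--user=*|*--pass=*)
                case "$line" in
                    *--starttls*|*--ssl*) ;;
                    *) echo "FAIL $host: credentials without --starttls or --ssl"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
        # --insecure accepts a server certificate that fails validation.
        case "$line" in
            *--insecure*)
                echo "FAIL $host: certificate validation disabled (--insecure)"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed samples: the entry from Step 4 with tight permissions, and a
# world-readable file with two weak entries (hosts and users are made up).
write_samples() {
    cat > "$1/remotes.good" <<'EOF'
smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password
EOF
    chmod 600 "$1/remotes.good"
    cat > "$1/remotes.weak" <<'EOF'
# constructed weak entries
smtp.example.net smtp --port=25 --auth-login --user=alice --pass=placeholder
smtp.example.org smtp --port=587 --starttls --insecure --user=alice --pass=placeholder
EOF
    chmod 644 "$1/remotes.weak"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_nullmailer_remotes "$demo_dir/remotes.good" && echo "good sample: no findings"
audit_nullmailer_remotes "$demo_dir/remotes.weak" || echo "weak sample: $? finding(s)"
rm -rf "$demo_dir"
```

On a configured system, run the function as root without an argument to audit the live file.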

Install Syncthing for continuous file synchronisation on Debian or Ubuntu

Syncthing is an open source tool that synchronises data across multiple devices. It transfers your files peer-to-peer, without the requirement to upload your information to the cloud. Packages are available for Android, Windows, macOS and Linux (including Synology DSM).

The usefulness of this project cannot be overstated.

Running the Syncthing stable channel

Syncthing is included in the Debian and Ubuntu repositories, respectively. These instructions are targeting the latest release of the Syncthing stable channel. It is therefore necessary to add the Syncthing repository to your list of APT sources.

In the following example, bookworm is the local username.

Step 1

Add the Syncthing release key for validation of packages downloaded from the Syncthing repository.

$ sudo curl -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg

Step 2

Add the Syncthing repository.

$ echo "deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list

Step 3

Install Syncthing on your system.

$ sudo -- bash -c 'apt update && apt install --yes syncthing apt-transport-https'

Step 4

Enable Syncthing for the local user bookworm.

$ sudo -- bash -c 'systemctl enable syncthing@bookworm.service && systemctl start syncthing@bookworm.service && systemctl status syncthing@bookworm.service'

Step 5

You may need to edit your firewall settings to open ports for incoming and outgoing traffic.

If you are using ufw as a host-based firewall

Configure ufw to allow connections to Syncthing.

$ sudo ufw limit syncthing

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to Syncthing.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=syncthing --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 6

Access the Syncthing configuration page by using your browser to navigate to the following address:

http://localhost:8384

Step 7

Complete your setup by referring to the Syncthing documentation.

Install Cockpit on Debian 12 Bookworm

Cockpit is a web-based management tool for Linux systems. It aims to simplify management tasks while maintaining compatibility with other administration tools.

Step 1

Cockpit requires the use of the firewalld service to be able to make changes to your firewall rules.

If you are using ufw as a host-based firewall

Remove ufw before replacing it with firewalld.

$ sudo apt-get remove --purge --yes ufw

Install firewalld as a host-based firewall

Install firewalld and maintain ssh access as well as enabling cockpit to receive incoming connections.

$ sudo -- bash -c 'apt-get install --show-progress --yes firewalld && systemctl enable --now firewalld.service && firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --zone=public --add-service=cockpit --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 2

Proceed to install Cockpit and selected add-on applications.

$ sudo apt-get install --show-progress --yes cockpit cockpit-machines cockpit-pcp nullmailer ssh tuned-utils

Step 3

By default, the Cockpit web console listens on port 9090 for connections. If you want to make changes from the default, use the following command to edit /etc/systemd/system/cockpit.socket.d/override.conf.

$ sudo systemctl edit cockpit.socket

The example below changes the web console port from 9090 to 9091 and restricts access to the localhost.

### Editing /etc/systemd/system/cockpit.socket.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Socket]
ListenStream=
ListenStream=127.0.0.1:9091

### Lines below this comment will be discarded

Use the following command for your changes to take effect.

$ sudo -- bash -c 'systemctl daemon-reload && systemctl restart cockpit.socket && systemctl status cockpit.socket'

Step 4

If you installed Cockpit on the local machine and changed the listening port to 9091, you can now access the Cockpit web console on https://localhost:9091.

The process of security

“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier acknowledges that perfect computer security probably doesn’t exist. He reminds us that we need to understand our risk of exposure in order to be able to manage it.
www.schneier.com

Trust the process, Tina!

How to install Debian 12 Bookworm with a GNOME desktop

Debian GNU/Linux was first released in 1993 and has been under active development ever since. Today, the Debian Project unites thousands of contributors from across the globe with the aim of producing “an operating system distribution that is composed entirely of free software”.

This guide is intended to assist those who are installing Debian for the first time. It describes a straightforward path to a GNOME desktop. It installs fewer applications than the default selection. Choose from more than 60000 official packages to tailor the system to your own requirements.

Debian and the new package formats

Debian stable is, above all else, focused on the task of maintaining bug-free software packages. It is the reason why Debian, in over 30 years, has gained a reputation for being “like a rock in an ever-swirling sea of updates”. It is also the reason why Debian stable does not keep up with the latest versions.

Universal package formats, such as Flatpak, Snap, or AppImage, are managed separately from conventional packaging systems and thus provide the end-user with added flexibility and choice. They solve the problem of stale distribution packages because newer versions can be installed without compromising the integrity of the underlying core.

Before you begin

In addition to the target computer, you should have access to a reasonably fast connection to the Internet. Ideally, your device would connect to your router by Ethernet cable. If your laptop does not have an Ethernet port, consider using the Plugable USB 3.0 Gigabit Ethernet Adapter.

Use Etcher to flash a bootable Debian CD image to a USB drive. Alternatively, you may wish to install Ventoy and boot directly from the image file.

Depending on your actual requirements, there are different Debian CD images to choose from. In all likelihood, you are following these instructions to install on x86-64 hardware, for which a network install CD image amd64 would be the correct choice. It supports Intel as well as AMD processors and “includes non-free firmware for extra support for some awkward hardware”.

Choose a hostname and a username for your setup. In the examples which follow, debian is used as the hostname and bookworm as the username. Just remember to make the substitutions when executing commands that reference either.

Choose 1) an encryption passphrase to encrypt your storage device, 2) a user password to secure your user account, and 3) a root password to secure the root account.

Ensure that all of your data is safely backed up because formatting your storage device will erase all of its data.

After completing the installation, Debian GNU/Linux will be the only operating system on your computer.

Installing Debian GNU/Linux

If your computer uses the Unified Extensible Firmware Interface (UEFI) and you are unsure about which settings to use, you may wish to disable the Secure Boot option.

Step 1

After booting the system from the USB stick that you have prepared, continue by selecting the text based installer.

Step 2

Keep English as the language for the installation.

[!!] Select a language

Language: English

Step 3

Keep United States as the location for your system. This will also set United States as the default locale for the system environment. You will have an opportunity to set additional locales and adjust time zones at a later point during the installation.

[!!] Select your location

Country, territory or area: United States

Step 4

Use the keymap that is the correct one for your particular keyboard.

[!!] Configure the keyboard

Keymap to use: your keyboard

Step 5

You will likely be asked to select the primary network interface for use during the installation. If network autoconfiguration fails, go back and try another interface from the list.

[!!] Configure the network

Network configuration method:

Retry network autoconfiguration
Retry network autoconfiguration with a DHCP hostname
Configure network manually

Do not configure the network at this time

Go Back

Step 6

Set the hostname for your system. In this example, we use debian as the hostname.

[!] Configure the network

Hostname: debian

Continue

Set the domain name for your system. If you are setting up on a home network, you should use home.arpa as the domain name.

[!] Configure the network

Domain name: home.arpa

Continue

Step 7

Leave the root password empty to ensure the standard user account will automatically be configured with sudo privileges.

[!!] Set up users and passwords

Root password: leave empty

Continue

Confirm the empty root password.

[!!] Set up users and passwords

Re-enter password to verify: leave empty

Continue

Create the standard user. In this example, we use Bookworm as the full name.

[!!] Set up users and passwords

Full name for the new user: Bookworm

Continue

Your username should start with a lower-case letter. In this example, bookworm is a reasonable choice.

[!!] Set up users and passwords

Username for your account: bookworm

Continue

Set a password for the new standard user.

[!!] Set up users and passwords

Choose a password for the new user: your user password

Continue

Confirm the password for the new standard user.

[!!] Set up users and passwords

Re-enter password to verify: your user password

Continue

Keep Eastern as the time zone for now.

[!] Configure the clock

Select your time zone: Eastern

Step 8

You may wish to partition your disk with LVM and protect your data with a 256 bit AES key.

[!!] Partition disks

Partitioning method: Guided - use entire disk and set up encrypted LVM

Be careful to select the correct target device for your system.

[!!] Partition disks

Select disk to partition: your target disk for installation

Choose to keep all files in one partition.

[!] Partition disks

Partitioning scheme: All files in one partition (recommended for new users)

Now write the changes to disk.

[!!] Partition disks

Write the changes to disk and configure LVM?

Yes

You may skip the overwriting of the disk with random data by selecting Cancel. Be aware, however, that skipping this step will lessen the quality of the encryption.

Step 9

Enter your encryption passphrase.

[!!] Partition disks

Encryption passphrase: your encryption passphrase

Continue

Confirm your encryption passphrase.

[!!] Partition disks

Re-enter passphrase to verify: your encryption passphrase

Continue

Step 10

Use the available space for partitioning your disk.

[!!] Partition disks

Amount of volume group to use for guided partitioning: max

Continue

Step 11

Write the changes to disk.

[!!] Partition disks

Finish partitioning and write changes to disk

Confirm writing the changes to disk.

[!!] Partition disks

Write the changes to disks?

Yes

Step 12

You may be asked to scan additional installation media.

[!] Configure the package manager

Scan extra installation media?

No

Step 13

Select your archive mirror country from the list.

[!] Configure the package manager

Debian archive mirror country: your country

Select an archive mirror from the list. For the fastest downloads, use the site that is closest to you.

[!] Configure the package manager

Debian archive mirror: mirror closest to you

You probably won’t need to configure an HTTP proxy:

[!] Configure the package manager

HTTP proxy information (blank for none): leave empty

Continue

Step 14

The Debian Popularity Contest attempts to map the overall usage of Debian packages with information from installed systems, such as yours.

[!] Configuring popularity-contest

Participate in the package usage survey?

Yes

Step 15

Choose standard system utilities from the list of predefined software collections and deselect all other entries.

[!] Software selection

Choose software to install:
[ ] Debian desktop environment
[ ] GNOME
[*] standard system utilities

Continue

Step 16

You may be asked if you want to install the GRUB boot loader to your primary drive. Select your target disk from Step 8 as the drive for boot loader installation.

[!] Install the GRUB boot loader

Install the GRUB boot loader to your primary drive?

Yes

Step 17

Remove the installation media before booting into your new system.

[!!] Finish the installation

Installation complete

Continue

Step 18

Enter your encryption passphrase to boot into the system for the first time. In this example, the encrypted disk is labelled sda3_crypt.

Please unlock disk sda3_crypt: your encryption passphrase

Log into the system with your username and user password.

Debian GNU/Linux 12 debian tty1

debian login: bookworm
Password: your user password

Step 19

Set the password for the root user by entering the following command. You will be asked for your user password to obtain sudo privileges first.

$ sudo passwd root

Step 20

Install a minimal GNOME desktop.

$ sudo apt-get install --yes gnome-core

If you are installing into a virtual machine, use this additional command to enable copy and paste between the host and the guest.

$ sudo apt-get install --yes spice-vdagent

Step 22

Restart your system.

$ sudo reboot

Step 23

Enter your encryption passphrase to boot into the system.

Please unlock disk sda3_crypt: your encryption passphrase

Log into the GNOME desktop environment.

Step 24

Select Show Applications from the panel at the bottom of the screen or press [Super + a] and open the Settings application. On most keyboards, the [Super] key is the one with the Windows logo printed on it. Continue by adding the following keyboard shortcuts:

Terminal application

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts > Custom Shortcuts > Add Shortcuts
Name: Launch Terminal

Command: gnome-terminal

Shortcut: [Super + t]

File manager

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Home folder
Shortcut: [Super + f]

Web browser

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Launch web browser
Shortcut: [Super + b]

Maximising windows vertically

Settings > Keyboard > Keyboard Shortcuts > View and Customize Shortcuts: Maximize window vertically
Shortcut: [Ctrl + Super + ↑]

Step 25

From within the GNOME desktop, open Firefox ESR by using the shortcut [Super + b] and re-open these instructions at edafe.de/step25.

Open a terminal with the shortcut [Super + t] and, where applicable, use copy and paste to enter the commands set out on this page. Be careful not to miss any punctuation.

Step 26

Set the time zone for your area.

$ sudo dpkg-reconfigure tzdata

Configuring tzdata

Geographic area: your area

Ok

Step 27

Configure locales for all the languages that your system is going to be used with. Use UTF-8 locales wherever possible.

$ sudo dpkg-reconfigure locales

In this example, German and Japanese locales are generated in addition to the default locale for the system environment.

Configuring locales

Locales to be generated:

[*] de_DE.UTF-8 UTF-8
[*] en_US.UTF-8 UTF-8
[*] ja_JP.UTF-8 UTF-8

OK

Keep en_US.UTF-8 as the default locale for the system environment.

Configuring locales

Default locale for the system environment:

en_US.UTF-8

OK

Step 28

The Desktop was disabled in GNOME 3.28. This decision was not universally popular at the time. However, developers pointed to the fact that, as an unmaintained feature, it stood in the way of other improvements. The following command hides the now orphaned Desktop folder from view.

$ echo Desktop >> ~/.hidden

Step 29

Install additional Debian packages to give you a functional GNOME desktop.

$ sudo apt-get install --show-progress --yes apostrophe aptitude cheese cups curl debian-reference deja-dup file-roller foliate foomatic-db-compressed-ppds gcolor3 gnome-clocks gnome-color-manager gnome-connections gnome-dictionary gnome-epub-thumbnailer gnome-firmware gnome-keysign gnome-maps gnome-mpv gnome-power-manager gnome-session-canberra gnome-shell-extension-bluetooth-quick-connect gnome-shell-extension-dashtodock gnome-shell-extension-no-annoyance gnome-shell-extension-tiling-assistant gnome-shell-extensions-extra gnome-software-plugin-flatpak gnome-software-plugin-snap gnome-sound-recorder gnome-tweaks gnome-video-effects-frei0r gpodder mpv-mpris nautilus-share neofetch network-manager-config-connectivity-debian network-manager-openconnect-gnome network-manager-openvpn-gnome network-manager-ssh-gnome network-manager-vpnc-gnome ooo-thumbnailer pdfarranger plymouth-themes printer-driver-cups-pdf playerctl rhythmbox-plugin-alternative-toolbar rhythmbox-plugin-cdrecorder rsync seahorse seahorse-daemon seahorse-nautilus shotwell smbclient soundconverter ssh-askpass-gnome synaptic transmission-gtk task-laptop ufw unattended-upgrades wireguard yubioath-desktop && sudo ufw enable

Step 30

Replace the text output during system boot with a graphical splash screen.

$ sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet"/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"/' /etc/default/grub && sudo update-grub2

Step 31

Configure neofetch to display information about your system on the command-line.

$ echo -e '\n# use Neofetch to display information about the system\nif [ -f /usr/bin/neofetch ]; then\n clear && neofetch;\nfi' >> ~/.bashrc && source ~/.bashrc

Step 32

Enable the unattended installation of important upgrades.

$ sudo dpkg-reconfigure unattended-upgrades

Step 33

If in Step 5 you selected a wireless interface as the primary network interface for use during the installation, you will need to re-authenticate with the wireless network after rebooting.

Enable the Network Manager for the primary network interface and reboot your system.

$ sudo sed -i 's/managed=false/managed=true/' /etc/NetworkManager/NetworkManager.conf && sudo sed -i '/# The primary network interface/,$d' /etc/network/interfaces && sudo reboot

Step 34

Enable the installation of Flatpaks from Flathub.

$ sudo -- bash -c 'flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo'

Step 35

Install applications from Flathub.

$ sudo flatpak install --assumeyes flathub com.vixalien.sticky dev.geopjr.Collision dev.geopjr.Tuba io.gitlab.adhami3310.Converter org.cryptomator.Cryptomator org.gustavoperedo.FontDownloader org.libreoffice.LibreOffice org.keepassxc.KeePassXC

Step 36

Install applications from the Snap Store.

$ sudo snap install bitwarden chromium

Step 37

The snap directory in your home folder is not supposed to be accessed manually. Use the following command to hide it from view.

$ echo snap >> ~/.hidden

Step 38

By default, Debian installs the Extended Support Release (ESR) version of Firefox. The ESR receives crash fixes, security fixes and policy updates as needed.

The flatpak, on the other hand, installs the Rapid Release version of Firefox. In contrast to the ESR, the Rapid Release receives major updates at least every four weeks. Both versions can be used concurrently. When installed on your desktop, they are called Firefox ESR and Firefox Web Browser, respectively.

As an option, you may install Firefox Rapid Release and set it as the default browser.

$ sudo flatpak install --assumeyes org.mozilla.firefox && xdg-settings set default-web-browser org.mozilla.firefox.desktop

Consider using different themes to easily distinguish between the two versions.

Step 39

Prevent yourself from accidentally breaking Debian by reading about some of the most commonly made mistakes.

All done!

Strikes!

“… and when quizzed about the upcoming nurses strikes, the Conservative party chairman said that demands for a 19% pay rise for nurses would cost the NHS 10 billion pounds, which should instead be spent on NHS frontline services. Back to you, Chris.

Gaslighting fuckers! If nurses aren’t the NHS frontline?? I mean, what about ambulance drivers and paramedics? Are they not frontline services? Give them a decent pay rise, you fuckers! They deserve it, find the money! You all spring into action every time you crash the economy, you can find the money then. Get ’round the table, make a decent offer. Instead, they’re sending in the army telling us the unions are holding the country to ransom. The unions!? Can we all just be clear about this? Our last prime minister blew a 30 billion pound hole in the economy overnight, test and trace cost us 37 billion pounds. Useless PPE wasted 8.7 billion pounds, which ended up in the pockets of Tory donors. A shambolically executed Brexit lost us 40 billion in tax revenue alone. Rishi Sunak lost 11 billion pounds by overpaying interest on UK debt, and yet, you read the front pages, it’s nurses who were the ones who are greedy and irresponsible. It’s the fire service that’s holding the country to ransom, ’cause they all just decided they’d prefer to drink tea on a freezing picket line than save children from burning buildings. It wasn’t so long ago we were clapping them; hailing them as heroes. They were all considered key workers during the pandemic, weren’t they? Bus drivers, teachers, nurses. Now, they’re called lazy workshy fuckers. Postal workers, striking to save what’s left of the Royal Mail — it having been sold off to the lowest bidder for a quick buck by the millionaires in Westminster — but it’s your postman who is destroying the country!? The entire northern rail network is on the brink of collapse whilst rail companies and their shareholders make record profits, …but it’s that fat, lazy fucker behind the ticket desk, asking for a bit of job security, who is destroying our rail infrastructure!? 25 to 50% of average households are unable to pay their bills this winter, whilst energy companies announced record breaking profits.
In 2021, Shell paid zero pounds on their oil production in the UK and received 100 million pounds of subsidies in taxpayers’ money. Working people are suffering at the hands of corporate greed and unbridled economic mismanagement, and this is why people are striking for better pay, conditions and job security. Recently, the government gave us the Public Order bill that, that [sic] even one Tory peer described as an affront to a civilised society. Crackdowns on peaceful protest is the purview of China and Iran, not British democracy. And yet these reactionary fuckwits tell us it’s Scottish primary school teachers who are holding us hostage. The bastards who wrecked the economy, squandered our reputation on the international stage, sold off any and all of the country’s assets for a quick buck are getting their mates in the media to tell you that it’s bus drivers, bin men, teachers, nurses, postmen, passport control workers and rail workers who are throwing the country to the dogs. Don’t believe them; they are lying to you!

Well, stome [sic], still some weeks ahead of Christmas industrial action, misery for commuters, patients and holiday makers. Frustration and anger at the unions for deciding to strike over Christmas …”

Jonathan Pie

Boomerang

“The Boomerang is hitting Britain hard, especially right now. Empire wasn’t just something that happened to the Colonies, it’s something that happened to Britain. It created some of Britain’s most well-loved institutions, from the NHS to its greatest talents. But it also created the unequal Britain we see today.”
Kojo Koram

How legacies of empire are breaking Britain’s economy: Q&A with Owen Jones, Kojo Koram and Dalia Gebrial

The Monarchy: Last Week Tonight with John Oliver

“And look, to go by recent polls, Australia, like the UK, seems unlikely to let go of the monarchy anytime soon. But other Commonwealth countries are already preparing to do so. Last year, Barbados removed the queen as head of state. Jamaica is looking to have a referendum to do the same within the next three years, with one poll showing a majority supports it. And Antigua and Barbuda, Grenada and Belize, seem to be moving in the same direction. And while the royal family have said that these countries are free to leave, if they so choose, they also refuse to reckon with why they might want to do that in the first place.
Instead, they’ve continued working hard to be perceived as a mere symbol while never taking responsibility for what that symbol excused. All while ignoring calls for true apologies and reparations to those who suffered tremendously because of what was done in their name. And look, you don’t have to hate the royal family personally … You don’t even have to think that the institution shouldn’t exist. But if it’s going to continue to, it is fair to expect significantly more from them. Because right now, far too often, they hide behind the convenient shield of politeness and manners which frequently demands the silence of anyone who might criticise them or what they stand for.
Will this segment even air on Sky TV in Britain? I honestly don’t know! Maybe, maybe not. But if they do cut it out for being disrespectful, they won’t want to seriously think about why. Why they and everyone else are working so hard not to offend a family whose name was branded into people’s skin and who sit atop a pile of stolen wealth, wearing crowns adorned with other countries treasures.”
John Oliver

The Fediverse: Social media freed from the shackles of commercial interests

“Social media are dominated by platform operators who put their own interests first and measure every decision by how it can maximise profit. Once you have internalised that, the question inevitably arises as to what is actually social about social media. Social means helping others, which can also mean putting one’s own interests aside. In other words, basically the exact opposite of how commercially oriented platforms such as Twitter, Facebook and Co. act.”
Mike Kuketz explains the idea of the Fediverse and underlines why this makes it so fundamentally different from platforms such as Twitter and Facebook. This article is of great importance, not only for users of social media…
www.kuketz-blog.de

Jan Böhmermann is on Mastodon too!

This is a Britain that has lost its Queen – and the luxury of denial about its past

“Yet I sympathise with those who feel the Queen’s loss. Under her reign, many latched on to the stabilising sense of cultural continuity. To lose that is to feel disrupted and uncertain. For me, it’s a familiar anxiety – Britain’s empire by definition redrew boundaries, and swept aside generations of tradition. Our parents and grandparents were recruited to Britain for its benefit, the terms and conditions of which my generation are still trying to make sense. We know how it feels to lack cultural continuity. Others in Britain enjoyed it at our expense.
If continuity is an abstract subject, the other trappings of royal symbolism are more concrete. There were pompous reflections last week with the idea expressed in the Economist’s obituary that the Queen ‘came from good Hanoverian blood’. If that sounds like a white supremacist idea, that’s because it is.” Afua Hirsch does not get to opt out of processing memories that many refuse to acknowledge.
www.theguardian.com

The big idea: why relationships are the key to existence

“Too often we foolishly measure success in terms of a single actor’s fortunes. This is both short-sighted and irrational. It misunderstands the true nature of reality, and is ultimately self-defeating.” Carlo Rovelli provides a compellingly argued explanation of the way in which interactions shape our world and, in the end, determine our reality.
www.theguardian.com

The warning signs are there for everyone else to see

“For a party that prides itself on the economy, the Tories have a shocking record of running it. Our economy has the slowest growth in the G7. We have got greater regional inequality than almost any other developed nation. Food banks now do the job of Government in providing for families—families that are more often than not in work.

Government could start solving this crisis by providing solutions, like closing tax-avoidance loopholes or creating a windfall tax for energy companies. But instead, we get endless bills paying lip service to a manufactured culture war. The priority isn’t the economy. It seems to be things like protecting freedom of speech, and yet the Tories are the ones who banned schools in England from using sources that are not overtly pro-capitalist. They are cracking down on freedom of assembly and protest. They are privatising Channel 4, when the Culture Secretary didn’t even know that Channel 4 receives no public money, so the argument is not financial. And as the Member for Rhondda touched upon earlier on, when we consider, that the Culture Secretary was a key focus of a Channel 4 documentary once about the influence that Christian fundamentalism has on UK politics, it becomes even more concerning that this decision is political and it’s personal. It is not professional.

But most terrifying of all, however, is that the Government literally wants to get rid of the Human Rights Act. And that begs the question: for whom do they think rights have gone too far? Do you know how scary it is to sit at home and wonder if it is you—is it your rights that are up for grabs? We have witnessed Windrush. Our economic strategy is to open our doors to the rest of the world when we need their hard work and then chuck them out 50 years later without a word’s notice. We tell our own citizens that their safety cannot be guaranteed in Rwanda, but we are perfectly happy to ship asylum seekers, people fleeing war and persecution, over to Rwanda as though they are cattle to be dealt with by someone else and despite knowing that this plan costs more than it will ever save.

This is just little England elites drunk on the memory of a British empire that no longer exists. We have the lowest pensions in Europe and the lowest sick pay. We pretend minimum wage is a living wage when it is not. We miss our own economic targets time and time again. We are happy to break international law. We are turning into a country where words hold no value.

And over the last 12 years, I fear we have been sleepwalking closer and closer to the F word. And I know everyone is scared to say it for fear of sounding over the top or being accused of going too far, but I say this with all sincerity. When I say the F word, I am talking about fascism—fascism wrapped in red, white and blue. And you may mock and you may disagree, but fascism does not come in with intentional evil plans or the introduction of leather jackboots. It doesn’t happen like that. It happens subtly. It happens when we see the Governments making decisions based on self-preservation, based on cronyism, based on anything that will keep them in power, we see the concentration of power whilst avoiding any of the scrutiny or responsibility that comes with that power. It arrives under the guise of respectability and pride, that will then be refused to anyone who is deemed different. It arrives through the othering of people, the normalisation of human cruelty. Now I don’t know how far down that road we are. Time will tell, but the things we do in the name of economic growth—the warning signs are there for everyone else to see, whether they admit it or not.”
Mhairi Black

Twitter buyout puts Mastodon into spotlight

“Mastodon is used to publish 500-character messages with pictures, polls, videos and so on to an audience of followers, and, in turn, to follow interesting people and receive their posts in a chronological home feed. Unlike Twitter, there is no central Mastodon website – you sign up to a provider that will host your account, similarly to signing up for Outlook or Gmail, and then you can follow and interact with people using different providers. Anyone can become such a provider as Mastodon is free and open-source. It has no ads, respects your privacy, and allows people/communities to self-govern.” Eugen Rochko preempted the planned acquisition of Twitter by a mere 6 years.
joinmastodon.org

Refugees from Ukraine and Syria: Differently welcome in Germany?

“This photo, too, is a current image from a war that Putin is waging right now. But it was not taken in Ukraine; it was taken in Idlib, Syria. A war that we seem to be forgetting at the moment, even though tens of thousands have fled from there to Germany as well, out of fear of Putin’s bombs. And, as great as the willingness to help Ukrainian war refugees currently is, Germany makes it just as hard for refugees from Syria to arrive in this country. Human dignity is indivisible, says the Basic Law, and yet we make distinctions.”
Georg Restle

They are ‘civilised’ and ‘look like us’: the racist coverage of Ukraine

“What all these petty, superficial differences – from owning cars and clothes to having Netflix and Instagram accounts – add up to is not real human solidarity for an oppressed people. In fact, it’s the opposite. It’s tribalism. These comments point to a pernicious racism that permeates today’s war coverage and seeps into its fabric like a stain that won’t go away.” Moustafa Bayoumi asks that we offer help and solidarity to innocent people who need protection, irrespective of geographical proximity or skin color.
www.theguardian.com