What are your ‘defaults’ for your desktop Linux installations, especially when they deviate from your distro’s defaults? What are your reasons for these deviations?

To give you an example of what I am asking for, here is my list with reasons (funnily enough, using these settings on Debian, which are AFAIK the defaults for Fedora):

  • Btrfs: I use Btrfs for transparent compression which is a game changer for my use cases and using it w/o Raid I had never trouble with corrupt data on power failures, compared to ext4.

  • ZRAM: I wrote about it somewhere else, but ZRAM transformed even my totally under-powered HP Stream 11" with 4GB RAM into a usable machine. Nowadays I don’t have swap partitions anymore and use ZRAM everywhere and it just works ™.

  • ufw: I cannot fathom why firewalls with all ports but ssh closed by default are not the default. Especially on Debian, where unconfigured services are started by default after installation, it does not make sense to me.

My next project is to slim down my Gnome desktop installation, but I guess this is quite common in the Debian community.

Before you ask: Why not Fedora? - I love Fedora, but I need something stable for work, and Fedora’s recent kernels break virtual machines for me.

Edit: Forgot to mention ufw
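As an added example (not from the post), here is the stance described above as a script: a helper that lists TCP sockets listening on non-loopback addresses (the "unconfigured services" the post worries about on a public network), beside the ufw policy of everything closed except ssh. `ss -tlnH` and `ufw` are the real tools; the sample socket listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the firewall stance argued for
# above: audit what is listening, then close everything but ssh with ufw.
set -eu

# Print the local address:port of TCP listeners not bound to loopback.
# Reads `ss -tlnH` output (numeric, no header line) on stdin.
exposed_listeners() {
    awk '{
        addr = $4   # Local Address:Port column of ss output
        if (addr ~ /^(127\.|\[::1\]|\[::ffff:127)/) next
        print addr
    }'
}

# The policy the OP describes: deny all incoming, allow outgoing, ssh only.
# `ufw limit` additionally rate-limits new connections to port 22.
apply_ssh_only_policy() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ufw >/dev/null 2>&1; then
        echo "not applying: needs root and ufw installed" >&2
        return 0
    fi
    ufw default deny incoming
    ufw default allow outgoing
    ufw limit 22/tcp
    ufw --force enable
    ufw status verbose
}

# Constructed sample of `ss -tlnH` output; not taken from a real host.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 *:5900 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*'

main() {
    echo "Listening on non-loopback addresses (sample data):"
    printf '%s\n' "$SAMPLE" | exposed_listeners
    # On a real host replace the sample with: ss -tlnH | exposed_listeners
    if [ "${1:-}" = "--apply" ]; then
        apply_ssh_only_policy
    fi
}
main "$@"
```

Run without arguments to see the audit on the sample data; `--apply` as root applies the ufw policy to the running host.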

  • I don’t think I will ever go back to a filesystem without snapshot support. BTRFS with Snapper is just so damn cool. It’s an absolute lifesaver when working with Nvidia drivers because if you breathe on your system wrong it will fail to boot. Kernel updates and driver updates are a harrowing experience with Nvidia, but snapper is like an IRL cheat code.

    OpenSuse has this by default, but I’m back to good ol’ Debian now. This and PipeWire are the main reasons I installed Debian via Spiral Linux instead of the stock Debian installer. Every time I install a new package with apt, it automatically creates pre and post snapshots. Absolutely thrilled with the results so far. Saved me a few hours already, after yet another failed Nvidia installation attempt.

      • Details on the Spiral Linux web site: https://spirallinux.github.io/

        Key points are BTRFS with Snapper, PipeWire, newer kernels and some other niceties from backports, proprietary drivers/codecs by default, VirtualBox support (which I’ve personally had huge problems with in the past on multiple distros). They also mention font tweaks, but I haven’t done side-by-side comparisons, so I’m not sure exactly what that means.

        Edit: shoutout to Spiral Linux creator @sb56637@lemmy.ca , who posted a few illuminating comments on this older thread: https://lemmy.ca/post/6855079 (if there’s a way to link to posts in an instance-agnostic way on Lemmy, please let me know!)

      • How does it differ from stock?

        Well for one thing their driver support is apparently “harrowing”. 😊

        I will never understand why people choose distributions that will brick themselves when the wind blows, so they add snapshot support as a band-aid, and then they celebrate “woo hoo, it takes pre and post snapshots after every package install!”

        How about using a distro where you never have to restore a snapshot…

        • To clarify, this is my first time using Spiral Linux. My experience regarding Nvidia drivers is across several different distros (most recently Ubuntu LTS and OpenSuse Tumbleweed). I have never had a seamless experience. Often the initial driver installation works, but CUDA and related tools are finicky. Sometimes a kernel update breaks everything. Sometimes it doesn’t play nice with other kernel extensions.

          The Debian version of the drivers didn’t set up Secure Boot properly. Instead, I rolled back and used the generic Nvidia .run installer, which worked fine. Not seamless, obviously, but not really worse than my experience on other distros. In the future I will always just use the generic installers from Nvidia.

          Point is, with BTRFS you can just try anything without fear. I’m not going to worry about installing kernel updates from now on, or driver updates, or anything, because if anything goes wrong, it’s no big deal.

          • And my point is that it’s not normal to fear updates. Any updates, but especially updates to essential packages like the kernel or graphics driver.

            If you’re using the experimental branch of a distro or experimental versions of packages on purpose then snapshots are a good tool. But if you’re using a normal distro and its normal packages you should not have to resort to such measures.

  •  sntx ( @sntx@lemm.ee ), 8 months ago
    • NixOS
      • disko + nixos-anywhere (automatic partitioning & remote installation of new systems)
      • stylix (system-wide theming)
      • agenix (secret management)
      • impermanence (managing persistent data)
      • nixos containers for sandboxing applications & services (using systemd-nspawn)
    • TMPFS as /
    • LUKS
      • BTRFS as /nix (might try bcachefs)
      • SWAP partition (= RAM size, to suspend to disk)
    • Greetd with TUIgreet (DM)
    • SwayFX (WM)
    • Kitty & foot (term)
    • Nushell (shell)
    • Helix (editor)
    • Firefox (browser)
    • slackhq/nebula (c.f. self-hosted tailscale, connecting my systems beyond double NATs)

    EDIT1: fix “DE” -> “DM”

  • Nobara KDE user here. One of the reasons why I chose it is because it comes with many of the customisations that I’d normally do (such as using an optimized kernel). But in addition, I use:

    • Opal instead of LUKS
    • KDE configured with a more GNOME/macOS like layout (top panel+side dock)
    • GDM instead of SDDM, for fingerprint login
    • Fingerprint authentication for sudo
    • TLP instead of power-profiles-daemon for better power saving (AMD P-State EPP control, charging thresholds etc)
    • Yakuake terminal (and Kitty for ad-hoc stuff)
    • fish shell instead of bash
    • mosh instead of ssh
    • btop instead of top/htop
    • gdu instead of du/ncdu
    • bat instead of cat
    • eza instead of ls
    • fd instead of find
    • ripgrep instead of grep
    • broot instead of tree
    • skim instead of fzf
      •  d3Xt3r ( @d3Xt3r@lemmy.nz ), 8 months ago

        Opal drives are self-encrypting, so they’re done by the disk’s own controller transparently. The main advantage is that there’s almost no performance overhead because the encryption is fully hardware backed. The second advantage is that the encryption is transparent to the OS - so you could have a multi-boot OS setup (Windows and FreeBSD etc) all on the same encrypted drive, so there’s no need to bother with Bitlocker, Veracrypt etc to secure your other OSes. This also means you no longer have the bootloader limitation of not being able to boot from an encrypted boot partition, like in the case of certain filesystems. And because your entire disk is encrypted (including the ESP), it’s more secure.

        •  wolf ( @wolf@lemmy.zip ) OP, 8 months ago

          Thank you very much for your explanation.

          I still feel skeptical about using a chip’s controller for encryption. AFAIK there have been multiple problems in the past:

          • Errors in the implementation which weaken the encryption considerably
          • I think I even read about ways to extract the key from the hardware (TPM based encryption)

          Do you provide a password and there are ‘hooks’ which the boot process uses for you to enter the password on boot?

          I think it is nice to have full disk encryption, but usually we are speaking about evil-maid attacks (?), and IMHO it is mostly game over when an attacker has physical access to your device.

          •  d3Xt3r ( @d3Xt3r@lemmy.nz ), 8 months ago

            Yes, I do provide a password on boot. As you said, keys can be extracted from the hardware so that’s not secure, which is why I don’t use the TPM to store the keys.

            There are no hooks necessary in the bootloader, as it’s the BIOS which prompts you for the password and unlocks the drive.

            And yes, there have been implementation problems in the past, but that’s why the Opal 2.0 standard exists - don’t just buy any random self-encrypting drive, do your research on past vulnerabilities for that manufacturer, and check if there are any firmware updates for the drive (don’t just rely on LVFS).

            Also, the common hardware attacks rely on either a SATA interface (to unplug the drive while it still has power) or older external ports vulnerable to DMA attacks such as PCMCIA or Thunderbolt 3.x or below; so those attacks only affect older laptops. Of course, someone could theoretically install a hardware keylogger or something, but this is also why you have chassis intrusion detection, and why you should secure and check any external ports and peripherals connected to your machine. Overall physical security is just as important these days.

            But ultimately, as always, it comes down to your personal threat model and inconvenience tolerance levels. In my case, I think the measures I’ve taken are reasonably secure, but mostly, I’ve chosen Opal for performance and convenience reasons.

  • I’ve never had a problem with ext4 after power failure.

    Zram is not a substitute for swap. Your system is less optimal by not having at least a small swap.

    Firewalls should never default to on. It’s an advanced tool and it should be left to advanced users.

    Not to mention how much grief it would cause distro maintainers. If they don’t auto configure the firewall they get blasted by people who don’t know why their stuff isn’t working. If they auto configure they get blasted by people upset that the auto configurator dared change their precious firewall rules. You just can’t win.

    •  wolf ( @wolf@lemmy.zip ) OP, 8 months ago

      What is the difference between physical swap and having a swap partition on ZRAM, especially for the kernel? To the best of my knowledge, nearly no Linux distribution supports suspend to disk any more, and ZRAM swap looks to the kernel like … swap. Thanks to the virtual file system. Further, I have high trust in the Fedora community, which decided to use ZRAM.

      We can agree to disagree about the firewalls, especially for people who don’t know why their stuff isn’t working, it protects them and is much better than having unconfigured services with open ports on a laptop in a public network IMHO.

  •  ngn ( @ngn@lemy.lol ), 8 months ago
    • /boot and root partition: I don’t use swap (I don’t need it, I have plenty of RAM) and I usually encrypt the root partition with LUKS
    • ext4: ppl keep telling me btrfs is better and all that but idk shit about filesystems and ext4 just works
    • any x11 wm: currently I’m using qtile and I’ve used a bunch of wms in the past
    • alacritty: it’s fast and it has easy config with great docs
    • firefox with arkenfox userjs, ublock and tor proxy configuration
    • (neo)vim
    • qemu/kvm/virt-manager
    • doas
    • fish shell
  • Well, almost the opposite of you, I currently use Fedora Silverblue (including BTRFS which I very much appreciate for versioned backups), except that I override GNOME Software (never got it to work properly for me) and Fedora’s Firefox (I use the Firefox from Flathub but not Fedora).

  • Once, some years back, I posted a topic on how I could slim down my Gnome DE.

    It sparked a rather long and complex discussion and the bottom line was that Gnome integration was already at a point where so many parts depended on so many others that it was not an easy task.

    I opted to move to a GTK compatible DE. Currently I use XFCE but spent years with Mate.

  •  vettnerk ( @vettnerk@lemmy.ml ), 8 months ago

    Nothing radical, but I’ve used mplayer as default video player since FreeBSD 4.0, and that’s not changing any time soon. VLC is good and all, I just prefer mplayer.

    Oh, and for general purpose storage partitions I use XFS, as it plays nice with beegfs.

  •  Vorthas ( @Vorthas@lemmy.ml ), 8 months ago

    EndeavourOS as the distro of choice for easy installation and AUR access.

    Depending on the DE, if it’s not MATE, I almost always install Caja, Engrampa, and MATE Calculator since they just have the most sane look and UX to them for my use cases.

    • Waterfox as my browser of choice (reason over Firefox is that it offers tabs below address bar as an option in Preferences rather than mucking about in userChrome.css files that often break on updates)
    • Vivaldi as a secondary browser for websites that only render right in Chromium
    • Kitty as my terminal of choice.
    • Clementine as my music player of choice
    • yt-dlp for downloading Youtube videos as mp3s
    • htop over top, also have gotop for a more graphical look
    • exa over ls
    •  wolf ( @wolf@lemmy.zip ) OP, 8 months ago

      Interesting browser choices. ;-) I like what I see from Vivaldi, but I rarely need Chrome compatibility and Chromium is in the repositories of all distributions I use, so I never opt for Vivaldi. Just a personal preference or any good reason to use Vivaldi over Chromium etc.?

      •  Vorthas ( @Vorthas@lemmy.ml ), 8 months ago

        Honestly because it’s quite customizable, that’s about it. Being able to customize my software to look and work the way I want them to is a big reason why I use certain programs over others.

    • btrfs unless I know I’m not gonna use it that much (might check out bcachefs soon)
    • Kitty as the terminal, life is better without fancy multiplexers
    • Firefox
    • fastfetch > neofetch
    • zsh without oh-my-zsh
    • tbsm as DM (if available)
    • Hyprland as the WM
    • Plasma if I have to use a DE
    • Swapfile instead of partition so I don’t risk losing my data if I don’t have enough memory (haven’t checked out ZRAM yet) Welp that changed quickly, ZRAM looks insane
    • GRUB as bootloader, also a separate install for every distro, kinda just out of fear that I’ll break it somehow