Misc: setup, fish, auto, helix, starship, system

- Setup: add Fedora guides, Signal, Dynamic Desktop, and Flatseal
- Shells: fix $() on older fish versions and unalias batcat on Fedora
- Auto:
    - Detect git dependency
    - Add .clang-format for C/C++ family
    - Add full-setup script
- Helix: update to 24.03, add text width, rulers, and fix reflow
- Rust: fix fish env
- Starship: fix config path
- System: rename mac fnmode scripts and update sshd_config

auto/auto

@@ -1,4 +1,9 @@
 #!/bin/sh -e
+if ! command -v git > /dev/null; then
+	echo "Error: git not found"
+	exit 1
+fi
+
 cd ssh
 ./ssh
 cd ..
@@ -23,6 +28,10 @@ cd tmux
 ./tmux
 cd ..
 
+cd clang-format
+./clang-format
+cd ..
+
 cd home-chmod
 ./home-chmod
 cd ..

auto/clang-format/.clang-format

@@ -0,0 +1,91 @@
+---
+Language: Cpp
+BasedOnStyle:  LLVM
+AccessModifierOffset: -2
+AlignAfterOpenBracket: DontAlign # BlockIndent for newer version
+AlignEscapedNewlines: Right
+AlignTrailingComments: false
+AllowAllArgumentsOnNextLine: true
+AllowAllConstructorInitializersOnNextLine: true
+AllowAllParametersOfDeclarationOnNextLine: true
+BraceWrapping:
+  AfterCaseLabel:  false
+  AfterClass:      false
+  AfterControlStatement: Never
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     100
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DeriveLineEnding: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Preserve
+IncludeIsMainRegex: '(Test)?$'
+IncludeIsMainSourceRegex: ''
+IndentCaseLabels: false
+IndentGotoLabels: true
+IndentPPDirectives: None
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+PointerAlignment: Left
+ReflowComments:  true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: true
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyBlock: false
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInConditionalStatement: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpaceBeforeSquareBrackets: false
+Standard:        Latest
+TabWidth:        4
+UseCRLF:         false
+UseTab:          AlignWithSpaces
+...

auto/clang-format/clang-format

@@ -0,0 +1,2 @@
+#!/bin/sh
+cp -i .clang-format ~

auto/shells/bash

@@ -23,7 +23,6 @@ PS1='${debian_chroot:+($debian_chroot)}\[\e[01;38;5;11m\]\u\[\e[00;38;5;208m\]@\
 PROMPT_DIRTRIM=3
 
 alias ls='ls --color'
-alias bat='batcat'
 alias mosh='mosh -o'
 alias cargo='cargo auditable'
 alias md='pulldown-cmark -TFSLH'

auto/shells/fish

@@ -56,10 +56,9 @@ umask 007
 
 export EDITOR='vim'
 export VISUAL='vim'
-export GPG_TTY=$(tty)
+export GPG_TTY=(tty)
 export PATH="$HOME/.local/bin:$PATH:/usr/lib/llvm-15/bin"
 
-alias bat='batcat'
 alias md='pulldown-cmark -TFSLH'
 alias mosh='mosh -o'
 alias cargo='cargo auditable'

full-setup

@@ -0,0 +1,11 @@
+#!/bin/sh
+cd auto
+./auto
+cd ../manual/rust
+./rust
+. ~/.cargo/env
+cd ../helix
+./helix
+cd ../starship
+./starship
+echo success

manual/helix/helix

@@ -21,7 +21,7 @@ fi
 rm -rf helix-git
 git clone --single-branch https://github.com/helix-editor/helix helix-git
 cd helix-git
-git checkout 84e24b33dcda16d1d64805f34dcc02d82d0de8f1
+git checkout 2cadec0b1182332338a5a1cc3062776f834d8835
 cargo install -f --locked --path helix-term
 mkdir -p ~/.config/helix
 rm -rf runtime/grammars/sources
@@ -38,14 +38,14 @@ cat > ~/.config/helix/config.toml << 'EOF'
 theme = "monokai_pro_spectrum"
 
 [keys.normal]
-space.z = ":reflow 100"
+space.z = ":reflow"
 space.i = ":toggle lsp.display-inlay-hints"
 space.u = ":update"
 
 [editor]
 line-number = "relative"
 bufferline = "multiple"
-rulers = [101]
+rulers = [81, 101]
 
 [editor.lsp]
 display-messages = true
@@ -66,6 +66,7 @@ cat > ~/.config/helix/languages.toml << 'EOF'
 name = 'rust'
 indent = { tab-width = 4, unit = "\t" }
 shebangs = ["rust-script"]
+text-width = 100
 
 [language-server.rust-analyzer.config]
 checkOnSave = { command = "clippy" }
@@ -73,25 +74,31 @@ checkOnSave = { command = "clippy" }
 [[language]]
 name = "c"
 indent = { tab-width = 4, unit = "\t" }
+text-width = 100
 
 [[language]]
 name = "cpp"
 indent = { tab-width = 4, unit = "\t" }
+text-width = 100
 
 [[language]]
 name = 'java'
 indent = { tab-width = 4, unit = "\t" }
+text-width = 100
 
 [[language]]
 name = "bash"
 indent = { tab-width = 4, unit = "\t" }
+text-width = 100
 
 [[language]]
 name = "toml"
 indent = { tab-width = 4, unit = "\t" }
+text-width = 100
 
 [[language]]
 name = "markdown"
+text-width = 80
 indent = { tab-width = 4, unit = "\t" }
 language-servers = [ "ltex-ls" ]
 file-types = ["md"]

manual/rust/rust-configure

@@ -14,7 +14,7 @@ use std::{
 
 const ENV: &str = r#". "$HOME/.cargo/env""#;
 // until the release of https://github.com/rust-lang/rustup/pull/3506/files
-const ENV_FISH: &str = r#"export PATH="$HOME/.cargo/bin:$PATH""#;
+const ENV_FISH: &str = r#"set -x PATH "$HOME/.cargo/bin" $PATH"#;
 
 fn main() -> anyhow::Result<()> {
 	let home = dirs::home_dir().context("can't find home directory")?;

manual/starship/starship

@@ -11,7 +11,7 @@ cargo install starship --locked
 echo 'eval "$(starship init bash)"' >> ~/.bashrc
 mkdir -p ~/.config/fish
 echo 'starship init fish | source' >> ~/.config/fish/config.fish
-cat >> ~/.config << 'EOF'
+cat >> ~/.config/starship.toml << 'EOF'
 [status]
 map_symbol = true
 format = '[$symbol$common_meaning$signal_name$maybe_int]($style) '

setup/debian-server-setup.md

@@ -17,7 +17,7 @@ sudo groupadd --system ssh-users
 sudo usermod -aG ssh-users $(whoami)
 sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
 sudo wget \
-	https://git.duckduckwhale.com/DuckDuckWhale/dotfiles/raw/branch/main/system/sshd/sshd_config \
+	https://git.duckduckwhale.com/DuckDuckWhale/dotfiles/raw/branch/main/system/sshd/sshd_config-debian \
 	-O /etc/ssh/sshd_config
 sudo systemctl enable ssh --now
 sudo systemctl reload ssh

setup/fedora-install.md

@@ -0,0 +1,180 @@
+# Fedora 39 Installation
+
+Here is how I installed Fedora 39.  I chose to migrate from ext4 to btrfs, the
+default file system for Fedora.  I also bought a new disk, which means that I
+needed to create everything from scratch.
+
+By following these steps, you will be able to install Fedora with:
+- `/` as a btrfs subvolume using xxhash as the checksum function on LUKS2 (an
+  encryption layer)
+- `/home` as another subvolume on the same btrfs (which means it's also
+  encrypted)
+- `/boot` as ext4
+- `/boot/efi` as System EFI Partition
+
+A disk password will be required upon boot and a separate user password will be
+required.  `/boot` is not encrypted because it contains only the kernel files
+and are public and the same for all Fedora installations -- there's nothing
+worth encrypting here.  Benchmarking shows that there's a negligible performance
+overhead.
+
+After extensive benchmarking, I found SHA-256 to be too slow for practical use
+even with the sha_ni kernel module for acceleration.  Without acceleration the
+speed was ~400 MB/s, and with acceleration the speed was ~1500 MB/s, but my disk
+is capable of ~6000 MB/s.  crc32c gave me ~5000 MB/s, and xxhash gave me ~4500
+MB/s, which I found acceptable, so that's what I went with.
+
+## Making a Fedora Live USB
+
+Simply go to the Fedora project website and download the ISO.  I opted not to
+use the Fedora Media Writer because I like collecting Linux ISOs.  It shouldn't
+impact the result.
+
+After the download you may find the GPG-signed SHA256 checksum file from the
+icon next to the ISO download.  You may find the GPG key fingerprints and
+instructions to verify via the links there.
+
+Simply `dd` it to the disk and `sync` before pulling the USB out.  _Make sure
+you have backups and are using the right disk!  A friend of mine didn't and
+corrupted his disk._
+
+## Preparing the SSD
+
+Boot the USB.  Open gparted by typing its name and pressing enter.  Make a GPT
+partition table.
+
+(If you have paintext data on the drive, you really should do a NVME sanitize.
+You may find instructions on doing that by looking up the man page for the
+`nvme` command.)
+
+Make a large empty partition with no file system (choose "unformatted") leaving
+10240 MiB at the end of the drive.  You may find a calculator to be handy here.
+
+Make a 1024 MiB partition at the very end of the drive and format with ext4,
+then make another one right before it and also format with ext4.  Formatting
+here really isn't necessary if not for the Fedora installer graying out all the
+fields when it doesn't detect a file system (bug?).
+
+I assume that you are using an UEFI system as almost all modern x86_64 systems
+have that, but you could verify that with `[ -d /sys/firmware/efi ] && echo UEFI
+|| echo BIOS`.
+
+Now, make the LUKS2 layer by opening a terminal and typing:
+
+`sudo cryptsetup luksFormat --hash sha512 --use-random /dev/<root-partition>`
+
+...where `<root-partition>` is the big partition you made first and should look
+something like `/dev/nvme0n1p1`.  There are some sane defaults that I didn't
+include in this command as all new systems should have them by default, but you
+could spell it out if you want to be extra certain: `--type luks2 --key-size 512
+- --cipher aes-xts-plain64 --iter-time 2000 --verify-passphrase`
+
+Then, unlock this encrypted partition by typing: `sudo cryptsetup open /dev/
+<root-partition> <mapper>`, where `<mapper>` is the name for the mapper file and
+doesn't matter for our install.  You could just use `luks`.
+
+Now, make the btrfs file system with xxhash as the checksum function: `sudo
+mkfs.btrfs --csum xxhash <mapper>`.  I didn't use LVM here as btrfs snapshots
+are much better and support RAID0/1 well.  btrfs snapshots doesn't have LVM
+snapshots' heavy performance penalty, doesn't require preallocation of space
+which is often wasted, and doesn't become invalid later when its space is used
+up.
+
+Then, close the LUKS layer as the installer requires the password to it for
+installation. If you skip this step, you would be forced to rescan in the
+installer which closes it after you've already selected your configuration.
+
+## Installing Fedora
+
+Now, start the installer.  Choose your keyboard layout and timezone.  Then click
+into storage configuration.
+
+I have some commands for unlocking the LUKS in my Ubuntu install guide, but here
+you can simply unlock the LUKS volume and the installer does all the work for
+you setting that up.
+
+Click the `+` button to make a new root subvolume.  Anaconda, the Fedora
+installer, requires you to create a new btrfs subvolume at the time of
+writing.  You may simply select the storage as `btrfs.<some-number>`.  Maybe
+`<some-number>` is for disambiguation when you have multiple btrfs file systems
+(smh my head)?  Then do the same for the home subvolume.  The default names are
+fine and the mount points are `/` and `/home`, respectively.
+
+- Format `<boot-partition>` (e.g. `/dev/nvme0n1p3`) as ext4 and mount to `/
+  boot`. (Check the format checkbox.)
+- Format `<efi-partition>` (e.g. `/dev/nvme0n1p2`) as System EFI Partition and
+  mount to `/boot/efi`.
+- Format `/dev/mapper/<machine name>-root` as ext4 and mount to `/`.
+- Format `/dev/mapper/<machine name>-home` as ext4 and mount to `/home`.
+- No need for swap as
+  [Fedora uses zram by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM).
+
+Now click "Done" and start your install!  It took only ten minutes for me.
+
+Now, reboot into your newly installed system and test it out.  Make sure it
+works before migrating your data as that may take a long time, so you don't want
+to do it again.
+
+## Migrating all the data
+
+Open up your retired machine, pop up the SSD, put it in a NVME enclosure, and
+plug it in.
+
+Now, if you'd like, take a snapshot: `sudo mkdir /snapshots && sudo btrfs
+subvolume snapshot /home /snapshots/home-default`
+
+My install is quite old and is from Ubuntu so it contains lots of files past
+their shelf life.  I hit `Ctrl`+`h` to unhide all hidden files and compared the
+two file trees side-by-side and removed all conflicting or obsolete files.  Now,
+start the copy: `time sudo cp -a -T <old-path> ~` where `<old-path>` is path to
+your old home directory. This took 22 minutes for me.
+
+Now, reboot again to load these files.
+
+## After the install
+
+Congratulations!  You've reached the end of this guide.  After the install,
+check out my [configuration guide](fedora-setup.md) and see if you'd like to
+pull some bits from that.
+
+## Some interesting notes
+
+btrfs uses zstd level 1 compression by default.  This saves substantially for
+`/`, and a little bit for `/home`:
+```
+$ sudo compsize -x /
+Processed 121050 files, 95144 regular extents (114629 refs), 60336 inline.
+Type       Perc     Disk Usage   Uncompressed Referenced
+TOTAL       55%      3.6G         6.6G         8.4G
+none       100%      2.1G         2.1G         2.3G
+zstd        35%      1.5G         4.5G         6.0G
+prealloc   100%      1.2M         1.2M          11M
+$ sudo compsize /home
+Processed 1178463 files, 1863614 regular extents (1907988 refs), 519681 inline.
+Type       Perc     Disk Usage   Uncompressed Referenced
+TOTAL       94%      1.2T         1.2T         1.2T
+none       100%      1.1T         1.1T         1.1T
+zstd        36%       40G         110G         113G
+prealloc   100%      1.2M         1.2M         1.1M
+```
+
+In my testing I managed to reach `91%` by forcing compression, but I didn't use
+it as I don't think `3%` is worth the performance hit.  (The default options has
+negligible performance overhead.)
+
+After using it for a while:
+```
+$ sudo compsize -x /
+Processed 356866 files, 228300 regular extents (347966 refs), 187319 inline.
+Type       Perc     Disk Usage   Uncompressed Referenced
+TOTAL       56%       11G          19G          30G
+none       100%      6.9G         6.9G         9.8G
+zstd        32%      4.1G          12G          20G
+prealloc   100%      1.2M         1.2M          22M
+$ sudo compsize /home
+Processed 1204163 files, 2035560 regular extents (2142558 refs), 501390 inline.
+Type       Perc     Disk Usage   Uncompressed Referenced
+TOTAL       95%      1.3T         1.4T         1.4T
+none       100%      1.3T         1.3T         1.3T
+zstd        35%       38G         107G         111G
+prealloc   100%      215M         215M         115M

setup/fedora-system-setup.md

@@ -0,0 +1,113 @@
+# Fedora 39 System Setup
+
+Congratulations on your new install!  Now, let's set the system up.
+
+_Note: this document details the system level setup only.  For user level setup
+that is remembered in the user home directories, see
+[Fedora 39 User Setup](fedora-user-setup.md)._
+
+Rename your system in `Settings` -> `About`.
+
+## UEFI
+
+Limit the battery charge to 95%.
+
+## System packages
+
+Your first `dnf` install would probably ask you to confirm the Fedora GPG key,
+which you may find the fingerprint of at <https://fedoraproject.org/security>.
+
+`dnf install vim-enhanced mosh keepassxc thunderbird-wayland mpv obs-studio
+wl-clipboard qrencode xournalpp gstreamer1-plugins-bad-free-extras
+gnome-extensions-app gnome-shell-extension-gsconnect nautilus-gsconnect
+kernel-tools mozilla-openh264 gstreamer1-plugin-openh264 trash-cli ripgrep
+gnome-tweaks goldendict-ng gcc-c++ gimp alacritty clang clang-tools-extra bat
+quearcode qpdf lm_sensors kdenlive`
+
+### As needed
+
+`dnf install gnome-usage install rlwrap mediainfo nmap xeyes progress
+duperemove memtest86+`
+
+## Flathub apps
+
+If you are somewhat of a FOSS purist like me and didn't enable third party
+repositories at the time of install, you may enable Flathub in Software.
+
+Use Flatseal to lock down all of them: `dnf install flatseal`
+You may also use `flatpak permission-show` and `flatpak permission-remove` to
+clear out any left over dynamic permissions.  `flatpak uninstall --delete-data`
+can clear the app data.
+
+- Mission Center
+    - `flatpak install flathub io.missioncenter.MissionCenter`
+    - Use Wayland and disable X11 and its fallback
+- Resources
+    - `flatpak install flathub net.nokyan.Resources`
+    - Use Wayland and disable X11 and its fallback
+    - Remove `host:ro` (sus)
+- Video Trimmer
+	- `flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer`
+	- Use Wayland and disable X11 and its fallback
+- Bottles
+	- `flatpak install flathub com.usebottles.bottles`
+- Signal
+	- `flatpak install flathub org.signal.Signal`
+	- Use Wayland: `SIGNAL_USE_WAYLAND=1` and disable X11 permissions.
+	- Disable `org.freedesktop.login1`.  Not sure why it's needed.
+	  If you know why, please let me know!
+- Cameractrls
+	- `flatpak install flathub hu.irl.cameractrls`
+	- Disable X11 and fallback
+- Denaro
+	- `flatpak install flathub org.nickvision.money`
+	- Disable X11 and fallback
+- Minecraft (Prism Launcher)
+	- `flatpak install flathub org.prismlauncher.PrismLauncher`
+	- Remove `xdg-download:ro`
+	- Remove `~/.ftba:ro`
+	- Remove `xdg-run/app/com.discordapp.Discord:create`
+- Steam
+	- `flatpak install flathub com.valvesoftware.Steam`
+	- Remove `xdg-run/app/com.discordapp.Discord:create`
+- Geekbench 6
+    - `flatpak install flathub com.geekbench.Geekbench6`
+    - Remove X11
+    - `flatpak run com.geekbench.Geekbench6`
+    - `flatpak run com.geekbench.Geekbench6 --compute vulkan`
+- Slack
+	- `flatpak install flathub com.slack.Slack`
+	- Disable X11, enable Wayland
+	- There are some
+	  [suspicious permissions](https://github.com/flathub/com.slack.Slack/issues/217).
+	  I would lock them down with Flatseal and use Wayland.
+- Discord
+	- `flatpak install flathub com.discordapp.Discord`
+	- Remove `xdg-pictures:ro`, `xdg-videos:ro`
+- Zoom
+	- `flatpak install flathub us.zoom.Zoom`
+- WeChat
+	- `flatpak install flathub com.tencent.WeChat`
+	- Remove "Owns: `org.kde.*`"
+
+## SSH
+
+In `Settings` -> `Sharing`: turn on `Remote Login` and edit
+`/etc/ssh/sshd_config` according to `system/sshd/sshd_config-rhel`.
+
+`sudoedit /etc/ssh/sshd_config.d/00-no-gss.conf` and write
+`GSSAPIAuthentication no` to override `/etc/ssh/sshd_config.d/50-redhat.conf`,
+which changes the default setting for some stupid reason.
+(Why does that file exist at all??  Please let me know if you have a clue.)
+
+```
+systemctl reload sshd
+sudo groupadd --system ssh-users
+sudo usermod -aG ssh-users $(whoami)
+```
+Finally, log out then log in again for the `usermod` to take effect.
+
+If you see a permission denied from sshd in your logs, use
+`restorecon -RFv ~/.ssh` to please SELinux.
+
+(Don't forget to install Mosh!)

setup/fedora-user-setup.md

@@ -0,0 +1,93 @@
+# Fedora 39 User Setup
+
+Now that you have setup your new system, time to configure quality-of-life user
+settings!
+
+_Note: this document details the user level setup only.  This means settings
+that you may make without super user permission and are remembered in the home
+directory.  For system level setup, see
+[Fedora 39 System Setup](fedora-system-setup.md)._
+
+## Default apps
+
+- Shell: Fish (`chsh -s /usr/bin/fish`)
+- Video: MPV
+
+## Power
+
+Turn off `Automatic Suspend` when `Plugged In`.
+
+## Displays
+
+Turn on Night Light and slide the slider to almost the very left.
+`gsettings set org.gnome.mutter experimental-features
+"['scale-monitor-framebuffer', 'variable-refresh-rate']"`  Then turn fractional
+scaling to 125%.
+
+## Keyboard
+
+In `Input Sources`, add `Chinese (Intelligent Pinyin)` and
+`Hanyu Pinyin Letters (with AltGr dead keys)`.
+
+## Touchpad
+
+- Slightly higher pointer speed
+- Enable tap to click
+
+## Privacy & Security
+
+- `File History & Trash`: Auto delete everything in 30 days
+
+### Shortcuts
+
+| Name | Shortcut | Command |
+| Home folder | `Super` + `F` |
+| Launch email client | `Super` + `E` |
+| Launch web browser | `Super` + `W` |
+| Microphone mute/unmute | `Super` + `A` |
+
+In Settings -> Keyboard -> Custom Shortcuts:
+| Name | Shortcut | Command |
+| Launch Calculator | `Super` + `C` | `gnome-calculator` |
+| Launch Dictionary | `Super` + `D` | `goldendict-ng` |
+| Launch Terminal | `Super` + `T` | `alacritty` |
+| Swap Esc with Caps Lock | `Ctrl` + `Super` + `S` | `gsettings set org.gnome.desktop.input-sources xkb-options "['caps:swapescape']"` |
+| Disable Caps Lock | `Ctrl` + `Super` + `D`| `gsettings set org.gnome.desktop.input-sources xkb-options "['caps:none']"` |
+| Clear key mappings | `Ctrl` + `Super` + `C` | `gsettings set org.gnome.desktop.input-sources xkb-options "[]"` |
+| Toggle OBS Recording | `Super` + `R` | `obs-cmd -w obsws://localhost:4455/<secret> recording toggle` |
+| Save OBS Replay | `Super` + `Alt` + `C` (for capture) | `obs-cmd -w obsws://localhost:4455/<secret> replay save` |
+
+## Migrating Thunderbird and Firefox
+
+Look in `installs.ini` and `profiles.ini` and keep the last one.
+Or use the profile managers.
+
+## Migrating podman rootless containers
+
+Reset SELinux labels:
+`restorecon -RFv $HOME/.local/share/containers`
+
+## App settings
+
+- Terminal: Monospace 15
+- Text Editor
+    - Monospace 15
+    - Using the top right settings icon:
+        - Show Line Number
+        - Show Right Margin
+        - Spaces Per Tab: 4
+- GSConnect: Enable in Extensions app, pair with phone, and adjust settings
+  accordingly.
+- Xournal++: turn on dark mode
+- OBS: 2560x1440,
+  [mkv](https://en.wikipedia.org/wiki/Comparison_of_video_container_formats),
+  VAAPI AV1 (CQ 28), opus, output to `~/Videos/OBS/`
+    - Install [per application audio capture](https://github.com/dimtpap/obs-pipewire-audio-capture/releases/tag/1.1.4).
+      To install the plugin: open OBS folder from its menu, decompress the zip and
+      remove the outer folder and put in the `plugins` folder, creating it if it
+      doesn't exist.  The final result should be something like
+      `.config/obs-studio/plugins/linux-pipewire-audio/{bin,data}/...`
+    - Enable websocket server and install
+      [obs CLI for obs-websocket v5](https://github.com/grigio/obs-cmd) to
+      emulate global shortcuts on Wayland
+    - Enable replay buffer of 60 seconds and 1000 MB

setup/ubuntu-setup.md

@@ -71,8 +71,12 @@ Here's my personal Ubuntu 23.10 setup.  (Make sure to use Wayland on Nvidia!)
 	- UFW:
 		- `sudo ufw allow 1716:1764/tcp`
 		- `sudo ufw allow 1716:1764/udp`
-- Flatseal
+
-	- `flatpak install flathub com.github.tchx84.Flatseal`
+## Flatpaks
+
+Use Flatseal to lock down all of them: `flatpak install flathub
+com.github.tchx84.Flatseal`
+
 - Firefox
 	- `flatpak install flathub org.mozilla.firefox`
 - Xournal++
@@ -84,9 +88,14 @@ Here's my personal Ubuntu 23.10 setup.  (Make sure to use Wayland on Nvidia!)
 	- To host servers: `sudo ufw allow 25565/tcp`
 - Bottles
 	- `flatpak install flathub com.usebottles.bottles`
+- Signal
+	- Use Wayland.  Disable `...login1`.
+	- `flatpak install flathub org.signal.Signal`
 - Discord
 	- `flatpak install flathub com.discordapp.Discord`
 - Slack
+	- There are some [suspicious permissions](https://github.com/flathub/com.slack.Slack/issues/217).
+	  I would lock them down with Flatseal and use Wayland.
 	- `flatpak install flathub com.slack.Slack`
 - Denaro
 	- `flatpak install flathub org.nickvision.money`
@@ -98,6 +107,10 @@ Here's my personal Ubuntu 23.10 setup.  (Make sure to use Wayland on Nvidia!)
 	- `flatpak install flathub org.gnome.gitlab.YaLTeR.VideoTrimmer`
 - Pods
 	- `flatpak install com.github.marhkb.Pods`
+- Dynamic Wallpaper Editor
+	- `flatpak install flathub com.github.maoschanz.DynamicWallpaperEditor`
+- Dynamic Wallpaper
+	- `flatpak install flathub me.dusansimic.DynamicWallpaper`
 
 ## Optional Apps
 

system/sshd/sshd_config-debian

@@ -1,13 +1,13 @@
 Include /etc/ssh/sshd_config.d/*.conf
-AllowGroups ssh-users
 Port 22
+AllowGroups ssh-users
 PermitRootLogin no
 PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
 PasswordAuthentication no
 KbdInteractiveAuthentication no
 UsePAM yes
 AllowTcpForwarding yes
-X11Forwarding yes
+X11Forwarding no
-PrintMotd no
 AcceptEnv LANG LC_* COLORTERM
 Subsystem sftp /usr/lib/openssh/sftp-server

system/sshd/sshd_config-rhel

@@ -1,14 +1,13 @@
 Include /etc/ssh/sshd_config.d/*.conf
-AllowGroups ssh-users
 Port 22
+AllowGroups ssh-users
 PermitRootLogin no
 PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
 PasswordAuthentication no
 KbdInteractiveAuthentication no
-AuthorizedKeysFile .ssh/authorized_keys
 UsePAM yes
 AllowTcpForwarding yes
-X11Forwarding yes
+X11Forwarding no
-PrintMotd no
 AcceptEnv LANG LC_* COLORTERM
 Subsystem sftp /usr/libexec/openssh/sftp-server