Debian Workstation (usability) (v2023-10)

Date: 2023/10/07 (initial publish), 2024/02/23 (last update)

Source: en/note-00049.md


Workstation usability

The older deprecated guide was used as the base.

Considering GNOME post-44 is going through major changes, I still chose to use GNOME 43 in Debian 12 bookworm stable release for my workstation as of 2024-01-04.

I am trying to keep my workstation as clean a bookworm installation as possible.

These are non-hardware-specific notes and tips. For the hardware-specific notes and tips, see also:

Bare metal initial system installation

Initial installation by debian-installer

The initial installation by the debian-installer should skip “Desktop environment (task-desktop)” task and select “SSH server (task-ssh-server)” to make it light, GUI-less, and SSH-ready.

This process installs (mostly) packages with Priority: values in required, important and standard.

In order to place most system data and all user data eventually on btrfs while keeping this system bootable with GRUB, I install as follows:

I leave the domain name as blank. All hosts on the same local subnet can be accessed by adding .local at the end of each host name thanks to Avahi (avahi-autoipd package).

Initial manual setup (minimal CLI commands)

If your system boots into the GUI console for any reason, use “CTRL-ALT-F?” (? can be 1-6) to access the Linux virtual terminal login prompt. Otherwise, you are already at the login prompt on a Linux virtual terminal.

Login to the root account and execute:

# apt-get update
# apt-get install aptitude sudo vim mc wget nano-

NOTE: If you didn’t set a password for root during system installation with debian-installer in the expert mode, sudo is configured for you and you need to use it to gain root privileges.

Initial manual setup (SUDO)

For the passwordless sudo operation, configure sudo from root by adding /etc/sudoers.d/passwordless as:

# No password required for the users in the sudo group
# Please note that the last matching configuration wins
%sudo ALL = (ALL:ALL) NOPASSWD: ALL
# No password for 8 hours
#Defaults timestamp_timeout = 480
#Defaults timestamp_type = global

NOTE: Please note that the last matching configuration is the active one for sudo.
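A syntax error in a file under /etc/sudoers.d makes sudo refuse to run, which matters on a system where sudo is the only route to root. The following is an added example, not part of the original note: it checks a fragment with visudo -cf before installing it with mode 0440. The function name install_sudoers_dropin and its optional directory argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: validate a sudoers fragment before it goes live.
# install_sudoers_dropin is a hypothetical helper name, not part of sudo.
# Usage (as root): install_sudoers_dropin ./passwordless passwordless
install_sudoers_dropin() {
    src=$1 name=$2 dir=${3:-/etc/sudoers.d}

    # sudo skips drop-in file names that contain "." or end in "~",
    # so a file with such a name would silently never take effect.
    case $name in
        *.*|*~|*/*|'')
            echo "refusing name '$name': sudo would ignore it" >&2
            return 2 ;;
    esac

    # Parse-check the fragment on its own before it is placed anywhere
    # sudo reads; a broken file in sudoers.d stops sudo from working.
    if ! visudo -cf "$src" >/dev/null; then
        echo "syntax check failed for $src, nothing installed" >&2
        return 1
    fi

    # install(1) creates the target with mode 0440 in one step, so the
    # file never exists with looser permissions.
    install -m 0440 "$src" "$dir/$name" || return 1

    # For the real directory, re-check the complete policy and back the
    # fragment out again if the combined configuration does not parse.
    if [ "$dir" = /etc/sudoers.d ] && ! visudo -c >/dev/null; then
        rm -f "$dir/$name"
        echo "full policy check failed, removed $dir/$name" >&2
        return 1
    fi
}
```

Afterwards, sudo -l run as the primary user shows which rule is in effect.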

Tidy-up package installation status for aptitude.

I use aptitude as the primary package maintenance tool and identify intentionally installed packages as a scrollable list by typing in ~i!~M~poptional in the l prompt of aptitude.

Since packages installed by debian-installer don’t have the auto install flag (M) set, I usually tidy them up before installing GUI packages by setting the missing M flags to groups of files:

You can print the list of intentionally installed packages as plain text with:

$ aptitude search '!~M~poptional~i'
i   aptitude                         - terminal-based package manager
i   btrfs-progs                      - Checksumming Copy on Write Filesystem utili
i   discover                         - hardware identification system
i   firmware-atheros                 - Binary firmware for Qualcomm Atheros wirele
i   firmware-linux                   - Binary firmware for various drivers in the
i   firmware-realtek                 - Binary firmware for Realtek wired/wifi/BT a
i   fontmatrix                       - featureful personal font manager
i   fonts-noto                       - metapackage to pull in all Noto fonts
i   gitk                             - fast, scalable, distributed revision contro
i   grub-pc                          - GRand Unified Bootloader, version 2 (PC/BIO
i   ibus-mozc                        - Mozc engine for IBus - Client of the Mozc i
i   installation-report              - system installation report
i   linux-image-amd64                - Linux for 64-bit PCs (meta-package)
i   locales-all                      - GNU C Library: Precompiled locale data
i   lxc                              - Linux Containers userspace tools
i   lxd                              - Powerful system container and virtual machi
i   lxd-tools                        - Powerful system container and virtual machi
i   mc                               - Midnight Commander - a powerful file manage
i   python3-pip                      - Python package installer
i   python3-virtualenv               - Python virtual environment creator
i   screen                           - terminal multiplexer with VT100/ANSI termin
i   task-desktop                     - Debian desktop environment
i   task-english                     - General English environment
i   task-laptop                      - laptop
i   task-ssh-server                  - SSH server
i   usbutils                         - Linux USB utilities
i   vim                              - Vi IMproved - enhanced vi editor

(This intentionally ignores some outdated packages with priority=extra.)

Initial manual setup (SSH)

For passwordless ssh operation to the new system, configure the ssh server as follows from the primary user:

Initial manual setup (GPG)

After configuring SSH as above, your GPG keys on goofy can be moved to casper by executing the following on goofy:

$ scp -r .gnupg casper.local:.

Initial manual setup (GNOME)

Install task-desktop package which pulls in task-gnome-desktop package to set up a decent GNOME GUI workstation with aptitude.

Wallpaper for GRUB

Place your wallpaper graphics (JPEG) in /boot/grub/ and update the GRUB configuration using one of the following:

OS probing for GRUB

Somehow, the GRUB_DISABLE_OS_PROBER setting in /etc/default/grub seems to be unset during some automatic package reconfiguration steps involving grub-efi-amd64 and grub-pc.

Running dpkg-reconfigure interactively on them with the -plow option and answering explicitly “Yes” to the question “Run os-prober automatically to detect and boot other OSes?” will set GRUB_DISABLE_OS_PROBER=false and enable OS detection. This manual step is required after kernel updates etc., to work around the unset problem.

Running sudo update-grub doesn’t unset the variable as above, but it requires GRUB_DISABLE_OS_PROBER=false to be set explicitly in order to do OS probing.

Multi-boot with GRUB on UEFI system

For more robust multi-boot, I usually add following as /etc/grub.d/40_fixed_linux:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
menuentry 'Debian GNU/Linux --- main SSD' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-fixed-fe3e1db5-6454-46d6-a14c-071208ebe4b1' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod btrfs
        search --no-floppy --fs-uuid --set=root fe3e1db5-6454-46d6-a14c-071208ebe4b1
        echo    'Loading Linux from /dev/nvme0n1p5 ...'
        linux   /@rootfs/vmlinuz root=UUID=fe3e1db5-6454-46d6-a14c-071208ebe4b1 ro rootflags=subvol=@rootfs  quiet
        echo    'Loading initial ramdisk from /dev/nvme0n1p5 ...'
        initrd  /@rootfs/initrd.img
}
menuentry 'Debian GNU/Linux --- sub SSD' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-fixed-51f9cd11-30b3-4d99-b2ed-fe411fa22ee6' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod btrfs
        search --no-floppy --fs-uuid --set=root 51f9cd11-30b3-4d99-b2ed-fe411fa22ee6
        echo    'Loading Linux from /dev/nvme1n1p1 ...'
        linux   /@rootfs/vmlinuz root=UUID=51f9cd11-30b3-4d99-b2ed-fe411fa22ee6 ro rootflags=subvol=@rootfs  quiet
        echo    'Loading initial ramdisk from /dev/nvme1n1p1 ...'
        initrd  /@rootfs/initrd.img
}

With GRUB on UEFI, data on the btrfs root filesystem is readable, so it is used directly.

If you have multiple Debian systems installed, you should make a backup copy of /boot/efi/EFI/debian/grub.cfg to protect it from being overwritten when installing the second Debian system.

See https://wiki.debian.org/Btrfs%20migration .

Use of Btrfs with LUKS on MBR system

Since GRUB on MBR can’t access data on btrfs, / is placed on an ext4 filesystem on a non-encrypted partition.

Since I still wanted to keep all user data on an encrypted disk, I set up the system by mounting all of /usr, /var, /home/<name>, etc. from the Btrfs subvolume under the LUKS-encrypted volume.

This way, /vmlinuz, /initrd.img, etc. are stably available while user data are securely stored on the encrypted volume using Btrfs, which allows making snapshots.

GNOME desktop customization

The gnome-tweaks package, installed as a dependency of the gnome package, helps to tweak the system via the GUI application Tweaks.

The GNOME extension packages may not be robust against GNOME updates, so extensive use of them should be limited to systems tracking the stable release. They are available from the GNOME Extensions web site using a browser with GNOME Shell integration enabled. They can be configured via the GUI application Extensions.

Terminal customization

Wallpaper for GNOME (Settings+Tweaks)

You can set wallpaper graphics from:

Keyboard shortcut customization (Settings)

(SUPER-\ is easier to type than SUPER-T.)

Keyboard customization (Tweaks)

For Vim users, mapping CapsLock to Esc as follows may be interesting:

Right mouse click with single button (Tweaks)

For Mac or some Sony Vaio with single tap pad button, the following allows proper secondary-click (or even middle-click).

Keyboard and touchpad shortcut customization (Extension)

See GNOME extensions for better UX for how I got here.

Keyboard shortcut customization (Internal IM configuration)

For Japanese input with US keyboard, set IM (mozc etc.) configuration as:

Since the Windows-E style Alt-` is grabbed by the GNOME desktop, this can’t be used to toggle IM for Mozc.

See my old Japanese input on US-keyboard (in Japanese) and its Google translation.

Non-usable Keyboard shortcut key combos with super

Application customization

Shell setups

For restoration, you may want to use manual restoration. This script needs a bit more work.

Editor setups

See Re-learning Vim (7).

Frequent commands to use:

Personal packages

See Personal DEB package repository for the method to publish personal DEB packages.

You need to add configuration file for personal DEB package repository to use them.

Here are some of my personal packages to help my command line. The source of these are published to my github repo and binary packages are published to my github web page.

Web browser

Although Chromium exists in the official Debian repository, it has lacked account synchronization capability with other devices since 2021. Although there are some workaround tips posted on the web, installing Chrome can solve this situation for sure.

The best solution seems to be adding an APT repository by adding /etc/apt/sources.list.d/google.sources in DEB822-STYLE FORMAT and selecting the google-chrome-stable package.

Shotwell

Shotwell 0.30 in Debian 12 bookworm doesn’t support HEIF image files used by iPhone.

I installed the Shotwell 0.32.1 or newer flatpak package from GNOME upstream.

See HEIF image files for more HEIF tips.

LibreOffice

Debian 12 bookworm (stable release) offers the LibreOffice 7.4.7. I think it is in good shape.

If any issues arise, I may switch to the upstream flatpak package offering LibreOffice 7.6. (2023-10-08)

Mail client

Updated on 2023-11-24

For GUI access to remotely hosted IMAP4 mail services, use GNOME Online Accounts and Evolution. This approach works for Gmail etc. and is compatible with using other devices such as smartphones. Evolution can also be configured to read mail delivered locally to mbox (send+receive).

I decided to configure the MTA as simply as possible with “sudo dpkg-reconfigure exim4-config”, selecting “local delivery only; not on a network”. Everything else can be left at the default. I no longer have any smarthost setup or fetchmail.

When I need to send mail from shell prompt for Debian BTS or Debian mail gateway services, I use my “@debian.org” address and use ssh+sendmail (created shell script ~/bin/sendmail-p.d.o) to access a Debian host. (The similar trick may be usable for any shell access hosts such as salsa.debian.org etc.)

I have mail configuration for:

For Debian voting, mutt works most reliably.

Miscellaneous tips

Migrating user’s home directory to a separate subvolume

As installed, the user’s home directory is in the rootfs using subvolume @rootfs. Let me create and use subvolume @osamu for my user osamu and copy the contents of the original /home/osamu into @osamu. Then update /etc/fstab to mount @osamu onto /home/osamu.

# mount /dev/sda6 /mnt
# cd /mnt
$ ls -lai
total 16
256 drwxr-xr-x 1 root  root   26 Oct  8 17:11 .
256 drwxr-xr-x 1 root  root  238 Oct  8 06:41 ..
256 drwxr-xr-x 1 root  root  238 Oct  8 06:41 @rootfs
# btrfs subvolume create @osamu
# chmod 700 @osamu
# chown osamu:osamu @osamu
# ls -lai
total 16
256 drwxr-xr-x 1 root  root   26 Oct  8 17:11 .
256 drwxr-xr-x 1 root  root  238 Oct  8 06:41 ..
256 drwx------ 1 osamu osamu 610 Oct  8 17:01 @osamu
256 drwxr-xr-x 1 root  root  238 Oct  8 06:41 @rootfs
# cp -a /home/osamu/. @osamu
# vi /etc/fstab
# cat /etc/fstab
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sdb6 during installation
UUID=01ec7a23-d2bd-4b27-a5e0-da88cfed58c1 /               btrfs   defaults,subvol=@rootfs 0       0
# /home/osamu is on /dev/sdb6 where / is
UUID=01ec7a23-d2bd-4b27-a5e0-da88cfed58c1 /home/osamu     btrfs   defaults,subvol=@osamu 0       0
# /boot was on /dev/sdb5 during installation
UUID=85827838-41ae-42e2-9081-a98ab7f819f5 /boot           ext4    defaults        0       2
# swap was on /dev/sdb7 during installation
UUID=31355cb6-e02f-4462-91a4-323dcc351ea9 none            swap    sw              0       0

Then reboot this machine.

Setting group membership

Don’t forget to set up group membership for the primary user (UID=1000). Notable groups to watch out for are:

You need to re-login to enable them after setting them with e.g., sudo adduser osamu lxd.

Setting LXD

$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (dir, btrfs) [default=btrfs]:
Would you like to create a new btrfs subvolume under /var/lib/lxd? (yes/no) [default=yes]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]:
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

If this is on host casper with the primary user osamu:

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1
$ cd /etc
$ cat subgid
osamu:100000:65536
_lxd:165536:10000001
root:165536:10000001
$ cat subuid
osamu:100000:65536
_lxd:165536:10000001
root:165536:10000001
$ grep _lxd passwd
_lxd:x:103:111::/var/lib/lxd/:/bin/false
$ grep lxd group
lxd:x:111:osamu
$ sudo ls -la /var/lib/lxd
total 8
drwx--x--x 1 _lxd lxd  336 Oct  9 08:38 .
drwxr-xr-x 1 root root 856 Oct  8 14:41 ..
drwx------ 1 root root  30 Oct  8 14:49 backups
drwx--x--x 1 root root   0 Oct  8 14:49 containers
drwx------ 1 root root  28 Oct  8 14:49 database
drwx--x--x 1 root root   0 Oct  8 14:49 devices
drwxr-xr-x 1 root root   0 Oct  8 14:49 devlxd
drwx------ 1 root root   0 Oct  8 14:49 disks
drwx------ 1 root root   0 Oct  8 14:49 images
drwx--x--x 1 root root  12 Oct  8 14:50 networks
drwx------ 1 root root  30 Oct  8 14:49 security
-rw-r--r-- 1 root root 757 Oct  8 14:49 server.crt
-rw------- 1 root root 288 Oct  8 14:49 server.key
drwx--x--x 1 root root   0 Oct  8 14:49 shmounts
drwx------ 1 root root   0 Oct  8 14:49 snapshots
drwx--x--x 1 root root  14 Oct  8 14:50 storage-pools
srw-rw---- 1 root lxd    0 Oct  9 08:38 unix.socket
drwx--x--x 1 root root   0 Oct  8 14:49 virtual-machines
drwx------ 1 root root   0 Oct  8 14:49 virtual-machines-snapshots

Re-install and UID/GID issues

The UIDs and GIDs used by some applications are not fixed. So, if you reinstall the exact same packages in a different order, you end up assigning different UIDs and GIDs to the applications.

UIDs in the range 101-999, such as the ones for avahi, saned, colord, _ssh, …, are the most susceptible to this issue.

apt-cacher-ng needs special attention.
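Files kept from the previous installation still carry the old numeric owner, so after a reinstall they can end up belonging to a different service account. The following is an added example, not part of the original note: it compares a passwd file saved from the old system with the current one and lists accounts in the 101-999 range whose IDs moved, together with whoever holds the old UID now. The function names and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: list system accounts whose UID/GID changed between installs.
# uid_drift and uid_drift_demo are hypothetical helper names.
# $1 = passwd saved from the old system, $2 = current passwd,
# $3/$4 = UID range to report (defaults follow the 101-999 range above).
uid_drift() {
    awk -F: -v lo="${3:-101}" -v hi="${4:-999}" '
        NR == FNR { ouid[$1] = $3; ogid[$1] = $4; next }    # old install
        { nuid[$1] = $3; ngid[$1] = $4; holder[$3] = $1 }   # new install
        END {
            for (n in ouid) {
                if (!(n in nuid)) continue
                if (ouid[n] == nuid[n] && ogid[n] == ngid[n]) continue
                o = ouid[n] + 0; c = nuid[n] + 0
                if ((o < lo || o > hi) && (c < lo || c > hi)) continue
                # Name the account that owns the old number now, because
                # files from the old system still carry that number.
                now = (ouid[n] in holder) ? holder[ouid[n]] : "unassigned"
                printf "%s %s:%s -> %s:%s (uid %s now: %s)\n",
                       n, ouid[n], ogid[n], nuid[n], ngid[n], ouid[n], now
            }
        }' "$1" "$2" | sort
}

uid_drift_demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample data: same packages, installed in a different order.
    printf '%s\n' \
        'avahi:x:104:110::/run/avahi-daemon:/usr/sbin/nologin' \
        'colord:x:105:111::/var/lib/colord:/usr/sbin/nologin' \
        'saned:x:106:112::/var/lib/saned:/usr/sbin/nologin' \
        'osamu:x:1000:1000::/home/osamu:/bin/bash' > "$d/passwd.old"
    printf '%s\n' \
        'colord:x:104:110::/var/lib/colord:/usr/sbin/nologin' \
        'avahi:x:105:111::/run/avahi-daemon:/usr/sbin/nologin' \
        'saned:x:106:112::/var/lib/saned:/usr/sbin/nologin' \
        'osamu:x:1000:1000::/home/osamu:/bin/bash' > "$d/passwd.new"
    uid_drift "$d/passwd.old" "$d/passwd.new"
    rm -rf "$d"
}

uid_drift_demo
```

Files that still carry an old number can then be located with find / -xdev -uid N and re-owned with chown.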

EFI-based firmware updates

Install gnome-firmware package and invoke GUI to update firmware on devices supported by fwupd using Linux Vendor Firmware Service.

Many firmware data can be updated using gnome-firmware.

Workaround for some firmware

Some firmware devices may have problems being updated by gnome-firmware.

The most notable one on my system was “Lenovo System Firmware”. (I don’t know if this was version dependent or not.) I used the vendor’s BIOS update offered as a bootable CD and made a USB key containing its image data:

If the BIOS option Security > Secure Boot is enabled, it may restrict booting from the BIOS Update bootable CD image; you may need to disable the Secure Boot option to use it.

If Windows 10 or 11 is installed, you may need to re-enable Secure Boot after this operation.
