Debian Workstation (Trixie) (v2025-09)

TOC

XXX WIP XXX

Workstation usability

Here is the system configuration memo on my workstation running Debian 13 Trixie stable release with GNOME 48. This is mostly a rewrite of the older guide for Debian 12 Bookworm.

I am trying to keep my workstation as clean Trixie installation as possible.

This is non-hardware specific notes and tips. For the hardware specific notes and tips, see also:

• Thinkpad T14 Gen 1 – hostname=goofy
• Sony Vaio SVT1313 – hostname=casper hostname=mickey

System installation

Installation by debian-installer and apt

• For non-encrypted UEFI system: (Thinkpad main)
  • Simply apt full-upgrade from Debian 12/Bookworm (see older guide) to Trixie.
  • /dev/nvme1n1p1: /boot/EFI – EFI boot partition in FAT32
  • /dev/nvme1n1p5: Btrfs holding many subvolumes: @rootfs, @osamu, …
  • /dev/nvme1n1p6: swap
• For non-encrypted UEFI system: (Thinkpad sub)
  • Brute force apt full-upgrade several times from Debian 11/Bullseye to Trixie.
    • I forgot to upgrade to Bookworm previously.
    • Newer keys are copied to /etc/apt/trusted.gpg.d/ from main system.
  • /dev/nvme1n1p1: /boot/EFI – EFI boot partition in FAT32
  • /dev/nvme0n1p1: Btrfs holding a subvolume: @rootfs
  • /dev/nvme0n1p2: Unused
• For encrypted MBR system (Sony main):
  • Perform full disk encrypted installation (default).
  • See Rescue media(2) for the system migration
    • A primary partition (/dev/sda1) formatted to Ext4 for / (system data).
    • A LUKS encrypted PV == VG which holds 2 LVs (in /dev/sda5)
      • A 30G LV formatted to ext4 for / (system data).
      • A 8G LV formatted to swap used for swap.
      • A 408G LV formatted to btrfs (@home subvolume used for /home for user data).
• For non-encrypted MBR system (Sony sub):
  • Refreshed partition to make UUID of /dev/sdb1 discovered by the recent Linux kernel. (/dev/sdb1 now starts at sector 2024.)
  • /dev/sdb1: 21G Ext4 /
  • /dev/sdb2: 1.5G swap

I left the domain name as blank for debian-installer. All hosts on the same local subnet can be accessed by adding .local at the end of each host name thanks to Avahi (avahi-autoipd package).

All packages with Priority: values required, important and standard are installed by debian-installer.

Initial manual setup

If your system boot into the GUI console for any reason, use “CTRL-ALT-F?” (? can be 1-6) to access Linux virtual terminal login prompt. Otherwise, you are already at login prompt on Linux virtual terminal.

Login to the root account and execute:

$ su bash
 ...
# apt-get update
# apt-get install aptitude sudo vim mc wget nano-

NOTE: If you didn’t set password for root during system installation with debian-installer in the expert mode, sudo is configured for you and you need to use it to gain root privilege.

Tidy-up package installation status for aptitude

I use aptitude as the primary package maintenance tool and identify intentionally installed packages as a scrollable list by typing in ~i!~M~poptional in the l prompt of aptitude.

Since debian-installer installed packages doesn’t set the auto install flag (M), I usually tidy-up them up before installing optional packages by setting missing M flags to groups of files:

• packages under libs section
• packages under Depends and Recommends for:
  • apt
  • dpkg
  • aptitude
  • debconf
  • task-desktop etc. (if installed)
• Add a few packages …

You can print list of intentionally installed packages as a plain text with:

$ aptitude search '!~M~poptional~i'
i  00-min - Task for the minimal non-GUI system
i  aptitude - terminal-based package manager
i  bss - Btrfs Subvolume Snapshot Utility
i  btrfs-progs - Checksumming Copy on Write Filesystem utilities
i  chromium - web browser
i  cmake - cross-platform, open-source make system
i  cryptsetup - disk encryption support - startup scripts
i  devscripts - scripts to make the life of a Debian Package maintainer easier
i  dgit - git interoperability with the Debian archive
i  dh-exec - Scripts to help with executable debhelper files
i  discover - hardware identification system
i  dmsetup - Linux Kernel Device Mapper userspace library
i  firmware-iwlwifi - Binary firmware for Intel Wireless cards
i  firmware-linux - Binary firmware for various drivers in the Linux kernel (metapackage)
i  firmware-misc-nonfree - Binary firmware for various drivers in the Linux kernel
i  firmware-realtek - Binary firmware for Realtek network and audio chips
i  gdisk - GPT fdisk text-mode partitioning tool
i  gitk - fast, scalable, distributed revision control system (revision tree visualizer)
i  gnome-firmware - GTK front end for fwupd
i  gparted - GNOME partition editor
i  grub-efi-amd64 - GRand Unified Bootloader, version 2 (EFI-AMD64 version)
i  hugo - Fast and flexible Static Site Generator written in Go
i  ibus-mozc - Mozc engine for IBus - Client of the Mozc input method
i  imediff - interactive full screen 2/3-way merge tool
i  installation-report - system installation report
i  isc-dhcp-client - DHCP client for automatically obtaining an IP address (deprecated)
i  libcap2-bin - POSIX 1003.1e capabilities (utilities)
i  linux-image-amd64 - Linux for 64-bit PCs (meta-package)
i  locales-all - GNU C Library: Precompiled locale data
i  lvm2 - Linux Logical Volume Manager
i  mc - Midnight Commander - a powerful file manager
i  moreutils - additional Unix utilities
i  neovim - heavily refactored vim fork
i  npm - package manager for Node.js
i  rsyslog - reliable system and kernel logging daemon
i  sbuild - Tool for building Debian binary packages from Debian sources
i  ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-add
i  task-english - General English environment
i  task-gnome-desktop - GNOME
i  task-laptop - laptop
i  task-ssh-server - SSH server
i  unzip-i18n - De-archiver for .zip files with i18n supports
i  usbutils - Linux USB utilities
i  vim - Vi IMproved - enhanced vi editor
i  vim-scripts - plugins for vim, adding bells and whistles
i  xxd - tool to make (or reverse) a hex dump
i  zip - Archiver for .zip files

(This intentionally ignores some outdated packages with priority=extra packages.)

Initial manual setup (SUDO)

For the passwordless sudo operation, configure sudo from root by adding /etc/sudoers.d/passwordless as:

# No passowrd required for the user in sudo group
# please note the last match wins configuration
%sudo ALL = (ALL:ALL) NOPASSWD: ALL
# No password for 8 hours
#Defaults timestamp_timeout = 480
#Defaults timestamp_type = global

NOTE: Please note that the last matching configuration is the active one for sudo.

Initial manual setup (SSH)

For paswordless ssh operation to the new system, configure ssh server as follows from the primary user:

• Copy ssh public keys of the main machine into new machine’s ~/.ssh/authorized_keys to allow access to the new machine from the main machine.
• Run ssh-keygen to generate ssh keys for the new machine
• Copy ssh public keys of the new machine into the main machine’s ~/.ssh/authorized_keys to allow access from the new machine to the main machine. (optional)
• Disable password-based login via sudo vi /etc/ssh/sshd_config to set PasswordAuthentication no for all machines after setting passwordless SSH logins.

Initial manual setup (GPG)

After configuring SSH as above, your GPG keys on goofy can be moved to casper by executing the following on goofy:

$ scp -r .gnupg casper.local:.

Initial manual setup (GNOME)

Install task-desktop package which pulls in task-gnome-desktop package to set up a decent GNOME GUI workstation with aptitude if not installed.

Wallpaper for GRUB

Place your JPEG wallpaper graphics (JPEG) in /boot/grub/ and update GRUB configuration using one of the followings:

• sudo update-grub
• sudo dpkg-reconfigure grub-efi-amd64 # UEFI system
• sudo dpkg-reconfigure grub-pc # MBR system

OS probing for GRUB

No change from older guide for Debian 12 Bookworm.

Multi-boot with GRUB on UEFI system

No change from older guide for Debian 12 Bookworm.

GNOME desktop customization

The gnome-tweak and gnome-shell-extension-manager packages installed along with gnome package help to tweak the system via GUI application Tweak and Extension Manager.

The GNOME extension packages are available from GNOME Extension web site using browser with GNOME Shell integration enabled.

My essential GNOME extension is Input method and touchpad shortcuts (See GNOME shell extension for input methods.)

Terminal customization

• Disable “F10”
• Use MONO 14 or equivalent (HACK NERD FONT MONO)
  • Install *.ttf files into ~/.fonts/ for a single user or /usr/local/share/fonts/ for system wide installation.
• Add “080x24”, “080x43”, “127x43” or similar
• (Set shell as login shell if you want anything other than Bash.)

Wallpaper for GNOME (Settings+Tweaks)

You can set wallpaper graphics from:

• Desktop: Settings -> Appearance -> Background
• Desktop: Tweaks -> Appearance -> Background (zoom, …)
• Lock Screen: Blur only
• GDM3: — Not so easy (leave this as is)

Keyboard customization limitations

• Any use of SUPER+modifier+SPACE or SUPER-SPACE breaks normal SUPER-SPACE for rotating input method and bad idea
• SUPER-P seems to be unresponsive
• SUPER-O seems to be unresponsive
• Alt-` (Alt-backtick) is grubbed by Gnome Desktop
  • No windows style toggle IM with Alt-backtick.

Keyboard customization (Settings)

• Install Debian ibus-mozc package
• Settings -> Keyboard tab
  • Set up Input Sources with:
    • Japanese (Mozc)
    • English (US)
    • English (intl., with AltGr dead keys)
• Settings -> Keyboard tab
  • Keyboard Shortcuts -> View and Customize Shortcuts
    • Sound and Media
      • SUPER-,: volume mute/un-mute
    • Custom Shortcuts
      • SUPER-\: Name: Terminal, Command: gnome-terminal

(No more remap of CapsLock as additional Esc with GNOME Tweak. I use jk as Esc for vi.)

NOTE: Non-usable Keyboard shortcut key combos with super

Keyboard and touchpad shortcut customization (Extension)

• Install my GNOME extension: Quick switching of input method and touchpad – source
  • GNOME extension: Input method and touchpad shortcuts
• Log out and log in to GNOME
• Enabled shortcuts from GNOME shell extension preference menu as:
  • Input Method Shortcuts
    • CTRL-SUPER: English (US)
    • SHIFT-SUPER: Mozc
    • SUPER-CTRL: English (international)
  • Touchpad Shortcuts
    • SUPER-.: Touchpad On
    • SUPER-/: Touchpad Off

See GNOME extensions for better UX how I get here.

Keyboard shortcut customization (Internal IM configuration)

For Japanese IM (ibus-mozc), set it up as:

• Keymap style: MS-IME (default) –> Click Customize ...
• 全角かな入力 (hiragana mode) 変換キー equivalent for US keyboard:
  • Direct Input mode: Shift Space key : Activate IME
• 英数半角入力 (latin mode) 無変換キー equivalent for US keyboard:
  • Precomposition mode: Ctrl Space key : Deactivate IME
  • Composition mode: Ctrl Space key : Deactivate IME (originally Insert HW Space)
  • Conversion mode: Ctrl Space key : Deactivate IME
• UI consistency adjustment
  • Conversion mode: Ctrl Enter key : CommitOnlyFirstSegment (originally Commit)

See my old Japanese input on US-keyboard (in Japanese) and its Google translation.

Right mouse click with single button (Setting)

For Mac or some Sony Vaio with single tap pad button, the following allows proper secondary-click (or even middle-click).

• Settings -> Mouse & Touchpad (side) -> Touchpad tab (top)
• -> “Secondary Click”: select “Corner Push”
• -> “Tap to Click”: disable
• -> “Scrolling”: select “Two Finger”

Application customization

Personal packages

See Personal DEB package repository for the method to publish personal DEB packages.

You need to add configuration file for personal DEB package repository to use them.

Here are some of my personal binary DEB packages to help my command line.

• bss: Btrfs Subvolume Snapshot Utility
  • src: https://github.com/osamuaoki/bss
  • This helps me with easy backup and snapshot using btrfs.
• unzip-i18n: patched unzip (-O and -I options to support encoding of filenames)
  • src: https://github.com/osamuaoki/unzip
  • This replaces Debian unzip program which lacks -I and -O options to offer functionality available under other distribution.
    • Use unzip -Osjis filename.zip to unzip Japanese zip files.
• 00-min: Osamu’s Task Packages – WIP updating
  • src: https://github.com/osamuaoki/osamu-task
  • This comes with configuration dot files under /usr/share/doc/00-min/examples/

Editor setups

I use NeoVim 0.11.4 fetched from my HTTP repo with wget and install it with dpkg -i as my main editor.

• Main editor: NVIM_APPNAME=nvim_osamu nvim with ~/.config/nvim_osamu (alias vi)
  • Configuration by my forked LazyVim starter placed in ~/.config/nvim_osamu/.
  • Install a few required packages found by :checkhealth: git, ripgrep, …
• Fallback editor: nvim -u NONE (alias v0)
  • No configuration bare neovim.
• Fallback editor: vim
  • Configuration by https://github.com/osamuaoki/dot-vim in ~/.vimrc.

See Building Neovim for how I set up my HTTP repo.

Web browser

Although Chromium exists in the official Debian repository, it lacks account synchronization capability with other devices since 2021. Although there are some workarounds tips posted on web, installing Chrome can solve this situation for sure.

The official Chrome installer create the APT configuration file /etc/apt/sources.list in old non-DEB822-STYLE FORMAT.

LibreOffice

Debian 13 Trixie (stable release) offers the LibreOffice 25.2. I think it is in good shape.

If any issues arise, I may switch to the latest upstream flatpack package offering from LibreOffice download.

Mail client

Updated in 2025-09-08

Debian 13 Trixie doesn’t require to install MTA such as exim4.

For the GUI access to the remotely hosted IMAP4 mail services, use GNOME Online accounts and Evolution. This approach works for Gmail etc. and compatible with using other devices such as smart phones. Evolution can also be configured to read locally delivered mails to mbox too. (send+receive).

When I need to send mail from shell prompt for Debian BTS or Debian mail gateway services, I use my “@debian.org” address and use ssh+sendmail (created shell script ~/bin/sendmail-p.d.o) to access a Debian host. (The similar trick may be usable for any shell access hosts such as salsa.debian.org etc.)

I have mail configuration for:

• GUI:
  • Evolution (GNOME online account)
• CLI:
  • devscripts (add “BTS_SENDMAIL_COMMAND='/home/osamu/bin/sendmail-p.d.o'” to ~/.devscripts)
  • reportbug (add “mta /home/osamu/bin/sendmail-p.d.o” to ~/.reportbugrc)
  • mail (add “set sendmail=/home/osamu/bin/sendmail-p.d.o” to ~/.mailrc)
  • mutt (add “set sendmail = '/home/osamu/bin/sendmail-p.d.o'” to ~/.muttrc)

For Debian voting, mutt works most reliably.

Miscellaneous tips

Setting group membership

Don’t forget to setup group membership for the primary user (UID=1000). Notable groups to watch out are:

• adm
• src
• staff
• sudo – by adding this, you enable sudo with password
• www-data – for web server

You need to re-login to enable them after setting them.

Re-install and UID/GID issues

UID and GID used by some applications are not fixed. So, if you reinstall the exact same packages in a different order, you end up assigning UID and GID for the application.

UID in range between 101-999 such as ones for avahi, saned, colord, _ssh, … are the most susceptible on this issue.

apt-cacher-ng needs special attention.

EFI-based firmware updates

Install gnome-firmware package and invoke GUI to update firmware on devices supported by fwupd using Linux Vendor Firmware Service.

Many firmware data can be updated using gnome-firmware.

Workaround for some firmware

Some firmware devices may experience some problem to be updated by gnome-firmware.

Most notable one on my system was “Lenovo System Firmware”. (I don’t know if this was version dependent or not.) I used vendor’s BIOS update offered as bootable CD and made USB key containing it image data:

• https://pcsupport.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t14-type-20ud-20ue/downloads/driver-list/component?name=BIOS%2FUEFI

If the BIOS options Security > Secure Boot is enabled, it may restrict booting up from the BIOS Update bootable CD image, you may need to disabled the Secure Boot option to use it.

If Windows 10 or 11 is installed, you may need to reenable Secure Boot after this operation.