My routine for rebuilding my Linux laptops from scratch

July 22, 2024

Yesterday when I tried to do an apt-get dist-upgrade on one of my Debian Linux laptops, the upgrade failed to complete successfully because my /boot partition (I have a separate partition because the rest of the disk is encrypted with LUKS) wasn’t big enough to hold three kernels. Debian saves two kernels, but it needs space for a third temporarily during upgrades, and the initrd for the new kernel was so large that it wouldn’t fit with the other two.

It turns out that this was due to a bug which is going to be fixed, i.e., the size of the initrd is eventually going to go back down such that there will once again be room for three on the partition. I suspected that might be the case, but at the same time, (a) I like to rebuild my laptops periodically to give them a fresh start and make sure that the tools I use for the rebuild haven’t atrophied, and (b) I have COVID and I felt terrible yesterday and I needed something to distract me, so I said “what the heck” and decided to reinstall Debian with a larger /boot partition.

Usually when I rebuild one of my laptops, I either back up my home directory to my NAS before the rebuild and restore it afterward, or I copy my home directory from my other laptop after the rebuild, so I don’t have to rebuild everything from scratch. However, every once in a while I decide to rebuild everything from scratch, because all the configuration stuff in Linux home directories accumulates historical cruft which negatively impacts user experience. I decided to go ahead with a full rebuild this time, both because I hadn’t done it in quite a while and because of the aforementioned need for distraction from COVID misery.

I took notes while I was doing the rebuild for my own reference the next time I need to do this. I’m sharing them here on the off chance they might be interesting to someone else.

Note that most of the rebuild work is actually handled automatically by a bunch of Ansible playbooks. The notes below show how they’re invoked; you can see the playbooks themselves at https://github.com/jikamens/family-orchestration-public.

Rebuilding a Debian desktop/laptop from scratch

Installing Debian

Partitioning

Run the guided partitioning first to get an idea of what the Debian installer wants to do if you specify that you want to use full-disk encryption and separate /var, /tmp, and /home. Take a picture of the partitions the guided partitioner wants to create so that you can replicate them. Then restart the installer and do the partitioning by hand, with the following changes from the guided partitioning:

  1. Get rid of swap; we’re going to use zramswap instead.
  2. Make the /boot partition 1GB.
  3. Make the root (/) partition 60GB.
  4. Make the /tmp partition 10GB.
  5. Make the /var partition 20GB.
  6. Make the /home partition take up the rest of the space.

Package selection

When you get to the point where it asks what packages you want to install, specify Debian desktop environment (specifically GNOME), web-server, ssh-server.

Miscellaneous customizations

Add Hebrew and French input methods in the settings app by going to Keyboard.

Firefox

  • Sign in.
  • Wait for add-ons to sync.
  • Customize the toolbar so it’s Bitwarden, 2fas, extensions puzzle piece, overflow menu (unpin other add-ons, move unwanted Firefox buttons to overflow menu). NOTE: You haven’t yet run the Ansible playbook that configures the touchpad for corner click, so you need to click with two fingers to get a right click.
  • In the 2fas Android app, remove old instances of this laptop if any.
  • Pair 2fas in browser and update its name in the browser preferences.
  • Log into Bitwarden.
  • Configure Bitwarden not to prompt about Passkeys (under notifications).
  • Configure Bitwarden to lock after 24 hours (under account security).
  • Configure Firefox Download Manager:
    • Features
      • Clear finished downloads when the browser closes
      • Clear a finished download after opening it
      • Clear a finished download after opening containing folder
    • Download Bar Mode
      • Hide Download Bar 5 seconds after downloads are completed

Notes about Firefox

  • If you decide to copy your profile directory from another computer instead of reconstructing from scratch as described above, you need to erase the extension storage for the 2FAS extension and then re-pair the browser with 2FAS. Otherwise you’ll end up with multiple computers that think they’re the same.

Synology Drive Client

We’re doing this by hand here because we need some of the files in our Synology Drive to get us to the point where we can run the Ansible playbook that does it automatically.

Install Synology Drive Client.

Configure a sync task:

  • Remote My Drive/Drive/Drive, local /home/jik/CloudStation.
  • Configure these filters in Synology Drive Client during the initial setup: #* *~ .#* .~*

Preparing to run Ansible playbooks

Wait for CloudStation/random/git (for git config files) and CloudStation/closed/ssh (for the config file which the symlink ~/.ssh/config points at) to sync.

ln -s ~/CloudStation/random/git/gitconfig ~/.gitconfig
ln -s ~/CloudStation/random/git/gitignore_global ~/.gitignore_global
su -c 'apt-get install -y rsync git ansible make m4'

Copy ~/.ssh from another machine onto a thumb drive and copy it into your home directory on the rebuilt laptop.

mkdir ~/src
# This repository is private, but you can see a public snapshot of most of what's in it
# at https://github.com/jikamens/family-orchestration-public/.
cd ~/src && git clone git@github.com:jikamens/family-orchestration
cd family-orchestration
git submodule init
git submodule update
git submodule foreach --recursive git submodule init
git submodule foreach --recursive git submodule update

In “su -” shell:

cd ~jik/src/family-orchestration
ansible-playbook -l $HOSTNAME -c local desktops/sshd_config.yml

Copy src/family-orchestration/secrets.yml from another machine.

To add me to the sudo group so that I can start using sudo instead of su:

  • Run cd ~/src/family-orchestration && ansible-playbook -l $HOSTNAME desktops/users.yml && kill -TERM -1
  • Log back in.

Install scripts

I have a directory full of shell scripts, Perl scripts, Python scripts, etc., that I’ve written over decades and that I use on the regular. This is the point in the rebuild at which I have enough restored that I can install the scripts:

# Needed for scripts install
cd ~/src && git clone git@github.com:jikamens/keyless-entry
# "jik6" is a private server on my home LAN
cd ~/src && git clone jik@jik6:/d/src/git-projects/scripts
mkdir -p ~/build/scripts && cd ~/build/scripts && ln -sf ../../src/scripts/Makefile && mkdir -p ~/scripts && make install

Install dotfiles

Like the scripts, I have heavily customized dotfiles that I’ve written over the course of many years. They go on every new machine I build out.

cd ~/src && git clone jik@jik6:/d/src/git-projects/dotfiles
mkdir -p ~/build/dotfiles && cd ~/build/dotfiles && ln -sf ../../src/dotfiles/Makefile && make install

Log out and log back in.

Time for the main Ansible playbook

This is needed because the playbook expects it to be present:

cd ~/src && git clone git@github.com:jikamens/allow-locked-remote-desktop

Change the release to testing in /etc/apt/sources.list.

Make sure that all the lines in /etc/apt/sources.list specify main contrib non-free-firmware non-free.
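Added example, not from the original post: a quick check for the two sources.list edits just described. Every deb/deb-src line must name the testing release (or testing-security, testing-updates) and list all four components; anything else is reported with its line number.

```shell
#!/bin/sh
# Added example, not from the original post: check that every deb/deb-src line in
# an apt sources.list uses the testing release and lists all four components
# named in the rebuild notes. Prints one line per problem; exit status 1 if any.
check_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            sub(/\[[^]]*\] */, "")          # drop [options] so fields line up
            rel = $3
            if (rel !~ /^testing(-|$)/) {
                printf "line %d: release %s, expected testing\n", NR, rel
                bad = 1
            }
            split("", have)
            for (i = 4; i <= NF; i++) have[$i] = 1
            n = split("main contrib non-free-firmware non-free", want, " ")
            for (j = 1; j <= n; j++)
                if (!(want[j] in have)) {
                    printf "line %d: missing component %s\n", NR, want[j]
                    bad = 1
                }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample standing in for /etc/apt/sources.list after the edits above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://deb.debian.org/debian/ testing main contrib non-free-firmware non-free
deb http://security.debian.org/debian-security testing-security main contrib non-free-firmware non-free
EOF
if check_sources "$sample"; then echo "sources.list OK"; fi
rm -f "$sample"
```

Run it as check_sources /etc/apt/sources.list before the main playbook; a non-zero exit means apt will be pulling from the wrong release or missing components.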

cd ~/src/family-orchestration
# "<cloud-server>" here is the host name of our family server in the cloud. There are some tasks in the
# playbooks that need to be done on the cloud server when building out a desktop, most notably VPN
# client certificate creation. I limit the playbook to just the machine we're in the process of rebuilding
# and the cloud server because I don't want to waste time rerunning the playbook on all of my
# desktop and laptop machines listed in the inventory.
ansible-playbook -l "$HOSTNAME,<cloud-server>" desktops/rebuild_after_sshd_config.yml

Once the entire playbook has run successfully, reboot and log back in.

Enable Allow Locked Remote Desktop extension if it isn’t enabled.

Notes

  • The main playbook includes a bunch of other playbooks, so if you don’t want to wait for them all to rerun over and over when you have to rerun the playbook after fixing problems, you can run the individual playbooks.
  • If teamviewer fails to install because of a policykit-1 dependency, then download the deb by hand, run dpkg -i --ignore-depends=policykit-1 teamviewer_amd64.deb, and edit /var/lib/dpkg/status to remove the policykit-1 dependency from teamviewer (ugh), then rerun the playbook.
  • You may need to log out and log back in so that appindicators start working, which flameshot needs in order to start, which the playbook needs in order to configure flameshot’s settings.
  • The gnome-extensions tool doesn’t appear to be able to install Allow Locked Remote Desktop successfully. I think it needs to be done by hand; I don’t know what’s up with that. Or maybe logging out and logging back in after installing it will get GNOME to notice it, not sure.
  • On two different recent passes through these instructions, DNS resolution got screwed up at some point before desktops/displaylink.yml ran, and I had to do systemctl restart systemd-resolved to fix it, then run apt update before picking up the playbook where it left off. I can’t figure out which play caused this issue, so I don’t know how to modify the Ansible code to fix it.

Teamviewer

Start teamviewerd.

Start teamviewer.

Log into teamviewer.

Disable random password under “Password strength” on the Security tab of the Options opened from the Extras menu.

Exit teamviewer and stop teamviewerd.

Miscellaneous customizations, continued

Change desktop scaling as needed under display settings.

Delete “default” and “default-release” Firefox profiles, rename “default-esr” to “Mozilla”, and make it the default.

Fix duplicate configs in /etc/apt/sources.list.d/keybase.list (apt update will tell you if there are duplicates).

Reconnect twofas-cli to the 2fas app on my phone.

Add Google Keep PWA and Google Messages PWA to dock.

Configure keyless-entry.

Set root password to long random password and save in Bitwarden.

Configure Dropbox if this is one of the machines that gets it.

Set up DigiKam:

  • Copy appimage from another machine
  • Copy ~/.config/digikamrc from another machine
  • Copy ~/.config/digikam_systemrc from another machine
  • Copy ~/.digikam from another machine
  • Copy ~/.local/share/digikam from another machine
  • Mount ~/pictures and launch appimage and confirm it works
  • Unmount ~/pictures after quitting from digikam

Keybase:

  • Remove old instances of this computer from Keybase.
  • Add back.
  • Configure not to launch at startup (Advanced preferences tab).

Link Signal to phone.

Configure fingerprint login (right and left index fingers).

ln -sf CloudStation/closed/gnupg ~/.gnupg
chmod -R go-rwx ~/.gnupg/.
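Added example, not from the original post, covering both the ~/.ssh copy via thumb drive above and the ~/.gnupg link here: a thumb drive is usually FAT, which keeps no Unix modes, so private keys can land as 0644 (and ssh will refuse to use them). This lists anything under a directory that group or others can reach, so the chmod -R go-rwx step can be verified rather than assumed.

```shell
#!/bin/sh
# Added example, not from the original post: after copying ~/.ssh via a thumb drive
# or linking ~/.gnupg to a synced folder, list anything under a directory that is
# readable, writable or executable by group or others.
# Exit status 0 if the tree is private, 1 otherwise.
# Assumes GNU find (Debian's), for the -perm /MODE "any of these bits" form.
check_private_dir() {
    dir="$1"
    # "$dir/." follows a top-level symlink such as ~/.gnupg -> CloudStation/closed/gnupg
    leaks=$(find "$dir/." -perm /077 -print)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed demo: an empty placeholder key with the 0644 mode a FAT copy typically yields.
demo=$(mktemp -d)
: > "$demo/id_ed25519"
chmod 644 "$demo/id_ed25519"
check_private_dir "$demo" || echo "-> fixing with chmod -R go-rwx as in the notes"
chmod -R go-rwx "$demo"
check_private_dir "$demo" && echo "$demo is now private"
rm -rf "$demo"
```

Run check_private_dir ~/.ssh and check_private_dir ~/.gnupg after the copy and the chmod; an empty listing and exit status 0 is what you want.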

cd ~/src && git clone git@github.com:jikamens/toodledo-python
cd toodledo-python && pip install --user --break-system-packages -e .

ln -sf CloudStation/closed/agenda-cache.pickle ~/.agenda-cache.pickle
ln -sf CloudStation/closed/agenda-config.json ~/.agenda-config.json
ln -sf CloudStation/closed/agenda-token.json ~/.agenda-token.json

cd ~/src
git clone git@github.com:Extended-Thunder/ToggleReplied
git clone git@github.com:Extended-Thunder/remote-content-by-folder
git clone git@github.com:Extended-Thunder/userChromeJS
git clone git@github.com:Extended-Thunder/folder-pane-view-switcher
git clone git@jikamens.github.com:Extended-Thunder/send-later
git clone git@jikamens.github.com:jikamens/jik-tb-tweaks
~/src/scripts/deploy-addons.py

Install the “Night Theme Switcher” GNOME shell extension from extensions.gnome.org

Thunderbird

Either copy Thunderbird profiles from another computer, or create a new home-jik-bin-jik profile, delete the default profiles, and configure the new profile as follows.

  • Tell profile manager to prompt for which profile on every startup.
  • Add my home account
    • Configure manually (Note that you may run into fail2ban issues. fail2ban-client unban <IP> will help.)
      • Inbound server
        • [elided]
        • Autodetect connection security
        • Normal password
        • Username [elided]
      • Outbound server
        • [elided]
        • Autodetect connection security
        • Normal password
        • Username [elided]
    • Change account name to “Home”
    • Check for new messages every 1 minute (Server Settings)
    • Copies & Folders
      • Don’t save copies of Sent messages
      • Change archive folder to “archive” and set the options to a single folder
    • Composition & Addressing
      • Put signature above the quote
      • Include signature for forwards
    • Junk Settings
      • Disable adaptive junk mail controls
      • Change spam folder to “spamtrain”, enable “Move new junk messages to”
    • Turn off message synchronization for all folders and then turn it back on for the ones we want (Synchronization & Storage)
    • Add identities: [elided list of 9 identities, some of which are configured with signature files from my CloudStation directory]
    • NOTE: There are a bunch of folders that I don’t want to show up in the global search results but it’s too much of a pain in the ass to deselect them all one by one (ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1909138) so I’m just going to deal with them as they come up.
  • Add my gmail account
    • Turn off adaptive junk mail controls
    • Connect address book
    • Connect all calendars
    • Don’t save copies of sent messages
  • Disable new mail notifications in settings.
  • Global junk settings under privacy & security
    • Move marked messages to junk folder
    • Mark messages determined to be junk as read
  • Enable checking for new messages in maybespam, isspam.
  • Change layout to classic view
  • Change thread pane layout to table view
  • Change tags:
    • 1 (Important) is red
    • 2 (Work) is orange
    • 3 (Personal) is yellow
    • 4 (To Do) is green
    • 5 (Later) is blue
    • 6 is purple
  • Customize top bar in main window
    • Remove Simple Redirect and Import Export
    • Add Forward as Attachment, Delete, Archive
  • Install add-ons:
    • DKIM Verifier
    • Emoji
    • Folder Pane View Switcher
    • ImportExportTools NG
    • Send Later
    • jik tweaks
    • LookOut (fix version)
    • No Message Pane Sort
    • Remote Content By Folder
    • Simple Mail Redirection
    • ThunderHTMLedit (www.betterbird.eu/addons)
    • ToggleReplied
    • userChromeJS
  • Tell jik tweaks whether to keep sendDrafts disabled
  • Configure Folder Pane View Switcher
  • Configure favorite folders
  • Configure Remote Content By Folder
    • Allow regexp: .*
    • Block regexp: ^(Spam|Trash|Deleted (Items|Messages)|bogospam|isspam|spam|maybespam|mtmmaybespam|spamtrain)$
    • Folders to scan: ^Inbox$|^Sent
    • Check block regexp first
    • Disable debug logging
  • Configure Send Later
    • Copy advanced config from another computer, remove telemetryUUID, tweak as otherwise appropriate, restart Thunderbird
    • Copy NextChol function from another computer
  • Exit from Thunderbird, run make install in ~/build/dotfiles, restart Thunderbird.
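Added example, not from the original post or the extension’s own code: the three Remote Content By Folder regexps above, run through grep -E so they can be sanity-checked against folder names. It assumes the extension matches a folder’s name (not its full path) and that “Check block regexp first” means a name matching both regexps is blocked; with the allow regexp .* that ordering is the only thing keeping the spam folders blocked, which the allow-first comparison shows.

```shell
#!/bin/sh
# Added example, not from the original post or the extension's own code: classify
# folder names with the three Remote Content By Folder regexps so they can be
# sanity-checked with grep -E. Assumes folder names (not full paths) are matched
# and that "check block regexp first" means block wins when both regexps match.
ALLOW_RE='.*'
BLOCK_RE='^(Spam|Trash|Deleted (Items|Messages)|bogospam|isspam|spam|maybespam|mtmmaybespam|spamtrain)$'
SCAN_RE='^Inbox$|^Sent'

matches() { printf '%s\n' "$2" | grep -Eq -e "$1"; }

# 0 if new messages in this folder are examined at all
folder_scanned() { matches "$SCAN_RE" "$1"; }

# block-first ordering, as configured
remote_content_policy() {
    if matches "$BLOCK_RE" "$1"; then echo block
    elif matches "$ALLOW_RE" "$1"; then echo allow
    else echo unchanged
    fi
}

# allow-first ordering, for comparison: the ".*" allow rule wins every time
allow_first_policy() {
    if matches "$ALLOW_RE" "$1"; then echo allow
    elif matches "$BLOCK_RE" "$1"; then echo block
    else echo unchanged
    fi
}

# Constructed folder names: two in the scan set, two spam-ish, one near miss.
for f in Inbox 'Sent Items' spamtrain 'Deleted Items' Spammy; do
    printf '%-14s scanned=%s block-first=%s allow-first=%s\n' "$f" \
        "$(folder_scanned "$f" && echo yes || echo no)" \
        "$(remote_content_policy "$f")" "$(allow_first_policy "$f")"
done
```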