Add tech_docs/linux/next_level_debian.md

2025-08-01 02:46:31 -05:00
parent 0e26dcba3b
commit 3f5f60c361


@@ -0,0 +1,280 @@
Here's a **`next_level_debian.md`** document that captures all the hardcore optimizations we've discussed, organized for clarity and reuse:
```markdown
# Next-Level Debian Hardening & Minimalism
For power users who want **maximum control, security, and performance** from their Debian system.
## Table of Contents
1. [Service Hardening](#service-hardening)
2. [Network Lockdown](#network-lockdown)
3. [Kernel Protections](#kernel-protections)
4. [Filesystem Hardening](#filesystem-hardening)
5. [User Environment](#user-environment)
6. [Extreme Minimalism](#extreme-minimalism)
---
## Service Hardening
### Disable Non-Essential Services
```bash
# List running services
sudo systemctl list-units --type=service --state=running
# Disable cron (if unused)
sudo systemctl disable --now cron.service
# Disable iperf3 (if not benchmarking)
sudo systemctl disable --now iperf3.service
# Disable systemd-logind (headless only)
sudo systemctl mask --now systemd-logind.service
```
### Harden SSH
```bash
sudo sed -i -E \
-e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
-e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
-e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
-e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
/etc/ssh/sshd_config
sudo systemctl restart ssh
```
### Restrict DBus
```bash
sudo mkdir -p /etc/systemd/system/dbus.service.d/
echo '[Service]
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
' | sudo tee /etc/systemd/system/dbus.service.d/harden.conf
sudo systemctl daemon-reload
```
---
## Network Lockdown
### nftables Firewall (Drop All Inbound Except SSH)
```bash
sudo nft flush ruleset
sudo nft -f - <<EOF
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state established,related accept
iif lo accept
ip protocol icmp accept
tcp dport 2222 accept
}
chain forward { policy drop; }
chain output { policy accept; }
}
EOF
sudo nft list ruleset | sudo tee /etc/nftables.conf
```
---
## Kernel Protections
### /etc/sysctl.d/99-hardening.conf
```bash
echo "
kernel.kptr_restrict=2
kernel.unprivileged_userns_clone=0
vm.unprivileged_userfaultfd=0
net.core.bpf_jit_harden=2
" | sudo tee /etc/sysctl.d/99-hardening.conf
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
```
---
## Filesystem Hardening
### Immutable Critical Files
```bash
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
```
### Disable SUID Binaries (Except Essentials)
```bash
find / -type f -perm /4000 -not -path '/usr/bin/sudo' \
-not -path '/usr/bin/passwd' -exec chmod u-s {} \;
```
---
## User Environment
### Secure ~/.bashrc
```bash
echo '
umask 077
alias ports="ss -tulnp | grep -vE '\''127.0.0.1|::1'\''"
' >> ~/.bashrc
```
---
## Extreme Minimalism
### Purge All Bloat
```bash
sudo apt purge --auto-remove -y \
snapd lxd lxcfs cloud-init unattended-upgrades \
apparmor policykit-1 popularity-contest
sudo apt autoremove -y --purge
```
### Replace journald with socklog
```bash
sudo apt install socklog-void
sudo systemctl disable --now systemd-journald
sudo systemctl enable --now socklog-unix
```
---
## Verification
```bash
# Check running services (should be < 5)
sudo systemctl list-units --type=service --state=running
# Check installed packages (should be < 150)
dpkg -l | wc -l
```
> **Note:** Adjust based on your needs. This is a **starting point**, not dogma.
```
### How to Use This Document
1. **Copy-paste** sections as needed
2. **Comment out** lines you don't need
3. **Add your own** customizations
---
Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:
---
# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)
## Prerequisites
1. **BIOS Settings**:
- Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
- Disable `CSM` (Legacy Boot)
- Enable `Above 4G Decoding` if available
2. **Verify IOMMU Groups**:
```bash
sudo apt install -y iommu-tools
sudo dmesg | grep -i iommu # Should show "DMAR: IOMMU enabled"
for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
echo "IOMMU Group ${g##*/}:"
for d in $g/devices/*; do
echo -e "\t$(lspci -nns ${d##*/})"
done
done
```
## Step 1: Configure Kernel for Passthrough
Edit `/etc/default/grub`:
```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off,efifb:off"
```
Then update GRUB:
```bash
sudo update-grub
```
## Step 2: Isolate Target Devices
### For your **Intel I350 NIC (03:00.0 - 03:00.3)**:
```bash
echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
echo "softdep igb pre: vfio-pci" | sudo tee /etc/modproprobe.d/igb.conf
```
## Step 3: Load Required Kernel Modules
```bash
echo "vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
sudo update-initramfs -u
```
## Step 4: Verify Device Isolation
Reboot, then check:
```bash
lspci -nnk -d 8086:1521 # Should show "Kernel driver in use: vfio-pci"
```
## Step 5: KVM/QEMU Setup
### Install minimal virtualization stack:
```bash
sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virt-manager
sudo usermod -aG kvm,input,libvirt $USER
```
### Create VM XML (for NIC passthrough):
```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
<source>
<address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</source>
</hostdev>
```
(Repeat for each NIC function 0x0-0x3)
## Step 6: Performance Tweaks
### CPU Pinning (for your 4C/8T i7-4790):
```xml
<cputune>
<vcpupin vcpu='0' cpuset='0'/>
<vcpupin vcpu='1' cpuset='4'/>
<vcpupin vcpu='2' cpuset='1'/>
<vcpupin vcpu='3' cpuset='5'/>
</cputune>
```
### Hugepages (1GB):
```bash
echo "vm.nr_hugepages = 8" | sudo tee /etc/sysctl.d/10-hugepages.conf
sudo sysctl -p
```
## Troubleshooting
1. **Error 43 (AMD GPU)**: Use hidden state and vendor_id:
```xml
<kvm>
<hidden state='on'/>
</kvm>
<hyperv>
<vendor_id state='on' value='1234567890ab'/>
</hyperv>
```
2. **IOMMU Group Issues**: Try:
```bash
sudo virsh nodedev-detach pci_0000_03_00_0
```
3. **Performance Checks**:
```bash
sudo perf stat -e 'kvm:*' -a sleep 1
```
## Final Notes
- Your **I350 NIC** is ideal for pfSense/OPNsense VMs
- Consider **CPU isolation** for real-time workloads:
```bash
sudo systemctl set-property --runtime -- user.slice AllowedCPUs=0,4
```
Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?
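Review bot: the nftables and SSH sections of this file lock the host out when applied as written: the only inbound port the ruleset opens is `tcp dport 2222 accept`, but the sed over /etc/ssh/sshd_config never sets `Port 2222`, so sshd keeps listening on 22 and the `policy drop` on the input chain kills the session; either add `-e 's/^#?Port .*/Port 2222/'` to the sed (and run `sshd -t` before `systemctl restart ssh`) or open `tcp dport 22`. In the same ruleset `chain forward { policy drop; }` has no `type filter hook forward priority 0;`, and nft only accepts a `policy` on a base chain, so the whole `nft -f` load is rejected; `ip protocol icmp accept` in an `inet` table matches IPv4 only, so ICMPv6 and with it IPv6 neighbour discovery are dropped unless `meta l4proto ipv6-icmp accept` is added; and the file written by `nft list ruleset | tee /etc/nftables.conf` has no leading `flush ruleset`, so every later `nft -f` of it appends a second copy of the rules. Under Filesystem Hardening, `chattr +i` on /etc/passwd, /etc/shadow, /etc/group and /etc/sudoers breaks passwd, useradd, visudo and any package postinst that touches accounts (they write a temp file and rename over the original, which the immutable bit forbids), so the section needs a `chattr -i` step before upgrades or account changes. The SUID sweep runs `find / ... -exec chmod u-s` without sudo so it mostly fails, lacks `-xdev` so it walks /proc and every mount, and where it does succeed it strips su, mount, umount, newgrp, chsh and chfn; the allowlist needs at least those, and `find / -xdev -perm /4000` should be captured before and after. Under Extreme Minimalism, purging apparmor and unattended-upgrades removes the MAC layer Debian ships enabled and automatic security updates, the opposite of hardening; purging policykit-1 removes what non-root `systemctl` and libvirt's default socket auth go through (and libvirt-daemon-system in Step 5 depends on it), and masking systemd-logind breaks `systemctl --user` and session tracking. `socklog-void` is a Void Linux package with no Debian equivalent, and journald cannot be disabled while systemd is PID 1 without losing service stdout/stderr; `Storage=volatile` in journald.conf is the Debian-native way to get the same effect. In the passthrough half: `iommu-tools` does not exist in Debian (the loop only needs lspci from pciutils); `/etc/modproprobe.d/igb.conf` should be `/etc/modprobe.d/igb.conf`; `pcie_acs_override=downstream,multifunction` requires an out-of-tree patch the Debian kernel does not carry, and where it is present it splits IOMMU groups by lying to the kernel, so devices in a split group can still DMA to each other, which deserves a warning rather than a place in the default command line; `nofb nomodeset video=vesafb:off,efifb:off` blanks the host console and is GPU-passthrough residue unrelated to a NIC. `ids=8086:1521` binds every I350 port in the box to vfio-pci, so if the host's own uplink is also an I350 it goes offline at boot; say so, or use `driver_override` on the specific 03:00.x addresses. Error 43 is the NVIDIA GeForce driver's VM check, not an AMD issue, so the troubleshooting heading is wrong. `vm.nr_hugepages = 8` followed by `sudo sysctl -p` reads /etc/sysctl.conf rather than the new file (use `sysctl --system`), and 8 pages are 16 MB of 2 MB pages unless `default_hugepagesz=1G hugepagesz=1G` is on the kernel command line, so the "1GB" heading does not match the setting. Finally, `AllowedCPUs=0,4` on user.slice confines host user tasks to the same CPUs the `<cputune>` block pins vCPUs 0 and 1 to; the host slice should get the complement of the pinned set, here 2,3,6,7.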