Your document is already well-organized, but here are some suggestions to make it even better:

### Structural Improvements:
1. **Split Into Multiple Files**:
   - Consider separating the "Hardening Guide" and "PCIe Passthrough Guide" into two distinct files
   - Create a `docs/` directory with:
     ```plaintext
     docs/
     ├── hardening/
     │   ├── services.md
     │   ├── network.md
     │   └── kernel.md
     ├── virtualization/
     │   ├── pcie-passthrough.md
     │   └── kvm-optimization.md
     └── README.md (main index)
     ```

2. **Enhanced Navigation**:

   ## Quick Links
   [![Hardening](https://img.shields.io/badge/Go_to-Hardening-blue)](#service-hardening)
   [![Passthrough](https://img.shields.io/badge/Go_to-PCIe_Passthrough-green)](#pcie-passthrough-guide-for-debian)
   ```

### Content Improvements:
1. **Add Risk Indicators**:

   ### :warning: Extreme Measures (Potential Breakage)
   ```bash
   sudo apt purge --auto-remove -y snapd lxd  # [!DANGER]
   ```
   > **Legend**:  
   > [!NOTE] - Safe  
   > [!WARNING] - May affect functionality  
   > [!DANGER] - High breakage risk  
   ```

2. **Version Compatibility**:

   ## Compatibility Matrix
   | Debian Version | Kernel Min | Recommended |
   |----------------|------------|-------------|
   | Bookworm (12)  | 6.1.x      | 6.5+        |
   | Trixie (13)    | 6.6.x      | 6.8+        |
   ```

### Automation Enhancements:
1. **Add Verification Scripts**:
   ```bash
   #!/bin/bash
   # verify_hardening.sh
   echo "=== Service Check ==="
   systemctl list-units --type=service --state=running --no-pager | head -n 5
   
   echo "=== Immutable Files Check ==="
   lsattr /etc/passwd /etc/shadow | grep "----i"
   ```

2. **Include Rollback Procedures**:

   ## Rollback Changes
   ### Revert SSH Hardening
   ```bash
   sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
   ```


### Visual Improvements:
1. **Add ASCII Diagrams**:

   ## Network Flow
   ```plaintext
   [Internet] -> [nftables] -> (DROP)
                   └─[tcp dport 2222] -> [SSH]
   ```

2. **Include Hardware-Specific Notes**:

   ### i7-4790 Specifics
   ```diff
   - Avoid assigning all cores to VM
   + Keep at least 1 physical core for host
   ```


### Documentation Hygiene:
1. **Add Change Log**:
   ```markdown
   ## Revision History
   | Date       | Version | Changes               |
   |------------|---------|-----------------------|
   | 2024-06-01 | 1.1     | Added i350 NIC notes  |
   ```


### Example Improved Section:

## :gear: Kernel Protections [!RECOMMENDED]

### Priority Settings
```bash
# /etc/sysctl.d/99-hardening.conf
#
# Kernel pointer restrictions (1=hidden, 2=hidden+log)
kernel.kptr_restrict=2

# Disable unprivileged namespace creation
kernel.unprivileged_userns_clone=0
```

> **Performance Impact**: <5% CPU overhead on synthetic benchmarks


Would you like me to:
1. Generate a complete revised version with these improvements?
2. Create template files for the suggested directory structure?
3. Focus on enhancing a specific section (e.g., PCIe passthrough)?

---

# Next-Level Debian Hardening & Minimalism

For power users who want **maximum control, security, and performance** from their Debian system.

## Table of Contents
1. [Service Hardening](#service-hardening)
2. [Network Lockdown](#network-lockdown)
3. [Kernel Protections](#kernel-protections)
4. [Filesystem Hardening](#filesystem-hardening)
5. [User Environment](#user-environment)
6. [Extreme Minimalism](#extreme-minimalism)

---

## Service Hardening

### Disable Non-Essential Services
```bash
# List running services
sudo systemctl list-units --type=service --state=running

# Disable cron (if unused)
sudo systemctl disable --now cron.service

# Disable iperf3 (if not benchmarking)
sudo systemctl disable --now iperf3.service

# Disable systemd-logind (headless only)
sudo systemctl mask --now systemd-logind.service
```

### Harden SSH
```bash
sudo sed -i -E \
  -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
  -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
  -e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
  -e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
  /etc/ssh/sshd_config
sudo systemctl restart ssh
```

### Restrict DBus
```bash
sudo mkdir -p /etc/systemd/system/dbus.service.d/
echo '[Service]
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
' | sudo tee /etc/systemd/system/dbus.service.d/harden.conf
sudo systemctl daemon-reload
```

---

## Network Lockdown

### nftables Firewall (Drop All Inbound Except SSH)
```bash
sudo nft flush ruleset
sudo nft -f - <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip protocol icmp accept
    tcp dport 2222 accept
  }
  chain forward { policy drop; }
  chain output { policy accept; }
}
EOF
sudo nft list ruleset | sudo tee /etc/nftables.conf
```

---

## Kernel Protections

### /etc/sysctl.d/99-hardening.conf
```bash
echo "
kernel.kptr_restrict=2
kernel.unprivileged_userns_clone=0
vm.unprivileged_userfaultfd=0
net.core.bpf_jit_harden=2
" | sudo tee /etc/sysctl.d/99-hardening.conf
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
```

---

## Filesystem Hardening

### Immutable Critical Files
```bash
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
```

### Disable SUID Binaries (Except Essentials)
```bash
find / -type f -perm /4000 -not -path '/usr/bin/sudo' \
  -not -path '/usr/bin/passwd' -exec chmod u-s {} \;
```

---

## User Environment

### Secure ~/.bashrc
```bash
echo '
umask 077
alias ports="ss -tulnp | grep -vE '\''127.0.0.1|::1'\''"
' >> ~/.bashrc
```

---

## Extreme Minimalism

### Purge All Bloat
```bash
sudo apt purge --auto-remove -y \
  snapd lxd lxcfs cloud-init unattended-upgrades \
  apparmor policykit-1 popularity-contest
sudo apt autoremove -y --purge
```

### Replace journald with socklog
```bash
sudo apt install socklog-void
sudo systemctl disable --now systemd-journald
sudo systemctl enable --now socklog-unix
```

---

## Verification
```bash
# Check running services (should be < 5)
sudo systemctl list-units --type=service --state=running

# Check installed packages (should be < 150)
dpkg -l | wc -l
```

> **Note:** Adjust based on your needs. This is a **starting point**, not dogma.

```bash
# Check running processes (should be < 20)
ps aux | wc -l

# Check installed packages (should be < 150)
dpkg -l | wc -l
```

```

### How to Use This Document
1. **Copy-paste** sections as needed
2. **Comment out** lines you don't need
3. **Add your own** customizations

---

Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:

---

# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)

## Prerequisites
1. **BIOS Settings**:
   - Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
   - Disable `CSM` (Legacy Boot)
   - Enable `Above 4G Decoding` if available

2. **Verify IOMMU Groups**:
   ```bash
   sudo apt install -y iommu-tools
   sudo dmesg | grep -i iommu  # Should show "DMAR: IOMMU enabled"
   for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
     echo "IOMMU Group ${g##*/}:"
     for d in $g/devices/*; do
       echo -e "\t$(lspci -nns ${d##*/})"
     done
   done
   ```

## Step 1: Configure Kernel for Passthrough
Edit `/etc/default/grub`:
```bash
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off,efifb:off"
```
Then update GRUB:
```bash
sudo update-grub
```

## Step 2: Isolate Target Devices
### For your **Intel I350 NIC (03:00.0 - 03:00.3)**:
```bash
echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
echo "softdep igb pre: vfio-pci" | sudo tee /etc/modproprobe.d/igb.conf
```

## Step 3: Load Required Kernel Modules
```bash
echo "vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
sudo update-initramfs -u
```

## Step 4: Verify Device Isolation
Reboot, then check:
```bash
lspci -nnk -d 8086:1521  # Should show "Kernel driver in use: vfio-pci"
```

## Step 5: KVM/QEMU Setup
### Install minimal virtualization stack:
```bash
sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virt-manager
sudo usermod -aG kvm,input,libvirt $USER
```

### Create VM XML (for NIC passthrough):
```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
  </source>
</hostdev>
```
(Repeat for each NIC function 0x0-0x3)

## Step 6: Performance Tweaks
### CPU Pinning (for your 4C/8T i7-4790):
```xml
<cputune>
  <vcpupin vcpu='0' cpuset='0'/>
  <vcpupin vcpu='1' cpuset='4'/>
  <vcpupin vcpu='2' cpuset='1'/>
  <vcpupin vcpu='3' cpuset='5'/>
</cputune>
```

### Hugepages (1GB):
```bash
echo "vm.nr_hugepages = 8" | sudo tee /etc/sysctl.d/10-hugepages.conf
sudo sysctl -p
```

## Troubleshooting
1. **Error 43 (AMD GPU)**: Use hidden state and vendor_id:
   ```xml
   <kvm>
     <hidden state='on'/>
   </kvm>
   <hyperv>
     <vendor_id state='on' value='1234567890ab'/>
   </hyperv>
   ```

2. **IOMMU Group Issues**: Try:
   ```bash
   sudo virsh nodedev-detach pci_0000_03_00_0
   ```

3. **Performance Checks**:
   ```bash
   sudo perf stat -e 'kvm:*' -a sleep 1
   ```

## Final Notes
- Your **I350 NIC** is ideal for pfSense/OPNsense VMs
- Consider **CPU isolation** for real-time workloads:
  ```bash
  sudo systemctl set-property --runtime -- user.slice AllowedCPUs=0,4
  ```

Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?