the_information_nexus/tech_docs/linux/next_level_debian.md

Your document is already well-organized, but here are some suggestions to make it even better:

Structural Improvements:

  1. Split Into Multiple Files:

    • Consider separating the "Hardening Guide" and "PCIe Passthrough Guide" into two distinct files
    • Create a docs/ directory with:
      ```
      docs/
      ├── hardening/
      │   ├── services.md
      │   ├── network.md
      │   └── kernel.md
      ├── virtualization/
      │   ├── pcie-passthrough.md
      │   └── kvm-optimization.md
      └── README.md (main index)
      ```
  2. Enhanced Navigation:

    ## Quick Links
    [![Hardening](https://img.shields.io/badge/Go_to-Hardening-blue)](#service-hardening)
    [![Passthrough](https://img.shields.io/badge/Go_to-PCIe_Passthrough-green)](#pcie-passthrough-guide-for-debian)
    

Content Improvements:

  1. Add Risk Indicators:

    ### :warning: Extreme Measures (Potential Breakage)
    ```bash
    sudo apt purge --auto-remove -y snapd lxd  # [!DANGER]
    ```

    Legend:
    [!NOTE] - Safe
    [!WARNING] - May affect functionality
    [!DANGER] - High breakage risk

  2. Version Compatibility:

    ## Compatibility Matrix
    | Debian Version | Kernel Min | Recommended |
    |----------------|------------|-------------|
    | Bookworm (12)  | 6.1.x      | 6.5+        |
    | Trixie (13)    | 6.6.x      | 6.8+        |
    

Automation Enhancements:

  1. Add Verification Scripts:

    ```bash
    #!/bin/bash
    # verify_hardening.sh
    echo "=== Service Check ==="
    systemctl list-units --type=service --state=running --no-pager | head -n 5

    echo "=== Immutable Files Check ==="
    lsattr /etc/passwd /etc/shadow | grep "----i"
    ```

  2. Include Rollback Procedures:

    ## Rollback Changes
    ### Revert SSH Hardening
    ```bash
    sudo sed -i 's/^PermitRootLogin no/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
    ```

Visual Improvements:

  1. Add ASCII Diagrams:

    ## Network Flow
    ```
    [Internet] -> [nftables] -> (DROP)
                      └─[tcp dport 2222] -> [SSH]
    ```

  2. Include Hardware-Specific Notes:

    ### i7-4790 Specifics
    ```diff
    - Avoid assigning all cores to VM
    + Keep at least 1 physical core for host
    ```


Documentation Hygiene:

  1. Add Change Log:

    ## Revision History
    | Date       | Version | Changes               |
    |------------|---------|-----------------------|
    | 2024-06-01 | 1.1     | Added i350 NIC notes  |
    
  2. Include Contributor Guidelines:

    ## How to Contribute
    1. Fork this document
    2. Test changes on VM first
    3. Submit PR with verification output
    

Example Improved Section:

## :gear: Kernel Protections [!RECOMMENDED]

### Priority Settings
```bash
# /etc/sysctl.d/99-hardening.conf
#
# Kernel pointer restrictions (1=hidden from unprivileged users, 2=hidden from everyone, root included)
kernel.kptr_restrict=2

# Disable unprivileged namespace creation
kernel.unprivileged_userns_clone=0
```

Performance Impact: <5% CPU overhead on synthetic benchmarks


Would you like me to:
1. Generate a complete revised version with these improvements?
2. Create template files for the suggested directory structure?
3. Focus on enhancing a specific section (e.g., PCIe passthrough)?

---

# Next-Level Debian Hardening & Minimalism

For power users who want **maximum control, security, and performance** from their Debian system.

## Table of Contents
1. [Service Hardening](#service-hardening)
2. [Network Lockdown](#network-lockdown)
3. [Kernel Protections](#kernel-protections)
4. [Filesystem Hardening](#filesystem-hardening)
5. [User Environment](#user-environment)
6. [Extreme Minimalism](#extreme-minimalism)

---

## Service Hardening

### Disable Non-Essential Services
```bash
# List running services
sudo systemctl list-units --type=service --state=running

# Disable cron (if unused)
sudo systemctl disable --now cron.service

# Disable iperf3 (if not benchmarking)
sudo systemctl disable --now iperf3.service

# Disable systemd-logind (headless only)
sudo systemctl mask --now systemd-logind.service
```

### Harden SSH
```bash
sudo sed -i -E \
  -e 's/^#?PermitRootLogin .*/PermitRootLogin no/' \
  -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
  -e 's/^#?ClientAliveInterval .*/ClientAliveInterval 300/' \
  -e 's/^#?MaxAuthTries .*/MaxAuthTries 3/' \
  /etc/ssh/sshd_config
sudo sshd -t   # validate the config before restarting; a typo here locks you out
sudo systemctl restart ssh
```
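As an added example (not part of the original guide), the same settings applied with a small bash helper that replaces a directive if present and appends it if not, so a keyword missing from `sshd_config` is not silently left at its default. It also sets `Port 2222` to match the nftables rule in the Network Lockdown section. GNU sed and the helper names (`set_sshd_option`, `get_sshd_option`, `harden_sshd`) are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the original guide. The sed one-liner above only
# rewrites directives that are already present in sshd_config; one that is
# absent silently keeps its default. These helpers replace or append instead,
# and Port 2222 is included so sshd matches the nftables rule further down.
# Assumes GNU sed (for the case-insensitive "I" flag); helper names are mine.

# set_sshd_option FILE KEY VALUE: rewrite an active or commented-out line
# for KEY in place, or append "KEY VALUE" if no such line exists.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -qiE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY: effective value of KEY in FILE. sshd honours the
# first occurrence of a keyword, so the first active line wins here as well.
get_sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the same settings as the sed block above, plus Port.
harden_sshd() {
  local file="$1" kv
  for kv in 'PermitRootLogin no' 'PasswordAuthentication no' \
            'ClientAliveInterval 300' 'MaxAuthTries 3' 'Port 2222'; do
    set_sshd_option "$file" ${kv}   # unquoted on purpose: splits key / value
  done
}

# Demo on a constructed copy, so the host's sshd_config is untouched. Debian 12's
# real file starts with "Include /etc/ssh/sshd_config.d/*.conf" and a drop-in
# there wins over the main file, so check the effective result with
# `sudo sshd -T | grep -iE '^(permitrootlogin|port) '` before restarting ssh.
demo() {
  local tmp; tmp="$(mktemp)"
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
    '#MaxAuthTries 6' 'X11Forwarding no' > "$tmp"   # constructed sample
  harden_sshd "$tmp"
  cat "$tmp"
  rm -f "$tmp"
}
demo
```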

### Restrict DBus
```bash
sudo mkdir -p /etc/systemd/system/dbus.service.d/
echo '[Service]
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
' | sudo tee /etc/systemd/system/dbus.service.d/harden.conf
sudo systemctl daemon-reload
```

## Network Lockdown

### nftables Firewall (Drop All Inbound Except SSH)
```bash
# Only TCP 2222 is opened: set "Port 2222" in sshd_config first (or change
# the dport below to 22), otherwise the next SSH connection is dropped.
sudo nft flush ruleset
sudo nft -f - <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept   # IPv6 neighbour discovery breaks without this
    tcp dport 2222 accept
  }
  # "policy" is only valid on base chains, so forward/output need a hook as well
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output { type filter hook output priority 0; policy accept; }
}
EOF
sudo nft list ruleset | sudo tee /etc/nftables.conf
sudo systemctl enable nftables   # loads /etc/nftables.conf at boot
```

## Kernel Protections

### /etc/sysctl.d/99-hardening.conf
```bash
echo "
# hide kernel pointers from everyone, root included
kernel.kptr_restrict=2
# Debian-specific sysctl: block unprivileged user namespaces
kernel.unprivileged_userns_clone=0
# userfaultfd only for CAP_SYS_PTRACE
vm.unprivileged_userfaultfd=0
# BPF JIT hardening for all users, not just unprivileged ones
net.core.bpf_jit_harden=2
" | sudo tee /etc/sysctl.d/99-hardening.conf
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
```
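As an added example (not part of the original guide), a bash audit that reads the hardening file back and compares each key with the value the running kernel exposes under `/proc/sys`, reporting keys this kernel does not have (such as `kernel.unprivileged_userns_clone` on non-Debian kernels) as missing instead of aborting. The function names and the optional `SYS_ROOT` argument are assumptions of this example; `SYS_ROOT` exists so the audit can be run against a constructed tree.

```bash
#!/bin/bash
# Added example, not part of the original guide: read the hardening file back
# and compare every key with what the kernel exposes under /proc/sys, instead
# of trusting that `sysctl -p` applied it. A key this kernel lacks (for
# instance kernel.unprivileged_userns_clone, which only Debian-patched kernels
# have) is reported as MISSING rather than aborting the run. The SYS_ROOT
# argument and the function names are mine; SYS_ROOT exists so the audit can
# be exercised against a constructed tree and defaults to the real /proc/sys.

trim() { local s="$*"; s="${s#"${s%%[![:space:]]*}"}"; printf '%s' "${s%"${s##*[![:space:]]}"}"; }

# audit_sysctl CONF [SYS_ROOT]: prints one "OK|MISMATCH|MISSING ..." line per
# entry and returns 1 if anything is not OK.
audit_sysctl() {
  local conf="$1" root="${2:-/proc/sys}" rc=0 line key want got path
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                            # strip comments
    case "$line" in *=*) ;; *) continue ;; esac   # skip blank lines
    key="$(trim "${line%%=*}")"; want="$(trim "${line#*=}")"
    path="$root/$(printf '%s' "$key" | tr . /)"   # net.core.x -> net/core/x
    if [ ! -r "$path" ]; then
      printf 'MISSING %s want=%s\n' "$key" "$want"; rc=1; continue
    fi
    got="$(trim "$(tr -s '[:space:]' ' ' < "$path")")"
    if [ "$got" = "$want" ]; then
      printf 'OK %s=%s\n' "$key" "$got"
    else
      printf 'MISMATCH %s want=%s got=%s\n' "$key" "$want" "$got"; rc=1
    fi
  done < "$conf"
  return "$rc"
}

# Demo against a constructed tree (runs offline, touches nothing real):
# one key correct, one wrong, one absent from the "kernel".
demo_audit() {
  local d; d="$(mktemp -d)"
  mkdir -p "$d/sys/kernel" "$d/sys/net/core"
  echo 2 > "$d/sys/kernel/kptr_restrict"
  echo 1 > "$d/sys/net/core/bpf_jit_harden"
  printf '%s\n' 'kernel.kptr_restrict=2' 'kernel.unprivileged_userns_clone=0' \
    'net.core.bpf_jit_harden = 2' > "$d/99-hardening.conf"
  audit_sysctl "$d/99-hardening.conf" "$d/sys" || echo "audit found problems"
  rm -rf "$d"
}
demo_audit
```

Run it against the real kernel with `audit_sysctl /etc/sysctl.d/99-hardening.conf` after the `sysctl -p` above.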

## Filesystem Hardening

### Immutable Critical Files
```bash
# Lift with "chattr -i" before adding users or editing sudoers, or those tools fail
sudo chattr +i /etc/passwd /etc/shadow /etc/group /etc/sudoers
```

### Disable SUID Binaries (Except Essentials)
```bash
# Strips setuid from everything except sudo and passwd. This also disables su,
# mount/umount, ping and similar; review the list first:
#   sudo find / -type f -perm /4000
sudo find / -type f -perm /4000 -not -path '/usr/bin/sudo' \
  -not -path '/usr/bin/passwd' -exec chmod u-s {} \;
```

## User Environment

### Secure ~/.bashrc
```bash
echo '
umask 077
alias ports="ss -tulnp | grep -vE '\''127.0.0.1|::1'\''"
' >> ~/.bashrc
```

## Extreme Minimalism

### Purge All Bloat
```bash
sudo apt purge --auto-remove -y \
  snapd lxd lxcfs cloud-init unattended-upgrades \
  apparmor policykit-1 popularity-contest
sudo apt autoremove -y --purge
```

### Replace journald with socklog
```bash
sudo apt install socklog-void
sudo systemctl disable --now systemd-journald
sudo systemctl enable --now socklog-unix
```

## Verification
```bash
# Check running services (should be < 5)
sudo systemctl list-units --type=service --state=running

# Check running processes (should be < 20)
ps aux | wc -l

# Check installed packages (should be < 150)
dpkg -l | wc -l
```

Note: Adjust based on your needs. This is a starting point, not dogma.

### How to Use This Document
1. **Copy-paste** sections as needed
2. **Comment out** lines you don't need
3. **Add your own** customizations

---

Here's a **no-nonsense PCIe passthrough guide** for your Debian system, optimized for your **Intel i7-4790 + Intel I350 NIC** hardware:

---

# PCIe Passthrough Guide for Debian (VT-d Enabled Systems)

## Prerequisites
1. **BIOS Settings**:
   - Enable `VT-d` (Intel) or `AMD-Vi` (AMD)
   - Disable `CSM` (Legacy Boot)
   - Enable `Above 4G Decoding` if available

2. **Verify IOMMU Groups**:
   ```bash
   sudo apt install -y pciutils  # provides lspci, used below
   sudo dmesg | grep -i iommu  # Should show "DMAR: IOMMU enabled"
   for g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 | sort -V); do
     echo "IOMMU Group ${g##*/}:"
     for d in $g/devices/*; do
       echo -e "\t$(lspci -nns ${d##*/})"
     done
   done
   ```

## Step 1: Configure Kernel for Passthrough

Edit `/etc/default/grub`:
```bash
# pcie_acs_override is only honoured by kernels carrying the ACS override patch
# (stock Debian kernels do not); an unknown parameter is ignored with a warning.
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction nofb nomodeset video=vesafb:off,efifb:off"
```

Then update GRUB:
```bash
sudo update-grub
```

## Step 2: Isolate Target Devices

For your Intel I350 NIC (03:00.0 - 03:00.3):
```bash
echo "options vfio-pci ids=8086:1521 disable_vga=1" | sudo tee /etc/modprobe.d/vfio.conf
# make vfio-pci claim the NIC before the igb driver gets the chance
echo "softdep igb pre: vfio-pci" | sudo tee /etc/modprobe.d/igb.conf
```

## Step 3: Load Required Kernel Modules
```bash
# vfio_virqfd was folded into vfio in kernel 6.2; on newer kernels
# systemd-modules-load merely logs that it is missing.
echo "vfio
vfio_iommu_type1
vfio_pci
vfio_virqfd" | sudo tee /etc/modules-load.d/vfio.conf
sudo update-initramfs -u
```

## Step 4: Verify Device Isolation

Reboot, then check:
```bash
lspci -nnk -d 8086:1521  # Should show "Kernel driver in use: vfio-pci"
```

## Step 5: KVM/QEMU Setup

Install minimal virtualization stack:
```bash
sudo apt install -y --no-install-recommends qemu-system-x86 libvirt-daemon-system virt-manager
sudo usermod -aG kvm,input,libvirt $USER
```

Create VM XML (for NIC passthrough):
```xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
  </source>
</hostdev>
```

(Repeat for each NIC function 0x0-0x3)

## Step 6: Performance Tweaks

### CPU Pinning (for your 4C/8T i7-4790)
```xml
<!-- cpusets 0/4 and 1/5 are the two SMT threads of one physical core each on the
     usual Linux numbering; confirm with "lscpu -e" before pinning -->
<cputune>
  <vcpupin vcpu='0' cpuset='0'/>
  <vcpupin vcpu='1' cpuset='4'/>
  <vcpupin vcpu='2' cpuset='1'/>
  <vcpupin vcpu='3' cpuset='5'/>
</cputune>
```

### Hugepages (1GB)
```bash
# vm.nr_hugepages reserves default-size (2 MiB) pages, so 8 here is 16 MiB in total.
# 1 GiB pages have to be reserved on the kernel command line instead, e.g.
# "default_hugepagesz=1G hugepagesz=1G hugepages=N" in GRUB_CMDLINE_LINUX_DEFAULT.
echo "vm.nr_hugepages = 8" | sudo tee /etc/sysctl.d/10-hugepages.conf
sudo sysctl -p /etc/sysctl.d/10-hugepages.conf   # plain "sysctl -p" only reads /etc/sysctl.conf
```

## Troubleshooting

  1. Error 43 (AMD GPU): Use hidden state and vendor_id:

    ```xml
    <kvm>
      <hidden state='on'/>
    </kvm>
    <hyperv>
      <vendor_id state='on' value='1234567890ab'/>
    </hyperv>
    ```

  2. IOMMU Group Issues: Try:

    ```bash
    sudo virsh nodedev-detach pci_0000_03_00_0
    ```

  3. Performance Checks:

    ```bash
    sudo perf stat -e 'kvm:*' -a sleep 1
    ```


## Final Notes

  • Your I350 NIC is ideal for pfSense/OPNsense VMs
  • Consider CPU isolation for real-time workloads:
    ```bash
    sudo systemctl set-property --runtime -- user.slice AllowedCPUs=0,4
    ```


Want me to adapt this for a specific VM (e.g., networking appliance/gaming VM)?