
Phil Lembo plembo

@plembo
plembo / chromesetchecklist.md
Last active July 26, 2024 15:21
Google Chrome settings checklist

Google Chrome settings checklist

Google Chrome is an acceptably secure browser, but by default arguably not a very private one. Google has wired closed-source Chrome and its underlying open-source Chromium base to serve Google's insatiable need for user behavioral data, and it shows. Here is a list of the changes the Brave browser team makes to fix that: Deviations from Chromium (features we disable or remove).

Given that list, there's no way to make closed-source Chrome significantly more private. But the reality is that many of us still need to use Chrome for a variety of reasons. The following settings checklist is what I use to mitigate risks to my privacy (and make Chrome more usable overall):

  1. You and Google > Sync and Google services: disable everything (including "Allow Chrome sign-ins")
  2. Autofill and passwords > Google Password Manager > Settings: disable everything
@plembo
plembo / tpmsecbootwinkvm.md
Last active April 25, 2024 14:37
KVM libvirt qemu tpm secure boot Windows install

TPM and Secure Boot for Windows 11 guests on KVM

The latest KVM on Ubuntu Desktop 22.04 supports both TPM2.0 and Secure Boot for Windows 11 guests. To use it you'll need to make sure the ovmf package is installed.

If using Virtual Machine Manager (VMM, or virt-manager) to install Windows 11 from a Microsoft iso, be sure to check "Customize configuration before install" before clicking on the "Finish" button. While VMM will automatically detect the operating system version and customize many things, including TPM, it will not choose the correct setting for Secure Boot.

When you get to the VM's configuration screen in VMM, you'll find that a TPM vNone device has already been added. Setting up Secure Boot properly will require manually selecting the correct firmware. To do that:

  1. Select Overview
@plembo
plembo / virgl3d-ubuntu.md
Last active June 26, 2024 13:19
3d acceleration for Linux guests in KVM on Ubuntu Desktop

VirGL for Linux KVM guests on Ubuntu Desktop

NOTE: Please don't ask for help here, it was a miracle that I got it to work at all. Seek answers in the usual places (yes, even Stackoverflow knows more than I do).

The question: How can I get 3d accelerated graphics for Linux guests in KVM without using PCI passthrough?

The short answer is: Use VirGL. The long answer is more complicated, because the VirGL project has had slow but steady progress towards actually working reliably, but the degree to which any given Linux distribution (or related driver project) is in sync has varied greatly over time. Even if it works right now, today, on your machine, it might not tomorrow. Note that even when it works, graphics performance is mediocre to downright painful.

Tested on Ubuntu Desktop 22.04.04 LTS with qemu-kvm, in an "Ubuntu on Xorg" session (not Wayland). Linux guests must have spice-vdagent installed (Ubuntu installs this by default). The hardware is an AMD 5600G d

@plembo
plembo / newmutternostutter.md
Last active May 25, 2024 16:04
Upgrade mutter to eliminate stutter in Gnome terminal on Ubuntu

Upgrade mutter to eliminate stutter

The system impacted is an AMD workstation with NVIDIA graphics, running Gnome desktop on X11. The operating system is Ubuntu Desktop 22.04.4 LTS.

The latest mutter update causes stutter and lagging in Gnome terminal sessions. Switching to xterm relieves the problem, but is not a real solution.

The problem was finally identified as a bug in the code to Canonical's latest update for Gnome's mutter window manager and compositor (Bug #2059847). A preliminary workaround PPA from mutter maintainer Daniel Van Vugt (vanvugt) stopped working after a new official update that retained the original bug. In a 15 May 2024 comment to the bug report (#135), Daniel posted links to corrected packages that fix the issue:

You don't really need to enable jammy-proposed. Just download the 3 proposed packages:
@plembo
plembo / shrinkpdfsize.md
Last active March 27, 2024 15:18
Massively shrink PDF size

Massively shrink the size of a PDF file

Use ghostscript:

$ gs -sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/ebook \
-dNOPAUSE \
-dBATCH \
@plembo
plembo / dellchromelinux.md
Last active May 23, 2024 14:11
Linux on a Dell Chromebook 11

Linux on a Dell Chromebook 11

My retail (not enterprise) Dell Chromebook 11 (an Inspiron model 3181, not the 3180 or 3189) went EOL shortly after I purchased it new from Best Buy. Since then it saw some hard use in the family kitchen as a recipe lookup device, but was finally retired when replaced by a (relatively) newer Android tablet (that also reached EOL shortly thereafter).

NOTE: Ridiculously short lifespans for hardware devices definitely suck, as do all the manufacturers who make them. There should be a law against it.

With an overseas trip looming, I decided to look into refurbishing the Chromebook for use as a privacy hardened travel laptop. Frankly, the thought of TSA and Customs manhandling my trusty portable workstation was too much to bear.

I mostly followed the detailed instructions in the Chrultrabook Docs, using the firmware supplied by MrChromebox. As it turns out, the process was fairly painless, and seemed much more straig

@plembo
plembo / debiangnome.md
Last active February 16, 2024 16:43
Notes on Debian Gnome Desktop

Notes on Debian Gnome Desktop

Some notes on setting up the Gnome desktop on Debian.

This is only for Debian, not Ubuntu.

Base system is Debian 12 Stable (Bookworm).

No joy installing nvidia drivers. Sorry.

@plembo
plembo / ubuntudesktopprint.md
Last active June 17, 2024 17:45
Printing on Ubuntu desktop

Printing on Ubuntu Desktop

Some notes I've brought back from the gist graveyard to address the finer points of printing with Ubuntu desktop.

IMPORTANT: There are many situations in which Zeroconf, and the avahi-daemon that enables it on Linux, is the path of least resistance. For me, a primary consideration is family members who have a low tolerance for friction. Unfortunately, that means that our home printer is enabled for Zeroconf, and my Linux machines (including the home server) have avahi-daemon enabled.

Zeroconf and Printing

Zeroconf, or Zero Configuration, may be a dream for developers, but can be an absolute nightmare for sysadmins and users. Zeroconf aims to allow the system to configure itself automatically for all kinds of external devices, from music players to printers. For many of the latest releases of Ubuntu Desktop, the system is designed to detect any and all printers on the local subnet that are advertising using a number of Zeroconf protocols, and auto

@plembo
plembo / resticbackup.md
Last active March 2, 2024 18:55
Restic backup

Backups with restic

We just recently began to use restic as our main backup solution at home. I'm posting this mostly to document the configuration for myself. Anyone interested in using restic should thoroughly read the documentation before proceeding.

By default, backups are run with encryption and compression enabled. Although many people have all hosts in a multi-host network sharing a single repo, I chose to separate them out (to limit the impact of any future data corruption and simplify security configuration).

@plembo
plembo / debianserver.md
Last active May 2, 2024 20:59
Debian server notes

Notes on Debian as a server

These are some notes on installing and configuring Debian Linux for a server. In this case, my existing home backup/application server that had been running Ubuntu Server 22.04 LTS. The occasion of this migration was a series of hardware failures that resulted in the need to reinstall the operating system.

Hardware

Everything below was done on a 6 year-old desktop-class machine with a 6th gen Intel (Skylake) i7 CPU and 32 GB non-ECC RAM. The boot drive is a (by today's standards) tiny 1 year-old (7836 power-on hours) "spare" 120 GB 2-1/2" SSD (this was the weekend, and the idea of running out to Best Buy on a Saturday was intolerable: besides, Clonezilla will make short work of any future replacement), and data is stored on a new pair of 8 TB hard disks in a JBOD arrangement. All partitions (except EFI and Swap) use the ext4 filesystem sans LVM.

The existing server had been another 3 year-old desktop-class machine with a 2nd gen Ryzen 5 CPU and 32