Shawn Hensley sahensley

@natterangell
natterangell / ReadMe.md
Last active June 4, 2026 23:11
Generalized UKI on modern Linux-distributions

Generating a unified kernel image with minimal modification to distribution defaults

The aim of this process is to improve on the out-of-the-box security and convenience that the default full disk encryption (FDE) setup of most modern Linux distributions offers. The target systems are laptops with UEFI and TPM 2.0 chips.

The overarching inspiration for writing this up can be found in Lennart Poettering's blog post from 2022.

Most of these steps can easily be adapted to any distribution that ships with systemd 256 or newer. Alternatives exist for other distributions and init systems, but they require a bit more tweaking.

The goals are:

  1. Leave the default installation "as is": For Fedora 41, this means GRUB as bootloader, unencrypted /boot partition and LUKS-encrypted /root (and /home, /var etc., if set up)
@SmartFinn
SmartFinn / sign-kernel-longterm.sh
Created September 2, 2023 19:04
Automatically signing long term kernels with Machine Owner Key (MOK) using post-install script
#!/bin/bash
# file: /etc/kernel/postinst.d/sign-kernel-longterm
#
# Create signing keys:
#
# openssl req -new -x509 -newkey rsa:4096 \
# -keyout MOK.priv \
# -outform DER -out MOK.der \
# -nodes -days 36500 -subj "/CN=Descriptive Name/"
#
@meeas
meeas / DebianSid_on_LUKS-BTRFS_with_systemd-boot.md
Last active April 8, 2026 15:43
For installing Debian Sid with LUKS2 encrypted BTRFS filesystem with Systemd-boot and rEFInd bootloaders plus an option for dualboot to Windows

For directly installing Debian Sid with features not supported by the Debian installer, namely:

  • Single LUKS2 encrypted partition which contains the full installation
  • Single BTRFS filesystem (integrated home partition)
  • Encrypted swapfile in BTRFS subvolume (supports laptop suspend but not hibernate)
  • Uses systemd-boot bootloader (instead of Grub2, also optional rEFInd instructions)
  • Minimal Gnome install (plus instructions for any other DE you wish)
  • Proper user groups for common security tools like sudo-less Wireshark, etc...
  • Optional removal of crypto keys from RAM during laptop suspend
  • Optional configurations for laptops (including fingerprint readers)
@greyltc
greyltc / launch-GRD.sh
Last active April 14, 2026 02:28
configures then activates gnome-remote-desktop from the command line
#!/usr/bin/env bash
# run this on the remote terminal machine, as a user with sudo powers, probably through a remote ssh shell
# this will overwrite all the settings it touches
# the name of the user to run these commands as
TARGET_USER=jane
# we need an unlocked desktop session. we can either start a new autologin one or unlock an existing one
@katef
katef / cloud.vcl
Last active May 14, 2022 19:50
HTTP Moomin delivery
sub cloud_moomin {
set resp.http.moomin00 = " %1b[38;5;237m▄%1b[38;5;235m▄%1b[49m";
set resp.http.moomin01 = " %1b[38;5;237m▄%1b[48;5;237m%1b[38;5;249m▄%1b[38;5;236m▄%1b[49m %1b[48;5;239m%1b[38;5;16m▄%1b[48;5;237m%1b[38;5;253m▄%1b[38;5;247m▄%1b[48;5;234m%1b[38;5;16m▄%1b[49m";
set resp.http.moomin02 = " %1b[38;5;233m▄%1b[48;5;253m%1b[38;5;237m▄%1b[48;5;254m%1b[38;5;255m▄%1b[38;5;251m▄%1b[38;5;239m%1b[49m▄ %1b[38;5;237m▄ %1b[48;5;254m%1b[38;5;248m▄%1b[48;5;249m%1b[38;5;254m▄%1b[48;5;235m%1b[38;5;246m▄%1b[49m";
set resp.http.moomin03 = " %1b[38;5;235m▄%1b[48;5;250m%1b[38;5;242m▄%1b[48;5;231m %1b[48;5;247m%1b[38;5;231m▄%1b[48;5;252m▄%1b[48;5;253m▄%1b[48;5;254m▄%1b[48;5;253m▄%1b[48;5;249m▄%1b[48;5;188m▄%1b[48;5;245m%1b[38;5;251m▄%1b[49m";
set resp.http.moomin04 = "
@aamnah
aamnah / README.md
Last active March 22, 2026 18:26
Cheats and helpers for creating a custom oh-my-zsh theme and git prompt

Zsh custom git prompt cheatsheet

Everything you need for customizing your git prompt in oh-my-zsh

  • print and echo commands for all functions in the git plugin. Printing and echoing because then I can check what values are output. Massively helpful when creating a theme.
  • a list of all the variables that you can use to customize $(git_prompt_info), thanks to vergenzt
grep -o "ZSH_THEME_GIT_[A-Z_]\+" lib/git.zsh| sort | uniq
@MaxXor
MaxXor / btrfs-guide.md
Last active May 31, 2026 12:24
Btrfs guide to set up an LUKS-encrypted btrfs raid volume with included maintenance & recovery guide

Encrypted Btrfs storage setup and maintenance guide

Initial setup with LUKS/dm-crypt

This example initial setup uses two devices, /dev/sdb and /dev/sdc, but can be applied to any number of devices by following the steps with additional devices.

Create keyfile:

dd bs=64 count=1 if=/dev/urandom of=/etc/cryptkey iflag=fullblock
chmod 600 /etc/cryptkey
@rivo
rivo / postgres.go
Last active February 19, 2026 23:09
A demo Go application (a PostgreSQL database browser) highlighting the use of the rivo/tview package. See https://github.com/rivo/tview/wiki/Postgres
package main
import (
"database/sql"
"fmt"
"net/url"
"os"
"reflect"
"regexp"
"strconv"
@SKempin
SKempin / Git Subtree basics.md
Last active May 13, 2026 12:19
Git Subtree basics

Git Subtree Basics

If you hate git submodule, then you may want to give git subtree a try.

Background

When you want to use a subtree, you add the subtree to an existing repository where the subtree is a reference to another repository url and branch/tag. This add command adds all the code and files into the main repository locally; it's not just a reference to a remote repo.

When you stage and commit files for the main repo, it will add all of the remote files in the same operation. The subtree checkout will pull all the files in one pass, so there is no need to try and connect to another repo to get the portion of subtree files, because they were already included in the main repo.

Adding a subtree

Let's say you already have a git repository with at least one commit. You can add another repository into this repository like this:

@simonw
simonw / recover_source_code.md
Last active December 25, 2025 23:58
How to recover lost Python source code if it's still resident in-memory

How to recover lost Python source code if it's still resident in-memory

I screwed up using git ("git checkout --" on the wrong file) and managed to delete the code I had just written... but it was still running in a process in a docker container. Here's how I got it back, using https://pypi.python.org/pypi/pyrasite/ and https://pypi.python.org/pypi/uncompyle6

Attach a shell to the docker container

Install GDB (needed by pyrasite)

apt-get update && apt-get install gdb