Versión
Fecha
Comentario
Autor
1.0
10/01/2025
Primera edición. Marco Teórico y Cheat Sheet.
Jes
This guide is a step by step meant to reproduce my workstation environment after a hard wipe of the disk.
This includes:
My Proton referral code
Do not use any network.
Use entire disk + guided partition + encrypted Logical Volume.
Use a separated /home partition.
Select Debian desktop environment and
Grant sudo rights to everyday user.
-
-aG sudo jes
Reboot now.
Load a pre‑downloaded Wireguard profile for Proton VPN.
If wg-quick is available:
mkdir -p /etc/wireguard
cp /mnt/$USER /external_drive_mount_point/Wireward/CH-MX.conf /etc/wireguard/
wg-quick up CH-MX
systemctl enable wg-quick@CH-MX
Reload if you edit the profile:
wg-quick down CH-MX && sudo wg-quick up CH-MX
But it's not If we don't connect to the internet during installation (for example because we only have access to an unsecured network), so we use the GNOME GUI NetworkManager .
First make the file be only accessible by our everyday user:
mkdir -p /etc/wireguard
cp /mnt/$USER /external_drive_mount_point/Wireward/CH-MX.conf /etc/wireguard/
chmod 600 /etc/wireguard/CH-MX.conf
chown $USER :$USER CH-MX.conf
Then proceed with the GUI
Turn on Wi-Fi or connect Ethernet cable and Check public IP .
I run this snippet as root, could also open touch and open file as sudo with gedit/nano and paste it.
<< EOF > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb deb-src
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main non-free-firmware
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
Curl and other utilities are installed here instead of the next section because we use it right away.
apt update && \
apt install extrepo curl wget apt-transport-https -y && \
extrepo enable librewolf && \
wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg && \
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list && \
curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc && \
echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch= $( dpkg --print-architecture ) ] https://repository.mullvad.net/deb/stable stable main" | sudo tee /etc/apt/sources.list.d/mullvad.list
Before continuing we upgrade the packages that were included offline from the installation media:
apt update && \
apt upgrade -y
apt update && \
apt full-upgrade -y && \
apt install -y unattended-upgrades && \
dpkg-reconfigure unattended-upgrades
apt install -y git exiftool vim tar btop ufw apparmor apparmor-utils gnupg gnupg2 gnupg1 gnupg-agent libayatana-appindicator3-1 gir1.2-ayatanaappindicator3-0.1 gnome-shell-extensions gnome-shell-extension-manager gnome-shell-extension-prefs gnome-shell-extension-appindicator gnome-shell-extension-blur-my-shell gnome-shell-extension-impatience gnome-shell-extension-system-monitor gnome-shell-extension-hard-disk-led gnome-shell-extension-user-theme flatpak gnome-software-plugin-flatpak xfce4-terminal clamav clamav-daemon clamtk clamtk-gnome rkhunter fail2ban mullvad-browser librewolf debsig-verify debian-keyring nicotine keepassxc-full webext-keepassxc-browser keepassxc nextcloud-desktop tmux rhythmbox easyeffects perl jq element-desktop
apt update && \
apt autoremove --purge && \
apt clean
ufw default deny incoming && \
ufw default allow outgoing && \
ufw enable
curl -fsSL https://raw.githubusercontent.com/ThatOneCalculator/NerdFetch/main/nerdfetch -o /usr/local/bin/nerdfetch && \
chmod +x /usr/local/bin/nerdfetch && \
echo 'nerdfetch' >> /home/$USER /.bashrc
Links on this website point to old versions: Proton Apps
Individual product websites do point to latest versions... mostly.
But I figured the best way to get the newest links is to check the .json files that contains all version numbers, checksums and download URLs.
For some reason ProtonVPN has the file URL and the checksum published on this support article: How to install the Proton VPN GUI app on Debian .
I failed to find a .json file similar to the other products. I did foud a Release gpg key on the protonvpn repository but the checksum on the support article works fine so we use that.
For mail bridge they use a different integrity verification method: Proton Mail Bridge Signature
export PROTON_VPN_CHECKSUM = "0b14e71586b22e498eb20926c48c7b434b751149b1f2af9902ef1cfe6b03e180" && \
export PROTON_VPN_VERSION = "1.0.8_all" && \
export PROTON_PASS_CHECKSUM = "c742f302f73d59484a11055d58229240c7a0f648b2b9778968b6aac9e814e33c316f2a658cac58b55c518d228b59d92e1215e3eda07a5957fd5c4dddc086c8d0" && \
export PROTON_PASS_VERSION = "1.33.5_amd64" && \
export PROTON_MAIL_CHECKSUM = "eb24eeee66adc282ad7127a3e90cfd075353188f1a259c54d63ceb1883a6bfd4c5de4931a614836c20fedb18f3be1d972cf69486965e973f7f66d87e0120e28e" && \
export PROTON_MAIL_VERSION = "1.12.0" && \
export PROTON_BRIDGE_VERSION = "3.21.2-1_amd64" && \
export PROTON_AUTH_CHECKSUM = "f442dbf6c798586316f0e49cdfec999787cee3a0e1b42d43a868405e4f1f33496eb9e20a15209ad31595b26ac795eb7808bc10c341658c89732727bef5ca55de" && \
export PROTON_AUTH_VERSION = "1.1.4_amd64"
https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_${ PROTON_VPN_VERSION } .deb && \
https://proton.me/download/pass/linux/proton-pass_${ PROTON_PASS_VERSION } .deb && \
https://proton.me/download/authenticator/linux/ProtonAuthenticator_${ PROTON_AUTH_VERSION } .deb && \
https://proton.me/download/mail/linux/${ PROTON_MAIL_VERSION } /ProtonMail-desktop-beta.deb && \
https://proton.me/download/bridge/protonmail-bridge_${ PROTON_BRIDGE_VERSION } .deb
echo " $PROTON_VPN_CHECKSUM protonvpn-stable-release_ ${ PROTON_VPN_VERSION } .deb" | sha256sum --check - && \
echo " $PROTON_PASS_CHECKSUM proton-pass_ ${ PROTON_PASS_VERSION } .deb" | sha512sum --check - && \
echo " $PROTON_AUTH_CHECKSUM ProtonAuthenticator_ ${ PROTON_AUTH_VERSION } .deb" | sha512sum --check - && \
echo " $PROTON_MAIL_CHECKSUM ProtonMail-desktop-beta.deb" | sha512sum --check -
We expect to see all OK to this point.
Now proceed with the verification mechanism for the bridge:
https://proton.me/download/bridge/bridge_pubkey.gpg && \
--dearmor --output debsig.gpg bridge_pubkey.gpg && \
mkdir -p /usr/share/debsig/keyrings/E2C75D68E6234B07 && \
mv debsig.gpg /usr/share/debsig/keyrings/E2C75D68E6234B07 && \
https://proton.me/download/bridge/bridge.pol && \
mkdir -p /etc/debsig/policies/E2C75D68E6234B07 && \
cp bridge.pol /etc/debsig/policies/E2C75D68E6234B07 && \
protonmail-bridge_${ PROTON_BRIDGE_VERSION } .deb
Should yield:
debsig: Verified package from 'Proton AG (Proton Mail Bridge developers) <bridge@protonmail.ch>' (Proton AG)
dpkg -i ./protonvpn-stable-release_${ PROTON_VPN_VERSION } .deb && \
apt update && \
apt install -y proton-vpn-gnome-desktop
apt update && \
dpkg -i ./proton-pass_${ PROTON_PASS_VERSION } .deb && \
dpkg -i ./ProtonAuthenticator_${ PROTON_AUTH_VERSION } .deb && \
dpkg -i ./ProtonMail-desktop-beta.deb && \
dpkg -i ./protonmail-bridge_${ PROTON_BRIDGE_VERSION } .deb
I wouldn't use unofficial RClone plugin for Proton Drive because I'm paying ProtonAG for an enterprise level office-suite and that's what I expect...
For the time being I'm using the Proton Drive Webapp for my personal files, and a Nextcloud instance on my own vps for work-related files.
Deny everything by default and only enable known traffic.
Add fallback "kill-switch" just in case.
export WG_IFACE = "CH-MX"
export PROTON_IFACE = "proton0"
export ETH_IFACE = "en0"
export WIFI_IFACE = "wl0"
ufw reset
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed
ufw allow in on lo
ufw allow in on " $ETH_IFACE " to any port 67 proto udp comment 'DHCP server (eth)'
ufw allow in on " $ETH_IFACE " to any port 68 proto udp comment 'DHCP client (eth)'
ufw allow in on " $WIFI_IFACE " to any port 67 proto udp comment 'DHCP server (wifi)'
ufw allow in on " $WIFI_IFACE " to any port 68 proto udp comment 'DHCP client (wifi)'
# DNS
ufw allow out on " $ETH_IFACE " to 127 .0.0.53 port 53 proto udp comment 'DNS (eth)'
ufw allow out on " $WIFI_IFACE " to 127 .0.0.53 port 53 proto udp comment 'DNS (wifi)'
ufw allow out on " $ETH_IFACE " to " $PROTON_DNS " port 53 proto { udp,tcp} comment 'Proton DNS (eth)'
ufw allow out on " $WIFI_IFACE " to " $PROTON_DNS " port 53 proto { udp,tcp} comment 'Proton DNS (wifi)'
# API de Proton VPN
ufw allow out on " $ETH_IFACE " to any port 443 proto tcp comment 'Proton VPN API (eth)'
ufw allow out on " $WIFI_IFACE " to any port 443 proto tcp comment 'Proton VPN API (wifi)'
# Túneles VPN
ufw allow out on " $WG_IFACE " comment "WireGuard tunnel ( $WG_IFACE ) – outbound"
ufw allow out on " $PROTON_IFACE " comment "Proton VPN tunnel ( $PROTON_IFACE ) – outbound"
ufw allow in on " $PROTON_IFACE " comment "Allow inbound from Proton tunnel (established)"
ufw allow in on " $WG_IFACE " comment "Allow inbound from WireGuard tunnel (established)"
ufw enable
systemctl enable --now apparmor
net.ipv4.tcp_syncookies = 1 – enables SYN-cookies to mitigate SYN-flood attacks that could exhaust the TCP connection table.
net.ipv4.conf.all.rp_filter = 1 – activates reverse-path filtering, discarding packets with source addresses that do not match the expected output path, avoiding spoofing and reflections.
net.ipv4.conf.all.accept_redirects = 0 – ignores ICMP redirects, preventing an attacker from modifying the host's route table.
net.ipv4.icmp_echo_ignore_broadcasts = 1 – blocks responses to broadcast pings, preventing the machine from participating in DDoS amplification attacks.
kernel.randomize_va_space = 2 – enables full ASLR, increasing the randomness of memory layout and making it more difficult to exploit vulnerabilities.
kernel.kptr_restrict = 2 – Hides kernel symbols in /proc/kallsyms from unprivileged users, reducing the information available to local attackers.
fs.suid_dumpable = 0 – prevents processes with SUID/SGID from generating core dumps, avoiding the exposure of sensitive data in case of failures.
As root or sudo with gedit instead:
<< EOF > /etc/sysctl.d/99-hardening.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
fs.suid_dumpable = 0
EOF
sysctl --system
Enable automatic signature updates
freshclam
systemctl enable --now clamav-freshclam
systemctl status clamav-freshclam
systemctl enable --now fail2ban
systemctl status fail2ban
KeepassXC Browser Extension
Allow exntesion on KeepassXC Gui.
remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
-p ~/.local/share/xfce4/terminal/colorschemes
clone https://github.com/rose-pine/xfce-terminal.git ~/Repositories/rose-pine/
~/Repositories/rose-pine/dist/*.theme /home/$USER /.local/share/xfce4/terminal/colorschemes/
-R $USER :$USER ~/.local/share/xfce4
clone https://github.com/neovim/neovim.git
clone ssh://git@codeberg.org/jesmx/tmux.conf.git
clone ssh://git@codeberg.org/jesmx/tmux.powerline.conf.git
clone ssh://git@codeberg.org/jesmx/nvim.conf.git
Use Neovim nightly (main) branch for build from source. Follow up with Personal Tmux and Neovim configurations.
clone ssh://git@codeberg.org/jesmx/Knowledge.git
Easy Effects wiki Community Presets
-p ~/Music/eq_presets/
cd ~/Music/eq_presets/
clone https://github.com/Bundy01/EasyEffects-Presets
clone https://github.com/JackHack96/EasyEffects-Presets.git
clone https://github.com/qbarbosa/PulseEffects-Presets.git
Converting PulseEffects presets to EasyEffects presets:
In EasyEffects 6.0.0 preset structure changed a little. There is a bash shell script that can convert all presets in directory the entire directory.
The script is provided in this issue comment by AbsurdlySuspicious
<< EOF > ~/Music/eq_presets/fix_ef_pe.sh
#!/usr/bin/env bash
# Replace with 'input' if you want to convert input preset
section='output'
# Convert boolean and numeric strings + replace invalid empty blocklist
perl -i -pe 's/"(true|false|[\d\.-]+)"/$1/g; s/(?<="blocklist": )""/[]/g' "$@"
# Fix plugins order using v5 state field (your set up plugin order is preserved)
for f in "$@"; do
# Extract active plugins in right order
po_src=$(jq ".$section"' | . as $out | .plugins_order | .[] | . as $pn | select($out | to_entries | .[] | .key as $key | select(["blocklist", "plugins_order"] | any(. == $key) | not) | select(.value.state != false) | .key == $pn)' "$f" -r)
# Replace order array in config with new one
jq --arg po "$po_src" '($po | split("\n")) as $poa | '".$section.plugins_order"' = $poa' "$f" >tmp
mv tmp "$f"
done
EOF
+x ~/Music/eq_presets/fix_ef_pe.sh
cd ~/Music/eq_presets/fix_ef_pe.sh
*.json
aa-status | grep "enforced"
systemctl is-active clamav-freshclam
systemctl is-active fail2ban
$USER
-lU $USER
ufw status verbose
connection show --active
config --global user.email " $USER @jes.mx"
config --global user.user " $USER "
config --global user.name " $USER "
apt update
apt upgrade -y
apt clean
apt autoremove --purge
Reboot now.
Setup anime girl background and transparent xfce terminal. Make terminal maximize on start, remove scrollbar, remove all terminal key-binds but full-screen. Set rose-pine color theme in settings.
Make VPN GUI launch at startup, setup kill-switch, netshield, ipv6 support, automatic connection to México.
Enable and customize gnome shell extensions.
Install Top Bar Customizer from gnome user extensions and sort the top bar.
Login into NextCloud accounts via Desktop app. Login into Nextcloud accounts via Gnome Accounts.
Setup proton mail bridge.
Login into IMAP & SMPT Accounts via Gnome accounts.
Blast some music and get ready to work ;)