ctr1

👋 right on! I actually also have used containers as a key to my security layout before, but yeah you miss out on all the benefits of portage.

I was doing something crazy and actually running Gentoo inside each one! It was very difficult to stay up-to-date. But I basically had my host as barebones as possible and used LibVirt containers for everything, attempting to make a few templates that I could keep updated and base other VMs on. I was able to keep this up for about two years then I had to relax (was my main PC). But it was really secure, and it does work.

The benefit of encapsulation is that you have a lot of freedom inside each container, like install a different distro if you need to. Also as long as they are isolated you don't need to worry as much about their individual security. But it's still good to. I ran SELinux on the host and non-SELinux (but hardened) in the guests.

SELinux has a lot of advantages over users/groups, but I think the latter can be just as secure if you know what you're doing. For example with SELinux you can prevent certain applications from accessing the network, or restrict access to certain ports, etc. It's also useful for desktop environments where a lot of GUI apps run under one user- e.g. neither my main user nor any other program can access my keepassxc directory, only the keepassxc process (and root) can (even though the application is running under my main user). You can also restrict root quite a bit, especially if you compile in the option to prevent disabling SELinux at boot (I need to recompile my kernel to disable it).

But again while it is fun to learn, it is quite a pain and I've relaxed the setup on my new computer to use a different user for everything (including gui apps), which I think is secure enough for me. But this style relies on my ability to adhere to it, whereas with SELinux you can set it up to where you're forced to

Like others have mentioned, SELinux could be a great addition. It can be a massive pain, but it's really effective at locking things down (if configured properly).

However, the difficulty will depend on the distro. I use it with Gentoo, which has plenty of support/docs for it and provides policies for many packages. Although (when running strict policy types) I usually end up needing to adjust them or write my own.

Obviously Red Hat would be another good choice, but I haven't tried it. Fedora also has good support, but I've only ever used the OOTB targeted policies.

That said, I've started relying on users/groups more often lately, since it really gets in the way of everything.

I alternate between helix and vim depending on the task, and their key bindings are kind of opposite from each other in a lot of ways. I've found that switching back and forth has kept me on my toes a bit and I don't feel as locked in to one editor as I did with vim before trying helix.

So I’m now stuck with my customized neovim, devoid of any hope of abandoning this strange addiction.

I would also try getting used to the defaults or a minimal config, which is also a good way to feel at home in the editor regardless of the system

If you want to mess around with scripting instead of an editor I would recommend Awk- it works great for CSV files and is really powerful. Usually you can use -F, to separate using commas, but for full CSV support (with potential quoted commas) you need to use something like -vFPAT='[^,]*|"[^"]*"' (which isn't POSIX compliant but works with gawk)

I'm not sure how to paste directly into a pane, but you can copy by opening up the scrollback in EDITOR from search mode using Ctrl+S e. This creates a file in /tmp so I try to make sure to clear it when I'm done.

I usually only copy and paste between editor windows using a script that mimics xclip (automatically used by helix), and if I need to paste a command I either edit my bash history or write a script.

Great list. Customizing the font is definitely a priority. I recommend one of the Terminus fonts. Also zellij multiplexer + helix editor is a great combo that works well in the tty.

One thing to add is that it took me a while to create a decent 16-color theme for helix and vim, and while they're okay by default you can actually get a pretty nice looking IDE if you spend some time tinkering with the colors

Ah, nice idea. I've tried a few different ways of doing this, and I think what you're seeing is a discrepancy in how the compiler handles member access into incomplete types. It seems that, in your examples, the compiler is allowing -> decltype(f.private_msg) within the class, but I think it's not selecting do_something outside of it because it uses decltype(t.private_msg). In my case, I'm not even able to do that within the class.

For example, since I'm not able to use decltype(f.private_msg) inside the class, I'm using decltype(private_msg) instead, which causes an error at the do_something declaration related to incomplete type (presumably because of the t.private_msg usage):

// candidate template ignored; member access into incomplete type
template 〈class T〉 auto do_something(T ＆t) -> decltype(t.private_msg);
class Foo {
        const char *private_msg = "You can't touch me!";
        friend auto do_something〈〉(Foo ＆f) -> decltype(private_msg);
};
template 〈〉 auto do_something(Foo ＆f) -> decltype(f.private_msg) {
        return f.private_msg;
}

My reasoning is that removing the t.private_msg from the declaration works:

template 〈class Ret, class T〉 auto do_something(T ＆t) -> Ret;
class Foo {
        const char *private_msg = "You can't touch me!";
        friend auto do_something〈〉(Foo ＆f) -> decltype(private_msg);
};
template 〈〉 auto do_something(Foo ＆f) -> decltype(f.private_msg) {
        return f.private_msg;
}
static Foo foo{};
// this works, but Ret cannot be deduced and must be specified somehow:
static auto something = do_something〈const char*〉(foo);

The reason your second example works is because the friend template inside the class acts as a template declaration rather than a specialization, which isn't specialized until after Foo is complete:

// the do_something inside Foo is a declaration, meaning this isn't used
// template 〈class T〉
// auto do_something(T ＆t) -> decltype(t.private_msg);
class Foo {
        const char *private_msg = "You can't touch me!";
        template 〈class T〉 // t.private_msg is allowed because T is not Foo yet
        friend auto do_something(T ＆t) -> decltype(t.private_msg);
};
template 〈〉 auto do_something(Foo ＆f) -> decltype(f.private_msg) {
        return f.private_msg;
}

I think the issue is that Foo is incomplete when you're declaring the friend, so I think it's impossible. I just tried it and g++ ignores the target candidate due to "member access into incomplete type", which makes sense since std::begin is already defined and calls .begin(). The closest you can get is to use another friend to expose arr and overload std::begin manually, but that's a bit silly 😅

I suppose the most tangible benefit I get out of it is embedding a custom initramfs into the kernel and using it as an EFI stub. And I usually disable module loading and compile in everything I need, which feels cleaner. Also I make sure to tune the settings for my CPU and GPU, enable various virtualization options, and force SELinux to always remain active, among other things.

I have this device and use it to store my keepassxc and onlykey backups, and it's useful to me because I've stopped using passwords (I only need to remember the pins for these devices which can unlock my keepass dbs that have everything else).

It seems secure enough for my use case, especially since the files I store in it are themselves encrypted (the onlykey backup still requires a pin), but I still want them to be difficult to access.

I've had to rely on it before but only because I didn't prepare a backup onlykey ahead of time- ideally it should be one of many recovery methods. But so far it's worked great for me.

Maybe try programming? It's incredibly exciting once you get the hang of it. It can be frustrating at times but it's really rewarding. Since becoming my hobby/job its given me an endless source of things to do at home. Plus it can open up new career paths :)

mpd + ncmpcpp