This is the big one, since I spend most of my time in front of these.

These machines run mostly standard software, with the things I use most heavily customized to my needs. Consequently, I mostly use software I am able to customize when I feel the need (Mostly to save time, but sometimes out of a need for comfort).

On the hardware side of things, I like the ThinkPad T-Series. Granted, they were better when IBM still made them, but the early-model Lenovo ones still feature the a better keyboard and general serviceability than all of the consumer Laptops manufactured today. Also, they are pretty easy to get cheap on eBay.

The latest model I use is currently a T410, though I also keep a stack of T60 and T61 models around, which are configured to be used interchangeably. That way, if one of them breaks irrecoverably, I can just use another one (and maybe replace the broken one in the future), saving a lot of buying stress. Another benefit is that each of the units usually come with a charger compatible across the product line.

You’ll notice that these machines are definitely not latest generation, and in most cases just have a basic dual core processor. That’s fine for me though, since I rarely game or indulge in other graphics- or CPU-heavy computing (except for compiling things, but that works well enough).

The main reasons I use these machines over other manufacturers or even later ThinkPad models are

Almost all the software I use regularly is free and/or open-source, and most of it is available from the Debian package repositories.

• OS: Debian stable
• Synchronization: git
• Window manager: ratpoison jwm
• Shell: zsh
• Terminal emulator: rxvt-unicode
• Terminal multiplexer: tmux screen
• Editor: vim scite
• Development: gcc tcc clang git valgrind strace
• Audio: ALSA (alsa-base alsa-utils)
• Multimedia: vlc mplayer xli
• Wireless connection manager: wicd-curses
• PDF Viewer: zathura
• Password management: keepassx
• Web browsing: chromium firefox netsurf
• Miscellaneous: htop xfe scrot xsel

I probably won’t go into detail on every piece of software listed above, but I’ll cover the more important or interesting things.

This is one big holy war in the land of computing. Everyone you ask will most likely have his own opinions and preferences, especially when it comes to linux distributions.

Partly owing to the underwhelming feature-set of most of my machines, I rarely need bleeding-edge software, so instead I opt for non-breaking updates, solid security support and humungous repository breadth.

What little I need in latest releases, I can compile myself (though that mostly concerns software I am involved with myself in some way, so that would have happened anyway).

Since I want as few packages installed as possible (at least in the base system), I usually install Debian from the netboot image, which is intended for use with a network connection, but installs nicely without one - resulting in a very minimalistic installation.

The installation of netinst without net is (to my knowledge) only possible when using the Advanced setup option in the Debian installer menu and skipping all tasks that require a network connection.

My go-to keyboard layout, ever since I once had a ThinkPad featuring it in hardware, is the British layout, which is very similar to the American layout, but with a full-size Enter key and the backslash key being on opposite end of the forward slash, making for a very neat programming layout.

One big thing I do after first setting up the OS is teaching apt, Debians package manager, not to automatically install recommended packages in addition to things I myself request to be installed. This brings down the list of installed packages considerably.

To do that, create a file /etc/apt/apt.conf.d/00local with the contents

APT::install-recommends "false";
APT::install-suggests "false";

Since I don’t use a desktop manager, my systems boot to a default tty login prompt. After I log in, I can work in text mode, which sometimes suits me just fine and is generally easier on the battery.

Once I decide I want to do something graphical such as browsing the web, I start the X server by running xinit (which, in newer systems, is actually an alias to startx via ~/.zshrc). This, in the last instance, executes ~/.xinitrc, which is where my window manager is started.

In the ~/.xinitrc, I disable some powersaving options that turn off the screen after some minutes, then set my background to be black and continue by loading my color scheme settings into the X database. After that, there is some magic to allow me to test different window managers.

#!/bin/bash
session=${SESSION:-rptest}
printf "Starting %s session\n" "$session"
# Change to home directory before executing WM
cd
# Turn off powersaving stuff
xset -dpms
xset s off
# Background image
xsetroot -solid black -cursor_name left_ptr
# Merge xresources to database
xrdb -merge ~/.xresources
case $session in
        rptest) exec ./rp-test;;
        ratpoison) exec ratpoison;;
        jwm) exec jwm;;
        *) exec $1;;
esac

This allows me to run my default window manager (which is currently a testing build of ratpoison) by just running xinit, while being able to, for example, start with jwm by running SESSION=jwm xinit.

For more information on this whole process, see man 1 xinit.

To change the keyboard layout while in an X session, run

# Set keyboard layout to German
setxkbmap de
# Set layout to British
setxkbmap gb

As mentioned before, I like to keep my machines synchronized in order to be able to switch over to another one should the need arise.

This is done by having all personal files I need synchronized in a git repository, which I can push to a remote server with a simple global command (which is aliased to execute a shell script). I can then pull the changes from all other machines with another command created in the same way. This is not done automatically, in order to be able to simply play around without creating unnecessary commits.

The repository also contains most of my configuration files, in order to maintain a unified experience. These configuration files are symlinked to my HOME in most cases.

Each machine has it’s own notes file in the repository, symlinked to ~/notes, which makes for easy note-taking, which is optionally visible on all machines.

Of course, this repository does only contain few binary files (and even fewer ‘large’ files), in order to keep the size down. Media files and browser “Download” folders are not synchronized, but large files to be archived (such as Photos, etc) are kept on my NAS or external hard drives.

Other than the aforementioned categories, most of my home directory consists of git repositories for software projects, which can be independently pulled on every machine.

To do the same, you will need a machine or service where you can store git repositories (preferrably non-publicly), create a new repository and check it out on every machine you want to synchronize.

Though, I should add, really only for wireless connections, since I can’t bring myself to learn the wpa-supplicant configuration file syntax by heart.

Another heavily contested topic between linux people is the choice of editor. I fall on the side of vim, though I admit it has a steep learning curve. It is worth it in my opinion though, greatly improving productivity while editing files.

vim is heavily extendable with lots and lots of options, modules and extension scripts available, but I’m very happy with the following few lines.

filetype plugin indent on
syntax on
set encoding=utf-8
" Disable the help popup on F1
map <F1> <Esc>
imap <F1> <Esc>

scite is just a basic graphical text editor based on the Scintilla project. It features pretty good syntax highlighting and is easier to grasp at first glance than vim. It is also pretty lightweight on resources.

I use chromium as my main browser, with my sessions growing up to some few hundred tabs since I don’t really like to use bookmarks (They are, sadly, not as readily exportable as copying an URL).

In order to keep memory usage at an acceptable level, I use some plugins, namely

• The great suspender: Replaces tabs with a static page after some time of inactivity.
• uBlock Origin and uMatrix: For ad and script blocking
• Disable HTML5 Autoplay: Because who likes autoplay.
• Session Buddy: To manage sets of tabs should the need for some compartmentalization arise.

firefox (or iceweasel, as it likes to be called on Debian) is configured to forget all history after closing, making it my “incognito” or VPN browser. An AdBlocker as well as the NoScript extension are installed there.

netsurf I install actually just for fun. It’s a nice project to build a new browser from the ground up, and as such is missing many features (such as viable JavaScript support), but it loads pretty fast and is nice to use once in a while.

Much like with my workstations, I’m a great fan of keeping my server systems very light weight - meaning as few packages as possible installed, only running services that are needed and choosing lightweight software wherever possible.

• OS: Debian stable
• git access control: fugit
• Web server: lighttpd nginx
• Database: sqlite3 postgres
• Monitoring: munin vnstat
• Firewall: iptables
• Mail: cmail

I’ll keep this mostly short and sweet, since you should hopefully already have some experience using Linux when you’re going to have a server reachable from the entire internet.

git does not ship a mechanism for authentication or authorization itself, instead relying on the ones provided by the transport mechanism of choice (WebDAV, HTTP, SSH, etc). Most people, me included, opt for SSH, at least for write access (with public read access optionally provided via HTTP).

This entails creating a system user that stores the actual repositories and granting collaborators login access to that user. Without any further configuration, this poses the problem that all users basically have unfettered access to all repositories stored as this user.

While it would be possible to create one user per project or repository, this quickly gets impractical, which is why there is a whole host of software dealing with this (and related) problems.

Sadly, most of these have features I don’t need bloating the codebase, are impossible to debug properly, have dependencies I’m not willing to install or change their interfaces more frequently than I am willing to delve into their configuration.

My go-to HTTP daemon is currently lighttpd, mostly for its ease of configuration, wide range of modules and configurability, lightweight resource consumption and overall speed.

Most of my server machines handle multiple virtual hosts, which is easily configured using mod_evhost.

# Load necessary modules
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_accesslog",
    "mod_compress",
    "mod_evhost",
    "mod_auth",
    "mod_fastcgi",
    "mod_rewrite",
    "mod_redirect",
    "mod_expire",
    "mod_evasive",
)

# Some standard setup
server.pid-file = "/var/run/lighttpd.pid"
server.document-root = "/var/www/default"
server.tag = "lighty [hostname]"
index-file.names = ( "index.php", "index.html", "index.htm" )
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# These might be Debian-specific
server.username = "www-data"
server.groupname = "www-data"

# Logfiles
server.errorlog = "/var/log/lighttpd/error.log"
accesslog.filename = "/var/log/lighttpd/access.log"
evasive.max-conns-per-ip = 10

# Set up virtual host pattern
evhost.path-pattern = "/var/www/%2/%3/"

# Enable HTTPS
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "HIGH:!NULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!aNULL:!anon"
    ssl.pemfile = "/path/to/default_cert.pem"
    ssl.ca-file = "/path/to/default_ca.pem"
    ssl.dh-file = "/path/to/dhparams.pem"
    ssl.ec-curve = "secp384r1"
    $HTTP["host"] =~ "(^|)example\.org$" {
        ssl.pemfile = "/path/to/vhost_cert.pem"
        ssl.ca-file = "/path/to/vhost_ca.pem"
    }
}

# Enable directory listings
dir-listing.encoding        = "utf-8"
server.dir-listing          = "enable"

# Enable compression
compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ("text/plain", "text/html", "application/x-javascript", "text/css")

# Enable caching for static content
expire.url = (
    "/static/" => "access plus 7 days",
)

# Redirect www.foo.* to foo.*
$HTTP["host"] =~ "^www\.(.*)$" {
    url.redirect = ( "^/(.*)" => "http://%1/$1" )
}

# Use IPv6 if possible
include_shell "/usr/share/lighttpd/use-ipv6.pl"
# Mimetype mapping
include_shell "/usr/share/lighttpd/create-mime.assign.pl"

# Pass all .php files to php5
fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/bin/php5-cgi",
    "socket" => "/var/run/lighttpd/php.socket",
    "max-procs" => 10
)))

For fancier setups, such as UWSGI applications or reverse proxy setups, I tend to use nginx.

For most of my database needs, I really like sqlite3, which is a file-based database.

This has it’s advantages, such as being able to simply copy a file to backup (or replace) the entire database, ease of setup (just create a file) and zero need for configuration of daemons.

It does also have some drawbacks though, such as rapdidly degrading performance when tasked with concurrent writes, no access control mechanism and only coarse-grained locking.

Still, in my experience most things requiring a database and serving under a few tens of users is perfectly fine with SQLite. If the load is mostly reading data, SQLite may even be a pretty good choice.

For things absolutely requiring a client-server database which implements a full standards compliant SQL dialect with all the features you could ever wish for and very good performance, I’d recommend looking into PostgreSQL (or postgres, as the binary is called).

Most of the firewall configuration on my server consists of explicitly allowing the ports the machine is supposed to server and then dropping all traffic to everything else.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -p udp --dport 68 -j ACCEPT
COMMIT

To ensure the rules are loaded at boot time, install the package iptables-persistent, which loads the rules.v4 and rules.v6 files from /etc/iptables/ when started.

As always, be careful when visiting external links. I can not guarantee that they won’t change.

Laptop