Ultra-Geek Linux Workstation Guide
May 17, 2017
So I’ve gone a little overboard collecting notes about what seems to me to be an ideal Linux workstation for hackers. Everything from hardware to software. Thought I’d share it with you all because many of the items on the list were a surprise to me, and I think you’ll enjoy them. Feel free to write me and suggest even better ideas.
Will I actually build it? Who knows, but the research has been fun and educational in an OCD kind of way.
Note that the hardware choices and some software have been updated after a great discussion on lobste.rs.
- User actions should complete instantaneously. While I understand if compiling code and rendering videos takes time, opening programs and moving windows should have no observable delay. The system should use minimalist tools.
- Corollary: cache data offline when possible. Everything from OpenStreetMaps to StackExchange can be stored locally. No reason to repeatedly hit the internet to query them. This also improves privacy because the initial download is indiscriminate and doesn’t reveal personal queries or patterns of computer activity.
- No idling program should use a perceptible amount of CPU. Why does CalendarAgent on my Macbook sometimes use 150% CPU for fifteen minutes? Who knows. Why are background ChromeHelpers chugging along at upper-single-digit CPU? I didn’t realize that holding a rendered DOM could be so challenging.
- Stability. Old fashioned programs on a conservative OS on quality mainstream hardware. There are enough challenges to tackle without a bleeding edge system being one of them.
- Delegate to quality hardware components. Why use a janky ncurses Linux audio mixer when you can use…an actual audio mixer?
- Hardware privacy. No cameras or microphones that I can’t physically disconnect. Also real hardware protection for cryptographic keys.
- Software privacy. Commercial software and operating systems have gotten so terrible about this. I even catch Mac command line tools trying to call Google Analytics. Sorry homebrew, your cute emojis don’t make up for the surveillance.
To get the best hardware for the money I’m opting for a desktop computer. Haven’t had one since the early 2000s and it feels anachronistic, but it will outperform a laptop of similar cost.
I remember that my desktop long ago had an annoying fan which sounded like a jet in my room. The ultimate machine should be super quiet. That’s why I’m picking the Fractal Design Define Mini C Silent Mini Tower. Its understated design is compact and omits drive bays that will not be used.
Building a solid computer means not cheaping out on a power supply. Rated at 650 watts, higher than this computer needs, the Seasonic ATX12V should stay well within its most efficient fanless operating zone. Externally, the APC BR1000G UPS will protect the system from power surges and abrupt shutdowns.
For the motherboard, pick an ASUS P10S-M WS LGA 1151 Intel C236. It has an integrated gigabit ethernet card, and support for fast DDR4 2133 memory. Not to mention Puget Systems rated it one of the most reliable boards they had tested in 2016.
The CPU will be a 3.6 GHz Xeon E3-1275 V5. Xeons support error correcting (ECC) memory, which is good for the stability of the system, especially with the large amount of RAM we will use. This CPU includes an integrated Intel HD Graphics P530 chipset so we won’t need a dedicated GPU. (The system isn’t for gaming or bitcoin mining.)
Slap four sticks of 16GB Kingston ValueRAM memory in there for good measure. It’s DDR4 2133 MHz with 15 ns CAS latency, has ECC as mentioned, and is unbuffered for greater speed. This is certainly a lot of memory for the minimalist software we’ll be using, but it can support a generous ramdisk for video editing artifacts.
I learned that modern SSDs are so fast that they no longer connect to the motherboard with traditional storage buses. They plug straight into PCI express and are managed with an NVMe interface for high parallelism. Samsung MZ-V6E1T0BW is well reviewed and super fast.
For extra fun, include a powered USB hub to sit on the desk and accommodate extra hardware. With an Anker 7-Port USB 3.0 Data Hub visitors can easily plug in keyboards for pairing sessions, or charge their devices.
I know a lot of people enjoy surrounding themselves with a wall of monitors like they’re in the heart of NASA Mission Control, but I find multi-monitor setups slightly disorienting. It introduces an extra bit of cognitive overhead to determine which monitor is for what exactly. That’s why I’d go with a modest, crisp Dell UltraSharp 24" U2417HJ. It’s 1080p and yeah there are 4k monitors nowadays, but text and icons are small enough as it is for me! If you want 4k, try the Dell P2715Q.
If I ever considered a second monitor it would be e-ink for comfortably reading electronic copies of books or long articles. The price is currently too high to justify the purchase, but the most promising monitor seems to be the Dasung Paperlike.
In the other direction, video input, it’s more flexible to use a general-purpose HDMI capture box like the Rongyuxuan than settle on a particular webcam. This allows hooking up a real camera, or any other video device.
Although the motherboard for this system has built-in audio, a better approach is to use clean hardware outside of the computer. We want to allow the system flexibility to connect to pro gear. The soundcard I have in mind for this system is great quality, and very simple. The Behringer UCA202 puts as little between the computer and line level RCA input/output jacks as possible. It’s a simple 16-bit 48 kHz USB DAC.
The way to connect it with other things is with a dedicated hardware mixer. The Behringer Xenyx 802 has all the connections needed, and the ability to route audio to and from the computer and a variety of devices at once. The mixer may seem an odd peripheral, but I want to mix the computer with an old fashioned CD player, ham radio gear, and amplifier so this unifies the audio setup.
When doing remote pair programming or video team meetings it’s nice to have a quality microphone. The best ones for this kind of work are directional, with a cardioid reception pattern. The MXL 770 condenser mic is perfect, and uses a powered XLR connection supplied by the mixer.
I know, I know, backups are so easy now. Just use $SILICON_VALLEY_CLOUD_SERVICE and forget about it.
Yeah right. Did you really think I’d say that? We’re going dead simple and old-school, back to tapes. There is a set of tape standards called LTO-n. As n increases the tape capacity gets bigger, but the tape drive gets more expensive. In my opinion the best balance these days for the home user is LTO-3. You can usually find an HP Ultrium 960 LTO-3 on eBay for 150 dollars. The cartridges hold 800GB and are about 15 dollars apiece. Hard drives keep coming down in price, but these tapes are very cheap and simpler than keeping a bunch of disk drives. Also tape has proven longevity, and good recoverability.
To use old fashioned tech like this you need a SCSI host bus adapter like the Adaptec 2248700-R U320. That one hooks up to PCIe.
You don’t want to generate and store secret keys on a general purpose network attached computer. The attack surface is a mile wide. Generating or manipulating “offline” secret keys needs to happen on a separate computer with no network access.
Little boards like the Raspberry Pi would be good except they use ARM processors (incompatible with Tails OS) and have wifi. The JaguarBoard is a small x86 machine with no wireless capability. Just switch the keyboard and monitor over to this machine for your “cleanroom.”
Generating keys requires entropy. The Linux kernel samples system properties to generate randomness, but why not help it out with a dedicated true random number generator (TRNG)? Bit Babbler supplies pure randomness at a high bitrate through USB. The web page describes its design and the gauntlet of tests it passes.
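Whatever TRNG you attach, it is worth sanity-checking its output before trusting it for key generation. The following is an added example, not code from the original post or from the Bit Babbler project: it implements two of the NIST SP 800-22 statistical tests (monobit frequency and runs) over a byte string, reads the kernel's entropy-pool gauge, and shows why the monobit test alone is not enough (a perfectly alternating bit pattern passes it and fails the runs test). The device path is an assumed placeholder; the seeded sample is a deterministic test vector, not a substitute for real hardware entropy.

```python
"""Sanity-check a stream of random bytes with the NIST SP 800-22 monobit
(frequency) and runs tests.  Added example; the TRNG device path below is
an assumption, substitute the one your hardware exposes."""
import math
import random
from typing import Optional

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"   # real Linux procfs path
TRNG_DEVICE = "/dev/your-trng"                              # placeholder, not a real path


def monobit_p_value(data: bytes) -> float:
    """NIST 2.1: p-value for the hypothesis that ones and zeros are balanced.
    Small p (< 0.01) means the stream is biased towards one bit value."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(data: bytes) -> float:
    """NIST 2.3: p-value for the number of runs (maximal same-bit stretches).
    Catches streams that are balanced but oscillate too fast or too slow."""
    bits = "".join(f"{b:08b}" for b in data)
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0   # prerequisite frequency check fails, runs test not applicable
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def looks_random(data: bytes, alpha: float = 0.01) -> bool:
    """True only if the sample passes both tests at significance level alpha."""
    return monobit_p_value(data) >= alpha and runs_p_value(data) >= alpha


def kernel_entropy_avail(path: str = ENTROPY_AVAIL) -> Optional[int]:
    """Bits currently credited to the kernel pool, or None off Linux."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def read_device(path: str = TRNG_DEVICE, nbytes: int = 4096) -> bytes:
    """Pull raw bytes from a character device such as an attached TRNG."""
    with open(path, "rb") as f:
        return f.read(nbytes)


def seeded_sample(seed: int, nbytes: int) -> bytes:
    """Deterministic PRNG bytes used as a test vector.  NOT a TRNG substitute."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


if __name__ == "__main__":
    print("kernel entropy_avail:", kernel_entropy_avail())
    for label, sample in [("all zeros", b"\x00" * 512),
                          ("alternating 0x55", b"\x55" * 512),
                          ("seeded PRNG", seeded_sample(20170517, 4096))]:
        print(f"{label:18s} monobit p={monobit_p_value(sample):.4f} "
              f"runs p={runs_p_value(sample):.4f} ok={looks_random(sample)}")
```

Point `read_device` at the path your TRNG exposes and feed the result to `looks_random` before each key-generation session; a device that starts failing these cheap tests is a hardware problem worth catching before it feeds GnuPG.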
This little computer will save its results onto an OpenPGP Smartcard V2.1. This card provides write-only access to keys, and computes cryptographic primitives internally to sign and encrypt messages. To use it with a regular computer, hook up a Cherry ST2000 card reader. This reader has a PIN pad built in, so no keylogger on the main computer could even obtain your decryption PIN.
We take the beefed up hardware above and pair it with ninja-fast software written in C. Some text-based, others raw X11 graphical apps unencumbered by ties to any specific window manager.
There are two contenders for the base system: Debian stable or FreeBSD. Debian is cool because of the maturity of its development process and its social contract, while many people say FreeBSD is a more coherent, purer Unix with a quietly excellent community.
- Window manager: i3
- X11 configured for secondary selection with the Sun Type 6 Keyboard. Map the special keys with xkb and call out to xsel.
- Application launcher: dmenu
- Color management: Dell UltraSharp ICC color profile. Load it with xcalib. Adjust color tone at night with Redshift.
- Screen magnifier: vmg
- Screenshots: maim
- Screen lock: slock
- Terminal emulator: rxvt, or possibly urxvt for Unicode
- Shell: mksh is lightweight and POSIX compliant
- VPN: OpenVPN with PrivateInternetAccess config files
- RFC downloader/reader. Caches locally.
- Web browser: when possible NetSurf, when necessary Firefox.
- Pipe text to clipboard: xclip
- Todo manager: tudu
- Map and driving directions: Navit with downloadable OpenStreetMap data
- Desktop notifications: Dunst, be sure to use >= v1.1.0 for a memory leak fix
- Calendar: calcurse includes support for CalDAV and triggering notification commands
- Email (see description of MxA components)
  - MUA: NeoMutt includes a scriptable new-mail hook, and the notmuch indexer
  - Use the maildir storage format
  - MTA: msmtp supports storing the password using GnuPG
  - MRA: mbsync syncs the local mailbox with remote IMAP
  - urlview creates a menu from URLs in a text file to open them
  - abook to store and retrieve addresses
  - Calendar integration: mutt + calcurse
- Chat (don’t necessarily need them all, just as the need arises)
  - video: Jitsi
  - audio: Mumble
  - instant messenger: psi
  - IRC client: irssi (console) or hexchat (X11)
    - desktop notification via irssi-libnotify
    - hexchat uses libnotify by default I think
  - SMS: dterm through a GSM modem
    - Use AT commands like AT+CMGS to send a text
    - Hook up to an RS232 GSM modem like the SIMCOM SIM900
- Offline Stack Overflow queries
  - Get the quarterly XML data dump of questions and answers
  - How to import XML into Postgres: http://stackoverflow.com/a/33211885
  - Map the “help” button on the keyboard to search with highlighted text
- Video editing: kdenlive. No need to run the KDE window manager; for the KDE part you should only need the kdelibs, kdelibs-devel, qt and qt-devel packages.
  - Store editing artifacts on a RAM drive for super speed
- System monitoring
- Audio player: cmus
- Weather forecast: weather retrieves METARs (Meteorological Aerodrome Reports) directly from NOAA
- File manager: ViFM
- REST client: Resty + jq
- Backup and tape rotation: Bacula
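The SMS item above mentions sending a text with AT+CMGS through a GSM modem. Here is the full exchange as an added example, not code from the original post or from dterm: the host side drives the modem through the 3GPP 27.005 text-mode sequence (AT+CMGF=1, AT+CMGS with the number, body terminated by Ctrl-Z, then the +CMGS message reference), and a small simulated modem answers so it runs offline. The phone number, message and the reference numbers are constructed sample values; the `FakeSim900` class is an assumption standing in for a real serial port object that exposes `write()` and `read()`. The number and body are validated before being spliced into the command line so that a quote or carriage return in user-supplied data cannot turn into a second AT command.

```python
"""Send an SMS with the AT+CMGS command (3GPP 27.005 text mode).
Added example; the modem below is a simulation, not a real driver."""
import re

CTRL_Z = b"\x1a"          # terminates the message body in text mode


class AtError(Exception):
    """Raised when the modem answers ERROR / +CMS ERROR or something unexpected."""


class FakeSim900:
    """Constructed stand-in for a text-mode GSM modem on a serial port.
    It answers only the commands the send path uses, the way a real one does."""

    def __init__(self):
        self.text_mode = False
        self.awaiting_body = False
        self.sent = []            # (number, text) pairs the "network" accepted
        self._number = None
        self._ref = 0
        self._out = b""

    def write(self, data: bytes) -> None:
        if self.awaiting_body:    # after the "> " prompt everything is body
            if data.endswith(CTRL_Z):
                self._ref += 1
                self.sent.append((self._number, data[:-1].decode()))
                self.awaiting_body = False
                self._out += b"\r\n+CMGS: %d\r\n\r\nOK\r\n" % self._ref
            return
        cmd = data.rstrip(b"\r").decode()
        match = re.fullmatch(r'AT\+CMGS="(\+?\d+)"', cmd)
        if cmd == "AT+CMGF=1":
            self.text_mode = True
            self._out += b"\r\nOK\r\n"
        elif match and self.text_mode:
            self._number = match.group(1)
            self.awaiting_body = True
            self._out += b"\r\n> "
        else:                     # 302 = "operation not allowed"
            self._out += b"\r\n+CMS ERROR: 302\r\n"

    def read(self) -> bytes:
        out, self._out = self._out, b""
        return out


def _command(modem, cmd: bytes, expect: bytes) -> bytes:
    """Write one command, read the reply, fail on ERROR or a missing marker."""
    modem.write(cmd)
    reply = modem.read()
    if b"ERROR" in reply:
        raise AtError(reply.decode(errors="replace").strip())
    if expect not in reply:
        raise AtError(f"unexpected reply to {cmd!r}: {reply!r}")
    return reply


def send_sms(modem, number: str, text: str) -> int:
    """Send `text` to `number`; return the message reference the modem assigned."""
    if not re.fullmatch(r"\+?\d{3,15}", number):
        raise ValueError("number must be digits with an optional leading +")
    if not text.isascii() or "\r" in text or CTRL_Z in text.encode() or len(text) > 160:
        raise ValueError("body must be <=160 ASCII chars without CR or Ctrl-Z")
    _command(modem, b"AT+CMGF=1\r", b"OK")                          # text mode, not PDU
    _command(modem, b'AT+CMGS="%s"\r' % number.encode(), b">")      # modem prompts for body
    reply = _command(modem, text.encode() + CTRL_Z, b"OK")          # Ctrl-Z submits
    ref = re.search(rb"\+CMGS: (\d+)", reply)
    if not ref:
        raise AtError(f"no message reference in {reply!r}")
    return int(ref.group(1))


if __name__ == "__main__":
    modem = FakeSim900()
    print("sent, reference", send_sms(modem, "+15551234567", "Hello from the workstation"))
    print("modem accepted", modem.sent)
```

With a real port you would pass a pyserial `Serial` object wrapped so that `read()` drains everything up to the final `OK`, `ERROR` or `> ` prompt (the simulation returns the whole reply in one call, which a real serial port does not guarantee).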
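The offline Stack Overflow item above stops at a link for importing the dump into Postgres. As an added example, not code from the original post or from the linked answer, here is the other half of the pipeline: a streaming parser for the data dump's Posts.xml format (one `<row>` element per post, every field an attribute, Body and Tags HTML-escaped) that loads questions, answers and tags into a local database and answers a tag query without touching the network. SQLite stands in for the Postgres setup the post mentions so the example runs anywhere; the three rows embedded below are constructed to mimic the dump's format, not real posts.

```python
"""Stream a Stack Exchange data-dump Posts.xml into a local database for
offline querying.  Added example; SQLite replaces Postgres here and the
sample rows are constructed."""
import io
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample in the dump's real shape.
SAMPLE_POSTS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<posts>
  <row Id="1" PostTypeId="1" AcceptedAnswerId="2" CreationDate="2015-10-19T10:00:00.000"
       Score="12" Title="How do I import XML into PostgreSQL?"
       Body="&lt;p&gt;I have a large XML dump...&lt;/p&gt;" Tags="&lt;postgresql&gt;&lt;xml&gt;" />
  <row Id="2" PostTypeId="2" ParentId="1" CreationDate="2015-10-19T11:00:00.000"
       Score="20" Body="&lt;p&gt;Use &lt;code&gt;pg_read_file&lt;/code&gt;...&lt;/p&gt;" />
  <row Id="3" PostTypeId="1" CreationDate="2016-01-02T12:00:00.000" Score="3"
       Title="Why is my i3 config ignored?" Body="&lt;p&gt;...&lt;/p&gt;" Tags="&lt;i3&gt;&lt;xorg&gt;" />
</posts>
"""

QUESTION, ANSWER = 1, 2        # PostTypeId values used by the dump


def parse_tags(raw):
    """Turn the dump's '<a><b>' tag encoding into ['a', 'b']."""
    return re.findall(r"<([^<>]+)>", raw or "")


def iter_posts(source):
    """Yield one dict per <row>, parsing incrementally so a multi-gigabyte
    file is never held in memory at once."""
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "row":
            continue
        a = elem.attrib
        yield {
            "id": int(a["Id"]),
            "type": int(a["PostTypeId"]),
            "parent_id": int(a["ParentId"]) if "ParentId" in a else None,
            "title": a.get("Title"),
            "body": a.get("Body", ""),
            "tags": parse_tags(a.get("Tags")),
            "score": int(a.get("Score", 0)),
        }
        elem.clear()           # release the row's content once it is consumed


def load_posts(conn, source):
    """Create the schema if needed and load every row; return the row count."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS posts(id INTEGER PRIMARY KEY, type INTEGER,
            parent_id INTEGER, title TEXT, body TEXT, score INTEGER);
        CREATE TABLE IF NOT EXISTS post_tags(post_id INTEGER, tag TEXT);
        CREATE INDEX IF NOT EXISTS post_tags_tag ON post_tags(tag);
    """)
    count = 0
    for p in iter_posts(source):
        conn.execute("INSERT INTO posts VALUES (?,?,?,?,?,?)",
                     (p["id"], p["type"], p["parent_id"], p["title"], p["body"], p["score"]))
        conn.executemany("INSERT INTO post_tags VALUES (?,?)",
                         [(p["id"], tag) for tag in p["tags"]])
        count += 1
    conn.commit()
    return count


def questions_tagged(conn, tag):
    """Offline lookup: (id, title) of questions carrying `tag`, best score first."""
    return conn.execute("""
        SELECT p.id, p.title FROM posts p JOIN post_tags t ON t.post_id = p.id
        WHERE t.tag = ? AND p.type = ? ORDER BY p.score DESC""", (tag, QUESTION)).fetchall()


def answers_for(conn, question_id):
    """(id, body) of answers to a question, best score first."""
    return conn.execute(
        "SELECT id, body FROM posts WHERE parent_id = ? AND type = ? ORDER BY score DESC",
        (question_id, ANSWER)).fetchall()


def build_demo_db():
    """In-memory database loaded from the constructed sample."""
    conn = sqlite3.connect(":memory:")
    load_posts(conn, io.BytesIO(SAMPLE_POSTS_XML))
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for qid, title in questions_tagged(db, "postgresql"):
        print(qid, title, "->", [aid for aid, _ in answers_for(db, qid)])
```

For a real dump, pass an open file instead of the `BytesIO`. The dump is a large file you did not author, so treat it as untrusted input: the standard `xml.etree` parser does not limit entity expansion, and `defusedxml.ElementTree.iterparse` is a drop-in replacement that does. Parameterised queries are used throughout so that the "help" key search can pass highlighted text straight through without any SQL escaping on your side.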