the perfect PC setup

or why you might not want to use NixOS on your desktop just yet

People sometimes1 ask me how they should set up their new laptop. And since I’m currently going through this process myself, I figured it might make sense to jot it down.

Keep in mind that this is my opinion and certainly not the only one.

what device to choose

Used devices are good — both for the environment and for your budget. (But please don’t buy an Acer one.)

These are the (minimal) specs for a device that is usable with current software:

  • amd64 (or aarch642)
  • 4 GB RAM (better: 8 GB)
  • 50 GB SSD
  • UEFI
  • TPM 2

make sure that it works

If you buy a used device, it may be broken.3 So, check it. If your device comes with a built-in diagnostic tool (Dell, Lenovo, etc.), run it. If it doesn’t, run a memtest and a (long) SMART self-test on the SSD.

When they all succeed: congratulations, you have a new device.

Enter the firmware setup and reset it to factory defaults. Reboot. Enter the firmware setup again and make sure the following settings are enabled:

  • boot mode: UEFI
  • Secure Boot
  • Secure Boot Mode: User (sometimes also called “Windows”)
  • virtualisation
  • standby mode: Linux (this might also make sense when you’re using Windows)
  • TPM: enabled (or fTPM)
  • set a power-on password

If your device doesn’t offer every one of these, that’s not necessarily a problem.

install your operating system of choice

Ok, but what exactly is your choice? You’ll want a system that provides timely security updates, has good defaults, supports encryption and has the apps you need.

Windows

Windows is an operating system by Microsoft. It costs money and is proprietary, but your device might already come with a license you can use.

First, you’ll need to create a bootable USB drive with the media creation tool. To use this tool, you’ll need another Windows PC. Or you can install Windows inside a VM and pass the USB key through.

When you have a USB key, insert it into your new device, boot it and try to install Windows. If it doesn’t work because you don’t have a TPM, you can open the registry editor and use the LabConfig trick.

Be aware that this will complicate further feature updates; you’ll need to (again) create a USB key and then call the installer with setup.exe /product server to upgrade each year4.

Please use Chocolatey (or its GUI) to manage your software; it will make your life much easier. Also, if you sign in with a Microsoft account, you’ll get TPM5-backed FDE6. More on that later on.

Also, WSL7 is actually nice to use.

But, as stated, this is proprietary, and I want to (mainly) use Free Software, so let’s use Linux8.

Ubuntu

Ubuntu is the Windows of Linux: it’s easy to set up, most people are using it and it works most of the time. It’s got a steady release schedule and timely updates.

And (which is why I will be using it) it natively supports TPM-backed FDE.

(If your device doesn’t have a TPM 2, skip the next three sections.)

So, go ahead and download Ubuntu 24.04 LTS. Use e.g. balenaEtcher to put it on a USB drive. Boot from it.

The installer should be pretty self-explanatory, just three things:

  • refrain from checking any of the boxes for proprietary software9
  • on the partitioning screen, click on “Advanced” and select TPM-backed FDE
  • don’t create your actual user account just yet. Create a temporary one, instead.

This will take about 30 minutes, go grab a tea.

first things first

After the installation succeeded, reboot into your new system and note down the recovery key:

sudo snap recovery --show-keys

Please actually do this. Right away. I didn’t and installed a firmware update which required me to enter the recovery key afterwards — which I didn’t have.

Plasma

If you like GNOME, you can obviously skip this step. But I want to use Plasma10:

sudo apt install kubuntu-desktop

This might take a few minutes. Select sddm if you’re asked to select a display manager. Reboot afterwards and make sure that everything works.

Then, uninstall GNOME:

# the manifests list every package on the stock Ubuntu and Kubuntu images
wget https://releases.ubuntu.com/24.04/ubuntu-24.04.2-desktop-amd64.manifest
wget https://cdimage.ubuntu.com/kubuntu/releases/noble/release/kubuntu-24.04.2-desktop-amd64.manifest
# keep only the package names; drop kernel packages and snaps, which the manifests list as well
cut -f1 ubuntu-24.04.2-desktop-amd64.manifest | grep -v '^linux-[hims]' | grep -v "snap:" | sort > old-de
cut -f1 kubuntu-24.04.2-desktop-amd64.manifest | grep -v '^linux-[hims]' | grep -v "snap:" | sort > new-de
# packages that are only on the Ubuntu (GNOME) image
comm -23 old-de new-de > packages-to-remove
xargs -a packages-to-remove sudo apt purge

You might want to take a look at packages-to-remove beforehand. :D

Reboot and make sure that everything still works.

if you don’t have a TPM 2: Kubuntu

If you don’t have a TPM (2), the best you can get11 is installing Kubuntu12 22.04 and upgrading afterwards. (Probably, I am not a lawyer.)

So, grab the ISO. Use e.g. balenaEtcher to put it on a USB drive. Boot from it.

The installer should be pretty self-explanatory, just two things:

  • on the partitioning screen, check the box for disk encryption. Make sure that your chosen password can also be typed on a QWERTY layout, because the pre-boot passphrase prompt may not use your configured keyboard layout.
  • don’t create your actual user account just yet. Create a temporary one, instead.

no place like $HOME

Remember that we didn’t add the final user account? Here’s why:

Using systemd-homed, we can get an encrypted home directory (and a filesystem of choice):

# take note of which groups you want to be in (sudo!!!)
id
# install your preferred shell first (if it isn't there yet), then systemd-homed
sudo apt install systemd-homed
homectl create your-login-name --real-name="Your real name" --storage=luks --fs-type=btrfs --shell=/usr/bin/your-shell --member-of=group1 --member-of=group2 ...

Then, some fix-ups:

Create a /etc/sddm.conf.d/uid.conf with the following contents, so that the new account shows up at the login screen:

[Users]
MaximumUid=62000

Modify /etc/nsswitch.conf, so that polkit still works:

group: files [SUCCESS=merge] systemd

Reboot, log in with your new account and make sure everything works (e.g. sudo id and pkexec bash).

You can then delete the temporary account with sudo deluser temp. (Or keep it around, I don’t care.)
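The two fix-ups above are easy to get subtly wrong (a typo in the nsswitch line silently breaks polkit, a too-low MaximumUid silently hides the account). Here is an added check script, not part of the original post, that verifies both. It assumes what the post states: systemd-homed accounts get UIDs above sddm’s default MaximumUid of 60000 (homed allocates from 60001 to 60513), and the group line must merge the systemd NSS source. Paths are parameters so it runs against the constructed sample files built inside the script as well as against the real /etc files.

```shell
# Added example (not from the original post): verify the systemd-homed fix-ups.
# systemd-homed allocates user UIDs from the 60001-60513 range, and sddm hides
# accounts above its default MaximumUid of 60000, so the login screen only
# shows the homed account once MaximumUid is raised above that range.

# Succeeds if the "group:" line in the given nsswitch.conf merges the systemd source.
nsswitch_group_ok() {
    grep -Eq '^group:.*\[SUCCESS=merge\][[:space:]]+systemd' "$1"
}

# Succeeds if some *.conf in the given sddm.conf.d directory sets MaximumUid
# high enough to cover the whole homed UID range.
sddm_uid_ok() {
    dir="$1"
    max=$(cat "$dir"/*.conf 2>/dev/null | sed -n 's/^MaximumUid=\([0-9][0-9]*\).*/\1/p' | sort -n | tail -n1)
    [ -n "$max" ] && [ "$max" -ge 60513 ]
}

# Prints a short report; defaults to the real system paths.
homed_fixups_report() {
    nsswitch_group_ok "${1:-/etc/nsswitch.conf}" && echo "nsswitch: ok" || echo "nsswitch: group line lacks [SUCCESS=merge] systemd"
    sddm_uid_ok "${2:-/etc/sddm.conf.d}" && echo "sddm: ok" || echo "sddm: MaximumUid missing or below the homed UID range"
}

# Constructed sample files (not copied from any system) to exercise the checks.
HOMED_SAMPLES=$(mktemp -d)
printf 'passwd:         files systemd\ngroup:          files [SUCCESS=merge] systemd\n' > "$HOMED_SAMPLES/nsswitch-good"
printf 'passwd:         files systemd\ngroup:          files systemd\n' > "$HOMED_SAMPLES/nsswitch-bad"
mkdir -p "$HOMED_SAMPLES/sddm-good" "$HOMED_SAMPLES/sddm-bad"
printf '[Users]\nMaximumUid=62000\n' > "$HOMED_SAMPLES/sddm-good/uid.conf"
printf '[Users]\nMaximumUid=60000\n' > "$HOMED_SAMPLES/sddm-bad/uid.conf"

# Real use: homed_fixups_report   (reads /etc/nsswitch.conf and /etc/sddm.conf.d)
homed_fixups_report "$HOMED_SAMPLES/nsswitch-good" "$HOMED_SAMPLES/sddm-good"
homed_fixups_report "$HOMED_SAMPLES/nsswitch-bad" "$HOMED_SAMPLES/sddm-bad"
```

Run homed_fixups_report without arguments on the installed system before rebooting; if either line reports a problem, fix the file first, since the symptom afterwards (no account on the login screen, or pkexec refusing you) is not obviously linked to its cause.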

who needs a password anyway

If you want to, you can use your fingerprint for sudo and polkit:

sudo apt install fprintd libpam-fprintd
fprintd-enroll
fprintd-verify
sudo -i
nano /etc/pam.d/sudo

Add the following right above the @include common-auth line:

auth       sufficient pam_fprintd.so

Keep this root shell open, open a new terminal window and make sure that sudo still works, but now asks for your fingerprint.

If it does, you can copy /etc/pam.d/sudo to /etc/pam.d/polkit-1. Make sure that polkit still works (pkexec id).
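Because the order of the two lines decides whether the fingerprint is tried before the password, here is an added check, not from the original post, that confirms the placement in a PAM service file and that the sudo and polkit-1 files still match after the copy. It assumes the exact line the post adds (auth sufficient pam_fprintd.so) and Ubuntu’s @include common-auth line; the sample files are constructed inside the script.

```shell
# Added example (not from the original post): check that the pam_fprintd line
# sits above "@include common-auth" in a PAM service file. With "sufficient",
# a matching fingerprint satisfies the auth stack immediately, and if fprintd
# fails or times out, control falls through to the password modules in
# common-auth. If the line sat below the include, the password would be asked
# for first. The file path is a parameter so the check also runs against the
# constructed samples below.
pam_fprintd_ok() {
    file="$1"
    fp_line=$(grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_fprintd\.so' "$file" | head -n1 | cut -d: -f1)
    inc_line=$(grep -nE '^@include[[:space:]]+common-auth' "$file" | head -n1 | cut -d: -f1)
    [ -n "$fp_line" ] && [ -n "$inc_line" ] && [ "$fp_line" -lt "$inc_line" ]
}

# The post copies /etc/pam.d/sudo to /etc/pam.d/polkit-1; this confirms the copy still matches.
pam_files_match() {
    cmp -s "$1" "$2"
}

# Constructed sample PAM files (not copied from any system).
PAM_SAMPLES=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth       sufficient pam_fprintd.so' '@include common-auth' '@include common-account' > "$PAM_SAMPLES/sudo-good"
printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth       sufficient pam_fprintd.so' > "$PAM_SAMPLES/sudo-bad"
cp "$PAM_SAMPLES/sudo-good" "$PAM_SAMPLES/polkit-1"

# Real use: pam_fprintd_ok /etc/pam.d/sudo && pam_files_match /etc/pam.d/sudo /etc/pam.d/polkit-1
for f in sudo-good sudo-bad; do
    if pam_fprintd_ok "$PAM_SAMPLES/$f"; then
        echo "$f: fingerprint is tried before the password"
    else
        echo "$f: pam_fprintd line missing or below @include common-auth"
    fi
done
```

Keep the root shell from the post open while running this against the real files: a PAM file that fails the check is exactly the situation in which a fresh sudo might lock you out.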

Flatpak

Ubuntu uses dpkg and snap for package management. But you can also install Flatpak to get even more software:

sudo apt install plasma-discover-backend-flatpak

Open Discover, go to the settings and click on the Flathub button.

Thunderbird and Lightning

Thunderbird is a good email client:

sudo apt install thunderbird

And while you’re at it, you might want to switch Firefox to ESR, so that they’re both on the same version:

sudo snap refresh firefox --channel=esr/stable

WSL, but for Linux

If you often compile software, you might not want to do it on your main system: you’ll end up installing and losing track of packages that you don’t actually need long-term, and every build script can read your emails and your browsing history.

Multipass provides tightly-integrated Ubuntu VMs:

sudo snap install multipass
# this might take a while
multipass shell

Note down the IP address and put your local SSH public key into the VM’s .ssh/authorized_keys. (Also: multipass.gui exists.)

Visual Studio Code

Install VSCode using Flatpak and remove its filesystem access via Flatseal:

flatpak install flathub com.visualstudio.code
flatpak install flathub com.github.tchx84.Flatseal
flatpak run com.github.tchx84.Flatseal

Start VSCode and connect to the Multipass VM via SSH (click the icon in the bottom left corner).

This should also work with JetBrains IDEs, but I haven’t tried that yet.
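The IP address you noted down for the VM has to end up somewhere VSCode’s Remote-SSH can find it. Here is an added helper, not from the original post, that turns the output of multipass info into an ssh_config Host block so the VM can be reached by name. It assumes the instance is called builder, that the VM user is ubuntu (Multipass’s default) and that the key at ~/.ssh/id_ed25519 is the one you put into authorized_keys; the info text in the script is a constructed sample in the layout of multipass info, not captured output.

```shell
# Added example (not from the original post): build an ssh_config Host block
# from "multipass info <name>" output, read on stdin, so VSCode Remote-SSH (or
# plain ssh) can reach the VM by name. Instance name, VM user ("ubuntu" is
# Multipass's default) and key path are assumptions.
multipass_ssh_config() {
    name="$1"
    key="${2:-$HOME/.ssh/id_ed25519}"
    # first "IPv4:" entry is the VM's primary address
    ip=$(awk '$1 == "IPv4:" { print $2; exit }')
    [ -n "$ip" ] || return 1
    printf 'Host %s\n    HostName %s\n    User ubuntu\n    IdentityFile %s\n' "$name" "$ip" "$key"
}

# Constructed sample in the layout of "multipass info" (not real output).
SAMPLE_INFO='Name:           builder
State:          Running
IPv4:           10.211.55.7
Release:        Ubuntu 24.04 LTS'

# Real use: multipass info builder | multipass_ssh_config builder >> ~/.ssh/config
printf '%s\n' "$SAMPLE_INFO" | multipass_ssh_config builder
```

The function fails (returns 1) when no IPv4 line is present, which is what a stopped instance reports, so the redirect into ~/.ssh/config does not append a half-finished block. Since the address can change across restarts, rerun it after multipass start if the connection stops working.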

Linux is fun, because it has games

Steam has lots of games and can be installed via both Snap and Flatpak, so that your games don’t get full filesystem access, though this is not officially supported.

I didn’t try this yet.

Ubuntu Pro

I’m not actually sure whether this Ubuntu setup can be upgraded to newer versions. But Ubuntu 24.04 is an LTS13, so it’s supported until 2029 — and with Ubuntu Pro this becomes 2036. And since big parts of the software you’re using come from Snap or Flatpak (or run in a VM that you can replace with a newer one), it shouldn’t be a problem to actually use it for so long.

why not NixOS?

I’ve been using NixOS for some time in some virtual machines and I think it’s great for servers, but probably a bit too rigid for desktop use. Flatpak works at least, so this might be an option, and I really like having everything in one configuration, but Secure Boot is a bit complicated and might not be as secure as in other distros14. FDE is supported, but it’s only secure if used together with Secure Boot — but that’s true for every OS.


  1. very seldom

  2. back in 2023, when I started writing this blogpost, there was only one device with both ARM and UEFI for sale (in Germany), and that’s the ThinkPad X13s

  3. This has happened to me three times, just in one year.

  4. At least, until Microsoft finally removes this hack.

  5. Trusted Platform Module

  6. full-disk encryption

  7. Windows Subsystem for Linux. The name is probably a bit misleading, because it’s really a Linux Subsystem for Windows.

  8. well actually, systemd/Linux

  9. not just for ideological reasons; this also makes TPM-backed FDE unavailable

  10. you might ask yourself (or me): why not just install Kubuntu right away? That’s because the Kubuntu installer currently doesn’t support TPM-backed FDE

  11. meaning: everything on your disk is either signed or encrypted

  12. or Lubuntu, if you prefer LXQt to Plasma; if you want a different desktop environment, download the 22.04 image of the Ubuntu spin you want, run sudo apt install calamares-settings-lubuntu and use calamares to install

  13. Long-Term Support

  14. because the private key used to sign the kernel is stored on your device, meaning someone with root access (e.g. malware) is able to access it

