Pop OS How To Install

This document provides instructions for completing post-installation configuration and setup tasks on a Pop!_OS system, including installing updates, configuring locales and graphics drivers, restoring files from backup, setting up security features using a YubiKey like 2-factor authentication, and installing recommended applications. The steps covered include changing repositories, installing software updates, setting up hybrid graphics, restoring files and settings from an encrypted backup, configuring the system to use a YubiKey for sudo access and encrypted volumes, and enabling features like automatic login.

Things to do after installing Pop!_OS 20.04 (Apps, Settings, and Tweaks)
Please feel free to raise any comments or issues on the website’s Github repository.
Pull requests are very much appreciated.

In the following I will go through my post installation steps, i.e. which settings I choose and
which apps I install and use.

Basic Steps
Go through welcome screen and create user account

This is self-explanatory. Usually I already set up Online Accounts for Nextcloud.

Change the mirror for getting updates, set locales, get rid of unnecessary languages

I am living in Germany, so I adapt my locales:

# switch the Ubuntu archive mirror from the US one to the German one
sudo sed -i 's|//us\.|//de.|' /etc/apt/sources.list
sudo locale-gen de_DE.UTF-8
sudo locale-gen en_US.UTF-8
sudo update-locale LANG=de_DE.UTF-8

Open “language” in “region settings”, do not update these, but first remove the unnecessary
ones. Then reopen “languages” and update these.

Install updates and reboot

sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoremove
sudo apt autoclean
sudo fwupdmgr get-devices
sudo fwupdmgr get-updates
sudo fwupdmgr update
sudo reboot now

Set Hybrid Graphics

Switching Graphics in Pop!_OS is easy: either use the provided extension and restart or run

sudo system76-power graphics hybrid
sudo reboot now

Get Thunderbolt Dock to work and adjust monitors

I use a Thunderbolt Dock (DELL TB16) with three monitors, which is great but also a bit
tricky to set up (see Dell TB16 Archwiki). I noticed that sometimes I just need to plug the
USB-C cable in and out a couple of times to make it work (there seems to be a loose
contact). Anyways, for me the most important step is to check in
“Settings-Privacy-Thunderbolt”, whether the Thunderbolt dock works, so I can rearrange my
three monitors in “monitor settings”. I then save this as default for “gdm”:

sudo cp ~/.config/monitors.xml ~gdm/.config/

Restore from Backup

I mount my luks encrypted backup storage drive using nautilus and use rsync to copy over
my files and important configuration scripts:

export BACKUP=/media/$USER/UUIDOFBACKUPDRIVE/@home/$USER/
sudo rsync -avuP $BACKUP/Bilder ~/
sudo rsync -avuP $BACKUP/Dokumente ~/
sudo rsync -avuP $BACKUP/Downloads ~/
sudo rsync -avuP $BACKUP/dynare ~/
sudo rsync -avuP $BACKUP/Images ~/
sudo rsync -avuP $BACKUP/Musik ~/
sudo rsync -avuP $BACKUP/Schreibtisch ~/
sudo rsync -avuP $BACKUP/SofortUpload ~/
sudo rsync -avuP $BACKUP/Videos ~/
sudo rsync -avuP $BACKUP/Vorlagen ~/
sudo rsync -avuP $BACKUP/Work ~/
sudo rsync -avuP $BACKUP/.config/Nextcloud ~/.config/
sudo rsync -avuP $BACKUP/.gitkraken ~/
sudo rsync -avuP $BACKUP/.gnupg ~/
sudo rsync -avuP $BACKUP/.local/share/applications ~/.local/share/
sudo rsync -avuP $BACKUP/.matlab ~/
sudo rsync -avuP $BACKUP/.ssh ~/
sudo rsync -avuP $BACKUP/wiwi ~/
sudo rsync -avuP $BACKUP/.dynare ~/
sudo rsync -avuP $BACKUP/.gitconfig ~/

sudo chown -R $USER:$USER /home/$USER

Sync Firefox to access password manager

I use Firefox and like to keep my bookmarks and extensions in sync. Particularly, I use
Bitwarden for all my passwords.

SSH keys

If I want to create a new SSH key, I run:

ssh-keygen -t rsa -b 4096 -C "willi@mutschler"

Otherwise, I restore my .ssh folder from my backup. Either way, afterwards, one needs to
add the file containing your key, usually id_rsa, to the ssh-agent:

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

Don’t forget to add your public keys to GitHub, Gitlab, Servers, etc.

Filesystem optimizations: fstrim timer and tlp

Btrfs Async Discard Support Looks To Be Ready For Linux 5.6; however, I am mostly on the
5.4 kernel, so I make sure that discard is not set in either my fstab or crypttab files, and also
enable the fstrim.timer systemd service:

sudo sed -i "s|,discard||" /etc/fstab
cat /etc/fstab #should be no discard
sudo sed -i "s|,discard||" /etc/crypttab
cat /etc/crypttab #should be no discard
sudo systemctl enable fstrim.timer

Also, there is some debate whether tlp on btrfs is a good choice or should be deactivated. In
any case, my laptops have sufficient battery power, so I remove it:

sudo apt remove --purge tlp

Security steps with Yubikey


I have two Yubikeys and use them

● as second-factor for all admin/sudo tasks
● to unlock my luks encrypted partitions
● for my private GPG key

For this I need to install several packages:

sudo apt install -y yubikey-manager yubikey-personalization # some common packages
# Insert the yubikey
ykman info # your key should be recognized
# Device type: YubiKey 5 NFC
# Serial number:
# Firmware version: 5.1.2
# Form factor: Keychain (USB-A)
# Enabled USB interfaces: OTP+FIDO+CCID
# NFC interface is enabled.
#
# Applications USB NFC
# OTP Enabled Enabled
# FIDO U2F Enabled Enabled
# OpenPGP Enabled Enabled
# PIV Enabled Disabled
# OATH Enabled Enabled
# FIDO2 Enabled Enabled

sudo apt install -y libpam-u2f # second-factor for sudo commands
sudo apt install -y yubikey-luks # second-factor for luks
sudo apt install -y gpg scdaemon gnupg-agent pcscd gnupg2 # stuff for GPG

Make sure that OpenPGP and PIV are enabled on both Yubikeys as shown above.

Yubikey: two-factor authentication for admin/sudo password

Let’s set up the Yubikeys as second-factor for everything related to sudo using the
common-auth pam.d module:

pamu2fcfg > ~/u2f_keys # When your device begins flashing, touch the metal contact to confirm the association.
pamu2fcfg -n >> ~/u2f_keys # Do the same with your backup device
sudo mv ~/u2f_keys /etc/u2f_keys
# Hand the key list to root so it cannot be edited without sudo
sudo chown root:root /etc/u2f_keys
sudo chmod 644 /etc/u2f_keys
# Make this required for common-auth
echo "auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue" | sudo tee -a /etc/pam.d/common-auth
# Before you close the terminal, open a new one and check whether you can do `sudo echo test`
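A check for the setup above, as an added example that is not part of the original post: it counts the keys enrolled per user in a pam_u2f authfile and reports accounts that the nouserok option would let through without a key, or that have no backup key. The function names, user names and file contents are constructed for illustration; the real files are /etc/u2f_keys and /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example, not from the original post. File contents are constructed.

# u2f_key_count AUTHFILE USER: number of keys enrolled for USER.
# Each authfile line is "user:credential[:credential...]", one entry per key.
u2f_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F: -v u="$2" '$1 == u { n = NF - 1 } END { print n + 0 }' "$1"
}

# u2f_findings PAMFILE AUTHFILE USER...: one line per finding, none if clean.
u2f_findings() {
    pamfile=$1; authfile=$2; shift 2
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_u2f\.so' "$pamfile" | tail -n 1)
    if [ -z "$line" ]; then
        echo "no pam_u2f auth line in $pamfile"
        return 0
    fi
    case " $line " in
        *" nouserok "*) nouserok=1 ;;
        *) nouserok=0 ;;
    esac
    for user in "$@"; do
        n=$(u2f_key_count "$authfile" "$user")
        if [ "$n" -eq 0 ] && [ "$nouserok" -eq 1 ]; then
            echo "$user: not enrolled, nouserok lets this account pass without a key"
        elif [ "$n" -eq 0 ]; then
            echo "$user: not enrolled, pam_u2f will not succeed for this account"
        elif [ "$n" -eq 1 ]; then
            echo "$user: only one key enrolled, no backup device"
        fi
    done
}

# Demo on constructed data: willi has two keys, alice one, bob none.
demo() {
    dir=$(mktemp -d)
    echo 'auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue' > "$dir/common-auth"
    printf 'willi:handleA,pubkeyA:handleB,pubkeyB\nalice:handleC,pubkeyC\n' > "$dir/u2f_keys"
    u2f_findings "$dir/common-auth" "$dir/u2f_keys" willi alice bob
    rm -rf "$dir"
}
demo
```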

Yubikey: two-factor authentication for luks partitions

Let’s set up the Yubikeys as second-factor to unlock the luks partitions. If you have brand
new keys, then create a new key on them:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible #BE CAREFUL TO NOT OVERWRITE IF YOU HAVE ALREADY DONE THIS

Now we can enroll both yubikeys to the luks partition:

export LUKSDRIVE=/dev/nvme0n1p4
#insert first yubikey
sudo yubikey-luks-enroll -d $LUKSDRIVE -s 7 # first yubikey
#insert second yubikey
sudo yubikey-luks-enroll -d $LUKSDRIVE -s 8 # second yubikey
export CRYPTKEY="luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript"
sudo sed -i "s|luks|$CRYPTKEY|" /etc/crypttab
cat /etc/crypttab #check whether this looks okay
sudo update-initramfs -u
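The sed call above replaces the first "luks" on every line of the file, so a second run appends the keyscript option again and a mapping whose name contains "luks" would be renamed. As an added example that is not part of the original post, this sketch edits only the options field of one named mapping and gives the same result when run twice; the function name, the sample crypttab and its mapping names are constructed, and the keyscript path is the one used on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.
KEYSCRIPT=/usr/share/yubikey-luks/ykluks-keyscript   # path used on this page

# add_keyscript CRYPTTAB NAME
# Print CRYPTTAB with keyscript= appended to the options (4th field) of the
# mapping called NAME. Comments, other mappings and already-edited lines pass
# through unchanged, so running it twice gives the same result.
add_keyscript() {
    awk -v name="$2" -v ks="keyscript=$KEYSCRIPT" '
        /^[[:space:]]*#/ { print; next }           # keep comments as they are
        $1 == name && NF >= 4 &&
        index("," $4 ",", ",keyscript=") == 0 {    # option not present yet
            $4 = $4 "," ks
        }
        { print }
    ' "$1"
}

# Demo on a constructed crypttab (the real file is /etc/crypttab).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# <name> <device> <keyfile> <options>
luks-data UUID=00000000-0000-0000-0000-000000000001 none luks
cryptswap UUID=00000000-0000-0000-0000-000000000002 /dev/urandom swap,plain
EOF
    add_keyscript "$tmp" luks-data
    rm -f "$tmp"
}
demo
```

Review the printed result before copying it over /etc/crypttab, then run update-initramfs as in the steps above.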

Yubikey: private GPG key

Let’s use the private GPG key on the Yubikey (a tutorial on how to put it there is taken from
Heise or YubiKey-Guide). My public key is given in a file called
/home/$USER/.gnupg/public.asc:

sudo systemctl enable pcscd
sudo systemctl start pcscd
# Insert yubikey
gpg --card-status
cd ~/.gnupg
gpg --import public.asc #this is my public key, my private one is on my yubikey
export KEYID=91E724BF17A73F6D
gpg --edit-key $KEYID
# at the interactive gpg> prompt, enter the following four lines:
trust
5
y
quit
echo "This is an encrypted message" | gpg --encrypt --armor --recipient $KEYID -o encrypted.txt
gpg --decrypt --armor encrypted.txt
# If this did not trigger to enter the Personal Key on your Yubikey, then try to put
# echo 'reader-port Yubico YubiKey' >> ~/.gnupg/scdaemon.conf
# reboot and try again. Make sure to enable pcscd.

Auto-login

Now, as I have a fully encrypted luks system and am the sole user of my computer, I can
turn on automatic login in the settings, and afterwards disable the keyring manager by
setting a blank password on the login keyring.

sudo apt install -y seahorse

Open seahorse, right-click on login, change password, input an empty password. Lastly,
select autologin in gnome settings.

Apps

Snap support

Enable snap support

sudo apt install snapd

System utilities

arandr

In case my monitor settings need more tweaking:

sudo apt install -y arandr

Caffeine

A little helper in case my laptop needs to stay up
