OpenSUSE

Configuration

New computer tasks (for Leap 15.6):

Set hostname
Install pyenv, git, subversion, kernel-devel, minicom
Install ssh-agent service
Copy .bashrc, .inputrc, .vimrc to user+root
Set up x0vncserver and open firewall port via YaST

# Update packages
zypper -vvv refresh -f 
zypper update

# Delete obselete repositories
zypper lr -d
zypper rr <REPO_NUM>

# Install git, then pyenv
zypper install git
# See https://github.com/pyenv/pyenv/wiki#suggested-build-environment
curl https://pyenv.run | bash
...  # since /etc/profile sources .bashrc, just put it in there

# Install Docker
zypper install docker docker-compose
usermod -aG docker ...

# Set up SSH keys and SSH agent systemctl



# Note the group user (100)
//192.168.101.165/lightstick /mnt/lightstick cifs credentials=/home/user/.smbcredentials,uid=1000,gid=100,rw,hard,intr,fsc,async,file_mode=0644,dir_mode=0755 0 0

Use AutoFS for mounting instead of the static /etc/fstab. This allows for graceful disconnection (instead of hanging if share is disconnected).

/etc/auto.master

/mnt /etc/autofs.fileserver --timeout 60 --browse

/etc/autofs.fileserver

bitstream  -user,rw,hard,intr bitstream.quantum.nus.edu.sg:/workspace-int
lightstick  -fstype=cifs,credentials=/home/user/.smbcredentials,uid=1000,gid=100,rw,hard,intr,fsc,async,file_mode=0644,dir_mode=0755 ://192.168.101.165/lightstick

User management

New user is created via YaST (using sudo yast). For a new setup:

Add new user
Add to dialout (for tty access) and wheel (for sudo access)
Create public/private key pair
Root access by default governed by root password only, with any user in users group being able to access. Change this to user-based authentication by running sudo visudo and modify /etc/sudoers file according to the code block below.
Create root password with sudo passwd root

/etc/sudoers

...
## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

...
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL
justin ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL

Networking

Firewall defaults are as per usual, unless SSH needs to be disabled. For mesh networking, consider using Tailscale. Command to run Tailscale (and additionally accept subnet routes):

sudo tailscale up --accept-routes

Python

Python to be managed by pyenv as usual. The required build environment is reproduced in the zypper package installation step below:

> zypper install gcc automake bzip2 libbz2-devel xz xz-devel openssl-devel ncurses-devel \
readline-devel zlib-devel tk-devel libffi-devel sqlite3-devel make
> pyenv install 3.10.7
> pyenv versions
> pyenv global 3.10.7
> pip3 install matplotlib scipy numpy tqdm uncertainties pyserial requests pytest pandas jupyter

More updated...

pip3 install matplotlib scipy numpy tqdm uncertainties \
    pyserial requests requests-cache pandas arrow pre-commit

VNC

OpenSUSE Leap comes packaged with TigerVNC by default. Some documentation (the documentation on TigerVNC by Arch Linux looks useful):

Start server: Run vncserver to set session password and start server (goes from display :1, onwards). Password creation will generate ~/.vnc/passwd file (delete this file to reset the password).
Connect as client: The VNC server listens on port 5901 by default, can see via sudo lsof -nPi. To connect, run TigerVNC Viewer and connect to ip:port (can test locally with 127.0.0.1:5901)

vncviewer -passwd ~/.vnc/passwd 127.0.0.1:5901

Kill server: Run vncserver -kill :[DISPLAY_NUM].
Start server for :0 display: To pipe :0 contents (probably hosted with X0 or X11) to VNC server, run x0vncserver -passwordfile ~/.vnc/passwd -display :0.

Remote administration is available, i.e. login mechanism via login manager. But this is not natively built-in.

One typically uses an autostart script, with user holding read and execute permissions, to automatically enable the x0vncserver (for :0) and vncserver (for :1, etc.):

~/.config/autostart/x0vncserver.desktop

[Desktop Entry]
Name=x0vncserver
Comment=Remote access for display :0
Exec=x0vncserver -passwordfile /home/justin/.vnc/passwd -display :0
Terminal=false
Type=Application
StartupNotify=true

~/.config/autostart/vncserver.desktop

[Desktop Entry]
Name=vncserver
Comment=Remote access for display :1
Exec=/usr/bin/vncserver :1 -geometry 1280x720
Terminal=false
Type=Application
StartupNotify=true

For OpenSUSE 15.5

For OpenSUSE 15.6

vncserver is now integrated as a service.

echo ":1=<USER>" >> /etc/tigervnc/vncserver.users
echo "geometry=1920x1080" >> ~/.vnc/config
sudo systemctl enable --now vncserver@:1

Remember to also open firewall port.

Even better, configure this via YaST > Remote Administration.

May need to do:

vim /etc/firewall.d/config  # Backend=iptables

May need to set /etc/hostname directly to set static hostname, instead of being assigned by DHCP.

Flatpak and other software

Most proprietary codebases have binaries uploaded to FlatHub, whose packages can be managed using flatpak.

sudo zypper install flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

SynologyDrive can be installed from here as well, though the Linux varieties do not support online sync.

VLC might be available through here, since the official package distributed in one of OpenSUSE's repositories is outdated. Read the VLC article. New codes for video playback in VLC: zypper in vlc-codecs.

ffmpeg and zoom (using rpm package) could be installed as well. GIMP using flatpakref.

Comments

Some thoughts on OpenSUSE as of 2022-11-22, based on my limited experience in Ubuntu, Windows, and macOS. Important pros:

Built-in apps just work right out the box (albeit with some slight bugs). tigervnc server for instance is straightforward to enable.
Very sensible security defaults. For example, app downloads and adding repositories always verify GPG keys, something not entirely visible in Ubuntu.
Smaller nice designs:
- Built-in virtual displays, with widgets for comics and system statistics.

And for the blockers I've seen thus far:

Installing software outside of YaST / official repositories can be a hit or miss. Either support is not provided (many smaller softwares tend to focus solely on Ubuntu support) or the build chain is buggy and resources to debug are difficult to find (e.g. build libraries going by different names).
- Example software are: terminator, and others.
- Security likely because software is relatively old (and stable)
Connecting to remote network: Using :1 VNC display seems to be buggy w.r.t. accessing remote network files (cannot read via SFTP, constantly polls SSH server with invalid credentials), difficulties connecting to a SAMBA file server on an RTO-6 oscilloscope
Smaller software-level issues:
- Firefox cannot open on two separate VNC instances. Same applies to vscode.
- Login manager cannot change wallpaper - this is surprisingly hardcoded.
- Connecting to a network printer was a pain.
- Dolphin cannot handle drag-and-drop contexts to web browsers, and browsers cannot save files to remote locations.

Just fyi for CQT printer:

Missing kernel signing keys

If encountering the error .kernel_signing_key.pem not found, this probably means the kernel updater did not supply a signing key for modules along with it. DIY time!

user:~$ cd /usr/src/linux-5.14.21-150500.55.59/certs
user:~$ vim x509.genkey 
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
 
[ req_distinguished_name ]
CN = Modules
 
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
 
user:~$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform PEM -out signing_key.cert.pem -keyout signing_key.key.pem
user:~$ cat signing_key.key.pem signing_key.cert.pem > ../.kernel_signing_key.pem

Repository management

Because repository refreshing can be rather slow, would be good to disable/delete invalid or outdated repositories.

# List repositories with base URL
zypper repos -u

# Add repositories
# or alternatively, with -gf for GPG checks and autorefresh
# Note if URL does not use HTTPS, then zypper may indicate repo is outdated
zypper ar {{URL}} {{NAME}}
zypper ar -gf {{URL}} {{NAME}}

# Remove repositories
zypper rr {{NAME_OR_SERIAL}}