Friday, October 10, 2025

Debian 13: Configure NVidia in dual gpu - hybrid mode and how to utilize it in Android Studio

List your VGA: 

# lspci | grep -E "VGA|3D"
01:00.0 VGA compatible controller: NVIDIA Corporation GA107 [GeForce RTX 2050] (rev a1)
05:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Rembrandt [Radeon 680M] (rev 0b)

Installation

# apt-get install firmware-nvidia-graphics nvidia-detect nvidia-driver linux-headers-$(uname -r) vulkan-tools

Warning "Conflicting nouveau kernel module loaded" may appear.

Check your nvidia

# nvidia-detect
Detected NVIDIA GPUs:
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GA107 [GeForce RTX 2050] [10de:25ad] (rev a1)

Checking card:  NVIDIA Corporation GA107 [GeForce RTX 2050] (rev a1)
Your card is supported by all driver versions.
Your card is also supported by the Tesla 535 drivers series.
It is recommended to install the
    nvidia-driver

Check your NVIDIA software

# nvidia-smi
Fri Oct 10 23:07:14 2025       
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 550.163.01             Driver Version: 550.163.01     CUDA Version: 12.4     |
|-----------------------------------------+------------------------+----------------------+
| GPU  Name                 Persistence-M | Bus-Id          Disp.A | Volatile Uncorr. ECC |
| Fan  Temp   Perf          Pwr:Usage/Cap |           Memory-Usage | GPU-Util  Compute M. |
|                                         |                        |               MIG M. |
|=========================================+========================+======================|
|   0  NVIDIA GeForce RTX 2050        On  |   00000000:01:00.0 Off |                  N/A |
| N/A   40C    P0              7W /   45W |       9MiB /   4096MiB |      0%      Default |
|                                         |                        |                  N/A |
+-----------------------------------------+------------------------+----------------------+

Note: run glxinfo in "xfce terminal", not "terminal emulator"  

GLX information

$ glxinfo | grep "OpenGL renderer"
OpenGL renderer string: AMD Radeon 660M (radeonsi, rembrandt, LLVM 19.1.7, DRM 3.61, 6.12.31-amd64)

The desktop will use the AMD GPU; we want to run Android Studio on the GeForce RTX 2050. Create a bash script that launches Android Studio on the NVIDIA GeForce RTX 2050 instead of the built-in AMD GPU, e.g.:

#!/bin/bash
# Launch Android Studio using the NVIDIA GPU (Prime Render Offload)

APP_PATH="$HOME/AndroidStudio/android-studio/bin/studio.sh"

if [ ! -f "$APP_PATH" ]; then
    echo "Error: Android Studio not found at $APP_PATH"
    exit 1
fi

# Run Android Studio with NVIDIA GPU offload
__NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia "$APP_PATH" &

Useful command if there is any systemd error during boot:

# journalctl -b -u systemd-modules-load.service


Using nextdns.io as parental control for home user


Thursday, October 9, 2025

Debian 13: part 2 configure privoxy and torrc as lan https gateway to anonymity Tor Network

Prerequisite: Debian 13: part 1 install Tor-Project, completed without error.

General network configuration 

Internet --- router --- LAN --- proxy (Tor)

All clients have a direct connection to the internet via the router. A client's browser can be configured to use the Tor proxy for anonymity.

The browser's connection becomes: [Client PC] --> [Debian Server - Tor & Privoxy] --> (WAN/Router) --> Internet (via Tor)

Privoxy is your https proxy. Privoxy connects to the Tor software, and Tor finds a route to the destination through the Tor anonymity network.

Debian proxy

Install privoxy

# apt-get install privoxy

Edit or add your /etc/privoxy/config : 

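# listening port for your lan
# (0.0.0.0 listens on every interface; use the server's LAN IP,
#  e.g. 192.168.1.10:8118, to keep the proxy reachable from the LAN only)
listen-address  0.0.0.0:8118
# connection to tor software, privoxy and torrc run on the same server/pc
# (the trailing "." means no further HTTP parent proxy and is required)
forward-socks5t / 127.0.0.1:9050 .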

Edit or add your /etc/tor/torrc :

# Change "myNiceRelay" to something you like
Nickname    myNiceRelay
# Write your e-mail and be aware it will be published
ContactInfo your@e-mail
# for relay, 0 disable
ORPort      0
# for exit relay, 0 disable
ExitRelay   0
# bind to 127.0.0.1 so Tor's SOCKS port is reachable only by localhost / privoxy
# (current Tor takes the address in SocksPort; SocksListenAddress is obsolete)
# comment this out if you allow the LAN to reach Tor directly
SocksPort 127.0.0.1:9050
# uncomment these to allow the LAN to reach Tor directly
#SocksPort 192.168.1.1:9050
#SocksPolicy accept 192.168.1.0/24
#SocksPolicy reject *

Enable your privoxy and tor services

# systemctl enable tor
# systemctl enable privoxy
# systemctl restart tor
# systemctl restart privoxy

Client Browser

Open your browser settings and find the proxy section. Fill in:

HTTP Proxy: 192.168.1.10
Port: 8118 

Note: change 192.168.1.10 to the LAN IP of your Debian server.

Now your clients can browse through the Tor anonymity network.
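A way to confirm where both services actually listen after the restart, as an added example that is not part of the original post. It assumes the ports 9050 and 8118 and the server IP 192.168.1.10 used above; the function name check_listeners and the sample input are constructed.

```bash
#!/bin/bash
# Added example: audit where the gateway's Tor and Privoxy ports listen.
# Reads `ss -Hltn` output on stdin (field 4 is Local-Address:Port).
# Usage: check_listeners TOR_PORT PRIVOXY_PORT LAN_IP < ss-output
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_listeners() {
    awk -v tor="$1" -v prv="$2" -v lan="$3" '
    {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        gsub(/\[|\]/, "", addr)                # [::1] becomes ::1
        sub(/%.*/, "", addr)                   # drop a %iface suffix
        if (port == tor) {
            seen_tor = 1
            if (addr != "127.0.0.1" && addr != "::1") {
                print "tor SOCKS port " port " is reachable on " addr; bad = 1
            }
        }
        if (port == prv) {
            seen_prv = 1
            if (addr != lan && addr != "127.0.0.1") {
                print "privoxy port " port " is bound to " addr ", not only " lan; bad = 1
            }
        }
    }
    END {
        if (!seen_tor) { print "nothing listens on tor port " tor; bad = 1 }
        if (!seen_prv) { print "nothing listens on privoxy port " prv; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: what `ss -Hltn` shows with listen-address 0.0.0.0:8118
# and Tor's SOCKS port on loopback.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8118 0.0.0.0:*'
printf '%s\n' "$SAMPLE_SS" | check_listeners 9050 8118 192.168.1.10 || true

# On the gateway itself:
#   ss -Hltn | check_listeners 9050 8118 192.168.1.10
```
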

Debian 13: part 1 install Tor-Project

The Tor Project's repository only supports the amd64, arm64, or i386 architectures.

# dpkg --print-architecture
amd64

Install apt-transport-https

# apt install apt-transport-https gnupg

Add the Tor Project repository to the Debian machine

  1. Create a new file in /etc/apt/sources.list.d/ named tor.list
  2. Fill /etc/apt/sources.list.d/tor.list with:
    deb     [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org trixie main
    deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org trixie main

Currently, the Tor repository only supports bookworm, bullseye and trixie.

Add gpg key for Tor Project's repository 

# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null

If the .asc file does not exist, open https://deb.torproject.org/torproject.org/ in your browser. It shows the directory listing of /torproject.org. Find the file whose name ends in .asc, copy the file name, and replace A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc with the new one.
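A check for the keyring written by the wget command above, as an added example that is not part of the original post. It assumes the expected fingerprint is the one in the key file name on this page; the function name verify_keyring_fpr and the sample records are constructed.

```bash
#!/bin/bash
# Added example: confirm a keyring holds exactly one primary key and that
# its fingerprint is the expected one. Input is the output of
# `gpg --show-keys --with-colons`, where a primary key is a "pub" record
# followed by an "fpr" record whose 10th field is the fingerprint.
# Usage: verify_keyring_fpr EXPECTED_FPR < colon-output   (returns 0 on match)
verify_keyring_fpr() {
    awk -F: -v want="$1" '
        $1 == "pub" { after_pub = 1; next }
        $1 == "sub" { after_pub = 0; next }
        $1 == "fpr" && after_pub {
            primaries++
            if (toupper($10) == toupper(want)) matched = 1
            after_pub = 0
        }
        END { exit !(primaries == 1 && matched) }'
}

# Fingerprint taken from the key file name used on this page.
TOR_FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

# Constructed sample records (only the record type and the fingerprint
# field are meaningful here; every other field is a placeholder).
SAMPLE_COLONS='pub:-:0:0:EE8CBC9E886DDD89:0:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::0::0::Constructed Example Key:
sub:-:0:0:0000000000000000:0:
fpr:::::::::0000000000000000000000000000000000000000:'

if printf '%s\n' "$SAMPLE_COLONS" | verify_keyring_fpr "$TOR_FPR"; then
    echo "keyring fingerprint OK"
else
    echo "keyring fingerprint MISMATCH"
fi

# On the real system:
#   gpg --show-keys --with-colons \
#       /usr/share/keyrings/deb.torproject.org-keyring.gpg \
#     | verify_keyring_fpr "$TOR_FPR"
```

If a different .asc file is substituted as described above, the expected fingerprint has to change with it, so take the new value from a source other than the download directory itself.
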

Install the Tor Project keyring package

# apt update
# apt install tor deb.torproject.org-keyring

Installing Tor

# apt install tor

 

Tuesday, October 7, 2025

Debian 13: general nftables with set for web server and router

This is a general nftables ruleset for Apache, SSH, DNS and NTP:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    # Set for common inbound web server ports
    set web_ports {
        type inet_service;
        flags interval;
        elements = { 80, 443 }
    }

    # Set for other essential services, like SSH, DNS, and NTP
    set services {
        type inet_service;
        elements = { 22, 53, 123 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Allow connections that are part of an existing or related session
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow traffic from the loopback interface
        iif "lo" accept

        # Allow incoming traffic for common web services
        tcp dport @web_ports accept

        # Allow incoming SSH, DNS, and NTP traffic
        tcp dport @services accept
        udp dport @services accept

        # Allow incoming ICMP (ping) packets for diagnostics
        icmp type echo-request accept

        # Log and drop any other incoming traffic (IPv4 and IPv6).
        # A vmap can only map to verdicts, so log is a separate statement.
        log prefix "[NFT-DROP]: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

This is an nftables ruleset for a general router

  • eth0 to internet/router
  • eth1 to lan 

Edit or create /etc/sysctl.conf (for example with nano):

net.ipv4.ip_forward=1

nftables rules

#!/usr/sbin/nft -f

# Clear all existing rules
flush ruleset

# --- Define variables for interfaces and networks ---
define wan_if = eth0
define lan_if = eth1
define lan_net = 192.168.1.0/24

# === Table for IPv4/IPv6 filtering ===
table inet filter {
    # Set for essential services (SSH, DNS, NTP)
    set essential_services {
        type inet_service;
        elements = { 22, 53, 123 }
    }

    # Set for web server ports
    set web_ports {
        type inet_service;
        flags interval;
        elements = { 80, 443 }
    }

    # Set of trusted interfaces (LAN)
    set trusted_interfaces {
        type ifname;
        elements = { $lan_if }
    }

    # Set of untrusted interfaces (WAN)
    set untrusted_interfaces {
        type ifname;
        elements = { $wan_if }
    }

    # --- INPUT chain: Controls traffic destined for the router itself ---
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept packets that are part of an established or related connection
        ct state established,related accept

        # Drop any packets with an invalid connection state
        ct state invalid drop

        # Allow traffic from the loopback interface
        iif "lo" accept

        # Allow all traffic from the trusted LAN interfaces
        iifname @trusted_interfaces accept

        # Allow incoming SSH, DNS, and NTP from the internet (rate limited)
        iifname @untrusted_interfaces tcp dport @essential_services limit rate 10/minute accept
        iifname @untrusted_interfaces udp dport @essential_services limit rate 10/minute accept

        # Allow incoming web traffic (Apache) from the internet
        iifname @untrusted_interfaces tcp dport @web_ports accept

        # Allow ICMP (ping) from the internet, but rate-limit it
        iifname @untrusted_interfaces icmp type echo-request limit rate 5/second accept

        # Log and drop everything else coming from untrusted interfaces
        iifname @untrusted_interfaces log prefix "NFT-INET-DROP: "
        iifname @untrusted_interfaces drop

        # Catch-all log and drop for other incoming traffic
        log prefix "NFT-INPUT-DROP: "
        drop
    }

    # --- FORWARD chain: Controls traffic passing *through* the router ---
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Accept packets that are part of an established or related connection
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow outbound traffic from the LAN to the internet
        iifname @trusted_interfaces oifname @untrusted_interfaces accept

        # Log and drop any other forwarded traffic
        log prefix "NFT-FORWARD-DROP: "
        drop
    }

    # --- OUTPUT chain: Controls traffic originating from the server ---
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# === NAT table for IPv4 (needed for internet access from LAN) ===
table ip nat {
    # --- PREROUTING chain: Used for incoming traffic before routing ---
    chain prerouting {
        type nat hook prerouting priority 0;

        # Example: Port forward incoming web traffic from the internet to a specific LAN machine
        # iifname $wan_if tcp dport { 80, 443 } dnat to 192.168.1.100
    }

    # --- POSTROUTING chain: Used for outgoing traffic after routing ---
    chain postrouting {
        type nat hook postrouting priority 100;

        # Masquerade traffic leaving the internet interface
        oifname $wan_if masquerade
    }
}
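To make use of the log prefixes defined in both rulesets above, the following added example (not part of the original post) counts dropped packets per prefix, source address and destination port. The function name summarize_drops and the sample log lines are constructed; the addresses come from documentation ranges.

```bash
#!/bin/bash
# Added example: summarise packets logged by the "log prefix" rules above.
# Reads kernel log lines on stdin and prints
#   COUNT PREFIX SRC PROTO/DPT
# sorted by count, highest first. Lines without an NFT-...DROP prefix are ignored.
summarize_drops() {
    awk '
    match($0, /NFT-[A-Z-]*DROP/) {
        tag = substr($0, RSTART, RLENGTH)
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[tag " " src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample log lines in the format the kernel writes for nftables log rules.
SAMPLE_LOG='Oct  7 21:14:03 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51514 DPT=23 SYN
Oct  7 21:14:04 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51515 DPT=23 SYN
Oct  7 21:14:06 gw kernel: NFT-INET-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51516 DPT=23 SYN
Oct  7 21:15:10 gw kernel: NFT-FORWARD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.100 LEN=60 PROTO=TCP SPT=40000 DPT=3389 SYN
Oct  7 21:15:11 gw kernel: [NFT-DROP]: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=70 PROTO=UDP SPT=40100 DPT=161
Oct  7 21:15:12 gw sshd[812]: Connection closed by 203.0.113.7 port 51520'

printf '%s\n' "$SAMPLE_LOG" | summarize_drops

# On the firewall itself:
#   journalctl -k | summarize_drops
```
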