ThinkPad Setup

The daily-driver dev box. Ubuntu 24.04 on a ThinkPad T14s. Where you write code, edit docs, push to GitHub, ssh to bastion. Set up pre-Phase-1 (Stage 3 of Start Here checklist).

The ThinkPad is the client side of the homelab — the surface you actually type on. Proxmox runs the platform; the ThinkPad runs your editor, your terminal, your browser, and the SSH session that reaches the bastion. Every commit to basecamp, every kubectl apply, every weekly log entry originates here.

It lands pre-Phase-1 as Stage 3 of the Start Here checklist, after Proxmox + bastion are reachable. By keeping the dev environment on Linux (matching the bastion and most server-side tooling), you avoid the cross-platform friction that turns Phase 1 (OS Foundations) into a “fight my own laptop” exercise. The Master Plan reading order assumes this box is alive when Phase 1 opens.

Languages and toolchains land as phases need them — don’t pre-install everything Day 1. The table below is the schedule.

Hardware

ThinkPad T14s (any recent gen with 16GB+ RAM). Linux-friendly; long battery; trackpoint. The “engineer’s laptop” archetype.

OS install

Ubuntu 24.04 LTS Desktop. Reasons:

Apt-based (matches bastion + most server-side work)
LTS = stable for 5 years
Wayland default in 24.04 (fewer X11 quirks)

Username:   abukix
Hostname:   thinkpad
Encryption: full-disk LUKS (always)
Timezone:   Asia/Manila (or wherever)

Essential packages (Day 1)

# Update
sudo apt update && sudo apt upgrade -y

# Dev essentials
sudo apt install -y \
  git curl wget jq tree htop tmux vim \
  build-essential pkg-config \
  ca-certificates gnupg lsb-release

# Network tools (Phase 2)
sudo apt install -y \
  net-tools dnsutils traceroute mtr-tiny iperf3 \
  nmap tcpdump tshark whois

# Containers (Phase 6)
sudo apt install -y docker.io docker-compose-v2
sudo usermod -aG docker $USER
# logout/login for group to apply

# Process / system tools (Phase 1)
sudo apt install -y \
  strace lsof psmisc \
  bpftrace bpfcc-tools

# Editor
sudo snap install --classic code   # VS Code; or use nvim via apt

SSH config

~/.ssh/config for ergonomic access to homelab:

Host bastion
  HostName 192.168.0.10
  User ubuntu
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 60
  ForwardAgent no

Host pve
  HostName 192.168.0.50
  User root
  IdentityFile ~/.ssh/id_ed25519
  ServerAliveInterval 60

# Jump-via-bastion (for K3s VMs once they exist)
Host k3s-*
  ProxyJump bastion
  User ubuntu
  IdentityFile ~/.ssh/id_ed25519

Generate SSH key (Phase 0 prerequisite):

ssh-keygen -t ed25519 -C "abukix@thinkpad" -f ~/.ssh/id_ed25519
# add public key to bastion (already in proxmox.md) + GitHub

ForwardAgent no is deliberate — agent forwarding to a host means anyone with root on that host can use your keys. The ProxyJump pattern is the safer alternative for reaching K3s VMs through the bastion.

Languages + toolchains

Install when each phase first needs them. Don’t pre-install everything Day 1 — let phases drive what lands on the ThinkPad.

Tool	Phase that needs it	Install
Python 3.12+	Y1 P1	`sudo apt install python3-full python3-venv`
`uv` (Python pkg manager)	Y1 P4	`curl -LsSf https://astral.sh/uv/install.sh \| sh`
`ruff` (Python linter)	Y1 P4	`uv tool install ruff`
Go 1.23+	Y1 P5	from go.dev/dl (apt’s Go is often stale)
`golangci-lint`	Y1 P5	from github.com/golangci/golangci-lint
Docker / Podman	Y1 P6	apt above
`kubectl`	Y1 P7	`sudo snap install kubectl --classic`
`helm`	Y1 P7	`curl https://baltocdn.com/helm/...`
`argocd` CLI	Y1 P7	from github.com/argoproj/argo-cd
`terraform` (or `tofu`)	Y2 P9	from hashicorp.com or opentofu.org
`aws-cli`, `gcloud`	Y2 P10-11	per cloud’s install guide

Shell + dotfiles

Use whatever shell you’re comfortable with (zsh + oh-my-zsh, bash + plain, fish — all fine). Don’t over-invest in shell config Day 1; you’ll iterate.

Recommended dotfile repo structure (private):

github.com/abukix/dotfiles (private)
  ├── .zshrc / .bashrc
  ├── .gitconfig
  ├── .ssh/config (without keys)
  ├── .tmux.conf
  └── install.sh

Tailscale (for remote access)

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Add bastion + Proxmox host + ThinkPad + MacBook to your tailnet. Now you can SSH to bastion from anywhere on Earth.

Tailscale ACLs let you scope which device can reach which — worth configuring once (in the admin console) so a compromised laptop can’t reach the Proxmox web UI.

Daily workflow

Morning:
  ssh bastion    # work happens on bastion / homelab
  vs code        # edit docs locally, sync via git

Anytime:
  Open ROOT in VSCode
  Open ops-handbook in another window
  Open basecamp / current-phase project in a third

Sunday:
  Write the weekly log (~20 min)
  Review the phase status (~10 min)
  Commit + push everything

The Sunday log is the load-bearing habit (see Master Plan, time budget). Everything else can flex.

Troubleshooting

Symptom	Likely cause	Fix
Wayland app glitchy	mixed X11/Wayland	use Wayland-native version or fall back
Battery drain on suspend	Wakelocks (USB device)	check `dmesg` post-resume
Docker permission denied	not in `docker` group	logout/login after `usermod -aG docker $USER`
Tailscale won’t start	systemd service failed	`sudo systemctl status tailscaled`; check logs

Cross-references

proxmox.md — what bastion expects from your client
macbook-setup.md — secondary / travel machine
Phase 1 prereqs: Year 1 Phase 1
Phase 7 (K8s on the homelab): Year 1 Phase 7