Abstractly.
There is some software that needs X’s.
Download, install, launch - enjoy.
But here’s the problem: I don’t want to run software (absolutely everything that is not included in the standard debian repository.) like this on:

1. My HOST.
2. From my user.
3. Under my user’s Xorg.
4. Allow into my networks, including 127.0.0.0

In addition, a browser for regular web surfing and a browser for client banking are not the same browser, user, and sometimes even system.
We will not consider points 1, 2, 4 now; we will talk about X.

In debian, with standard system settings, LightDM is used as the default display manager.
You can enable listen tcp in it, but it runs Xorg processes as root.
In gdm3, on the contrary, by default, it launches Xorg from the user who logs into the environment, but the ability to enable listen tcp was broken.
More precisely, they left the ability to disable nolisten tcp,
but not enable listen tcp.

To do this, you need to edit the wrapper over X.

We have a laptop with intel wifi onboard which sometimes failed due to overheating, or due to long-term uptime, or channel load / pps, or whatever.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

[2250886.567817] ieee80211 phy0: Hardware restart was requested
[2250886.602451] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250886.899471] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250887.042217] iwlwifi 0000:24:00.0: Microcode SW error detected.  Restarting 0x2000000.
[2250887.042225] iwlwifi 0000:24:00.0: Loaded firmware version: 18.168.6.1 6000g2a-6.ucode
[2250887.042348] iwlwifi 0000:24:00.0: Start IWL Error Log Dump:
[2250887.042349] iwlwifi 0000:24:00.0: Status: 0x0000004C, count: 6
[2250887.042482] iwlwifi 0000:24:00.0: Start IWL Event Log Dump: nothing in log
[2250887.042486] iwlwifi 0000:24:00.0: BUG_ON, Stop restarting
[2250887.128058] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128063] wlan0: failed to remove key (0, 01:11:88:ab:2c:99) from hardware (-5)
[2250887.128112] iwlwifi 0000:24:00.0: iwl_trans_wait_tx_queues_empty bad state = 0
[2250887.128132] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128133] wlan0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-5)
[2250887.228460] iwlwifi 0000:24:00.0: Request scan called when driver not ready.
[2250902.567848] iwlwifi 0000:24:00.0: Command REPLY_RXON failed: FW Error
[2250902.567857] iwlwifi 0000:24:00.0: Error clearing ASSOC_MSK on BSS (-5)
[2250902.587425] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250902.637530] iwlwifi 0000:24:00.0: Command COEX_PRIORITY_TABLE_CMD failed: FW Error
[2250902.637535] iwlwifi 0000:24:00.0: Could not complete ALIVE transition: -5
[2250902.649786] iwlwifi 0000:24:00.0: Failed to run INIT ucode: -5
[2250902.649819] iwlwifi 0000:24:00.0: Unable to initialize device.
[2250960.530138] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250960.665000] iwlwifi 0000:24:00.0: Unable to initialize device.

Basic or simple option just reboot system. But when (always) you have million open windows and million shell tabs with runned scripts over mounted partitions, it’s not a vary good option.

Installing and configuring an unprivileged lxc container with uid/gid offset.

1

LANG=C SUITE=bookworm MIRROR=https://ftp.debian.org/debian/ lxc-create --name=unprivileged-lxc --template=debian

Let’s add additional subuids/subgids for the root user.

1
2
3
4
5

usermod --add-subuids 200000-265535 root
usermod --add-subgids 200000-265535 root
# to remove subgroups
# usermod --del-subuids 200000-265535 root
# usermod --del-subgids 200000-265535 root

Storing cryptsetup headers separately has some advantages, firstly, without them, the block device itself is a set of Entropy, from which it is impossible to determine the type of partition / encryption / device.
Secondly, it is a small file that can be easily backed up without using dd.

Simple cheat sheet

Generate a password.

1

cat /dev/urandom | tr -dc '[[:print:]]' | fold -w 256 | sed 's/ //g' | fold -w128 | head -n 1

Required packages apt install fontforge и pip install fonttools.

Let’s decide on the necessary glyphs: we need Latin, Cyrillic, special characters, including some Greek symbols (ΣΩαβγμ), Greek analogues that are similar in style but have different codes (∆∑µ), and a few more that can be used somewhere in the text or as elements to replace graphics (♪♫♬).

Why are there multiple variants of similar glyphs with different codes?

Because the µ (mu U+00b5) symbol and the Greek letter μ (mu U+03bc) in extended fonts can have their own glyph with different shapes, or, conversely, a common glyph, where similar characters in shape refer to the same glyph. Or, for example, the Greek Σ (Sigma U+03a3) is not the same as the symbol ∑ (summation U+2211).
But perhaps these symbols look the same on your screen.