These instructions can be followed after having X11 up and running as per the instructions in the second part of the Debian installation series, or at any time if you are running a different distribution and are just changing your network environment.
I first saw the idea of running networking through pfSense discussed in this series of posts [1] by Manuel Timita and in this Linux-specific post [2] by Radovan Brezular. Many thanks to both of them for sharing their experiences and configuration.
At the end of the minimal installation instructions we ended up with a bare-bones Debian installation, where we can now log in as root with the password that was entered as part of the installation.
A normal user account should be created. I personally set things up so that my normal user account is uid/gid 1000 and add other groups to it; the uid/gids can of course be changed as needed.
The following instructions assume that the installation will be of the stable version of Debian in a bare-metal configuration using legacy boot for maximum compatibility. If a dual/multi-boot setup is required, you might want to follow a different guide to set up your partitions and continue from the installation instructions after the partitioning step.
The installation instructions were written when Debian Jessie was the current stable release. They have also been followed for Debian Stretch, and they might also work for later releases; let me know if that is the case and you are installing some other Debian release using them.
Security decisions should not be made in isolation but should be taken in response to specific threat scenarios as there is no such thing as a completely secure system that is capable of defending against any possible avenue of attack.
For my specific computing needs I am interested in protecting myself against the following threats:
- My computer being stolen while offline and the data it contains being accessed
- A web-based or software-based compromise causing a malware installation leading to botnet behavior or information exfiltration

I am not interested in protection against hardware attacks or attacks that require physical access to my running machine (like a two-pronged malware + theft attack), so it should be possible to create a set-up that fulfills these requirements without it being too cumbersome to use in practice.