fsfe-system-hackers/staff-laptop
15
1
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Linus Sehn
2022-10-07 12:35:45 +02:00
parent 52c8c98bbe
commit a7e161256e
2 changed files with 155 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
README.md
View File

@@ -35,20 +35,170 @@ git clone https://git.fsfe.org/fsfe-system-hackers/staff-laptop.git
Finally, execute the Ansible playbook on the target host by running:
```shell
cd staff-laptop # Navigate to repository
ansible-playbook -K -v playbook.yml # When queried for 'BECOME password', enter user password
cd staff-laptop # Navigate to repository
```
and then the following command:
```shell
ansible-playbook -K -v playbook.yml # When queried for 'BECOME password', enter your user password
```
This installs all packages commonly used by FSFE staff. This operation will take
a while. When it has completed successfully, reboot the computer.
## Further configuration
## Employee configuration
Now that all the needed packages are installed, some further manual
configuration is needed.
### E-mails with Thunderbird
Our current email setup is somewhat involved. You **receive** emails on your
`<username>@fsfe.org` address at the email address you specified at
https://my.fsfe.org as your for 'Primary email'. If you are a staffer at the
FSFE, it is likely that we already created a paid account for you at
https://mailbox.org which is a German email provider we trust. A username and
password will have been provided to you when you received your laptop. Please
make sure you can login at https://mailbox.org with these credentials. Next,
please open Thunderbird and use the same credentials to setup your email
account. [This
article](https://kb.mailbox.org/en/private/e-mail-article/setup-with-mozilla-thunderbird)
might help you do that.
If you want to be able to send mails from your `<username>@fsfe.org` email
address from Thunderbird, you need to add a second identity.
For this follow the steps below:
1. Right click on your account in the sidebar on the left like
`username@domain.de` and choose **Settings** in the dropdown.
2. Under **Outgoing Server (SMTP)** you will find the menu for **Manage
Identities**, click on it
3. A new menu will open. Choose **Add**
4. Fill out all the information required. In the field email address put in
your fsfe-mail (`<username>@fsfe.org`). Also the
reply-mail should be (`<username>@fsfe.org`). The
outgoing-mailserver is `mail.fsfe.org` and the port number `587`. Connection
security is `STARTTLS`. The username and password are the same that you use
on https://my.fsfe.org.
### Matrix chat with Element
### Password management with KeepassXC (personal) Passbolt (organisation)
### File Sharing and Calendars with Nextcloud Desktop
Matrix is an important communication channel. Element (the client we suggest you
use to chat with the rest of us and everybody else who uses matrix) should
already be installed on your machine. Alternatively, you can always use the web
frontend provided at https://chat.fsfe.org. Again, you login with the same
credentials that work on https://my.fsfe.org. Make sure that the homeserver is
set to `matrix.fsfe.org`. Otherwise this will not work.
![Matrix Login Page](./img/matrix.png)
Once you are logged in you can ping me (`@linus:fsfe.org`) or matthias
(`@mk:fsfe.org`) so that one of us can add you to the Staff room or any other
room that is access-restricted.
Next, you should read the [Element User Guide](https://element.io/user-guide).
You can skip the 'Onboarding' chapter as you have already successfully logged
in. Please pay particular attention to the chapter 'Secure backup' and make sure
you have a way to recover your encrypted chats should you lose your computer.
Another thing that might help is setting up Element on another device and
verifying this new device. Please refer to the aforementioned user guide before
reaching out for somebody to help.
### Backups with Vorta
### Password management
Your credetials are very important ant you should most certainly not have to
manage all of them in your head.
#### Passbolt (organisation)
[Passbolt](https://passbolt.com/) is a Free Software password storage and
management service. The FSFE's installation is on
[pass.fsfe.org](https://pass.fsfe.org/) and available to people who are
concerned with sensible passwords used by multiple people in various teams. It
is a web-based service, but uses GPG in the background that encrypts all
passwords securely.
The basic idea is that every user creates a new GPG key upon registration, only
used by Passbolt. The secret key will be stored within a browser add-on. Every
password a user has access to will be encrypted with this key.
The deployment code is [here](https://git.fsfe.org/fsfe-system-hackers/passbolt).
##### Initial Setup
If you belong to the group of people who should have access to a selection of
these passwords, you will be invited via email. Then follow these steps
carefully, as the security of the passwords and your access depends on it:
1. Click on the "get started" button in the e-mail you received from passbolt.
2. You will probably be asked to install the Passbolt Extension in your browser.
It is available for Firefox and Chromium. If you are done, reload the page.
3. You will be asked to verify the server's data. Make sure that you see
https://pass.fsfe.org as domain and `4E477C5EA50C5CA2DF941805C438739EE8F30B36`
as server key. Tick the confirmation box if applicable and click "Next"
4. You will now create your own dedicated GPG for Passbolt. You don't need to
provide more data, just click "Next"
5. Enter a secure passphrase for your new key. **Please store it safely**!
6. In the next step, you have to download the generated key. This is only
possible now, and nobody can recover it! **Download it and store it
securely**!
7. As an additional security layer, you can generate a token. Set a colour you
like, and memorise it as well as its 3-character representation. It will be
shown next to the login and other password fields. If it's different than
what you set initially, you will know that the server is not legitimate and
somebody is interfering. Please contact your technical contact at the FSFE
immediately.
8. Now you can log in with your passphrase. Next to the password field, you will
see the security token.
Please note that your key is saved within your browser inside the extension, so
it is bound to this device and browser. If you ever change browsers or want to
set up another device, it is possible to import the key you've saved earlier.
If you're done, inform your happy technical contact at the FSFE, and ask to be
added to the respective groups you should have access to.
## Usage
To **view** a password:
1. Visit the service website.
2. Afterwards, you will see your email and be able to enter the password of
your key (not you general FSFE password). Please check the colour/text token
next to the password field.
3. You will see all passwords you have access to. You can filter via the groups
on the left, or search for a password.
4. In your browser, you can also click on the Passbolt extension to search
within it directly. This may a neat shortcut for you.
To **add** a new password:
1. Click on the blue "Create" button
2. Enter a meaningful name, URL, user & password, and a description if
necessary
3. Select this password and share it with the group it belongs to. Please set
it as the owner ("is owner") to make the passwords not depend on individual
users.
As of now, there are not classical folders but only a flat list of passwords,
separated into groups. A folder feature is in passbolt's pipeline though.
#### KeepassXC (personal)
If you prefer an offline password manager, this playbook installs one called
[KeepassXC](https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_interface_overview)
including its [web
extension](https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_setup_browser_integration)
for Firefox. The two links in the last sentence should provide all the
information you need to setup and manage your offline password store using
KeepassXC.
### Nextcloud
#### File Sharing with Nextcloud Sync Assistant
#### Set up calendars

BIN
img/matrix.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 158 KiB