diff --git a/README.md b/README.md index 69369a4..6679fb2 100644 --- a/README.md +++ b/README.md 
@@ -35,20 +35,170 @@ git clone https://git.fsfe.org/fsfe-system-hackers/staff-laptop.git Finally, execute the Ansible playbook on the target host by running: ```shell -cd staff-laptop # Navigate to repository -ansible-playbook -K -v playbook.yml # When queried for 'BECOME password', enter user password +cd staff-laptop # Navigate to repository +``` + +and then the following command: + +```shell +ansible-playbook -K -v playbook.yml # When queried for 'BECOME password', enter your user password ``` This installs all packages commonly used by FSFE staff. This operation will take a while. When it has completed successfully, reboot the computer. -## Further configuration +## Employee configuration Now that all the needed packages are installed, some further manual configuration is needed. ### E-mails with Thunderbird + +Our current email setup is somewhat involved. You **receive** emails on your +`@fsfe.org` address at the email address you specified at +https://my.fsfe.org as your for 'Primary email'. If you are a staffer at the +FSFE, it is likely that we already created a paid account for you at +https://mailbox.org which is a German email provider we trust. A username and +password will have been provided to you when you received your laptop. Please +make sure you can login at https://mailbox.org with these credentials. Next, +please open Thunderbird and use the same credentials to setup your email +account. [This +article](https://kb.mailbox.org/en/private/e-mail-article/setup-with-mozilla-thunderbird) +might help you do that. + +If you want to be able to send mails from your `@fsfe.org` email +address from Thunderbird, you need to add a second identity. + +For this follow the steps below: + +1. Right click on your account in the sidebar on the left like + `username@domain.de` and choose **Settings** in the dropdown. +2. Under **Outgoing Server (SMTP)** you will find the menu for **Manage + Identities**, click on it +3. A new menu will open. Choose **Add** +4. 
Fill out all the information required. In the field email address put in + your fsfe-mail (`@fsfe.org`). Also the + reply-mail should be (`@fsfe.org`). The + outgoing-mailserver is `mail.fsfe.org` and the port number `587`. Connection + security is `STARTTLS`. The username and password are the same that you use + on https://my.fsfe.org. + ### Matrix chat with Element -### Password management with KeepassXC (personal) Passbolt (organisation) -### File Sharing and Calendars with Nextcloud Desktop + +Matrix is an important communication channel. Element (the client we suggest you +use to chat with the rest of us and everybody else who uses matrix) should +already be installed on your machine. Alternatively, you can always use the web +frontend provided at https://chat.fsfe.org. Again, you login with the same +credentials that work on https://my.fsfe.org. Make sure that the homeserver is +set to `matrix.fsfe.org`. Otherwise this will not work. + +![Matrix Login Page](./img/matrix.png) + +Once you are logged in you can ping me (`@linus:fsfe.org`) or matthias +(`@mk:fsfe.org`) so that one of us can add you to the Staff room or any other +room that is access-restricted. + +Next, you should read the [Element User Guide](https://element.io/user-guide). +You can skip the 'Onboarding' chapter as you have already successfully logged +in. Please pay particular attention to the chapter 'Secure backup' and make sure +you have a way to recover your encrypted chats should you lose your computer. +Another thing that might help is setting up Element on another device and +verifying this new device. Please refer to the aforementioned user guide before +reaching out for somebody to help. + ### Backups with Vorta + +### Password management + +Your credetials are very important ant you should most certainly not have to +manage all of them in your head. + +#### Passbolt (organisation) + +[Passbolt](https://passbolt.com/) is a Free Software password storage and +management service. 
The FSFE's installation is on +[pass.fsfe.org](https://pass.fsfe.org/) and available to people who are +concerned with sensible passwords used by multiple people in various teams. It +is a web-based service, but uses GPG in the background that encrypts all +passwords securely. + +The basic idea is that every user creates a new GPG key upon registration, only +used by Passbolt. The secret key will be stored within a browser add-on. Every +password a user has access to will be encrypted with this key. + +The deployment code is [here](https://git.fsfe.org/fsfe-system-hackers/passbolt). + +##### Initial Setup + +If you belong to the group of people who should have access to a selection of +these passwords, you will be invited via email. Then follow these steps +carefully, as the security of the passwords and your access depends on it: + +1. Click on the "get started" button in the e-mail you received from passbolt. +2. You will probably be asked to install the Passbolt Extension in your browser. + It is available for Firefox and Chromium. If you are done, reload the page. +3. You will be asked to verify the server's data. Make sure that you see + https://pass.fsfe.org as domain and `4E477C5EA50C5CA2DF941805C438739EE8F30B36` + as server key. Tick the confirmation box if applicable and click "Next" +4. You will now create your own dedicated GPG for Passbolt. You don't need to + provide more data, just click "Next" +5. Enter a secure passphrase for your new key. **Please store it safely**! +6. In the next step, you have to download the generated key. This is only + possible now, and nobody can recover it! **Download it and store it + securely**! +7. As an additional security layer, you can generate a token. Set a colour you + like, and memorise it as well as its 3-character representation. It will be + shown next to the login and other password fields. 
If it's different than + what you set initially, you will know that the server is not legitimate and + somebody is interfering. Please contact your technical contact at the FSFE + immediately. +8. Now you can log in with your passphrase. Next to the password field, you will + see the security token. + +Please note that your key is saved within your browser inside the extension, so +it is bound to this device and browser. If you ever change browsers or want to +set up another device, it is possible to import the key you've saved earlier. + +If you're done, inform your happy technical contact at the FSFE, and ask to be +added to the respective groups you should have access to. + +## Usage + +To **view** a password: + +1. Visit the service website. +2. Afterwards, you will see your email and be able to enter the password of + your key (not you general FSFE password). Please check the colour/text token + next to the password field. +3. You will see all passwords you have access to. You can filter via the groups + on the left, or search for a password. +4. In your browser, you can also click on the Passbolt extension to search + within it directly. This may a neat shortcut for you. + +To **add** a new password: + +1. Click on the blue "Create" button +2. Enter a meaningful name, URL, user & password, and a description if + necessary +3. Select this password and share it with the group it belongs to. Please set + it as the owner ("is owner") to make the passwords not depend on individual + users. + +As of now, there are not classical folders but only a flat list of passwords, +separated into groups. A folder feature is in passbolt's pipeline though. 
+ +#### KeepassXC (personal) + +If you prefer an offline password manager, this playbook installs one called +[KeepassXC](https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_interface_overview) +including its [web +extension](https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_setup_browser_integration) +for Firefox. The two links in the last sentence should provide all the +information you need to setup and manage your offline password store using +KeepassXC. + +### Nextcloud + +#### File Sharing with Nextcloud Sync Assistant + +#### Set up calendars diff --git a/img/matrix.png b/img/matrix.png new file mode 100644 index 0000000..9d6e510 Binary files /dev/null and b/img/matrix.png differ
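Review bot: the `## Usage` heading inside the Passbolt section jumps two levels above its parent `#### Passbolt (organisation)` and its sibling `##### Initial Setup`, so in the rendered README "Usage" becomes a top-level section and `#### KeepassXC (personal)` and `### Nextcloud` end up nested under it instead of under `### Password management`; use `##### Usage` to keep the hierarchy. In the same hunk, Passbolt step 3 asks the reader to verify the domain and the server key `4E477C5EA50C5CA2DF941805C438739EE8F30B36` but only says "Tick the confirmation box if applicable and click Next"; since this fingerprint check is what protects against a spoofed server, state explicitly, as step 7 already does for the security token, that the user must stop and contact the technical contact if the domain or key do not match rather than ticking the box anyway. Smaller wording fixes: `your for 'Primary email'` should read `as your 'Primary email'`; `Your credetials are very important ant you should` has two typos (`credentials`, `and`); `create your own dedicated GPG for Passbolt` is missing `key`; `This may a neat shortcut` is missing `be`; `there are not classical folders` should be `there are no classical folders`; and `ping me (`@linus:fsfe.org`)` reads oddly in a shared README, so name the person instead of "me". Finally, the new `### Backups with Vorta`, `#### File Sharing with Nextcloud Sync Assistant` and `#### Set up calendars` headings are added with no body text at all; either fill them in or mark them as to-do so a new staffer does not mistake an empty section for a step with nothing to do.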