
Setup for Staff Laptops

This repository contains all instructions alongside an Ansible playbook to set up staff laptops.

Installation of the OS

Currently, we use Debian Bullseye. Installation media are available in the Berlin office or can be downloaded and flashed onto a USB drive.

Once the install is completed via the graphical installer (please encrypt your hard drive), reboot the computer and continue below. Write down both the user password and the hard drive encryption passphrase on paper and hand this note to whoever will receive the computer. They should memorise both and then destroy the note.
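To confirm after the reboot that the root filesystem really sits on an encrypted device, the following check can be used. It is an added example, not part of this repository; it assumes the util-linux tools `findmnt` and `lsblk` and a root filesystem mounted from a plain block device path, and the function names and sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check that / is backed by LUKS/dm-crypt.

# Reads `lsblk -P` output on stdin. Succeeds if any device in the chain is a
# dm-crypt mapping (TYPE="crypt") or a LUKS container (FSTYPE="crypto_LUKS").
# The "(^| )" anchor keeps TYPE= from matching inside FSTYPE=.
chain_is_encrypted() {
    grep -Eq '(^| )TYPE="crypt"|(^| )FSTYPE="crypto_LUKS"'
}

# Lists the device mounted at / and every device below it (-s walks from the
# mounted device down to the physical disk), then applies the check above.
root_is_encrypted() {
    root_dev=$(findmnt -n -o SOURCE /) || return 2
    lsblk -s -n -P -o NAME,TYPE,FSTYPE "$root_dev" | chain_is_encrypted
}

# Constructed sample: LVM on LUKS, as produced by guided encrypted installs.
sample_encrypted() { cat <<'EOF'
NAME="vg-root" TYPE="lvm" FSTYPE="ext4"
NAME="sda3_crypt" TYPE="crypt" FSTYPE="LVM2_member"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS"
NAME="sda" TYPE="disk" FSTYPE=""
EOF
}

# Constructed sample: unencrypted root partition.
sample_plain() { cat <<'EOF'
NAME="sda2" TYPE="part" FSTYPE="ext4"
NAME="sda" TYPE="disk" FSTYPE=""
EOF
}

# Run with --check on the freshly installed laptop.
if [ "${1:-}" = "--check" ]; then
    if root_is_encrypted; then
        echo "root filesystem is on an encrypted device"
    else
        echo "root filesystem is NOT encrypted, reinstall before handover" >&2
        exit 1
    fi
fi
```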

Package installation via Ansible

First, install Ansible and Git on the target machine by running:

sudo apt install -y ansible git

Next, clone this repository into your home directory by running:

git clone https://git.fsfe.org/fsfe-system-hackers/staff-laptop.git

Finally, execute the Ansible playbook on the target host by running:

cd staff-laptop # Navigate to repository

and then the following command:

ansible-playbook -K -v playbook.yml  # When queried for 'BECOME password', enter your user password

This installs all packages commonly used by FSFE staff. This operation will take a while. When it has completed successfully, reboot the computer.

Employee configuration

Now that all the needed packages are installed, some further manual configuration is needed.

E-mails with Thunderbird

Our current email setup is somewhat involved. Emails sent to your <username>@fsfe.org address are delivered to the email address you specified at https://my.fsfe.org as your 'Primary email'. If you are a staffer at the FSFE, it is likely that we have already created a paid account for you at https://mailbox.org, which is a German email provider we trust. A username and password will have been provided to you when you received your laptop. Please make sure you can log in at https://mailbox.org with these credentials. Next, please open Thunderbird and use the same credentials to set up your email account. This article might help you do that.

If you want to be able to send mails from your <username>@fsfe.org email address from Thunderbird, you need to add a second identity.

For this follow the steps below:

  1. Right-click on your account in the sidebar on the left (it looks like username@domain.de) and choose Settings in the dropdown.
  2. Under Outgoing Server (SMTP) you will find the menu for Manage Identities. Click on it.
  3. A new menu will open. Choose Add.
  4. Fill out all the information required. In the email address field, enter your FSFE address (<username>@fsfe.org). The reply-to address should also be <username>@fsfe.org. The outgoing mail server is mail.fsfe.org and the port number is 587. Connection security is STARTTLS. The username and password are the same ones you use on https://my.fsfe.org.

Matrix chat with Element

Matrix is an important communication channel. Element (the client we suggest you use to chat with the rest of us and everybody else who uses Matrix) should already be installed on your machine. Alternatively, you can always use the web frontend provided at https://chat.fsfe.org. Again, you log in with the same credentials that work on https://my.fsfe.org. Make sure that the homeserver is set to matrix.fsfe.org. Otherwise this will not work.

Matrix Login Page

Once you are logged in, you can ping me (@linus:fsfe.org) or Matthias (@mk:fsfe.org) so that one of us can add you to the Staff room or any other room that is access-restricted.

Next, you should read the Element User Guide. You can skip the 'Onboarding' chapter as you have already successfully logged in. Please pay particular attention to the chapter 'Secure backup' and make sure you have a way to recover your encrypted chats should you lose your computer. Another thing that might help is setting up Element on another device and verifying this new device. Please refer to the aforementioned user guide before reaching out for somebody to help.

Backups with Vorta

Password management

Your credentials are very important and you should most certainly not have to manage all of them in your head.

Passbolt (organisation)

Passbolt is a Free Software password storage and management service. The FSFE's installation is on pass.fsfe.org and available to people who deal with sensitive passwords used by multiple people in various teams. It is a web-based service, but uses GPG in the background to encrypt all passwords securely.

The basic idea is that every user creates a new GPG key upon registration, only used by Passbolt. The secret key will be stored within a browser add-on. Every password a user has access to will be encrypted with this key.

The deployment code is here.

Initial Setup

If you belong to the group of people who should have access to a selection of these passwords, you will be invited via email. Then follow these steps carefully, as the security of the passwords and your access depends on it:

  1. Click on the "get started" button in the e-mail you received from passbolt.
  2. You will probably be asked to install the Passbolt Extension in your browser. It is available for Firefox and Chromium. Once you are done, reload the page.
  3. You will be asked to verify the server's data. Make sure that you see https://pass.fsfe.org as domain and 4E477C5EA50C5CA2DF941805C438739EE8F30B36 as server key. Tick the confirmation box if applicable and click "Next".
  4. You will now create your own dedicated GPG key for Passbolt. You don't need to provide more data, just click "Next".
  5. Enter a secure passphrase for your new key. Please store it safely!
  6. In the next step, you have to download the generated key. This is only possible now, and nobody can recover it! Download it and store it securely!
  7. As an additional security layer, you can generate a token. Set a colour you like, and memorise it as well as its 3-character representation. It will be shown next to the login and other password fields. If it's different than what you set initially, you will know that the server is not legitimate and somebody is interfering. Please contact your technical contact at the FSFE immediately.
  8. Now you can log in with your passphrase. Next to the password field, you will see the security token.
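The server key comparison in step 3 can be done mechanically instead of by eye. The script below is an added example, not part of this repository or of Passbolt; it assumes you copy the fingerprint shown by the extension and pass it in as text, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: compare the server key fingerprint shown during Passbolt
# setup with the one published in step 3 of this README.

EXPECTED_FPR="4E477C5EA50C5CA2DF941805C438739EE8F30B36"

# Strip spaces, colons, tabs and newlines, upper-case the hex digits and
# drop an optional 0x prefix, so grouping and case do not matter.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Returns 0 only for a full 40-hex-digit fingerprint equal to the expected
# one, 1 for a well-formed but different fingerprint, and 2 for input that
# is not a full fingerprint. A short or long key ID is rejected even when
# it matches the tail of the expected value.
fpr_matches() {
    shown=$(normalise_fpr "$1")
    case "$shown" in
        *[!0-9A-F]*) return 2 ;;          # contains non-hex characters
    esac
    [ "${#shown}" -eq 40 ] || return 2    # key ID or truncated copy
    [ "$shown" = "$(normalise_fpr "$EXPECTED_FPR")" ]
}

# Usage: sh check-fpr.sh "<fingerprint as shown by the extension>"
if [ -n "${1:-}" ]; then
    if fpr_matches "$1"; then
        echo "server key matches"
    else
        echo "server key does NOT match, stop and contact your technical contact" >&2
        exit 1
    fi
fi
```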

Please note that your key is saved within your browser inside the extension, so it is bound to this device and browser. If you ever change browsers or want to set up another device, it is possible to import the key you've saved earlier.

Once you're done, inform your happy technical contact at the FSFE, and ask to be added to the respective groups you should have access to.

Usage

To view a password:

  1. Visit the service website.
  2. Afterwards, you will see your email and be able to enter the password of your key (not your general FSFE password). Please check the colour/text token next to the password field.
  3. You will see all passwords you have access to. You can filter via the groups on the left, or search for a password.
  4. In your browser, you can also click on the Passbolt extension to search within it directly. This may be a neat shortcut for you.

To add a new password:

  1. Click on the blue "Create" button
  2. Enter a meaningful name, URL, user & password, and a description if necessary
  3. Select this password and share it with the group it belongs to. Please set the group as the owner ("is owner") so that passwords do not depend on individual users.

As of now, there are no classical folders but only a flat list of passwords, separated into groups. A folder feature is in Passbolt's pipeline though.

KeepassXC (personal)

If you prefer an offline password manager, this playbook installs one called KeepassXC including its web extension for Firefox. The two links in the last sentence should provide all the information you need to set up and manage your offline password store using KeepassXC.

Nextcloud

File Sharing with Nextcloud Sync Assistant

Set up calendars

Readme GPL-3.0 258 KiB