ubergesundheit · October 21, 2022 15:04
diff --git a/00-Pop!_OS-first-steps.md b/00-Pop!_OS-first-steps.md
diff --git a/local.yaml b/local.yaml
 ---
 - hosts: 127.0.0.1
  connection: local
  vars:
    username: CHANGEME-TO-YOUR-USERNAME
    debs_urls:
    - https://github.com/keeweb/keeweb/releases/download/v1.12.3/KeeWeb-1.12.3.linux.x64.deb
    - https://github.com/VSCodium/vscodium/releases/download/1.41.1/codium_1.41.1-1576787344_amd64.deb
    - https://prerelease.keybase.io/keybase_amd64.deb
    - https://downloads.slack-edge.com/linux_releases/slack-desktop-4.2.0-amd64.deb
    nvm_tag: v0.35.2
    golang_version: "1.13.5"
    kubectl_version: "1.17.1"
    kustomize_version: "3.5.4"
    kind_version: "0.7.0"
    docker_compose_version: "1.25.0"
    ansible_become: yes
    ansible_python_interpreter: /usr/bin/python3.7
    # dev-sec.ssh-hardening
    ssh_server_hardening: no
    ssh_server_enabled: no
    ssh_client_hardening: yes
    network_ipv6_enable: yes
  roles:
  - dev-sec.ssh-hardening
  tasks:
  - name: install some basic packages
    apt:
      name:
        - lsb-release
        - apt-transport-https
        - htop
        - vim
        - tmux
        - jq
        - ncdu
        - pigz
        - sudo
        - pv
        - unzip
        - curl
        - wget
        - git
        - xz-utils
        - gnome-tweaks
        - vlc
        - xdotool
        - docker.io
        - genisoimage
        - haveged
        - inkscape
        - thunderbird
        - thunderbird-gnome-support
        - chrome-gnome-shell
        - gimp
        - lftp
        - rsync
        - libu2f-udev
      state: present
      update_cache: yes

  - name: Download riot.im apt gpg key
    get_url:
      url: https://packages.riot.im/debian/riot-im-archive-keyring.gpg
      dest: /usr/share/keyrings/riot-im-archive-keyring.gpg

  - name: Add riot.im apt-reposiory
    apt_repository:
      repo: "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ {{ ansible_distribution_release }} main"
      filename: riot-im

  - name: Install riot-web
    apt:
      name: riot-web
      state: present
      update_cache: yes

  - name: Install deb files from remote
    apt:
      deb: "{{ item }}"
    loop: "{{ debs_urls | flatten(levels=1) }}"

  - name: Clone nvm to /home/{{ username }}/.nvm
    git:
      repo: https://github.com/nvm-sh/nvm.git
      dest: "/home/{{ username }}/.nvm"
      version: "{{ nvm_tag }}"

  - name: Let {{ username }} own /home/{{ username }}/.nvm
    file:
      path: "/home/{{ username }}/.nvm"
      state: directory
      owner: "{{ username }}"
      group: "{{ username }}"

  - name: Activate nvm for user {{ username }}
    blockinfile:
      dest: "/home/{{ username }}/.bashrc"
      marker: "## {mark} added by ansible"
      block: |
        export NVM_DIR="$HOME/.nvm"
        [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
        [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion

  - name: Add yarn apt key
    apt_key:
      url: https://dl.yarnpkg.com/debian/pubkey.gpg
      state: present

  - name: Add yarn apt-reposiory
    apt_repository:
      repo: "deb https://dl.yarnpkg.com/debian/ stable main"
      filename: yarn

  - name: Install yarn
    apt:
      name: yarn
      install_recommends: no
      state: present
      update_cache: yes

  - name: Remove dependencies that are no longer required
    apt:
      autoremove: yes

  - name: Remove useless packages from the cache
    apt:
      autoclean: yes

  - name: Install golang from archive
    unarchive:
      src: "https://dl.google.com/go/go{{ golang_version }}.linux-amd64.tar.gz"
      dest: /usr/local
      remote_src: yes
      creates: /usr/local/go/VERSION

  - name: Activate golang for all users
    lineinfile:
      create: yes
      dest: "/etc/profile.d/go-to-path.sh"
      line: "export PATH=$PATH:/usr/local/go/bin"

  - name: Disable canonical motd stuff
    lineinfile:
      dest: /etc/default/motd-news
      state: present
      regexp: "^ENABLED="
      line: "ENABLED=0"

  - name: Clear /var/cache/motd-news file
    copy:
      content: ""
      dest: /var/cache/motd-news

  - name: Disable (chmod -x) some files in /etc/update-motd.d
    file:
      path: "/etc/update-motd.d/{{ item }}"
      mode: "0644"
    loop:
      - 10-help-text
      - 50-motd-news

  - name: Uninstall snapd
    apt:
      name: snapd
      state: absent
      purge: yes
      autoclean: yes
      autoremove: yes

  - name: Remove snap directories
    file:
      state: absent
      path: "{{ item }}"
    loop:
      - /var/cache/snapd

  - name: Install ufw
    apt:
      name: ufw
      state: present

  - name: Enable ufw and deny everything else
    ufw:
      state: enabled
      policy: deny
      logging: 'on'
      direction: incoming

  - name: Install kubectl {{ kubectl_version }}
    get_url:
      url: "https://storage.googleapis.com/kubernetes-release/release/v{{ kubectl_version }}/bin/linux/amd64/kubectl"
      mode: "0755"
      dest: /usr/local/bin/kubectl

  - name: Install kustomize {{ kustomize_version }}
    unarchive:
      src: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv{{ kustomize_version }}/kustomize_v{{ kustomize_version }}_linux_amd64.tar.gz"
      mode: "0755"
      dest: /usr/local/bin/
      remote_src: yes

  - name: Install kind {{ kind_version }}
    get_url:
      url: "https://github.com/kubernetes-sigs/kind/releases/download/v{{ kind_version }}/kind-linux-amd64"
      mode: "0755"
      dest: /usr/local/bin/kind

  - name: Install docker-compose {{ docker_compose_version }}
    get_url:
      url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64"
      mode: "0755"
      dest: /usr/local/bin/docker-compose
diff --git a/packages-to-remove b/packages-to-remove
 73libreoffice-help-common
 libreoffice-help-de
 libreoffice-help-en-gb
 libreoffice-help-en-us
 libreoffice-help-es
 libreoffice-help-fr
 libreoffice-help-it
 libreoffice-help-ja
 libreoffice-help-pt
 libreoffice-help-pt-br
 libreoffice-help-ru
 libreoffice-help-zh-cn
 libreoffice-help-zh-tw
 libreoffice-l10n-ar
 libreoffice-l10n-de
 libreoffice-l10n-en-gb
 libreoffice-l10n-en-za
 libreoffice-l10n-es
 libreoffice-l10n-fr
 libreoffice-l10n-it
 libreoffice-l10n-ja
 libreoffice-l10n-pt
 libreoffice-l10n-pt-br
 libreoffice-l10n-ru
 libreoffice-l10n-zh-cn
 libreoffice-l10n-zh-tw
 firefox-locale-ar
 firefox-locale-de
 firefox-locale-en
 firefox-locale-es
 firefox-locale-fr
 firefox-locale-it
 firefox-locale-ja
 firefox-locale-pt
 firefox-locale-ru
 firefox-locale-zh-hans
 firefox-locale-zh-hant
 gnome-user-docs
 gnome-user-docs-de
 gnome-user-docs-es
 gnome-user-docs-fr
 gnome-user-docs-it
 gnome-user-docs-ja
 gnome-user-docs-pt
 gnome-user-docs-ru
 gnome-user-docs-zh-hans
 gnome-getting-started-docs
 gnome-getting-started-docs-de
 gnome-getting-started-docs-es
 gnome-getting-started-docs-fr
 gnome-getting-started-docs-it
 gnome-getting-started-docs-ja
 gnome-getting-started-docs-pt
 gnome-getting-started-docs-ru
 gnome-getting-started-docs-zh-hk
 gnome-getting-started-docs-zh-tw
 hunspell-ar
 hunspell-de-at-frami
 hunspell-de-ch-frami
 hunspell-en-au
 hunspell-en-ca
 hunspell-en-gb
 hunspell-en-za
 hunspell-es
 hunspell-fr
 hunspell-fr-classical
 hunspell-it
 hunspell-pt-br
 hunspell-pt-pt
 hunspell-ru
 hyphen-en-ca
 hyphen-en-gb
 hyphen-es
 hyphen-fr
 hyphen-it
 hyphen-pt-br
 hyphen-pt-pt
 hyphen-ru
 language-pack-ar
 language-pack-ar-base
 language-pack-es
 language-pack-es-base
 language-pack-fr
 language-pack-fr-base
 language-pack-gnome-ar
 language-pack-gnome-ar-base
 language-pack-gnome-es
 language-pack-gnome-es-base
 language-pack-gnome-fr
 language-pack-gnome-fr-base
 language-pack-gnome-it
 language-pack-gnome-it-base
 language-pack-gnome-ja
 language-pack-gnome-ja-base
 language-pack-gnome-pt
 language-pack-gnome-pt-base
 language-pack-gnome-ru
 language-pack-gnome-ru-base
 language-pack-gnome-zh-hans
 language-pack-gnome-zh-hans-base
 language-pack-gnome-zh-hant
 language-pack-gnome-zh-hant-base
 language-pack-it
 language-pack-it-base
 language-pack-ja
 language-pack-ja-base
 language-pack-pt
 language-pack-pt-base
 language-pack-ru
 language-pack-ru-base
 language-pack-zh-hans
 language-pack-zh-hans-base
 language-pack-zh-hant
 language-pack-zh-hant-base
 mythes-ar
 mythes-de-ch
 mythes-en-au
 mythes-es
 mythes-fr
 mythes-it
 mythes-pt-pt
 mythes-ru
 geary
	---
	- hosts: 127.0.0.1
	connection: local
	vars:
	username: CHANGEME-TO-YOUR-USERNAME
	debs_urls:
	- https://github.com/keeweb/keeweb/releases/download/v1.12.3/KeeWeb-1.12.3.linux.x64.deb
	- https://github.com/VSCodium/vscodium/releases/download/1.41.1/codium_1.41.1-1576787344_amd64.deb
	- https://prerelease.keybase.io/keybase_amd64.deb
	- https://downloads.slack-edge.com/linux_releases/slack-desktop-4.2.0-amd64.deb
	nvm_tag: v0.35.2
	golang_version: "1.13.5"
	kubectl_version: "1.17.1"
	kustomize_version: "3.5.4"
	kind_version: "0.7.0"
	docker_compose_version: "1.25.0"
	ansible_become: yes
	ansible_python_interpreter: /usr/bin/python3.7
	# dev-sec.ssh-hardening
	ssh_server_hardening: no
	ssh_server_enabled: no
	ssh_client_hardening: yes
	network_ipv6_enable: yes
	roles:
	- dev-sec.ssh-hardening
	tasks:
	- name: install some basic packages
	apt:
	name:
	- lsb-release
	- apt-transport-https
	- htop
	- vim
	- tmux
	- jq
	- ncdu
	- pigz
	- sudo
	- pv
	- unzip
	- curl
	- wget
	- git
	- xz-utils
	- gnome-tweaks
	- vlc
	- xdotool
	- docker.io
	- genisoimage
	- haveged
	- inkscape
	- thunderbird
	- thunderbird-gnome-support
	- chrome-gnome-shell
	- gimp
	- lftp
	- rsync
	- libu2f-udev
	state: present
	update_cache: yes

	- name: Download riot.im apt gpg key
	get_url:
	url: https://packages.riot.im/debian/riot-im-archive-keyring.gpg
	dest: /usr/share/keyrings/riot-im-archive-keyring.gpg

	- name: Add riot.im apt-reposiory
	apt_repository:
	repo: "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ {{ ansible_distribution_release }} main"
	filename: riot-im

	- name: Install riot-web
	apt:
	name: riot-web
	state: present
	update_cache: yes

	- name: Install deb files from remote
	apt:
	deb: "{{ item }}"
	loop: "{{ debs_urls \| flatten(levels=1) }}"

	- name: Clone nvm to /home/{{ username }}/.nvm
	git:
	repo: https://github.com/nvm-sh/nvm.git
	dest: "/home/{{ username }}/.nvm"
	version: "{{ nvm_tag }}"

	- name: Let {{ username }} own /home/{{ username }}/.nvm
	file:
	path: "/home/{{ username }}/.nvm"
	state: directory
	owner: "{{ username }}"
	group: "{{ username }}"

	- name: Activate nvm for user {{ username }}
	blockinfile:
	dest: "/home/{{ username }}/.bashrc"
	marker: "## {mark} added by ansible"
	block: \|
	export NVM_DIR="$HOME/.nvm"
	[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
	[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion

	- name: Add yarn apt key
	apt_key:
	url: https://dl.yarnpkg.com/debian/pubkey.gpg
	state: present

	- name: Add yarn apt-reposiory
	apt_repository:
	repo: "deb https://dl.yarnpkg.com/debian/ stable main"
	filename: yarn

	- name: Install yarn
	apt:
	name: yarn
	install_recommends: no
	state: present
	update_cache: yes

	- name: Remove dependencies that are no longer required
	apt:
	autoremove: yes

	- name: Remove useless packages from the cache
	apt:
	autoclean: yes

	- name: Install golang from archive
	unarchive:
	src: "https://dl.google.com/go/go{{ golang_version }}.linux-amd64.tar.gz"
	dest: /usr/local
	remote_src: yes
	creates: /usr/local/go/VERSION

	- name: Activate golang for all users
	lineinfile:
	create: yes
	dest: "/etc/profile.d/go-to-path.sh"
	line: "export PATH=$PATH:/usr/local/go/bin"

	- name: Disable canonical motd stuff
	lineinfile:
	dest: /etc/default/motd-news
	state: present
	regexp: "^ENABLED="
	line: "ENABLED=0"

	- name: Clear /var/cache/motd-news file
	copy:
	content: ""
	dest: /var/cache/motd-news

	- name: Disable (chmod -x) some files in /etc/update-motd.d
	file:
	path: "/etc/update-motd.d/{{ item }}"
	mode: "0644"
	loop:
	- 10-help-text
	- 50-motd-news

	- name: Uninstall snapd
	apt:
	name: snapd
	state: absent
	purge: yes
	autoclean: yes
	autoremove: yes

	- name: Remove snap directories
	file:
	state: absent
	path: "{{ item }}"
	loop:
	- /var/cache/snapd

	- name: Install ufw
	apt:
	name: ufw
	state: present

	- name: Enable ufw and deny everything else
	ufw:
	state: enabled
	policy: deny
	logging: 'on'
	direction: incoming

	- name: Install kubectl {{ kubectl_version }}
	get_url:
	url: "https://storage.googleapis.com/kubernetes-release/release/v{{ kubectl_version }}/bin/linux/amd64/kubectl"
	mode: "0755"
	dest: /usr/local/bin/kubectl

	- name: Install kustomize {{ kustomize_version }}
	unarchive:
	src: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv{{ kustomize_version }}/kustomize_v{{ kustomize_version }}_linux_amd64.tar.gz"
	mode: "0755"
	dest: /usr/local/bin/
	remote_src: yes

	- name: Install kind {{ kind_version }}
	get_url:
	url: "https://github.com/kubernetes-sigs/kind/releases/download/v{{ kind_version }}/kind-linux-amd64"
	mode: "0755"
	dest: /usr/local/bin/kind

	- name: Install docker-compose {{ docker_compose_version }}
	get_url:
	url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64"
	mode: "0755"
	dest: /usr/local/bin/docker-compose