This is an experiment in making desktop/laptop configuration fully controllable by Ansible, and in building a GNU/Linux-based web-3/dapp/defi/security-first/insert-your-buzzword-here setup. Also because configuring everything by hand each time is a lot of work. Also because I can.
This project is not intended to fulfil the desires of every user. I use it to provision my own personal PC. You will probably find some defaults incompatible with your view of desktop OS configuration, but you can fork and tune it for yourself, or just look at the playbooks for inspiration. PRs with improvements are welcome, by the way.
This playbook is meant to be run against Debian bullseye. It probably won't work for other distros/versions, but you can try.
It focuses on both security and speed where possible, using lightweight software and some specific tuning to meet that goal. Note that while this README uses the word "security" several times, nobody has audited any of this. Think, then do.
It enables autologin and is intended only for single-user desktop machines. With autologin, the full-disk-encryption passphrase entered at boot is the only thing standing between someone with physical access and your session, so use it only with full-disk encryption and only if you are the single user. Not only for that reason, the whole playbook assumes it is deployed on a single-user desktop machine.
Consult the sources for the full list, but here are some choices I made:
- OS: Debian GNU/Linux, stable (current bullseye)
- Shell: bash
- Init: systemd
- MAC: AppArmor; bubblewrap is used for Flatpak-packed apps. The sister project apparmor-even-more-profiles is deployed by default, bringing profiles for most of the included software in enforce mode.
- More hardening: tirdad, LKRG, kloak
- VPN client: Wireguard
- Firewall: nftables + OpenSnitch
- Display server: Wayland
- Audio/video server: PipeWire
- Display manager: we don't need one; it can be replaced with a single systemd unit
- Window manager: sway
- Notification daemon: mako
- Bar: waybar
- Applications launcher: wofi
- URI opener: jaro
- Terminal emulator: foot
- Network configuration: NetworkManager
- DNS server: stubby + unbound with DNS blocklists enabled
- Media player: mpv
- FreeTube as a less privacy-invasive YouTube frontend; yt-dlp is also configured for use with mpv
- Music player: mpd + pms
- Browser: Firefox, but Chromium also available
- Email client: Thunderbird
- Source code editor: VSCodium
- File sync: Syncthing
- Download manager: aria2, uGet (https://ugetdm.com/), XD for I2P torrents
- Some cryptocurrency wallets: Monero fullnode, Electrum and Wasabi Wallet for Bitcoin network, Electron Cash for Bitcoin Cash, MyCrypto for Ethereum, Zecwallet Lite for Zcash, Electrum Dash for Dash, Bisq and Uniswap as DEX
- Support for Ledger, Trezor, Nitrokey, and OnlyKey hardware tokens
- I2P, Tor, IPFS, etc.
- Localhosted Searx instance as a privacy-respecting metasearch engine
- Jackett for searching on trackers
- Office package: zathura + zaread for simple document viewing, LibreOffice for classic office-suite editing needs
- Image viewer: imv
- Password manager: KeePassXC
- Local bookmarks with shiori
- DeltaChat, XMPP (Dino), Telegram, Jami, Matrix (nheko), Mumble messengers
- Local maps with Pure Maps and OSM Scout Server
- Local dicts with dictd and GoldenDict
- Virtual machines: libvirt + QEMU + virt-manager
- podman + gvisor for launching OCI containers
- JOSM for OpenStreetMap editing
- node.js, golang, etc.
- et cetera, et cetera
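The display-manager-less setup above (a single systemd unit instead of a DM, with autologin that is only safe behind full-disk encryption) is easy to get wrong: enable autologin on an unencrypted disk and the boot passphrase that was supposed to protect the session is simply not there. The following is an added example written for this README, not the repository's own unit or playbook; it uses an agetty drop-in on tty1 rather than whatever unit the project ships, assumes a single desktop user named "alice" and that sway is already installed, and refuses to enable autologin unless the root filesystem sits on a dm-crypt mapping somewhere in its device chain.

```yaml
# Added example, not the repository's own playbook: replace the display
# manager with an agetty autologin drop-in for tty1, but only after
# confirming that / is backed by a dm-crypt (LUKS) mapping, because with
# autologin the FDE passphrase is the only authentication left at boot.
# Assumptions: single desktop user "alice", sway already installed.
- name: Display-manager-less autologin gated on full-disk encryption
  hosts: localhost
  become: true
  vars:
    desktop_user: alice   # assumption: the one and only desktop user

  tasks:
    - name: Find the block device that backs /
      ansible.builtin.command: findmnt -n -o SOURCE /
      register: root_source
      changed_when: false

    - name: List that device and all of its ancestors (lsblk --inverse)
      # Handles LVM-on-LUKS too: the chain reads lvm, crypt, part, disk.
      ansible.builtin.command: "lsblk -s -n -o TYPE {{ root_source.stdout }}"
      register: root_chain
      changed_when: false

    - name: Refuse to continue unless a crypt layer is in that chain
      ansible.builtin.assert:
        that: "'crypt' in root_chain.stdout"
        fail_msg: "/ is not on dm-crypt; autologin would leave the session unprotected"

    - name: Create the drop-in directory for getty@tty1
      ansible.builtin.file:
        path: /etc/systemd/system/getty@tty1.service.d
        state: directory
        mode: "0755"

    - name: Make agetty log the desktop user in on tty1 without a password
      # The empty ExecStart= clears the unit's original command first.
      ansible.builtin.copy:
        dest: /etc/systemd/system/getty@tty1.service.d/autologin.conf
        mode: "0644"
        content: |
          [Service]
          ExecStart=
          ExecStart=-/sbin/agetty --autologin {{ desktop_user }} --noclear %I $TERM
      notify: reload systemd

    - name: Start sway from the login shell, but only on tty1
      ansible.builtin.lineinfile:
        path: "/home/{{ desktop_user }}/.bash_profile"
        create: true
        owner: "{{ desktop_user }}"
        group: "{{ desktop_user }}"
        mode: "0644"
        line: '[ "$(tty)" = /dev/tty1 ] && exec sway'

  handlers:
    - name: reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
```

The assert is the part worth keeping even if you prefer a dedicated unit over the getty drop-in: it turns the README's "use it only with full-disk encryption" from advice into something the playbook checks. The findmnt output is assumed to be a plain device path; a btrfs subvolume source such as /dev/mapper/root[/@] would need the bracketed suffix stripped before it is handed to lsblk.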
main.yml includes it all. The playbook also depends on some roles defined in submodules, so you should also consult the related upstream docs.
Install some additional keyrings.
Enable and enforce apt-transport-tor.
Configure boot manager.
Configure audio settings.
Configure logind.
Set some additional locale settings not supported by DebOps.
Configure networking.
Configure mullvad VPN.
Configure nftables.
Configure our display manager replacement.
Configure window manager and other goodies usually provided by desktop environment.
Configure specific packages. Most packages are configured here.
Install and configure some games.
Configure themes.
Configure fonts.
Configure hardware.
Just check out https://github.com/komachi/bin to ~/bin.
Set timezone.
Install additional AppArmor profiles from apparmor-even-more-profiles.
Additional hardening settings; for now this just installs some packages from the Whonix repo.
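"Enable and enforce apt-transport-tor" above names the goal but not what enforcing it looks like. The point of enforcement is that installing the transport is not enough: any source line left with a plain http:// or https:// URI (including third-party repos such as the Whonix one added later) still fetches over the clear net, and apt happily mixes the two. The following is an added example written for this README, not the repository's own playbook; it assumes the tor service runs with its default SOCKS port, uses the deb.debian.org mirror, and fails the run if any clear-net source survives the rewrite.

```yaml
# Added example, not the repository's own playbook: route all apt traffic
# over Tor with apt-transport-tor, then verify that no clear-net source
# remains anywhere apt reads sources from.
# Assumptions: tor listens on its default SOCKS port, mirror deb.debian.org.
- name: Enforce apt over Tor
  hosts: localhost
  become: true
  tasks:
    - name: Install the transport (this single fetch still uses the old sources)
      ansible.builtin.apt:
        name:
          - apt-transport-tor
          - tor
        state: present
        update_cache: true

    - name: Make sure tor is running before apt starts depending on it
      ansible.builtin.service:
        name: tor
        state: started
        enabled: true

    - name: Replace sources.list with tor+https:// URIs
      ansible.builtin.copy:
        dest: /etc/apt/sources.list
        mode: "0644"
        content: |
          deb tor+https://deb.debian.org/debian bullseye main contrib non-free
          deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
          deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free

    - name: Find any remaining clear-net source lines
      # Matches one-line "deb ...", "deb [arch=...] ..." and "deb-src ..." forms
      # as well as the "URIs:" key of deb822 .sources files.
      ansible.builtin.shell: |
        grep -rEl '^\s*(deb(-src)?\s+(\[[^]]*\]\s*)?|URIs:\s*)(https?|ftp)://' \
          /etc/apt/sources.list /etc/apt/sources.list.d/ || true
      register: clearnet_sources
      changed_when: false

    - name: Fail if anything would still bypass Tor
      ansible.builtin.assert:
        that: clearnet_sources.stdout == ""
        fail_msg: "clear-net apt sources remain in: {{ clearnet_sources.stdout_lines }}"

    - name: Refresh the package cache, this time through Tor
      ansible.builtin.apt:
        update_cache: true
```

Any extra repository the later playbooks add has to be written with the tor+ prefix as well, or the assert will (correctly) stop the run. The check is deliberately file-based rather than relying on apt's own output, so it catches a stray source even when the cache is already warm.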