This is an experiment to make desktop/laptop configuration fully controllable by Ansible. Also to experiment with GNU/Linux-based web-3/dapp/defi/security-first/insert-your-buzzword-here setup. Also because it's a lot of work to configure everything each time. Also because I can.
This project is not intended to fulfil desires of every user. I use it to provision my own personal PC. You probably find some defaults incompatible with your view on desktop OS configuration, but you can fork and tune it for yourself, or just look at playbooks for inspirations. PRs with improvements welcomed btw.
This playbook meant to be run against Debian bookworm. It probably won't work for other distros/versions, but you can try.
It focus both on security and speed when it's possible. It uses lightweight software when possible and some specific tuning to meet the goal. Take note that while this README uses word "security" several times, nobody checked this. Think then do.
It enables autologin and intended to use only on single-user desktop machines. Use it only with full-disk encryption and if you are single user. Not only for that reason, the whole playbook is meant to be deployed on a single-user desktop machine.
You should look for sources for full list, but here are some choices I made:
- OS: Debian GNU/Linux, stable (current bookworm)
- Shell: bash
- Init: systemd
- MAC: AppArmor, bubblewrap used for Flatpak-packed apps. Sister project apparmor-even-more-profiles deployed by default, bringing profiles for most of included software in enforce mode.
- VPN client: Wireguard
- Firewall: nftables + OpenSnitch
- Display server: Wayland
- Audio/video server: PipeWire
- Display manager: we don't need one, it can be replaced with single systemd unit
- Window manager: sway
- Notification daemon: mako
- Bar: waybar
- Applications launcher: wofi
- URI opener: jaro
- Terminal emulator: foot
- Network configuration: NetworkManager
- DNS server: stubby + unbound with DNS blocklists enabled
- Media player: mpv
- File manager: PCManFM and nnn are available
- FreeTube as alternative less privacy-invasing YouTube frontend, also yt-dlp configured to be used with mpv
- Music player: mpd + ymuse
- Browser: Firefox, but Chromium also available and used for webapps
- Email client: Thunderbird
- Source code editor: VSCodium with extensions from Open VSX
- File sync: Syncthing
- Download managers: aria2, qBittorrent for BitTorent, Nicotine+ for Soulseek
- Some cryptocurrency wallets: Monero fullnode, Electrum and Wasabi Wallet for Bitcoin network, Electron Cash for Bitcoin Cash, MyCrypto for Ethereum, Zecwallet Lite for Zcash, Electrum Dash for Dash, Bisq and Uniswap as DEX
- Support for Ledger, Trezor, Nitrokey, and OnlyKey hardware tokens
- I2P, Tor, IPFS, etc.
- Office packages: zathura + zaread for simple document viewing and LibreOffice for classical office package editing needs
- Image viewer: imv
- Password manager: KeePassXC
- DeltaChat, XMPP (Dino), Telegram, Jami, Matrix (nheko), Mumble, SimpleX messengers
- Local maps with Organic Maps.
- Local dicts with dictd and GoldenDict
- Virtual machines: libvirt + QEMU + virt-manager
- podman + gvisor by default for launching OCI containers, Docker also installed.
- JOSM for OpenStreetMap editing
- node.js, golang, python, etc. dev env.
- et cetera, et cetera
main.yml
includes it all.
Playbook also depends on some roles defined in submodules, so you should also consult related upstream docs.
Install some additional keyrings.
Enable and enforce apt-transport-tor.
Configure boot manager.
Configure audio settings.
Configure logind.
Sets some additional locale settings not supported by debops.
Configure networking.
Configure mullvad VPN.
Configure nftables.
Configure our dm replacement.
Configure window manager and other goodies usually provided by desktop environment.
Configure specific packages. Most of packages configured here.
Install and configure some games.
Configure themes.
Configure fonts.
Configure hardware.
Set timezone.
Install additional apparmor profiles
This playbook meant to be used on desktops, so there is specific desktop-friendly settings made. Most of packages are also configured specifically to address security or speed, but here is some things to note
- Silent boot is enabled
- Watchdog is disabled
- oomd is installed
- zswap is enabled
- gamemode is installed
- VFS cache pressure is set to 50, vm.dirty_ratio is configured to a lower value
- TCP Fast Open is enabled for both sides
- cfs-zen-tweaks is installed
- Core dumps are disabled
- Ansible comes with Redis cache and mitogen
- Analytics are opted-outed with env list
- tirdad is installed
- kloak is installed
- Some kernel modules are disabled according to GrapheneOS list
- Recommended settings from Linux Kernel Self-Protection Project are used
- Playbooks
os_hardening
andssh_hardening
from DevSec Hardening Framework are applied
It can be run in VirtualBox with help of Vagrant and Molecule.
poetry install
poetry run molecule converge
sh lint.sh
sudo apt install git python3-poetry
cd $(mktemp -d)
git clone https://github.com/komachi/ansible-decent-desktop.git
cd ansible-decent-desktop
sh run.sh