
# First steps after installing Pop!_OS 19.10

Using ansible. Installs pyenv, nvm, keybase, keeweb, vs codium, riot-web, golang

Packages

Upgrade & install basics

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y htop vim tmux jq ncdu pigz sudo pv unzip curl wget git

Reboot

Install packages needed for pyenv

sudo apt-get install -y --no-install-recommends make build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev

Install pyenv

Install python 3.8 & ansible

pyenv install 3.8.1
pyenv global 3.8.1
pip install ansible

Ansible

Transfer the local.yaml playbook from this gist to your machine.

Update the vars: section with your values. At least fix your username.

Install dev-sec ssh hardening role

ansible-galaxy role install --roles-path roles dev-sec.ssh-hardening
sudo touch /etc/ssh/moduli

Execute the playbook

ansible-playbook --ask-become-pass local.yaml
sudo rm /etc/ssh/moduli

Remove packages (optional)

If you like, you can remove the packages listed in the file packages-to-remove with sudo apt-get remove --purge $(cat packages-to-remove)

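---
# Local workstation bootstrap (run after the README steps that precede this playbook).
# The play targets 127.0.0.1 over the local connection and escalates every task with
# become, so everything downloaded below is installed or made executable as root.
#
# NOTE(review): none of the remote artifacts (the .deb URLs, the Go and kustomize
# archives, the kubectl/kind/docker-compose binaries) is compared against a published
# digest; HTTPS to the download host is the only integrity control. Where a task could
# pin a digest, a commented placeholder shows the shape.
- hosts: 127.0.0.1
  connection: local
  vars:
    # Account whose home directory receives nvm. Must be replaced before running;
    # the pre_task below refuses to continue while the placeholder is still set.
    username: CHANGEME-TO-YOUR-USERNAME
    # Installed directly from these URLs by "Install deb files from remote".
    # The keybase URL carries no version, so what it serves can change between runs.
    debs_urls:
      - https://github.com/keeweb/keeweb/releases/download/v1.12.3/KeeWeb-1.12.3.linux.x64.deb
      - https://github.com/VSCodium/vscodium/releases/download/1.41.1/codium_1.41.1-1576787344_amd64.deb
      - https://prerelease.keybase.io/keybase_amd64.deb
      - https://downloads.slack-edge.com/linux_releases/slack-desktop-4.2.0-amd64.deb
    nvm_tag: v0.35.2
    # Version strings stay quoted so YAML never reads them as floats.
    golang_version: "1.13.5"
    kubectl_version: "1.17.1"
    kustomize_version: "3.5.4"
    kind_version: "0.7.0"
    docker_compose_version: "1.25.0"
    ansible_become: true
    ansible_python_interpreter: /usr/bin/python3.7
    # dev-sec.ssh-hardening
    # Only the SSH client side is hardened; server hardening and the server itself
    # are switched off here.
    ssh_server_hardening: false
    ssh_server_enabled: false
    ssh_client_hardening: true
    network_ipv6_enable: true
  pre_tasks:
    # Without this guard the play would clone nvm into /home/CHANGEME-TO-YOUR-USERNAME
    # as root and only fail later, at the ownership task.
    - name: Refuse to run with the placeholder username
      assert:
        that:
          - "username != 'CHANGEME-TO-YOUR-USERNAME'"
        fail_msg: "Set vars.username to a real local account before running this playbook."
  roles:
    - dev-sec.ssh-hardening
  tasks:
    - name: install some basic packages
      apt:
        name:
          - lsb-release
          - apt-transport-https
          - htop
          - vim
          - tmux
          - jq
          - ncdu
          - pigz
          - sudo
          - pv
          - unzip
          - curl
          - wget
          - git
          - xz-utils
          - gnome-tweaks
          - vlc
          - xdotool
          - docker.io
          - genisoimage
          - haveged
          - inkscape
          - thunderbird
          - thunderbird-gnome-support
          - chrome-gnome-shell
          - gimp
          - lftp
          - rsync
          - libu2f-udev
        state: present
        update_cache: true

    # The riot.im key is stored as its own keyring and referenced with signed-by in the
    # repository line, so it is trusted for that repository only.
    - name: Download riot.im apt gpg key
      get_url:
        url: https://packages.riot.im/debian/riot-im-archive-keyring.gpg
        dest: /usr/share/keyrings/riot-im-archive-keyring.gpg
        # Explicit mode: root-owned, world-readable, independent of the umask in effect.
        mode: "0644"
    - name: Add riot.im apt-reposiory
      apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ {{ ansible_distribution_release }} main"
        filename: riot-im
    - name: Install riot-web
      apt:
        name: riot-web
        state: present
        update_cache: true

    # NOTE(review): each URL is fetched and installed as root with no digest check.
    # To pin them, download each file with get_url and a
    # checksum: "sha256:<PUBLISHED_DIGEST_PLACEHOLDER>" first, then pass the local
    # path to apt's deb parameter.
    - name: Install deb files from remote
      apt:
        deb: "{{ item }}"
      loop: "{{ debs_urls | flatten(levels=1) }}"

    # The clone runs as root (become). The ownership task that follows has no
    # recurse, so it changes the owner of the top-level directory only.
    - name: Clone nvm to /home/{{ username }}/.nvm
      git:
        repo: https://github.com/nvm-sh/nvm.git
        dest: "/home/{{ username }}/.nvm"
        version: "{{ nvm_tag }}"
    - name: Let {{ username }} own /home/{{ username }}/.nvm
      file:
        path: "/home/{{ username }}/.nvm"
        state: directory
        owner: "{{ username }}"
        group: "{{ username }}"
    - name: Activate nvm for user {{ username }}
      blockinfile:
        dest: "/home/{{ username }}/.bashrc"
        marker: "## {mark} added by ansible"
        block: |
          export NVM_DIR="$HOME/.nvm"
          [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
          [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion

    # NOTE(review): apt_key places the key in apt's global trusted keyring, so it is
    # accepted for every configured repository, and the yarn repo line has no
    # signed-by. The riot.im tasks above show the scoped alternative.
    - name: Add yarn apt key
      apt_key:
        url: https://dl.yarnpkg.com/debian/pubkey.gpg
        state: present
    - name: Add yarn apt-reposiory
      apt_repository:
        repo: "deb https://dl.yarnpkg.com/debian/ stable main"
        filename: yarn
    - name: Install yarn
      apt:
        name: yarn
        install_recommends: false
        state: present
        update_cache: true

    - name: Remove dependencies that are no longer required
      apt:
        autoremove: true
    - name: Remove useless packages from the cache
      apt:
        autoclean: true

    # creates: makes this a no-op once /usr/local/go/VERSION exists, so changing
    # golang_version later does not replace an already unpacked tree.
    # unarchive has no checksum option; to verify the archive, fetch it with get_url
    # and a checksum first and unarchive the local copy.
    - name: Install golang from archive
      unarchive:
        src: "https://dl.google.com/go/go{{ golang_version }}.linux-amd64.tar.gz"
        dest: /usr/local
        remote_src: true
        creates: /usr/local/go/VERSION
    - name: Activate golang for all users
      lineinfile:
        create: true
        dest: "/etc/profile.d/go-to-path.sh"
        line: "export PATH=$PATH:/usr/local/go/bin"

    - name: Disable canonical motd stuff
      lineinfile:
        dest: /etc/default/motd-news
        state: present
        regexp: "^ENABLED="
        line: "ENABLED=0"
    - name: Clear /var/cache/motd-news file
      copy:
        content: ""
        dest: /var/cache/motd-news
    # Mode 0644 drops the execute bit from the listed motd scripts.
    - name: Disable (chmod -x) some files in /etc/update-motd.d
      file:
        path: "/etc/update-motd.d/{{ item }}"
        mode: "0644"
      loop:
        - 10-help-text
        - 50-motd-news

    - name: Uninstall snapd
      apt:
        name: snapd
        state: absent
        purge: true
        autoclean: true
        autoremove: true
    - name: Remove snap directories
      file:
        state: absent
        path: "{{ item }}"
      loop:
        - /var/cache/snapd

    - name: Install ufw
      apt:
        name: ufw
        state: present
    # Default-deny for incoming traffic with logging on; this playbook adds no
    # allow rules.
    - name: Enable ufw and deny everything else
      ufw:
        state: enabled
        policy: deny
        logging: 'on'
        direction: incoming

    # The next four tasks place executables in /usr/local/bin as root. For the get_url
    # ones a digest can be pinned by adding, per task:
    #   checksum: "sha256:<PUBLISHED_DIGEST_PLACEHOLDER>"
    - name: Install kubectl {{ kubectl_version }}
      get_url:
        url: "https://storage.googleapis.com/kubernetes-release/release/v{{ kubectl_version }}/bin/linux/amd64/kubectl"
        mode: "0755"
        dest: /usr/local/bin/kubectl
    - name: Install kustomize {{ kustomize_version }}
      unarchive:
        src: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv{{ kustomize_version }}/kustomize_v{{ kustomize_version }}_linux_amd64.tar.gz"
        mode: "0755"
        dest: /usr/local/bin/
        remote_src: true
    - name: Install kind {{ kind_version }}
      get_url:
        url: "https://github.com/kubernetes-sigs/kind/releases/download/v{{ kind_version }}/kind-linux-amd64"
        mode: "0755"
        dest: /usr/local/bin/kind
    - name: Install docker-compose {{ docker_compose_version }}
      get_url:
        url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64"
        mode: "0755"
        dest: /usr/local/bin/docker-compose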
libreoffice-help-common
libreoffice-help-de
libreoffice-help-en-gb
libreoffice-help-en-us
libreoffice-help-es
libreoffice-help-fr
libreoffice-help-it
libreoffice-help-ja
libreoffice-help-pt
libreoffice-help-pt-br
libreoffice-help-ru
libreoffice-help-zh-cn
libreoffice-help-zh-tw
libreoffice-l10n-ar
libreoffice-l10n-de
libreoffice-l10n-en-gb
libreoffice-l10n-en-za
libreoffice-l10n-es
libreoffice-l10n-fr
libreoffice-l10n-it
libreoffice-l10n-ja
libreoffice-l10n-pt
libreoffice-l10n-pt-br
libreoffice-l10n-ru
libreoffice-l10n-zh-cn
libreoffice-l10n-zh-tw
firefox-locale-ar
firefox-locale-de
firefox-locale-en
firefox-locale-es
firefox-locale-fr
firefox-locale-it
firefox-locale-ja
firefox-locale-pt
firefox-locale-ru
firefox-locale-zh-hans
firefox-locale-zh-hant
gnome-user-docs
gnome-user-docs-de
gnome-user-docs-es
gnome-user-docs-fr
gnome-user-docs-it
gnome-user-docs-ja
gnome-user-docs-pt
gnome-user-docs-ru
gnome-user-docs-zh-hans
gnome-getting-started-docs
gnome-getting-started-docs-de
gnome-getting-started-docs-es
gnome-getting-started-docs-fr
gnome-getting-started-docs-it
gnome-getting-started-docs-ja
gnome-getting-started-docs-pt
gnome-getting-started-docs-ru
gnome-getting-started-docs-zh-hk
gnome-getting-started-docs-zh-tw
hunspell-ar
hunspell-de-at-frami
hunspell-de-ch-frami
hunspell-en-au
hunspell-en-ca
hunspell-en-gb
hunspell-en-za
hunspell-es
hunspell-fr
hunspell-fr-classical
hunspell-it
hunspell-pt-br
hunspell-pt-pt
hunspell-ru
hyphen-en-ca
hyphen-en-gb
hyphen-es
hyphen-fr
hyphen-it
hyphen-pt-br
hyphen-pt-pt
hyphen-ru
language-pack-ar
language-pack-ar-base
language-pack-es
language-pack-es-base
language-pack-fr
language-pack-fr-base
language-pack-gnome-ar
language-pack-gnome-ar-base
language-pack-gnome-es
language-pack-gnome-es-base
language-pack-gnome-fr
language-pack-gnome-fr-base
language-pack-gnome-it
language-pack-gnome-it-base
language-pack-gnome-ja
language-pack-gnome-ja-base
language-pack-gnome-pt
language-pack-gnome-pt-base
language-pack-gnome-ru
language-pack-gnome-ru-base
language-pack-gnome-zh-hans
language-pack-gnome-zh-hans-base
language-pack-gnome-zh-hant
language-pack-gnome-zh-hant-base
language-pack-it
language-pack-it-base
language-pack-ja
language-pack-ja-base
language-pack-pt
language-pack-pt-base
language-pack-ru
language-pack-ru-base
language-pack-zh-hans
language-pack-zh-hans-base
language-pack-zh-hant
language-pack-zh-hant-base
mythes-ar
mythes-de-ch
mythes-en-au
mythes-es
mythes-fr
mythes-it
mythes-pt-pt
mythes-ru
geary