- Ansible role for your DevOps/SysOps Linux Mint 22.x/Zorin OS based workstation
This role is designed to configure your Linux Mint 22.x or Zorin OS 17.x workstation. It will install essential packages, main packages, extra/optional packages, 3rd party software, and configure your system. It will also install extra binaries in /usr/local/bin
folder.
It will also change startup settings for a specific user (that's why you should not run this as root). It will also change ansible.cfg
, dconf
settings, and sysctl
system settings.
It's an extension od my previous project - https://github.com/marcinbojko/linux_mint which won't be updated anymore.
-
installed
Linux Mint
22.x - all 64-bit, standard options with extra codecs (available as selection during install) -
installed
Zorin OS
17.x - all 64-bit, standard options with extra codecs (available as selection during install) -
access to internet
-
openssh-server
installed and running -
ansible
in version 2.10 or higher -
sudo ansible-galaxy install -r requirements.yml
sudo apt install openssh-server;sudo systemctl enable ssh && sudo systemctl start ssh
-
PermitRootLogin in
/etc/ssh/sshd_config
if you're using root account
sudo ansible-galaxy install -r requirements.yml --roles-path /etc/ansible/roles
- 10 GB free space on OS drive (recommended 20-30 due to Flatpak)
- ssh private key or password method
- user specified in
group_vars
or passed in variableansible_ssh_user
- by default, extra binaries (outside packages) will be installed in
/usr/local/bin
(adjustable bypld_bin_path
variable) If you prefer to keep them in cloud (sync between computers), down below I'll attach info how to replace binaries with proper -ymlinks (work in progress) - adds repositories with codename and filename
- adds missing pgp keys for repositories
- installs essential packages
- installs main packages
- installs extra/optional packages
- downloads 3rd party software and puts it in proper path -
/usr/local/bin
by default (adjustable bypld_bin_path
variable) - changes startup settings for specific user (that's why you should not run this as root)
- changes in
ansible.cfg
- changes in
dconf
settings - changes in
sysctl
system settings
Role of this playbook is to work on clean or cleanly-upgraded system. I haven't tested it properly in case of in-place upgrade systems, so both 18=>19 and 19=>20 upgrades and playbook usage, are risky and experimental. Make sure all apt repositories (except system ones) are removed from /etc/apt - playbook works best when this list is empty.
Warning - systems after upgrade will require: ansible_python_interpreter=/usr/bin/python3
setting.
Be aware several packages (virtualbox-6.1, zenmap) will install python2 and remove python-is-python3 package.
sudo apt update
sudo apt install python-is-python3
sudo apt update
sudo apt remove python2 --simulate
sudo apt remove python2
ansible-playbook ./pld.yaml -i myhost.lst
or change user you're using (startup related stuff will be done for that specific user user)
ansible-playbook ./pld.yaml -i myhost.lst --extra-vars "pld_active_user=myuser"
in case you'd like to run as root with password or ssh key, you can do desktop related changes for user bob
ansible-playbook ./pld.yaml -i myhost.lst --extra-vars "pld_active_user=bob"
or passing true/false as JSON
ansible-playbook ./pld.yaml -i myhost.lst --extra-vars '{"install_optional": "true"}'
or passing several variables as variables.yaml file
ansible-playbook ./pld.yaml -i myhost.lst --extra-vars @variables.yaml
Variables are separated into multiple sets of files.
Variables for controlling playbook behavior
Variable | Value | Comment |
---|---|---|
pld_active_user | "{{ ansible_ssh_user }}" | User for which you're setting folders. By default taken from group_vars |
pld_bin_path | /usr/local/bin | Where to put all downloaded execs |
pld_config_ansible | true | Change ansible settings in ansible.cfg |
pld_config_autostart | true | Change application autostart settings |
pld_config_dconf | true | Change dconf settings |
pld_config_neofetch | true | Change neofetch settings |
pld_config_sysctl | true | Change sysctl settings |
pld_delay_time | 1 | Delay time in seconds between retries |
pld_install_deb | true | Should extra deb packages be installed |
pld_install_flatpak | true | Should flatpak packages be installed |
pld_install_npm | true | Should npm packages be installed |
pld_install_optional | true | Should optional packages be installed |
pld_install_state | latest | If set to latest, every pass of playbook will also update packages |
pld_install_steampipe_plugins | true | Should we install extra steampipe plugins |
pld_install_vscode_extensions | true | Should we install extra vscode extensions |
pld_install_yubico | false | Should we install yubico software |
pld_install_zsh | true | Should we install oh-my-zsh and p10k theme |
pld_reboot_required | false | Force reboot even if apt upgrade won't change anything |
pld_remove_flatpak | true | Should flatpak packages be removed |
pld_retries_count | 1 | How many retries |
pld_unpack_folder | /tmp/linux_mint | Which folder to use when downloading and unarchiving |
Most OS variables are stored in roles/pld/vars/*.yml
files.
Are located in file roles/pld/vars/shared.yml
Variable | Description |
---|---|
ansible_python_interpreter | Specifies the Python interpreter path for Ansible |
pld_alternatives | List of alternatives to set |
pld_ansible | List of Ansible roles to install |
pld_codename | Codename for the Linux Mint or Zorin OS version |
pld_deb | List of deb packages to install |
pld_deb822_repositories | List of deb822 repositories to add |
pld_downloads | List of URLs to download files from |
pld_files | List of files to copy |
pld_files_remove | List of files to remove |
pld_files_remove_bin_path | Path to remove files from |
pld_flatpak | List of Flatpak packages to install |
pld_flatpak_remove | List of Flatpak packages to remove |
pld_global_env | List of global environment variables to set |
pld_keys | List of GPG keys to import |
pld_keys_keyserver | Keyserver to use for importing GPG keys |
pld_keys_remove | List of GPG keys to remove |
pld_neofetch | Whether to configure Neofetch |
pld_npm | List of npm packages to install |
pld_packages | List of packages to install |
pld_packages_clean_system | Whether to clean the system before installing packages |
pld_packages_optional | List of optional packages to install |
pld_packages_remove | List of packages to remove |
pld_pip | List of Python packages to install with pip |
pld_pip_executable | Path to the pip executable |
pld_repositories_remove | List of repositories to remove |
pld_services | List of services to enable or disable |
pld_startup_template | Path to the startup template file |
pld_steampipe | List of Steampipe plugins to install |
pld_sysctl | List of sysctl settings to apply |
pld_timezone | Timezone to set |
pld_unpack | List of archives to unpack |
pld_vscode | List of Visual Studio Code extensions to install |
pld_vscode_obsolete | List of obsolete Visual Studio Code extensions to remove |
pld_yubico_flatpak | List of Yubico Flatpak packages to install |
pld_yubico_packages | List of Yubico packages to install |
pld_yubico_repo_key | GPG key for Yubico repository |
pld_yubico_repositories | List of Yubico repositories to add |
Are located in file roles/pld/vars/Linux Mint.yml
| Variable | Description | |_---------------------------------|--------------------------------------------------| | pld_deb822_repositories_optional | Optional deb822 repositories to add for Mint | | pld_packages_essential | Essential packages to install | | pld_startup | Startup settings for specific user | | pld_dconf | Dconf settings |
Are located in file roles/pld/vars/Zorin OS.yml
| Variable | Description | |_---------------------------------|--------------------------------------------------| | pld_deb822_repositories_optional | Optional deb822 repositories to add for Zorin | | pld_packages_essential | Essential packages to install | | pld_startup | Startup settings for specific user | | pld_dconf | Dconf settings |
graph LR
A[main.yaml] --> B[Shared]
B --> C[Linux Mint]
B --> D[Zorin OS]
TBD
alexx2000
- Double Commanderansible
- Ansibleazure-cli
- Azure CLI SDKdocker-stable
- Docker-CEgcsfuse
- Google Storage gcsfuse - Mount a GCS bucket locally`google-cloud-sdk
- Google Cloud Tools SDKgooglechrome
- Google Chrome Browserhashicorp
- Hashicorp toolshelm-stable-debian
- Helm for Kuberneteskubernetes-129
- Google Kubernetes kubeadm & kubectl for 1.29microsoft-prod-deb
- Microsoft .Net Coremozilla-team
- Stable Firefox and Mozilla Softwarenodesource20
- Node.js LTSpalemoon
- Chromium based Java+Flash browserubuntu-mozilla-security
- Firefox and Thunderbird Securityvirtualbox
- Virtualization Softwarevscode
- Microsoft Visual Studio Code
dockbarx
- DockBarX is a lightweight taskbargrub-customizer
- customize black screen to something usefulinsync
- Googledrive & Onedrive Linux Clientlens
- Kubernetes IDEngrok
- Secure tunnels to localhostnoobslab-icons
- Noobslab iconsrancher-desktop
- Rancher Desktoptrivy
- Container security scannerveeam-agent
- Veeam Agent for Linuxveracrypt
- Device encryption utility
Software | Type | Link |
---|---|---|
Amass | In-depth Attack Surface Mapping and Asset Discovery | https://github.com/OWASP/Amass |
AngryIP Scanner | Network Scanner | https://angryip.org/ |
Azure CLI | Command-line tools for Azure | https://github.com/Azure/azure-cli |
Balena-etcher | Image Writer | https://www.balena.io/etcher/ |
Ctop | Container process monitor | https://github.com/bcicen/ctop |
Diodon | Clipboard Manager | https://launchpad.net/diodon |
Dive | Docker image explorer | https://github.com/wagoodman/dive |
Dockle | Container Image Linter for Security | https://github.com/goodwithtech/dockle |
Double Commander | File Manager | https://doublecmd.sourceforge.io/ |
Ffuf | Fast web fuzzer written in Go | https://github.com/ffuf/ffuf |
GitKraken | Git Client | https://www.gitkraken.com/ |
Google Chrome | Browser | https://www.google.com/intl/pl_ALL/chrome/ |
Google Cloud SDK | Command-line tools for GCP | https://cloud.google.com/sdk |
Google Kubectl/Kubeadm | Kubernetes Manager | https://kubernetes.io/docs/reference/kubectl/overview/ |
Gping | Ping with a graph | https://github.com/orf/gping |
Hadolint | Docker linter | https://github.com/hadolint/hadolint |
Helm | Package manager for Kubernetes | https://helm.sh/ |
k3d | k3d creates containerized k3s clusters | https://k3d.io/ |
k3s | Lightweight Kubernetes 5 less than k8s | https://k3s.io/ |
k9s | Kubernetes CLI Manager | https://github.com/derailed/k9s |
Keepass | Password Manager | https://keepass.info/ |
Kubeconform | Kubernetes config validator | https://github.com/yannh/kubeconform |
Kubent | Kubernetes-no-trouble | https://github.com/doitintl/kube-no-trouble |
Kubernetes | Production-Grade Container Orchestration | https://kubernetes.io/ |
Kustomize | Kubernetes customiser | https://github.com/kubernetes-sigs/kustomize |
Lens | Kubernetes IDE | https://k8slens.dev/ |
Minikube | Run Kubernetes locally | https://github.com/kubernetes/minikube |
Packer | Image creator | https://www.packer.io/ |
Packetsender | Packet Sender can send and receive UDP, TCP, and SSL on the ports of your choosing | https://packetsender.com/ |
Palemoon | Browser alternative (Java_+Flash) | https://www.palemoon.org/ |
Polaris | Validation of best practices in your Kubernetes clusters | https://www.fairwinds.com/polaris |
RamboxOS | Multi IM | https://github.com/TheGoddessInari/hamsket |
Rancher Desktop | Rancher Desktop runs Kubernetes and container management on your desktop | https://rancherdesktop.io/ |
Redshift | Monitor temperature changer | http://jonls.dk/redshift/ |
Remmina | Remote Connection Manager | https://remmina.org/ |
Shutter | Screenshot Manipulation | http://shutter-project.org/ |
Sops | Secrets manager | https://github.com/getsops/sops |
Synapse | Symantic Launcher | https://launchpad.net/synapse-project |
Tabby | Modern Terminal | https://github.com/Eugeny/terminus |
Teller | Secret manager | https://github.com/tellerops/teller |
Terraform | Infrastructure as Code | https://www.terraform.io/ |
Vagrant | Unified Workflow | https://www.vagrantup.com/ |
Vault | Secrets Manager | https://www.vaultproject.io/ |
VirtualBox | Virtualization | https://www.virtualbox.org/ |
Visual Studio Code | Code editor | https://code.visualstudio.com/ |
WPS Office for Linux | Productivity Tools | https://www.wps.com/wps-office-for-linux/ |
XCA | Certificate Manager | https://hohnstaedt.de/xca/ |
Yq | YAML processor | https://github.com/mikefarah/yq/releases/download/v4.43.1/yq_linux_amd64 |
Software | Type | Link |
---|---|---|
Brave Browser | Browser alternative | Brave |
DockbarX | Panel | DockbarX |
Enpass | Password manager | Enpass |
GIMP | GNU Image Manipulation Program | GIMP |
Insync | Googledrive & Onedrive linux client | Insync |
Kodi | Open Source Home Theater | Kodi |
Neofetch | A command-line system information tool written in bash 3.2+ | Neofetch |
Pinta | Drawing/Image Editing | Pinta |
Spotify | Music Player | Spotify |
Steampipe | select * from cloud | Steampipe |
Sublime Text 3 | Text Editor | Sublime Text |
Betterbird | Email client | Betterbird |
Trivy | A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI | Trivy |
Veeam Agent for Linux | Backup tool | Veeam |
Veracrypt | Source disk encryption | Veracrypt |
||||
Software | Type | Link |
---|---|---|
Bitwarden | Password Manager | Bitwarden |
Boxes | Virtualization | Boxes |
Brave | Web Browser | Brave |
EasyEffects | Audio Effects Tool | EasyEffects |
Enpass | Password Manager | Enpass |
Firefox | Web Browser | Firefox |
Flatseal | Permissions Manager | Flatseal |
FreeFileSync | File Synchronization | FreeFileSync |
GIMP | Image Editor | GIMP |
Headlamp | Kubernetes Dashboard | Headlamp |
Kdenlive | Video Editor | Kdenlive |
Kodi | Media Center | Kodi |
Krita | Digital Painting | Krita |
LibreOffice | Office Suite | LibreOffice |
MissionCenter | Project Management | MissionCenter |
Obsidian | Note-taking App | Obsidian |
Pinta | Image Editor | Pinta |
Raspberry Pi Imager | Raspberry Pi Image Writer | Raspberry Pi Imager |
Remmina | Remote Desktop Client | Remmina |
Spotify | Music Streaming | Spotify |
Sublime Text | Text Editor | Sublime Text |
VLC | Media Player | VLC |
Vivaldi | Web Browser | Vivaldi |
WPS Office | Office Suite | WPS Office |
Zenmap | Network Scanner | Zenmap |
Zoom | Video Conferencing | Zoom |
Software | Type | Link |
---|---|---|
Dockerfilelint | Dockerfile linter | https://github.com/replicatedhq/dockerfilelint |
Task | Description | Link |
---|---|---|
install_yubico_software | Install keys, repositories, packages and dekstop files for Yubico infrastructure | https://yubico.com |
configure_zsh | Installs files required by zsh, oh-my-zsh and powerlevel10k |
https://github.com/ohmyzsh/ohmyzsh https://github.com/romkatv/powerlevel10k |
steampipe_plugins.yaml | Install steampipe plugins | https://steampipe.io/ |
configure_neofetch | Installs and configures neofetch | https://github.com/dylanaraps/neofetch |
This guide details the automation of Neofetch configuration adjustments using an Ansible playbook. By specifying various tasks in the playbook, users can easily comment out or uncomment specific lines within the Neofetch configuration file, toggle key-value pairs between "on" and "off", and ensure the creation of the Neofetch configuration file if it doesn't exist. Furthermore, it includes adding Neofetch to the global bashrc file for automatic execution.
The playbook operates based on a defined payload structure within a YAML file. Here's an example of the payload configuration for the Neofetch automation task:
neofetch:
config_path: /home/{{ pld_active_user }}/.config/neofetch/config.conf
remove_lines:
- Packages
- Resolution
- DE
- WM
- WM Theme
- Theme
- Icons
- Terminal
- Terminal Font
- cols
add_lines:
- Disk
- Local IP
toggle_items:
- key: 'color_blocks'
value: 'off'
Explanation of Configuration Parameters:
-
config_path
: Specifies the path to the Neofetch configuration file. This path can be dynamically set to match the active user's home directory.config_path: /home/{{ pld_active_user }}/.config/neofetch/config.conf
-
remove_lines
: A list of items to be commented out in the Neofetch configuration file. This list should contain the titles of the information blocks as they appear in the configuration.remove_lines: - Packages - Resolution
-
add_lines
: Similar to remove_lines, but these items will be uncommented if they were previously commented out, ensuring they are active in the Neofetch output.add_lines: - Disk - Local IP
-
toggle_items
: This section allows for toggling specific key-value pairs within the configuration file. For example, changing color_blocks from "on" to "off" or vice versa.toggle_items: - key: 'color_blocks' value: 'off'
Some applications are copied to autostart
folder
- Diodon
- DockbarX
- Synapse
- Shutter
- changes timezone and ntpd settings
- modifies
sysctl
settings to start usetcp_congestion_control
set tobbr
- modifies
sysctl
settings to decrease default swappiness - changes
alternatives
for EDITOR - initial
Timeshift
launch - change fstrim schedule to
hourly
- installs popular Microsoft Visual Studio Code extensions
- change
dconf
settings
-
Q: Will it work with specific version WSL/Ubuntu/PidgeonOS?
-
A: Don't know, don't care. Do your own variables.yml and check
-
Q: What will happen if I'll run it multiple times?
-
A: I hope - your applications will be upgraded, same for repos and keys. But, due to DEB/APT dependency you have to look for possible
downgrade
related errors. SeeKnown Issues
for it. -
Q: Can i check this in Ubuntu
-
A: Yes, but be prepared to create your own
variables.yml
and pass it as a parameter -
Q: Can I participate?
-
A: Yes, but please create your own branch and do PR. Do not merge to master. Please keep master branch clean.
-
Q: I don't know how to do the above
-
A: Then don't do it ;)
-
Q: Why there is so many Ubuntu:Bionic/Xenial, not so many LinuxMint:Tara repositories?
-
A: Tara is built over Bionic packages, so rarely it requires to have specific repo.
- better download file versioning (switch to latest where possible, separate version from URL, use separate folder for downloads)
- better docs
- add Vagrant plugins
- manual handle 3rd party deb files - pre-download and re-usage on demand
- configure neofetch
- add cloud-tools section, for people to choose cloud they are using
better archive handleservices handling part (by default in Ubuntu/Debian, installed service is set toenabled/started
)more idempotencyfix Bionic's broken apps like Asbru-CMmore OS tweaks (i/o scheduler)add AWS/GCE repositories for their toolsadd Visual Studio Code extra extensionscontinue to use taggingadd Flatpak packages handlingconvert single sysctl values into whole sectionbetter grub defaults handing
-
Due to how deb packages are treated by apt, we should find a way to install always 'latest' version not specific version. If (after initial run) we'll upgrade package outside this script, next time deb part will fail trying to 'downgrade' package.
-
Downloading & installing all packages can be time consuming, depending on your Internet connection speed (aprox 40-60 minut)
-
pip -
no module named _internal
sudo curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py && sudo python2.7 get-pip.py --force-reinstall
-
Playbook exits with a message
Could not import python modules: apt, apt_pkg. Please install python3-apt package
- Resolution: set
ansible_python_interpreter=/usr/bin/python3
- Resolution: set
-
Older distros have problem with some repositories, using PKI part that wasn't part of a ca-certificates.
- Resolution: Before continuing you're encouraged to install/upgrade
ca-certificates
package. Playbook is doing that as one of first steps, but this doesn't always works properly.
- Resolution: Before continuing you're encouraged to install/upgrade
-
Step
apt_initial_refresh
can fail due to several reasons:- problems with ca-certificates written above
- duplicate entries found in
/etc/apt/sources.list.d
files - expired keys/certificates for repositories
-
Step
reset_dconf_values
can fail in Linux Mint 20.x due to python-psutil package being too new. -
Insync
package strange behavior. Installing packages can fail asInsync
ignores entries in it's own insync.list file and adds new ones. This can lead to mutliple sources being added, thus apt is doomed to fail. In rare cases Insync also tries to add new repos codenames before they exist on their side. Currently there is no workaround for this.