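├── inventory
├── .gitignore
├── templates
    ├── jail.local.j2
    ├── libvirt_polkit.j2
    ├── vagrant-nfs.j2
    └── sshd_config.j2
├── handlers
    └── main.yml
├── meta
    └── main.yml
├── tasks
    ├── harden.yml
    ├── services.yml
    ├── system.yml
    ├── users.yml
    ├── thirdparty.yml
    ├── repos.yml
    └── packages.yml
├── ansible.cfg
├── setup_workstation.yml
├── vars
    └── vars.yml
├── LICENSE.md
└── README.md

/inventory:
--------------------------------------------------------------------------------
[workstation]
localhost ansible_connection=local

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
files/bashrc
.DS_Store
*.retry
*.env
credentials/
.vault_password
.vagrant/
*.sublime-project
*.sublime-workspace
.envrc

--------------------------------------------------------------------------------
/templates/jail.local.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

[DEFAULT]
# Ban for one hour (bantime is in seconds).
bantime = 3600
sender = fail2ban@{{ ansible_nodename }}
destemail = {{ local_user_email }}
# action_mwl bans the address and e-mails destemail a report that includes
# whois data and the matching log lines.
action = %(action_mwl)s

[sshd]
enabled = true

--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers run once at the end of the play, and only when a task notifies them.
- name: Create systemd-tmpfiles
  command: /usr/bin/systemd-tmpfiles --prefix=/sys --create

# Notified by "Harden sshd" in tasks/harden.yml.
- name: Restart sshd
  service:
    name: sshd
    state: restarted

# Notified by "Copy fail2ban jail.local" in tasks/harden.yml.
- name: Restart fail2ban
  service:
    name: fail2ban
    state: restarted

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: Joe Doss
  description: Configures your Fedora Workstation for development work.

  license: MIT

  min_ansible_version: 2.9.10

  platforms:
    - name: Fedora
      versions:
        - 32

  galaxy_tags:
    - workstation

dependencies: []

--------------------------------------------------------------------------------
/templates/libvirt_polkit.j2:
--------------------------------------------------------------------------------
// Answers YES, without an authentication prompt, when the configured local
// user requests org.libvirt.unix.manage (management access to the system
// libvirt daemon). That access is effectively administrative on the host, so
// the account named here should be treated as privileged.
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.user == "{{ local_user }}") {
        // Log before returning: the original placed these calls after the
        // return statement, where they could never run, so the automatic
        // approval left no trace in the polkit log.
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        return polkit.Result.YES;
    }
});

--------------------------------------------------------------------------------
/tasks/harden.yml:
--------------------------------------------------------------------------------
---

# Installs the sshd and fail2ban configuration. Each task is gated by its
# enable_* switch from vars/vars.yml and restarts the service through a handler.

- name: Harden sshd
  template:
    src: templates/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    # Check the rendered file before it replaces the live config, so a template
    # sshd cannot parse fails the task instead of being installed and restarted
    # into. sshd -t also loads the HostKey files, so this assumes the host keys
    # already exist (tasks/services.yml starts sshd earlier in the play);
    # confirm on a fresh install.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart sshd
  when: enable_sshd

- name: Copy fail2ban jail.local
  template:
    src: templates/jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
  notify: Restart fail2ban
  when: enable_fail2ban

--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
# config file for ansible -- http://ansible.com/
# ==============================================
# See https://github.com/ansible/ansible/blob/devel/examples/ansible.cfg
# for an example ansible.cfg

[defaults]
# NOTE(review): the shipped inventory only uses ansible_connection=local, so no
# SSH host key is ever consulted. If remote hosts are added to the inventory,
# set this back to True; with False, an unknown or changed host key is accepted
# silently and the connection can be intercepted.
host_key_checking = False
retry_files_enabled = False
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
inventory = inventory

[ssh_connection]
control_path = ~/.ssh/ansible-%%r@%%h:%%p
scp_if_ssh = True
pipelining = True

--------------------------------------------------------------------------------
/setup_workstation.yml:
--------------------------------------------------------------------------------
---
# Single play against the "workstation" group (localhost in ./inventory).
# Every task runs with become, i.e. as root.
- name: Setup Workstation
  hosts: workstation
  become: true
  gather_facts: true

  vars_files:
    - vars/vars.yml

  # Order matters: repositories are configured before packages are installed,
  # and harden.yml runs last, after services.yml has started sshd and fail2ban.
  tasks:
    - include_tasks: tasks/repos.yml
    - include_tasks: tasks/packages.yml
    - include_tasks: tasks/users.yml
    - include_tasks: tasks/services.yml
    - include_tasks: tasks/system.yml
    - include_tasks: tasks/thirdparty.yml
    - include_tasks: tasks/harden.yml

  handlers:
    - import_tasks: handlers/main.yml

--------------------------------------------------------------------------------
/templates/vagrant-nfs.j2:
--------------------------------------------------------------------------------
# Allow Vagrant to manage /etc/exports
#
# NOTE(review): every command below runs as root without a password for any
# member of the vagrant group. sudo matches the '*' wildcards in the two
# REMOVE aliases against the whole argument string, so those rules permit more
# than the single sed/cp invocation Vagrant issues, and "tee -a /etc/exports"
# lets a member append any export line. Treat membership of the vagrant group
# as administrative access and keep it to trusted accounts.
Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD_CHECK = /usr/bin/systemctl status --no-pager nfs-server.service
Cmnd_Alias VAGRANT_NFSD_START = /usr/bin/systemctl start nfs-server.service
Cmnd_Alias VAGRANT_NFSD_APPLY = /usr/sbin/exportfs -ar
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /bin/sed -r -e * d -ibak /*/exports
Cmnd_Alias VAGRANT_EXPORTS_REMOVE_2 = /bin/cp /*/exports /etc/exports
%vagrant ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD_CHECK, VAGRANT_NFSD_START, VAGRANT_NFSD_APPLY, VAGRANT_EXPORTS_REMOVE, VAGRANT_EXPORTS_REMOVE_2

--------------------------------------------------------------------------------
/vars/vars.yml:
--------------------------------------------------------------------------------
---

# User
local_user: jdoe
local_user_email: jdoe@email.com
# When true, tasks/users.yml sets the %wheel line in /etc/sudoers to
# "NOPASSWD: ALL". The local user is added to wheel, so anything running as
# that user can then become root without a prompt. Set to false to keep the
# sudo password prompt.
local_user_passwordless_sudo: true

# Services
enable_fail2ban: true
enable_libvirtd: true
enable_sshd: true
# Also installs the NOPASSWD sudoers rules for the vagrant group and opens the
# NFS services in the firewall (tasks/system.yml).
enable_vagrant_nfs: true

# Extras
install_extra_fonts: true
install_packager: true

# Third party
install_atom: true
install_authy: true
install_bitwarden: true
install_chrome: true
install_googletalk: true
install_slack: true
install_spotify: true
install_sublime_text: true
install_vscode: true
install_zoom: true
install_rpmfusion: true

#python3
ansible_python_interpreter: /usr/bin/python3

--------------------------------------------------------------------------------
/tasks/services.yml:
--------------------------------------------------------------------------------
---

# postfix is started unconditionally; the other services follow their
# enable_* switch from vars/vars.yml.
- name: Start and enable postfix
  service:
    name: postfix
    state: started
    enabled: yes

- name: Start and enable sshd
  service:
    name: sshd
    state: started
    enabled: yes
  when: enable_sshd

- name: Start and enable fail2ban
  service:
    name: fail2ban
    state: started
    enabled: yes
  when: enable_fail2ban

# Enabled at boot only; no "state" is given, so the service is not started here.
- name: Enable nfs-server
  service:
    name: nfs-server
    enabled: yes
  when: enable_vagrant_nfs

- name: Start and enable libvirtd
  service:
    name: libvirtd
    state: started
    enabled: yes
  when: enable_libvirtd

--------------------------------------------------------------------------------
/tasks/system.yml:
--------------------------------------------------------------------------------
---

- block:

    - name: Allow vagrant group to control NFS
      template:
        src: templates/vagrant-nfs.j2
        dest: /etc/sudoers.d/vagrant-nfs
        # Set ownership and mode explicitly instead of inheriting the umask;
        # 0440 root:root is the conventional mode for sudoers drop-ins.
        owner: root
        group: root
        mode: '0440'
        validate: 'visudo -cf %s'

    # NOTE(review): this opens nfs, rpc-bind and mountd to every network the
    # FedoraWorkstation zone is bound to, not only to the Vagrant guests.
    # Consider a narrower zone or source restriction for the guest network.
    - name: Allow connections to NFS in the firewall
      firewalld:
        zone: FedoraWorkstation
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      with_items:
        - nfs
        - rpc-bind
        - mountd

  when: enable_vagrant_nfs

# NOTE(review): IPv4 forwarding is switched on unconditionally, which lets the
# workstation route packets between its interfaces. If it is only wanted for
# virtual-machine networking, consider gating it behind one of the enable_*
# switches.
- name: Enable net.ipv4.ip_forward
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes

- name: Set fs.inotify.max_user_watches to 524288
  sysctl:
    name: fs.inotify.max_user_watches
    value: '524288'
    sysctl_set: yes
    state: present
    reload: yes
  when: install_vscode

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
The MIT License

Copyright (c) 2020 Joe Doss

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.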
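--------------------------------------------------------------------------------
/tasks/users.yml:
--------------------------------------------------------------------------------
---

- name: Create Vagrant group
  group:
    name: vagrant
    state: present

# wheel, libvirt and vagrant each carry privileges elsewhere in this playbook:
# sudo (below), the libvirt polkit rule, and the NOPASSWD NFS sudoers rules.
- name: Setup {{ local_user }} user
  user:
    name: "{{ local_user }}"
    home: /home/{{ local_user }}
    groups: mock,vagrant,libvirt,wheel
    append: yes

# Replaces the existing %wheel line, so every member of wheel, not only
# local_user, gets root without a password prompt. Runs only when
# local_user_passwordless_sudo is true; visudo checks the edited file before
# it is put in place.
- name: Allow wheel group to sudo without a password
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: visudo -cf %s
  when: local_user_passwordless_sudo

- name: Grant {{ local_user }} access to libvirt via polkit
  template:
    src: templates/libvirt_polkit.j2
    dest: /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules
    # An authorization rule should not depend on the umask in effect: keep it
    # root-owned and writable by root only.
    owner: root
    group: root
    mode: '0644'

- name: Create /home/{{ local_user }}/.cert directory
  file:
    path: /home/{{ local_user }}/.cert
    state: directory
    mode: '0750'
    owner: "{{ local_user }}"
    group: "{{ local_user }}"

# A plain command task: it runs, and reports "changed", on every play.
- name: Run restorecon on /home/{{ local_user }}/.cert
  command: /usr/sbin/restorecon -R -v /home/{{ local_user }}/.cert  # noqa 301

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Fedora Workstation

This is an opinionated playbook to setup a Fedora 32+ workstation with everything you need to start developing on Fedora Linux.

## Quick Setup

Follow these steps to install Ansible, checkout the Fedora Workstation repo, and run the playbook:

```
sudo dnf install ansible -y
git clone https://github.com/jdoss/fedora-workstation.git
cd fedora-workstation
ansible-playbook setup_workstation.yml -e "local_user=yourusername local_user_email=you@example.com" --become -K
```

For further customization, edit `vars/vars.yml` to fit your needs.

## License

The MIT License

Copyright (c) 2020 Joe Doss

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.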
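--------------------------------------------------------------------------------
/tasks/thirdparty.yml:
--------------------------------------------------------------------------------
---
# Third-party software. Each install is gated by its install_* switch in
# vars/vars.yml; the matching repositories are configured in tasks/repos.yml.

- name: Install Google Chrome
  dnf:
    name: google-chrome-stable
    state: present
  when: install_chrome

- name: Install Google Talk
  dnf:
    name: google-talkplugin
    state: present
  when: install_googletalk

# ignore_errors hides every failure of this task, including a repository or
# signature problem, not only "package unavailable".
- name: Install Spotify
  dnf:
    name: spotify-client
    state: present
  ignore_errors: yes
  when: install_spotify

- name: Install Sublime Text
  dnf:
    name: sublime-text
    state: present
  when: install_sublime_text

- name: Install Slack
  dnf:
    name: slack
    state: present
  when: install_slack

- name: Install VS Code
  dnf:
    name: code
    state: present
  when: install_vscode

# NOTE(review): the authenticator and the password manager below are taken
# from the snap "beta" channel, i.e. pre-release builds. Confirm that is
# intended for tools that hold credentials.
- name: Install Authy
  snap:
    name: authy
    channel: beta
  when: install_authy

- name: Install Bitwarden and Bitwarden CLI
  snap:
    name:
      - bitwarden
      - bw
    channel: beta
  when: install_bitwarden

# Second Slack install task. It had no condition and so installed Slack even
# with install_slack set to false (when tasks/repos.yml does not configure the
# Slack repository); it now follows the same switch as the task above.
- name: Install Slack
  dnf:
    name:
      - slack
    state: present
  when: install_slack

- block:

    - name: Check for Zoom
      stat: path=/usr/bin/zoom
      register: zoom_installed

    # Installs whatever the "latest" URL serves at run time; no version or
    # checksum is pinned.
    - name: Install Zoom RPM
      dnf:
        name: 'https://zoom.us/client/latest/zoom_x86_64.rpm'
        state: present
      when: not zoom_installed.stat.exists

  when: install_zoom

- block:

    - name: Check for Atom
      stat: path=/usr/bin/atom
      register: atom_installed

    # The RPM is installed as root, so it is downloaded into root's home
    # rather than to a fixed name under world-writable /tmp, where another
    # local account could create the file first (get_url without force keeps
    # an existing destination). force replaces any stale copy. No checksum is
    # pinned because the URL serves the current release.
    - name: Download Atom RPM
      get_url:
        url: https://atom.io/download/rpm
        dest: /root/atom.rpm
        mode: '0600'
        force: yes
      when: not atom_installed.stat.exists

    - name: Install Atom RPM
      dnf:
        name: /root/atom.rpm
        state: present
      when: not atom_installed.stat.exists

  when: install_atom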
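--------------------------------------------------------------------------------
/tasks/repos.yml:
--------------------------------------------------------------------------------
---
# Third-party package sources. Everything added here becomes a source of
# software installed as root, so each block is gated by its install_* switch
# and skipped when the .repo file is already present.

- block:

    - name: Check for Google Chrome repo
      stat: path=/etc/yum.repos.d/google-chrome.repo
      register: chrome_installed

    - name: Install Google Chrome repo
      dnf:
        name: 'https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm'
        state: present
      when: not chrome_installed.stat.exists

    # Plain command task: runs on every play.
    - name: Enable Google Chrome repo
      command: dnf config-manager --set-enabled google-chrome
      args:
        warn: false

  when: install_chrome

- block:

    - name: Check for Google Talk repo
      stat: path=/etc/yum.repos.d/google-talkplugin.repo
      register: googletalk_installed

    - name: Install Google Talk repo
      dnf:
        name: 'https://dl.google.com/linux/direct/google-talkplugin_current_x86_64.rpm'
        state: present
      when: not googletalk_installed.stat.exists
  when: install_googletalk

- block:

    - name: Check for fedora-spotify repo
      stat: path=/etc/yum.repos.d/fedora-spotify.repo
      register: fedora_spotify_installed

    # The .repo file is fetched as-is, so its own gpgcheck/gpgkey settings
    # decide how packages from it are verified.
    - name: Install fedora-spotify repo
      command: dnf config-manager --add-repo=https://negativo17.org/repos/fedora-spotify.repo
      when: not fedora_spotify_installed.stat.exists

  when: install_spotify

- block:

    - name: Check for sublime-text repo
      stat: path=/etc/yum.repos.d/sublime-text.repo
      register: fedora_sublime_text_installed

    - name: Install sublime-text repo
      command: dnf config-manager --add-repo https://download.sublimetext.com/rpm/stable/x86_64/sublime-text.repo
      when: not fedora_sublime_text_installed.stat.exists

  when: install_sublime_text

- block:

    - name: Check for vscode repo
      stat: path=/etc/yum.repos.d/vscode.repo
      register: fedora_vscode_installed

    - name: Import Microsoft GPG key
      rpm_key:
        state: present
        key: https://packages.microsoft.com/keys/microsoft.asc

    - name: Enable vscode repo
      yum_repository:
        name: code
        description: Visual Studio Code
        file: vscode
        baseurl: 'https://packages.microsoft.com/yumrepos/vscode'
        gpgkey: 'https://packages.microsoft.com/keys/microsoft.asc'
        gpgcheck: yes
      when: not fedora_vscode_installed.stat.exists

  when: install_vscode

- block:

    - name: Check for slack repo
      stat: path=/etc/yum.repos.d/slack.repo
      register: fedora_slack_installed

    - name: Import Slack GPG key
      rpm_key:
        state: present
        key: https://slack.com/gpg/slack_pubkey_2019.gpg

    - name: Enable slack repo
      yum_repository:
        name: slack
        description: Slack
        baseurl: 'https://packagecloud.io/slacktechnologies/slack/fedora/21/$basearch'
        gpgkey: 'https://slack.com/gpg/slack_pubkey_2019.gpg'
        gpgcheck: yes
        metadata_expire: '300'
        sslverify: yes
        sslcacert: /etc/pki/tls/certs/ca-bundle.crt
      when: not fedora_slack_installed.stat.exists

  when: install_slack

- block:

    - name: Check for RPM Fusion Free repo
      stat: path=/etc/yum.repos.d/rpmfusion-free.repo
      register: fedora_rpm_fusion_free_installed

    - name: Check for RPM Fusion Nonfree repo
      stat: path=/etc/yum.repos.d/rpmfusion-nonfree.repo
      register: fedora_rpm_fusion_nonfree_installed

    # The release RPMs install the repository definitions and signing keys,
    # so they are the trust anchor for everything later installed from RPM
    # Fusion. They were fetched over plain http, where the download can be
    # altered in transit; https is used instead.
    - name: Install RPM Fusion repo rpms
      dnf:
        name: "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_version }}.noarch.rpm"
        state: present
      when: not fedora_rpm_fusion_free_installed.stat.exists

    - name: Install RPM Fusion Nonfree repo rpms
      dnf:
        name: "https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_version }}.noarch.rpm"
        state: present
      when: not fedora_rpm_fusion_nonfree_installed.stat.exists

  when: install_rpmfusion

--------------------------------------------------------------------------------
/templates/sshd_config.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# NOTE(review): this template replaces /etc/ssh/sshd_config as a whole and has
# no Include directive. Newer Fedora releases are believed to ship an Include
# of /etc/ssh/sshd_config.d/*.conf in the stock file; if the target release
# does, drop-ins there stop applying once this file is installed. Confirm
# against the target release.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
# Password and keyboard-interactive logins are both off below, leaving public
# keys (and GSSAPI, enabled further down) as the ways to authenticate.
PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
# NOTE(review): GSSAPI stays enabled; on a workstation with no Kerberos realm
# it can be set to "no" to drop an unused authentication method.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

# NOTE(review): agent and X11 forwarding are left on in a file installed by
# the "Harden sshd" task. Both extend trust from the connecting client to this
# host (a forwarded agent can be used by root here for as long as the session
# lasts). Set them to "no" unless they are needed.
AllowAgentForwarding yes
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost yes
#PermitTTY yes
PrintMotd yes
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# UsePrivilegeSeparation was deprecated in OpenSSH 7.5, where privilege
# separation became mandatory; the directive is kept commented for reference.
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

--------------------------------------------------------------------------------
/tasks/packages.yml:
--------------------------------------------------------------------------------
---

- name: Upgrade all packages
  dnf:
    name: "*"
    state: latest  # noqa 403 This is a workstation playbook and updating your software to the latest versions is a good idea

- name: Install group packages
  dnf:
    name:
      - "@development tools"
      - "@fedora-packager"
      - "@virtualization"
    state: installed

# The list includes network-facing daemons and capture tools (postfix, redis,
# arpwatch, kismet, psad, ...). Only the services named in tasks/services.yml
# are started by this playbook.
- name: Install extra packages
  dnf:
    name:
      - acpi
      - android-tools
      - ansible-lint
      - appliance-tools
      - arpwatch
      - asciidoc
      - asciidoc-doc
      - aspell
      - aspell-en
      - autoconf
      - autofs
      - automake
      - awscli
      - binwalk
      - cmake
      - collectl
      - conntrack-tools
      - copr-cli
      - createrepo
      - crun
      - dnf-plugins-extras-common
      - dnf-plugins-extras-kickstart
      - dnf-plugins-extras-repoclosure
      - dnf-plugins-extras-repograph
      - dnf-plugins-extras-show-leaves
      - dnf-plugins-extras-tracer
      - dstat
      - elixir
      - fail2ban
      - fdupes
      - fedfind
      - fedpkg
      - feh
      - figlet
      - firewalld
      - firewalld-filesystem
      - flatpak-builder
      - fwsnort
      - gcc-c++
      - gdb-doc
      - glances
      - gnome-shell-extension-gpaste
      - gnome-tweak-tool
      - golang
      - golang-godoc
      - golang-gotype
      - gotags
      - gpaste
      - heimdall
      - htop
      - httpie
      - hub
      - inotify-tools
      - intltool
      - inxi
      - iotop
      - iptraf-ng
      - jq
      - jython
      - kernel-devel
      - kismet
      - kismet-plugins
      - letsencrypt
      - lftp
      - libguestfs
      - libguestfs-tools
      - libguestfs-tools-c
      - libguestfs-xfs
      - libicns-utils
      - libmtp-examples
      - libnfs
      - libnfsidmap
      - libsemanage-devel
      - libtaskotron
      - libtool
      - libvirt
      - libvirt-sandbox
      - livecd-tools
      - liveusb-creator
      - lm_sensors
      - lorax
      - lshw
      - lsscsi
      - ltrace
      - lynx
      - mysql-devel
      - ncftp
      - nfs-utils
      - ngrep
      - nmap
      - nmon
      - nodejs
      - npm
      - openscap
      - openscap-containers
      - openscap-daemon
      - openscap-scanner
      - openscap-utils
      - openssl-devel
      - pandoc
      - pass
      - patchutils
      - pavucontrol
      - pavumeter
      - pcp
      - pcp-doc
      - pcp-gui
      - perf
      - picocom
      - pinta
      - postfix
      - postgresql-devel
      - psad
      - pssh
      - pv
      - pykickstart
      - pylint
      - pyp2rpm
      - pypy
      - pytest
      - python3-firewall
      - python3-virtualenv
      - qiv
      - qpdf
      - ranger
      - recode
      - redis
      - rfkill
      - rpm-ostree
      - ruby
      - ruby-devel
      - ruby-doc
      - ruby-irb
      - rubygems
      - rubygems-devel
      - runc
      - sbcl
      - scala
      - scap-workbench
      - scapy
      - screen
      - screenfetch
      - setools-console
      - sg3_utils
      - smartmontools
      - snapd
      - socat
      - spec2scl
      - speedtest-cli
      - spin-kickstarts
      - sssd-nfs-idmap
      - strace
      - sysstat
      - system-storage-manager
      - task
      - tcllib
      - terminator
      - testcloud
      - testdisk
      - thunderbird
      - tito
      - tlp
      - tlp-rdw
      - tmux
      - tpp
      - transmission-cli
      - tuna
      - tuned
      - tuned-utils
      - tuned-utils-systemtap
      - units
      - vagrant
      - vagrant-doc
      - vagrant-libvirt
      - vagrant-libvirt-doc
      - valgrind
      - vim-enhanced
      - virt-top
      - whois
      - wireshark-cli
      - xbacklight
      - xclip
      - xfsdump
      - xournal
      - xsel
      - ykclient
      - ykpers
    state: installed

# rpmconf was listed twice in the original; the duplicate entry is dropped.
- name: Install RPM packager packages
  dnf:
    name:
      - blender-rpm-macros
      - erlang-rpm-macros
      - fedmsg
      - fedora-review
      - fedora-review-tests
      - ghc-rpm-macros
      - ghc-rpm-macros-extra
      - ghc-srpm-macros
      - gnat-srpm-macros
      - go-srpm-macros
      - kernel-rpm-macros
      - kf5-rpm-macros
      - mock
      - nodejs-packaging
      - ocaml-srpm-macros
      - perl-macros
      - perl-srpm-macros
      - python-fedmsg-meta-fedora-infrastructure
      - rpm-apidocs
      - rpm-build
      - rpm-devel
      - rpmconf
      - rpmdevtools
      - rpmgrill
      - rpmlint
      - rpmorphan
      - rpmreaper
      - scl-utils-build
      - sip-macros
      - web-assets-devel
    state: installed
  when: install_packager

- name: Install extra fonts
  dnf:
    name:
      - adobe-source-code-pro-fonts
      - dejavu-sans-fonts
      - dejavu-sans-mono-fonts
      - dejavu-serif-fonts
      - gnu-free-fonts-common
      - gnu-free-mono-fonts
      - gnu-free-sans-fonts
      - gnu-free-serif-fonts
      - levien-inconsolata-fonts
      - liberation-fonts-common
      - liberation-mono-fonts
      - liberation-sans-fonts
      - liberation-serif-fonts
      - mozilla-fira-mono-fonts
      - msimonson-anonymouspro-fonts
      - overpass-fonts
      - terminus-fonts
    state: installed
  when: install_extra_fonts

- name: Install RPMFusion Packages
  dnf:
    name:
      - ffmpeg
    state: installed
  when: install_rpmfusion

--------------------------------------------------------------------------------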