Brought to you by Megabyte Labs
A no-stone-unturned Ansible playbook you can use to set up the ultimate home lab or on-premise addition to your cloud!
- Introduction
- Quick Start
- Supported Operating Systems
- Requirements
- Software
- Web Applications
- Philosophy
- Architecture
- Managing Environments
- Contributing
- License
Welcome to a new way of doing things. Born out of complete paranoia and a relentless pursuit of the best of GitHub Awesome lists, Gas Station aims to add the capability of being able to completely wipe whole networks and restore them on a regular basis. It takes a unique approach to network provisioning because it supports desktop provisioning as a first-class citizen. By default, without much configuration, it is meant to provision and maintain the state of a network that includes development workstations and servers. One type of user that might benefit from this project is a web developer who wants to start saving the state of their desktop as code. Another type of user is one who wants to start hosting RAM-intensive web applications in their home-lab environment to save huge amounts on cloud costs. This project is also meant to be maintainable by a single person. Granted, if you look through our eco-system you will see we are well-equipped for supporting entire teams as well.
Gas Station a collection of Ansible playbooks, configurations, scripts, and roles meant to provision computers and networks with the "best of GitHub". By leveraging Ansible, you can provision your whole network relatively fast in the event of a disaster or scheduled network reset. This project is also intended to increase the security of your network by allowing you to frequently wipe, reinstall, and re-provision your network, bringing it back to its original state. This is done by backing up container storage volumes (like database files and Docker volumes) to encrypted S3 buckets, storing configurations in encrypted git repositories, and leveraging GitHub-sourced power tools to make the job easy-peasy.
This project started when a certain somebody changed their desktop wallpaper to an cute picture of a cat 🐱 when, all of a sudden, their computer meowed. Well, it actually started before that but no one believes someone who claims that time travelers hacked them on a regular basis. Tip: If you are stuck in spiritual darkness involving time travelers, save yourself some headaches by adopting an other-people first mentality that may include volunteering, tithing, and surrendering to Jesus Christ. Anyway, enough preaching!
Gas Station is:
- Highly configurable - most roles come with optional variables that you can configure to change the behavior of the role
- Highly configured - in-depth research is done to ensure each software component is configured with bash completions, plugins that are well-received by the community, and integrated with other software used in the playbook
- Compatible with all major operating systems (i.e. Windows, Mac OS X, Ubuntu, Fedora, CentOS, Debian, and even Archlinux)
- The product of a team of experts
- An amazing way to learn about developer tools that many would consider to be "the best of GitHub"
- Open to new ideas - feel free to open an issue or contribute with a pull request!
The easiest way to run the entire playbook, outlined in the main.yml
file, is to run the appropriate command listed below. These commands will run the playbook on the machine you run the command on. This is probably the best way to get your feet wet before you decide to give us a ⭐ and customize the playbook for your own needs. Ideally, this command should be run on the machine that you plan on running Ansible with to provision the other computers on your network. It is only guaranteed to work on fresh installs so testing it out with Vagrant is highly encouraged.
To test it out with Vagrant, you can run the following commands which will open up an interactive dialog where you can pick which operating system and virtualization provider you wish to test the installation with:
bash start.sh && task ansible:test:vagrant
curl -sSL https://install.doctor/quickstart > ./setup.sh && bash ./setup.sh
In an administrative PowerShell session, run:
iex ((New-Object System.Net.WebClient).DownloadString('https://install.doctor/windows-quickstart'))
Our playbooks include a specially crafted playbook for Qubes. It will load your VMs with sensible defaults. For more details, check out the Qubes playbook and Qubes variables. Perhaps most importantly, the "quickstart" the inventory file details the VM structure that the provisioning script adds to the target system.
To setup Qubes, run the following on a fresh install in dom0:
qvm-run --pass-io sys-firewall "curl -sSL https://install.doctor/qubes" > ./setup.sh && bash ./setup.sh
The following chart shows the operating systems that have been tested for compatibility using the environments/dev/
environment. This chart is automatically generated using the Ansible Molecule tests you can view in the molecule/default/
folder. We currently have logic in place to automatically handle the testing of Windows, Mac OS X, Ubuntu, Fedora, CentOS, Debian, Archlinux, and, of course, Qubes. If your operating system is not listed but is a variant of one of the systems we test (i.e. a Debian-flavored system or a RedHat-flavored system) then it might still work.
compatibility_matrix
- Python >=3.7
- Ansible >=2.9
- Ansible controller should be a macOS/Linux environment (WSL/Docker can be used on Windows)
There are Python and Ansible package requirements need to be installed by running the following command (or equivalent) in the root of this repository:
pip3 install -r .config/requirements.txt
ansible-galaxy install requirements.yml
You can also run bash start.sh
if you do not mind development dependencies being installed as well. This method will even handle installing Python 3 and Ansible.
This playbook is built and tested to run on fresh installs of Windows, Mac OS X, Ubuntu, Fedora, Debian, CentOS, Archlinux, and Qubes. It may still be possible to run the playbook on your current machine. However, installing the playbook on a fresh install is the only thing we actively support. That said, if you come across an issue with an environment that already has configurations and software present, please do not hesitate to open an issue.
SSH (or WinRM in the case of Windows) and Python should be available on the target systems you would like to provision. If you are attempting to provision a Windows machine, you can ensure that WinRM is enabled and configured so that you can remotely provision the Windows target by running the following command with PowerShell:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://install.doctor/windows-client'))
We use mas to install apps from the App Store in some of our roles. Sadly, automatically signing into the App Store is not possible on OS X 10.13+ via mas. This is because mas no longer supports login functionality on OS X 10.13+.
There is another caveat with mas. In order to install an application using mas, the application has to have already been added via the App Store GUI. This means that the first time around you will have to install the apps via the App Store GUI so they are associated with your App Store account.
This project breaks down software into a role (found in the subdirectories of the roles/
folder) if the software requires anything other than being added to the PATH
variable. Below is a quick description of what each role does. Browsing through this list, along with the conditions laid out in main.yml
, you will be able to get a better picture of what software will be installed by the default main.yml
playbook.
Role Name | Description | GitHub |
---|---|---|
Android Studio | Android Studio is the official integrated development environment for Google's Android operating system, built on JetBrains' IntelliJ IDEA software and designed specifically for Android development. This role installs Android Studio on nearly any operating system and also ensures a configurable list of command-line tools and SDKs are installed and seamlessly integrated with the system (i.e. the role adds the appropriate items to the PATH environment variable). (Homepage | Documentation | Role on GitHub) |
❌ Closed source |
Appium | Appium is an open source automation tool for running scripts and testing native applications, mobile-web applications and hybrid applications on Android or iOS using a webdriver. (Homepage | Documentation) | |
Autokey | AutoKey is a free, open-source scripting application for Linux. AutoKey allows the user to define hotkeys and trigger phrases which expand to predefined text, automating frequent or repetitive tasks such as correcting typographical errors or common spelling mistakes and inserting boiler plate sections of text. AutoHotKey is a similar piece of software that is only available on the Windows platform. (Homepage | Documentation) | |
IntelliJ IDEA (CE) | IntelliJ IDEA is an integrated development environment written in Java for developing computer software. It is developed by JetBrains, and is available as an Apache 2 Licensed community edition, and in a proprietary commercial edition. Both can be used for commercial development. (Homepage | Documentation) | |
XCode | Xcode is Apple's integrated development environment for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS. (Homepage | Documentation) | ❌ Closed source |
Host Home Page | N/A | |
MAAS | MAAS allows very fast server provisioning for your data centre. It allows self-service, remote installation of Windows, CentOS, ESXi and Ubuntu on real servers. It turns your data centre into a bare metal cloud. (Homepage | Documentation) | |
pfSense | pfSense is a firewall/router computer software distribution based on FreeBSD. pfSense Community Edition is the open source version while pfSense Plus has moved to a closed source model. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. (Homepage | Documentation) | |
PiHole | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi, but supports any Linux machines. (Homepage | Documentation) | |
Qubes | Qubes is a Linux distribution that introduces some radically new concepts that basically boil down to running everything inside of a VM. It is touted by security professionals as one of (if not, the most) secure desktop operating system. In Qubes, the base namespace is called dom0 which is more or less the control point for all the other VMs that you would run applications in. This role updates dom0 and then sets up a configurable list of features into dom0 including setting up sys-usb (a VM for all your USB devices), adding YubiKey integration, forcing system updates over Tor, and a handful of other additions every Qubes user should have as part of their stack. (Homepage | Documentation) | |
Security Onion | Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! This role takes it a step further and automates the whole setup process. (Homepage | Documentation) | |
Sonatype Nexus | Sonatype Nexus is a repository manager that lets you proxy and cache assets from apt-get, yum, npm, pypi, and a handful of other sources. This role sets up Sonatype Nexus using the awesome work of the ansible-ThoTeam/nexus3-oss repository on GitHub. (Homepage | Documentation | Role on GitHub) | |
AntiVirus | Clam AntiVirus is a free software, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. rkhunter is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases. Malwarebytes is an anti-malware software for Microsoft Windows, macOS, Chrome OS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. | N/A |
CertBot | Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. (Homepage | Documentation) | |
Elastic Agent | Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to each host. A single agent makes it easier and faster to deploy monitoring across your infrastructure. The agent’s single, unified policy makes it easier to add integrations for new data sources. You can use Elastic Agent with Fleet. Fleet is a Kibana service that allows you to add and manage integrations for popular services and platforms, as well as manage Elastic Agent installations. (Homepage | Documentation) | |
Gitlab Runner | GitLab Runner is an application that works with GitLab CI/CD to run jobs in a pipeline. (Homepage | Documentation) | |
Guacamole | Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. (Homepage | Documentation) | |
NGINX | It also generates sites-enabled proxies using YML configurations. Easter eggs included. Nginx, stylized as NGINX, nginx or NginX, is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. (Homepage | Documentation) | |
Samba | Samba is a free and open-source software that allows files to be shared across Windows and Linux systems simply and easily. To be exact, it is an open-source implementation of the SMB/CIFS protocol. (Homepage | Documentation) | |
Wazuh | Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. (Homepage | Documentation) | |
Common | For example, this role sets the timezone, sets the hostname, sets up the swap space, ensures auto-login is either disabled or enabled, and customizes GRUB (on Linux). It also ensures that specified groups are present on the system. On Windows, the role ensures all the available updates are installed, ensures Scoop is installed, and ensures common dependencies like Bandizip (a compressed-file manager) are installed. | N/A |
Debloat Windows | This repository is the home of an Ansible role that Debloats Windows | N/A |
DNS | This role ensures that DNS requests are encrypted if you supply it the appropriate configuration. It uses systemd on Linux. On macOS/Windows, it installs and configures Stubby. | N/A |
Firewall | This role is intended to be used with the ProfessorManhattan playbook. It integrates tightly with the other roles included with the playbook. | N/A |
GlusterFS | Gluster is a free and open source software scalable network filesystem. Gluster is a software defined distributed storage that can scale to several petabytes. It provides interfaces for object, block and file storage. | N/A |
Sanoid | Sanoid is a free and open source snapshot management tool. Sanoid is a policy-driven snapshot management tool for ZFS filesystems. When combined with the Linux KVM hypervisor, you can use it to make your systems functionally immortal. | N/A |
A binary authorization system for MacOS | A binary authorization system for MacOS (santa) role is a daemon that makes execution decisions based on the contents of a local database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server. | N/A |
Security | This role turns on auto-updates and configures sudo, for instance. | N/A |
Betelgeuse Theme | Betelgeuse is a theme for KDE, XFCE, Gnome, and many more themeing engines. It is heavily based on Sweet. It tries to make the theme compatible with many environment types. It also includes special styles geared towards styling Qubes OS. | N/A |
Common | For example, this role sets the timezone, sets the hostname, sets up the swap space, ensures auto-login is either disabled or enabled, and customizes GRUB (on Linux). It also ensures that specified groups are present on the system. On Windows, the role ensures all the available updates are installed, ensures Scoop is installed, and ensures common dependencies like Bandizip (a compressed-file manager) are installed. | N/A |
Autorestic | Autorestic is a wrapper around Restic. The Restic CLI can be a bit overwhelming and difficult to manage if you have many different location that you want to backup to multiple locations. Autorestic makes managing all your S3 backups easier by making it config / cron driven. (Homepage | Documentation) | |
null | null (Documentation) |
We encourage you to browse through the repositories that are linked to in the table above to learn about the configuration options they support. Some of the roles are included as roles because they support configurations that rely on user-specific variables like API keys.
A lot of the nifty software we install by default does not require any configuration other than being added to the PATH
or being installed with an installer like brew
. For this kind of software that requires no configuration, we list the software we would like installed by the playbook as a variable in group_vars/
or host_vars/
as an array of keys assigned to the software
variable (example here). With those keys, we install the software using the professormanhattan.genericinstaller
role which determines how to install the binaries by looking up the keys against the software_package
object (example here).
NOTE: The binary packages listed in these charts will attempt to install using the system package manager and then from source if the option is available before resorting to less desirable methods like downloading the binary from GitHub releases. The order of installation method preference that the professormanhattan.genericinstaller
role attempts to use is defined in the INSERT_VARIABLE_NAME
variable. The default order is:
- System package managers
- Compiling from source (via Go, Rust, etc.)
- Installing via Homebrew
- Downloading the pre-compiled assets from GitHub releases
For your convienience, we have split the long list of single binary based software into two lists - one for CLIs and one for Applications:
Package | Description | GitHub |
---|---|---|
Altair | A beautiful feature-rich GraphQL Client for all platforms | |
Betwixt | Web Debugging Proxy based on Chrome DevTools Network panel | |
BitWarden | The desktop vault (Windows, macOS, & Linux) | |
Cerebro | Open-source productivity booster with a brain | |
Cumulus | A SoundCloud player that lives in the menubar | |
Dat Desktop | Peer to peer data syncronization | |
Google Assistant Unofficial Desktop Client | A cross-platform unofficial Google Assistant Client for Desktop | |
Gitify | GitHub notifications on the menu bar | |
Jitsi Meet Electron | Desktop application for Jitsi Meet built with Electron | |
Manta | Flexible invoicing desktop app with beautiful & customizable templates | |
MarkText | A simple and elegant markdown editor, available for Linux, macOS and Windows | |
MassCode | A free and open source code snippets manager for developers | |
MJML App | The desktop app for MJML | |
Mockoon | Mockoon is the easiest and quickest way to run mock APIs locally. No remote deployment, no account required, open source | |
Motrix | A full-featured download manager | |
MQTT X | Elegant Cross-platform MQTT 5.0 Desktop Client | |
Mullvad VPN | The Mullvad VPN client app for desktop and mobile | |
Nuclear | Streaming music player that finds free music | |
Pretzel | Pretzel is Mac desktop app that shows and find keyboard shortcuts based on your current app | |
raindrop | All-in-one bookmark manager | N/A |
Responsively | A modified web browser that helps in responsive web development | |
RunJS | A JavaScript playground that auto-evaluates as you type | |
Scrcpy GUI | A simple & beautiful GUI application for scrcpy | |
Skype | Skype is for connecting with the people that matter most in your life and work | N/A |
Slack | Transform the way that you work with one place for everyone and everything that you need to get things done | N/A |
SQLectron | A simple and lightweight SQL client desktop with cross database and platform support | |
SwitchHosts | Extension to switch hosts | |
Tabby | A terminal for a more modern age | |
Temps | Simple menubar application based on Electron with actual weather information and forecast | |
Udemy Course Downloader | A desktop application for downloading Udemy Courses | |
WebTorrent Desktop | Streaming torrent app for Mac, Windows, and Linux |
Package | Description | GitHub |
---|---|---|
act | To run Github Actions locally | |
argo | ArgoCD is a declarative GitOps continuous delivery platform. | N/A |
azure-functions-core-tools | A local development experience for creating, developing, testing, running, and debugging Azure Functions | |
bandwhich | Terminal bandwidth utilization tool | |
bane | Custom & better AppArmor profile generator for Docker containers | |
bat | Clone of cat(1) with syntax highlighting and Git integration | |
bin | Effortless binary manager | |
bivac | Backup Interface for Volumes Attached to Containers | |
boilr | boilerplate template manager that generates files or directories from template repositories | |
budibase-cli | The Budibase CLI is how you initialise, manage and update your Budibase installation | |
captain | Helps manage docker-compose.yml files from anywhere in the file system | |
clair | Vulnerability Static Analysis for Containers | |
cloudflared | Cloudflare Tunnel client | |
cmctl | A CLI tool that can help you to manage cert-manager resources inside your cluster | N/A |
confd | Manage local application configuration files using templates and data from etcd or consul | |
consul-cli | Command line interface to Consul HTTP API | |
croc | Easily and securely send things from one computer to another | |
ctop | Top-like interface for container metrics | |
curator | Elasticsearch Curator helps you curate, or manage, your Elasticsearch indices and snapshots | N/A |
dasel | Select, put and delete data from JSON, TOML, YAML, XML and CSV files with a single tool | |
dat | Peer-to-peer sharing & live syncronization of files via command line | |
delta | A syntax-highlighting pager for git and diff output | |
dive | A tool for exploring each layer in a docker image | |
desed | Debugger for Sed: demystify and debug the sed scripts, from comfort of terminal | |
deta | Command line interface for managing Deta micros and deployments | |
direnv | Extension to load and unload environment variables depending on the current directory | |
docker-slim | Extension to minify and secure Docker images | |
dockle | Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start | |
doctl | The official command line interface for the DigitalOcean API | |
dog | A command-line DNS client | |
drone | The Drone command line tools are used to interact with the Drone from the command line, and provide important utilities for managing users and repository settings | |
duf | a better 'df' alternative | |
dust | A more intuitive version of du in rust | |
envconsul | Launch a subprocess with environment variables using data from @hashicorp Consul and Vault | |
etcd | Distributed reliable key-value store for the most critical data of a distributed system | |
fd | A simple, fast and user-friendly alternative to 'find' | |
ffsend | Easily and securely share files from the command line, a fully featured Firefox Send client | |
filebrowser | Web file browser | |
fm | Terminal file manager | |
fq | jq for binary formats | |
fselect | Extension to find files with SQL-like queries | |
Fuego | Fuego is a command line client for the firestore database | |
gdrive | Google Drive CLI Client | |
ghorg | Supports GitHub, GitLab, Bitbucket, and more | |
gitleaks | Extension to scan git repos (or files) for secrets using regex and entropy | |
gitomatic | A tool to monitor git repositories and automatically pull & push changes | |
glab | An open-source GitLab command line tool bringing GitLab's cool features to your command line | |
glow | Glow is a terminal based markdown reader designed from the ground up to bring out the beauty—and power—of the CLI | |
gojq | gojq is a pure Go implementation of jq that is mostly backwards compatible (but not completely) | |
go-chromecast | CLI for Google Chromecast, Home devices and Cast Groups | |
gping | Ping, but with a graph | |
grex | A command-line tool and library for generating regular expressions from user-provided test cases | |
gron | Extension to make JSON greppable | |
hclq | Command-line processor for HashiCorp config files, like sed for HCL — Terraform, Consul, Nomad, Vault | |
hexyl | A command-line hex viewer | |
hey | HTTP load generator, ApacheBench (ab) replacement, formerly known as rakyll/boom | |
hostctl | This tool gives more control over the use of hosts file | |
htmlq | A lightweight and flexible command-line JSON processor for HTML | |
hyperfine | A command-line benchmarking tool | |
jiq | Create jq queries interactively by leveraging a live reload feature in the terminal | |
jo | JSON output from a shell | |
jq | Command-line JSON processor | |
kdash | A simple and fast dashboard for Kubernetes | |
kn | The Knative CLI (kn) provides a quick and easy interface for creating Knative resources, such as Knative Services and Event Sources | |
kubenav | kubenav is the navigator for your Kubernetes clusters right in your pocket | |
license | Command-line license text generator | |
linkerd2 | Linkerd is an ultralight, security-first service mesh for Kubernetes | |
linuxkit | A toolkit for building secure, portable and lean operating systems for containers | |
logcli | Run LogQL queries against a Loki server | |
mc | MinIO Client is a replacement for ls, cp, mkdir, diff and rsync commands for filesystems and object storage | |
mergestat | Query git repositories with SQL. Generate reports, perform status checks, analyze codebases | |
mkcert | A simple zero-config tool to make locally trusted development certificates with any names | |
mole | CLI application to create ssh tunnels focused on resiliency and user experience | |
muffet | Fast website link checker in Go | |
nebula | A scalable overlay networking tool | |
nnn | A full-featured terminal file manager | |
node-prune | Extension to remove unnecessary files from node_modules | |
nomino | Batch rename utility for developers | |
osquery | SQL powered operating system instrumentation, monitoring, and analytics | |
ots | Share end-to-end encrypted secrets with others via a one-time URL | |
oq | A performant, and portable jq wrapper to facilitate the consumption and output of formats other than JSON; using jq filters to transform the data | |
page-fetch | Fetch web pages using headless Chrome, storing all fetched resources including JavaScript files | |
pass | Password manager | N/A |
pastel | A command-line tool to generate, analyze, convert and manipulate colors | |
peco | Simplistic interactive filtering tool | |
pony | Local file-based password, API key, secret, recovery code store backed by GPG | |
procs | A modern replacement for ps written in Rust | |
psu | CLI client for Portainer | |
pup | Parsing HTML at the command line | |
q | Run SQL directly on CSV or TSV files | |
rancher | The Rancher Command Line Interface (CLI) is a unified tool for interacting with your Rancher Server | |
rip | A safe and ergonomic alternative to rm | |
s5cmd | Parallel S3 and local filesystem execution tool with benchmarks that show it is the fastest S3 downloader | |
schema | A tool to infer and instantiate schemas and translate between data formats | |
scrcpy | Display and control your Android device | |
sd | Intuitive find & replace CLI (sed alternative) | |
sentry-cli | sentry-cli can connect to the Sentry API and manage some data for your projects | |
sftpgo | S3, Google Cloud Storage, Azure Blob | |
shfmt | A shell parser, formatter, and interpreter with bash support; includes shfmt | |
skm | A simple and powerful SSH keys manager | |
ssh-vault | Encrypt/decrypt using ssh keys | |
ssl-proxy | Simple zero-config SSL reverse proxy with real autogenerated certificates | |
sync-ssh-keys | Sync public ssh keys to ~/.ssh/authorized_keys, based on Github/Gitlab organization membership | |
sysbench | System performance benchmark tool | |
sysget | One package manager to rule them all | |
Task | A task runner / simpler Make alternative written in Go | |
Teleport | Modern SSH server for teams managing distributed infrastructure | |
teller | never leave your command line for secrets | |
tflint | A Pluggable Terraform Linter | |
tilt | Define your dev environment as code. For microservice apps on Kubernetes | |
tokei | Tokei is a program that displays statistics about the code | |
transfer | Converts from one encoding to another | |
trivy | Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues | |
up | Ultimate Plumber is a tool for writing Linux pipes with instant live preview | |
vault | HashiCorp Vault is a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment. It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease | N/A |
@cliVector /) | Vector is a lightweight, ultra-fast tool for building observability pipelines that lets you collect, transform, and route all your logs and metrics with one simple tool. | N/A |
velero | Velero is an open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes. | N/A |
waypoint | A tool to build, deploy, and release any application on any platform | |
websocat | CLI for interacting with web sockets | |
whaler | Whaler takes a Docker image and attempts to reverse engineer the Dockerfile that created it | |
winrm-cli | Command-line tool to remotely execute commands on Windows machines through WinRM | |
wkhtmltopdf | Convert HTML to PDF using Webkit (QtWebKit) | |
xurls | Extract urls from text | |
yq | Process YAML documents from the CLI |
NPM provides a huge catalog of useful CLIs and libraries so we also include a useful and interesting default set of NPM-hosted CLIs for hosts in the desktop
group (defined here, for example):
Package | Description | GitHub |
---|---|---|
@angular/cli | Official CLI for Angular capable of generating new projects, generating boilerplate files, and testing apps with LiveReload (Homepage | Documentation) | |
@cloudflare/wrangler | A CLI tool designed for folks who are interested in using Cloudflare Workers (Homepage | Documentation) | |
@feathersjs/cli | Feathers is a lightweight web-framework for creating real-time applications and REST APIs using JavaScript or TypeScript. (Homepage | Documentation) | |
@ionic/cli | A command line interface (CLI) is go-to tool for developing Ionic apps (Homepage | Documentation) | |
@nestjs/cli | A command-line interface tool that helps you to initialize, develop, and maintain your Nest applications (Homepage | Documentation) | |
@sentry/cli | A Sentry command line client for some generic tasks (Homepage | Documentation) | |
@vercel/ncc | CLI for compiling a Node.js module into a single file, together with all its dependencies, gcc-style (Homepage) | |
auto-install | Auto installs dependencies as you code (Homepage) | |
bitly-cli-client | Shorten links with Bitly in the terminal (Homepage) | |
browser-sync | test desktop and mobile versions of a website at the same time (Homepage | Documentation) | |
caniuse-cmd | Caniuse command line tool (Homepage | Documentation) | |
carbon-now-cli | Tool that generates beautiful images of source code through an intuitive UI, while customizing aspects like fonts, themes, window controls and much mor (Homepage) | |
commitizen | The commitizen command line utility (Homepage | Documentation) | |
cordova | The command line tool to build, deploy and manage Cordova-based applications (Homepage | Documentation) | |
deviceframe | Put device frames around mobile/web/progressive app screenshots (Homepage) | |
editly | A tool and framework for declarative NLE (non-linear video editing) using Node.js and ffmpeg (Homepage) | |
electron | A tool that enables to write cross-platform desktop applications using JavaScript, HTML and CSS (Homepage | Documentation) | |
emma-cli | Install the package you are looking for | |
emoj | Find relevant emoji from text on the command-line | |
empty-trash-cli | A CLI to empty the trash | |
eslint | A tool for identifying and reporting on patterns found in ECMAScript/JavaScript code (Homepage | Documentation) | |
fastify-cli | Command line tools for Fastify. Generate, write, and run an application with one single command (Homepage | Documentation) | |
firebase-tools | The Firebase Command Line Interface (CLI) Tools can be used to test, manage, and deploy Firebase project from the command line (Homepage | Documentation) | |
fkill-cli | Fabulously kill processes. Cross-platform. | |
git-open | Type git open to open the repo website (GitHub, GitLab, Bitbucket) in browser | |
google-font-installer | Google Font Installer is a NodeJS module/CLI that lets you Search, Download and Install fonts offered by Google Web Fonts | |
gtop | System monitoring dashboard for terminal. Deprecated in favor of Glances. | |
gulp | A toolkit that helps you automate painful or time-consuming tasks in your development workflow (Homepage | Documentation) | |
imgur-uploader-cli | CLI to upload images to imgur | |
ios-deploy | Command line tool to install aand debug iOS apps. Xcode must be installed (i.e. this is a macOS-only package) | |
is-up-cli | Check whether a website is up or down using the isitup.org API (Homepage) | |
localtunnel | localtunnel exposes localhost to the world for easy testing and sharing (Homepage) | |
mjml | A markup language created by Mailjet and designed to reduce the pain of coding a responsive email (Homepage | Documentation) | |
nativefier | Tool to make any web page a desktop application (Documentation) | |
nectarjs | A JavaScript native compiler (Homepage | Documentation) | |
newman | A command-line collection runner for Postman (Homepage | Documentation) | |
np | A better npm publish | |
npm-check | Check for outdated, incorrect, and unused dependencies (Homepage) | |
nrm | nrm can help you easy and fast switch between different npm registries | |
oclif | A framework for building CLIs in Node.js (Homepage | Documentation) | |
package-size | Tool to get the bundle size of an npm package | |
pageres-cli | A CLI to capture screenshots of websites in various resolutions | |
playwright | Single API to automate Chromium, WebKit, and Firefox (available as a CLI and library) (Homepage | Documentation) | |
pm2 | PM2 is a production process manager for Node.js applications with a built-in load balancer (Homepage | Documentation) | |
pkg | This command line interface enables you to package your Node.js project into an executable that can be run even on devices without Node.js installed | |
prettier | A code formatter (Homepage | Documentation) | |
psi | PageSpeed Insights with reporting (Homepage | Documentation) | |
ramda-cli | A tool for processing data with functional pipelines in the command-line or interactively in browser | |
semantic-release | A tool that automates the process of releasing software, featuring integrations with GitHub / GitLab releases (Homepage | Documentation) | |
serve | Static file serving and directory listing | |
serverless | Serverless Framework – Build web, mobile and IoT applications with serverless architectures using AWS Lambda, Azure Functions, Google CloudFunctions & more (Homepage | Documentation) | |
share-cli | Quickly share files from your command line | |
sharp-cli | CLI for sharp, a high performance Node.js image processing module | |
speed-test | Test your internet connection speed and ping using speedtest.net from the CLI | |
stegcloak | StegCloak is a pure JavaScript steganography module designed in functional programming style, to hide secrets inside text by compressing and encrypting the secret before cloaking it with special unicode invisible characters (Homepage) | |
supdock | A CLI for running commands like "docker logs" in an easier, more interactive way | |
surge | Publish web apps to a CDN with a single command and no setup required (Homepage | Documentation) | |
svgo | SVG Optimizer is a Node.js-based tool for optimizing SVG vector graphics files | |
terminalizer | Record your terminal and generate animated gif images or share a web player link (Homepage) | |
tinypng-cli | Handy command line tool for shrinking PNG images using the TinyPNG API | |
tldr | A Node.js based command-line client for tldr (Homepage) | |
ts2c | A JavaScript/TypeScript to C compiler | |
typescript | A language for application-scale JavaScript (Homepage | Documentation) | |
wifi-password-cli | CLI to get current wifi password | |
wordpressify | Automate your WordPress development workflow (Homepage | Documentation) | |
zx | A tool for writing better scripts |
In a similar fashion to the NPM packages, we include a great set of default Python packages that are included by default for the desktop
group (defined here):
Package | Description | GitHub |
---|---|---|
ansibleconnect | Parses Ansible inventory and opens up a tmux session for each host | |
ansible-lint | Lint tool that checks Ansible projects for best practices and problematic code (Documentation) | |
asciinema | Tool that records terminal session and replay them in a terminal as well as in a web browser (Homepage | Documentation) | |
aws-shell | AWS shell is the interactive productivity booster for the AWS CLI (Documentation) | |
cookiecutter | A command-line utility that creates projects from cookiecutters (project templates) (Documentation) | |
gdown | An alternative to wget and curl that can handle downloading large files from Google Drive | |
git-filter-repo | Tool that aids in wiping particular sections of a repository (Documentation) | |
gixy | A tool to analyze Nginx configuration | |
gphotos-sync | A tool that can be used to backup photos and video from Google Photos (Documentation) | |
httpstat | A script that reflects curl statistics in a fascinating and well-defined way, it is a single file which is compatible with Python 3 and requires no additional software (dependencies) to be installed on a users system | |
http-prompt | An interactive command-line HTTP client featuring autocomplete and syntax highlighting, built on HTTPie and prompt_toolkit (Homepage | Documentation) | |
iredis | A terminal client for redis with auto-completion and syntax highlighting (Homepage) | |
kube-shell | An integrated shell for working with the Kubernetes CLI | |
litecli | A command-line client for SQLite databases that has auto-completion and syntax highlighting (Homepage | Documentation) | |
netaddr | A system-independent network address manipulation library for Python 2.7 and 3.5+ (Documentation) | |
ngxtop | ngxtop parses your nginx access log and outputs useful, top-like, metrics of your nginx server | |
molecule | Molecule project is designed to aid in the development and testing of Ansible roles. Molecule provides support for testing with multiple instances, operating systems and distributions, virtualization providers, test frameworks and testing scenarios (Documentation) | |
mycli | Command line interface for MySQL database with auto-completion and syntax highlighting (Homepage | Documentation) | |
pre-commit | A framework for managing and maintaining multi-language pre-commit hooks (Homepage | Documentation) | |
pywhat | what is recursive | |
social-analyzer | API, CLI & Web App for analyzing & finding a person’s profile across social media websites | |
spotdl | A tool to download Spotify playlists and songs along with album art and metadata | |
starred | Generate a GitHub Awesome list directly from your starred repositories | |
statcode | man pages for HTTP status codes (used by running statcode 418 , for instance) |
|
trufflehog | A tool which makes it easier to search through the history of a git repository to discover passwords and other secrets (Homepage) | |
virtualenv | A tool for creating isolated virtual Python environments (Homepage | Documentation) | |
yamllint | A linter for YAML files (Documentation) |
A handful of Ruby gems are also installed on targets in the desktop
group (defined here):
Package | Description | GitHub |
---|---|---|
Bundler | A tool that manages ruby application's gem dependencies through its entire life, across many machines, systematically and repeatably (Homepage | Documentation) | |
Chef | A systems integration framework, built to bring the benefits of configuration management to the entire infrastructure (Homepage | Documentation) | |
CocoaPods | A tool that manages library dependencies for Xcode project (Homepage | Documentation) | |
fpm | A tool that converts directories, rpms, python eggs, rubygems, and more to rpms, debs, solaris packages and more (Documentation) | |
mdl | A style checker/lint tool for markdown files | |
mdl | A log viewer for Papertrail (a logging service with a basic free plan) (Homepage) | |
t | A command-line power tool for Twitter |
A considerable amount of effort has gone into researching and finding the "best" VS Code extensions. They are defined here and Gas Station also installs a good baseline configuration which includes settings for these extensions:
Package | Description | GitHub |
---|---|---|
Angular Language Service | Editor services for Angular template files | |
MJML | MJML preview, lint, and compile | |
Markdown Emoji | Adds emoji syntax support to VS Code's built-in Markdown preview | |
Turbo Console Log | This extension make debugging much easier by automating the operation of writing meaningful log message | |
Firestore Rules | Firestore security rule support for Visual Studio Code | |
Regex Previewer | Shows the current regular expression's matches in a side-by-side document | |
MySQL | A database GUI for SQL, SQLite, MongoDB, Redis, and ElasticSearch | |
markdownlint | Markdown/CommonMark linting and style checking for Visual Studio Code | |
ESLint | Integrates ESLint into VS Code | |
Deno | Adds support for Deno (powered by the Deno language server) | |
GitLens | GitLens is a popular extension that supercharges the Git capabilities built into VS Code | |
EditorConfig | This plugin attempts to override user/workspace settings with setting found in .editorconfig files | |
Prettier | Prettier is an opinionated code formatter | |
Carbon Now | A VS Code extension to open the current editor content in carbon.now.sh | |
Jest Runner | Manage, run, and debug individual Jest tests | |
Auto Rename Tag | Automatically rename paired HTML/XML tag, same as Visual Studio IDE does | |
Code Runner | Run code snippet or code file | |
GitHub Pull Requests and Issues | Review and manage your GitHub pull requests and issues directly in VS Code | |
GitLab Workflow | This extension integrates GitLab to VS Code | N/A |
Cloud Code | This extension brings the power and convenience of IDEs to cloud-native application development | |
Go | This extension provides rich language support for the Go programming language, integrates with Google Cloud services like Google Kubernetes Engine, Cloud Run, Cloud APIs, and Secret Manager | |
HashiCorp Terraform | This extension adds syntax highlighting and other editing features for Terraform files using the Terraform Language Server | |
Draw.io Integration | Allows editing draw.io images in VS Code by adding files ending with .drawio.png | |
Output Colorizer | This extension adds syntax colorization for both the output/debug/extensions panel and *.log files, other extension that colorize the output panel will disable this extension | |
SSH FS | Allows mounting SSH destinations as file system mounts inside VS Code | |
Bash IDE | This extension utilizes the bash language server, that is based on Tree Sitter and its grammar for Bash and supports explainshell integration | |
Docker | This extension makes it easy to build, manage, and deploy containerized applications from Visual Studio Code | |
Kubernetes | The extension for developers building applications to run in Kubernetes clusters and for DevOps staff troubleshooting Kubernetes applications | |
Remote Containers | Containers extension enables the use a Docker container as a full-featured development environment | |
Remote SSH | SSH enables the use of any remote machine with a SSH server as the development environment | |
Remote WSL | WSL extension enables the use VS Code on Windows to build Linux applications that run on the Windows Subsystem for Linux(WSL) | |
Python | A VS Code extension with rich support for the Python language, including features such as IntelliSense (Pylance), linting, debugging, code navigation, code formatting, refactoring, variable explorer, test explorer, and more | |
PowerShell | This extension provides rich PowerShell language support for Visual Studio Code | |
Live Share | This extension enables to collaboratively edit and debug with others in real time, regardless what programming languages are used | |
Live Share Audio | This extension enhances the existing Visual Studio Live Share experience, by enabling to quickly spin up an audio call directly from within Visual Studio Code, without needing to use a separate tool or service | |
autoDocstring Python Docstring Generator | Aids in writing Python doc strings via templates | |
Nx Console | A UI to accompany the Nx CLI | |
Taskfile | This extension provides Intellisense, Tasks, a Tree View and Hover actions for your Taskfiles | |
ngrok | A VSCode extension for controlling ngrok from the command palette | |
Material Icon Theme | Material design icons | |
CSS Peek | A VSCode extension for peeking at CSS definitions from a class or id taq in HTML | |
Paste JSON as Code | An extension that generates types and helper code for reading JSON | |
TypeScript Hero | A VSCode extension to organize and sort all the TS imports | |
Ansible | This extension adds language support for Ansible to Visual Studio Code and OpenVSX compatible editors by leveraging ansible-language-server | |
YAML | Provides comprehensive YAML Language support to Visual Studio Code, via the yaml-language-server, with built-in Kubernetes syntax support | |
Sort JSON Objects | Alphabetically sorts the keys in selected JSON objects | |
Paste and Indent | This extension adds limited support for pasting and indenting code | |
Comments in Typescript | Adds automatic templating of TypeScript-flavored JSDoc comments | |
Markdown Preview Enhanced | An extension that provides with many useful functionalities such as automatic scroll sync, math typesetting, mermaid, PlantUML, pandoc, PDF export, code chunk, presentation writer, etc | |
Code Time | A plugin for automatic programming metrics and time tracking Visual Studio Code | |
Auto Import | An extension that automatically finds, parses and provides code actions and code completion for all available imports | |
Stylelint | A mighty, modern CSS linter that helps to enforce consistent conventions and avoid errors in stylesheets | |
ShellCheck | Integrates Shellcheck linting (linting for shell scripts) | |
Firebase | A VSCode extension for syntax highlighting, hover help and code completions with Firestore security rules and index definition files | |
Sort Lines | An extension that sorts lines of text in Visual Studio Code | |
Error Lens | An extension that charges language diagnostic features by making diagnostics stand out more prominently, highlighting the entire line wherever a diagnostic is generated by the language and also prints the message inline | |
LTeX – LanguageTool Grammar/Spelling | Adds LanguageTool functionality including grammar and spell-checking | |
IntelliCode | The IntelliCode extension for Visual Studio Code provides artificial intelligence-assisted IntelliSense for Python, Java, TypeScript, and JavaScript | |
Arduino | The Arduino extension makes it easy to develop, build, deploy and debug your Arduino sketches in Visual Studio Code, with a rich set of functionalities | |
CodeTour | Allows running, creating, and editting code tours which are a unique way of guiding contributors through the code base of a project | |
GistPad | A Visual Studio Code extension that allows you to edit GitHub Gists and repositories from the comfort of your favorite editor | |
TODO Highlight | An extension that highlights TODO, FIXME, and other annotations within the code | |
Import Cost | This extension will display inline in the editor the size of the imported package | |
Surround | Easily add code that surrounds other code like try/catches |
To reduce the amount of time it takes to configure Chromium-based browsers like Brave, Chromium, and Chrome, we also include the capability of automatically installing Chromium-based browser extensions (via a variable defined here):
Package | Description | GitHub |
---|---|---|
AdGuard AdBlocker | Blocks all types of ads on all web pages, even on Facebook, YouTube and all other websites (Homepage | Documentation) | |
Automa | A drag-and-drop, nicely polished browser automation tool (Homepage | Documentation) | |
Bitly | Creates short, customized, powerful links from any page and share them with the world (Homepage | Documentation) | |
Bitwarden | A secure and free password manager for all of the devices (Homepage | Documentation) | |
Buffer | Shares contents to Instagram, Twitter, Facebook, Pinterest and LinkedIn from anywhere on the web (Homepage | Documentation) | |
Checkbot | SEO, web speed, and security tester/crawler (Homepage | Documentation) | N/A |
Falcon | Chrome extension for full text history search | |
Floccus | Syncs bookmarks across browsers via Nextcloud, WebDAV or Google Drive (Homepage | Documentation) | |
Git History Browser Extension | Adds a button to github to see the file history | |
Google Dictionary | View definitions easily as you browse the web | N/A |
GSConnect | Integrates GSConnect / KDEConnect into Chrome-based browsers (allows you to send SMS links / images from the browser). (Homepage | Documentation) | |
Headless Recorder | A Chrome extension for recording browser interaction and generating Puppeteer & Playwright scripts (Homepage) | |
JSON Viewer Pro | A completely free extension to visualise JSON response in awesome Tree and Chart view with great user experience and options (Homepage) | |
LastPass | A password manager that saves passwords and gives secure access from every computer and mobile device (Homepage | Documentation) | N/A |
LanguageTool | Grammar and spelling checker with Google Docs integration (Homepage | Documentation) | |
Mailvelope | E-mail encryption tool that integrates with popular e-mail providers (Homepage | Documentation) | |
Markdown Here | A Chrome extension to write email in Markdown and render it (make it pretty!) before sending (Homepage) | |
MetaMask | An extension for accessing Ethereum enabled distributed applications, or "Dapps" in browser (Homepage | Documentation) | |
NoScript | NoScript allows you to selectively block scripts on certain websites (Homepage | Documentation) | |
Octohint | The missing IntelliSense hint for GitHub and GitLab | |
Rakuten | A Chrome extension to find best shopping deals and coupons and just save them (Homepage | Documentation) | N/A |
Save to Google Drive | Save web content or screen capture directly to Google Drive. | N/A |
Screenity | The most powerful screen recorder for Chrome (Homepage) | |
SingleFile | A Chrome extension to save a complete page into a single HTML file | |
SponsorBlock | A Chrome extension to skip sponsorships, subscription begging and more on YouTube videos (Homepage | Documentation) | |
TasksBoard | Organize and share TODO lists that are synchronized with Google To-Do. (Homepage) | N/A |
Vimeo Record | A Chrome extension to record and share unlimited free video messages from your browser (Homepage | Documentation) | N/A |
Vytal | An extension that spoofs user-agent, language, and location data using the chrome.debugger (Homepage | Documentation) | |
Web Vitals | A Chrome extension to measure metrics for a healthy site (Homepage) |
Below you can find the Firefox extensions that the base configuration of this playbook will automatically install:
Package | Description | GitHub |
---|---|---|
AdGuard AdBlocker | Block ads on Facebook, Youtube and all other websites (Homepage | Documentation) | |
Automa | A drag-and-drop, nicely polished browser automation tool (Homepage | Documentation) | |
Bitwarden | A secure and free password manager for all of the devices (Homepage | Documentation) | |
Buffer | Share great content to Instagram, Twitter, Facebook, Pinterest and LinkedIn from anywhere on the web (Homepage | Documentation) | N/A |
Falcon | Firefox extension for full text browsing history search | |
Floccus | Syncs bookmarks across browsers via Nextcloud, WebDAV or Google Drive (Homepage | Documentation) | |
Git History Browser Extension | Adds a button to github to see the file history | |
GSConnect | Integrates GSConnect / KDEConnect into Firefox-based browsers (allows you to send SMS links / images from the browser). (Homepage | Documentation) | |
Dictionary Anywhere | View definitions easily as you browse the web | |
JSON Lite | highlights, shows items count/size, handles large files | |
LanguageTool | Check text with the free style and grammar checker (Homepage | Documentation) | |
Mailvelope | E-mail encryption tool that integrates with popular e-mail providers (Homepage | Documentation) | |
Markdown Here | Write email in Markdown, then make it pretty (Homepage) | |
MetaMask | Ethereum Browser Extension (Homepage | Documentation) | |
NoScript | NoScript, a tool integrated with the Tor browser, allows you to block scripts from running (Homepage | Documentation) | |
Profile Switcher | Works in combination with a Rust program to allow you to maintain multiple profiles. (Homepage | Documentation) | |
Rakuten | Find best shopping deals and coupons and just save them (Homepage | Documentation) | N/A |
Screen Recorder | Record computer's screeen (Homepage) | N/A |
SingleFile | Save a complete page into a single HTML file | |
SponsorBlock | Skip YouTube video sponsors (Homepage | Documentation) | |
Sweet Dark | The Sweet Dark theme. (Homepage | Documentation) | |
TinyURL | A one-click tool to generate a tiny URL | N/A |
Although most of the brew
installs are handled by the Binaries installer, some brew
packages are also installed using this configuration. The default Homebrew formulae include:
Package | Description | GitHub |
---|---|---|
automake | Tool for generating GNU Standards-compliant Makefiles (Homepage | Documentation) | |
Carthage | A simple, decentralized dependency manager for Cocoa | |
chrome-cli | Control Google Chrome from the command-line | |
findutils | Collection of GNU find, xargs, and locate (Homepage) | N/A |
ideviceinstaller | Tool for managing apps on iOS devices (Homepage | Documentation) | |
libimobiledevice | Library to communicate with iOS devices natively (Homepage | Documentation) | |
cli Trellis | GitHub | Homepage | Documentation | WordPress development platform that requires Vagrant and a VM provider like VirtualBox (Homepage | Documentation) | |
youtube-dl | youtube-dl is an advanced video download application perhaps most well-known for its ability to download YouTube videos from the command-line. It also supports downloading from other sites such as Twitter, Facebook, Vimeo, Twitch, DailyMotion and many more. (Homepage) |
On macOS, some software is installed using Homebrew casks. These include:
Package | Description | GitHub |
---|---|---|
Clocker | macOS program that shows the time in multiple timezones in the top menu bar (Homepage) | |
Secretive | there is no importing/exporting keys so you only have access to the public key | |
Sloth | macOS program that shows all open files, directories, sockets, pipes, and devices in use by all running processes on the system (Homepage) | |
Stats | macOS program that shows the system monitor in the top menu bar (Homepage) |
Go packages, Rust crates, and system-specific packages like .deb
and .rpm
bundles are all handled by the professormanhattan.genericinstaller
role described above in the Binaries section. There are also ways of installing Go and Rust packages directly by using configuration options provided by their corresponding roles outlined in the Roles section.
This playbook does a bit more than just install software. It also optionally sets up web applications too. If you choose to deploy the default Gas Station web applications on your network, you should probably do it on a computer/server that has a lot of RAM (e.g. 64GB+).
Although a production environment will always be more stable and performant if it is hosted with a major cloud provider, sometimes it makes more sense to locally host web applications. Some applications have abnormally large RAM requirements that could potentially cost thousands per month to host with a legit cloud provider.
We use Kubernetes as the provider for the majority of the applications. It is a production-grade system and although there is a steeper learning curve it is well worth it. Each application we install is packaged as a Helm chart. All of the data is backed up regularly to an encrypted cloud S3 bucket of your choice.
The available Helm charts that this playbook completely handles the set up for are listed below.
Package | Description | GitHub |
---|---|---|
Argo | ArgoCD is a declarative GitOps continuous delivery platform. (Helm Reference) | |
Budibase | Budibase is a platform that allows you to codelessly create internal apps in minutes. (Helm Reference) | |
Cert-Manager | Cert-Manager is a powerful and extensible X.509 certificate controller. (Helm Reference) | |
Concourse | Concourse is a sophisticated, open-source CI/CD platform that markets itself as, "the open-source continuous thing-doer." (Helm Reference) | |
Consul | HashiCorp Consul is a service networking solution to automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. (Helm Reference) | |
Drone | Drone is a simple, modern, multi-cloud-capable CI platform written in Go. (Helm Reference) | |
Elastic ECK | Elastic Cloud on Kubernetes (ECK) is the official operator by Elastic for automating the deployment, provisioning, management, and orchestration of Elasticsearch, Kibana, APM Server, Beats, Enterprise Search, Elastic Agent and Elastic Maps Server on Kubernetes. (Helm Reference) | |
Falco | Falco is the cloud-native runtime security project. (Helm Reference) | |
Fission | Fission is a framework for serverless functions on Kubernetes. (Helm Reference) | |
GitLab | GitLab is a single application that spans the entire software development lifecycle. (Helm Reference) | |
GitLab Runner | This chart deploys an instance of GitLab runner to a Kubernetes cluster. GitLab runner allows you to attach container/VM instances to GitLab CI workflows. (Helm Reference) | |
Graylog | Graylog is a leading centralized log management solution for capturing, storing, and enabling real-time analysis of terabytes of machine data. (Helm Reference) | |
Knative | Knative is an open-source Enterprise-level solution to build serverless and event-driven applications. It manages serverless containers in Kubernetes environments. (Helm Reference) | |
Kubeapps | Kubeapps is a web-based UI for deploying and managing applications in Kubernetes clusters. (Helm Reference) | |
Kubernetes Dashboard | Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. (Helm Reference) | |
Linkerd | Linkerd is a service mesh that is ultra light, ultra simple, ultra powerful. According to their website, Linkerd adds security, observability, and reliability to Kubernetes, without the complexity. (Helm Reference) | |
Loki | Grafana Loki is a horizontally scalable, highly available, multi-tenant log aggregation system inspired by Prometheus. It is designed to be very cost effective and easy to operate. (Helm Reference) | |
Minio | MinIO offers high-performance, S3 compatible object storage. Native to Kubernetes, MinIO is the only object storage suite available on every public cloud, every Kubernetes distribution, the private cloud and the edge. (Helm Reference) | |
n8n | n8n is a free and open-source, self-hostable workflow automation tool that some consider to be a worthy replacement for IFTTT. (Helm Reference) | |
Prometheus Operator | A stack that includes everything required for an HA Prometheus / Grafana setup with pre-configured cluster monitoring and charts. It can also be modified to be used for any purpose that Prometheus / Grafana might be used for. (Helm Reference) | |
Rancher | Rancher is a complete software stack for teams adopting containers. It addresses the operational and security challenges of managing multiple Kubernetes clusters, while providing DevOps teams with integrated tools for running containerized workloads. (Helm Reference) | |
Sentry | Sentry is the leading open-source error logging application that tracks with full stacktraces & asynchronous context. Sentry's eco-system includes dozens of SDKs, written for many different languages/environments. (Helm Reference) | |
Space Cloud | Space Cloud is an open-source Kubernetes-based serverless platform with built-in security and instant GraphQL APIs for any database and microservice. (Helm Reference) | |
Thanos | Thanos is an open source, highly available Prometheus setup with long term storage capabilities. (Helm Reference) | |
Vault | HashiCorp Vault is a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment. It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease. (Helm Reference) | |
VaultWarden | VaultWarden is an optimized, resource-efficient version of the open source BitWarden web app (a password management platform). (Helm Reference) | |
Vector | Vector is a lightweight, ultra-fast tool for building observability pipelines that lets you collect, transform, and route all your logs and metrics with one simple tool. (Helm Reference) | |
velero | Velero is an open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes. (Helm Reference) |
By default, on each computer provisioned using the default settings of Gas Station, several apps are installed on each host. Docker Compose is used to manage the deployment. The default apps include:
App | Description | GitHub |
---|---|---|
Authelia | An authentication portal that supports SSO and 2FA (Homepage | Documentation) | |
Homer | A very simple homepage which is customized by the playbook to automatically include links to the Docker containers you choose to host on the computer (Demo) | |
Portainer | A Docker management tool (Homepage | Documentation | Demo) | |
Serve | Simple interface for viewing files located or symlinked to in the /var/www/ folder of the machine |
You can, of course, disable deploying these apps. However, we include them because they have a small footprint and include useful features. You can also customize the list of apps you wish to include on each host.
We do not maintain any of the host applications except the ones listed above. However, we do provide the capability of marking a computer being provisioned as an HTPC. Doing this will include a suite of web applications with powerful auto-downloading, organizing, tagging, and media-serving capabilities. Since most people will probably be stepping outside the confines of the law for this, it is not recommended. If you still want to experiment then you can find descriptions of the applications below. The applications are intended to be hosted on a single computer via Docker Compose. The backend for Kodi is included but you should still use the regular installation method for Plex and the front-end of Kodi to view your media collection.
App | Description | GitHub |
---|---|---|
WireGuard | Dedicated WireGuard VPN for the HTPC applications which is configured in our docker-compose.yml file to be used as the internet connection for all the containers (Homepage) | |
Bazarr | Manages and automatically downloads subtitles (Homepage | Documentation) | |
Heimdall | Simple start page for all the HTPC apps (Homepage) | |
Jackett | Request proxy server for Radarr and Sonarr which helps speed things up | |
Kodi Headless | Backend for Kodi used to host a centralized database for Kodi instances (Homepage | Documentation) | |
Lidarr | Music collection manager that automatically downloads from BitTorrent and Usenet (Homepage | Documentation) | |
NZBGet | NZBGet is a Usenet download manager used to download from NewsGroups which are supposedly more secure than torrents. NOTE: Viruses are still prevalent on both NewsGroups and torrents - make sure you don't run anything with admin / sudo privileges. (Homepage | Documentation) | |
Ombi | Plex media request and user management system which can be used to allow users who use your HTPC server to request movies, TV shows, and other media (Homepage | Documentation | Demo) | |
Organizr | Front end for HTPC web applications with a full-featured user interface that is full of eye candy (Homepage | Documentation | Demo) | |
Radarr | Automatic movie downloader that can even be configured to download lists including the Top 250 IMBD movies (Homepage | Documentation) | |
Sonarr | Automatic TV show downloader with tons of ways to easily and automatically download TV shows (Homepage | Documentation) | |
Tautulli | Metrics and monitoring dashboard for Plex (Homepage | Documentation) | |
Transmission | BitTorrent client that can be used in conjunction with or as an alternative to using NewsGroups via NZBGet (Homepage | Documentation) |
Certain parts of the stack rely on cloud-based service providers. All of the providers can be used for free. The providers are generally chosen because their settings need to persist or the functionality that they provide would benefit from a security-hardened SaaS offering.
You can, of course, swap these services out for alternatives. However, our scripts integrate these specific services so if you want to swap them out then some leg work will be necessary.
Service | Description | Price |
---|---|---|
CloudFlare | CloudFlare is a DNS provider, edge network, and much more. Some day it might be able to replace all the services in this list but until then CloudFlare is the preferred provider for anything it offers a product for. In our configurations, CloudFlare is used for DNS, encrypted tunnels via cloudflared, CloudFlare WARP, and CloudFlare Teams. On top of that, CloudFlare provides some other great features that can be utilized to make lightning-fast web apps. (Documentation) | Free for the services we integrate |
Digital Ocean | Digital Ocean is a cloud hosting provider. Anytime CloudFlare's offerings are not enough to satisfy requirements, Digital Ocean is used. The service has a clean and simple web UI, a wide variety of CLIs/SDKs available on GitHub, and the company has been around since 2011. Digital Ocean is primarily used by our stack to host Kubernetes, S3 buckets, and cheap virtual private servers. (Documentation) | ~$40/month for a Kubernetes cluster, S3 bucket, and a general-purpose VPS |
Wasabi | Wasabi is the cheapest S3 bucket provider available. It is used as a secondary backup for any data that is backed up / saved to an S3 bucket. (Documentation) | $5.99/month for S3 bucket |
Ory | Ory is the only identity platform that can scale indefinitely and is based entirely on open source. Ory is leveraged to provide a feature-rich and programmable single sign-on platform. It includes support for hardware-based tokens. (Documentation) | Free for the developer edition |
Proton | Proton Mail is an end-to-end encrypted email service founded in 2013 in Geneva, Switzerland. Proton Mail and ProtonVPN are used in our stack to provide secure e-mail and configure VPN profiles using ProtonVPN's unique security features. With the Business plan, you can get custom domain branded e-mail and enough VPN connections to configure your router / VPN profiles on each of your devices. (Documentation) | $12.99/month for the Business edition |
GMail | GMail is a free e-mail service offered by Google. In some cases, we leverage GMail's SMTP capabilities to send notification e-mails. (Documentation) | Free |
The philosophy of this project basically boils down to "automate everything" and include the best development tools that might be useful without over-bloating the machine with services. Automating everything should include tasks like automatically accepting software terms in advance or pre-populating Portainer with certificates of all the Docker hosts you would like to control. One problem we face is that there are so many great tools offered on GitHub. A lot of research has to go into what to include and what to pass on. The decision of whether or not to include a piece of software in the default playbook basically boils down to:
- Project popularity - If one project has 10k stars and a similar alternative has 500 stars then 9 times of out 10 the more popular project is selected.
- Last commit date - We prefer software that is being actively maintained, for obvious reasons.
- Cross platform - Our playbook supports the majority of popular operating systems so we opt for cross-platform software. However, in some cases, we will include software that has limited cross-platform support like Xcode (which is only available on Mac OS X). If a piece of software is too good to pass up, it is added and only installed on the system(s) that support it.
- Usefulness - If a tool could potentially improve developer effectiveness then we are more likely to include it.
- System Impact - Software that can be run with a small RAM footprint and software that does not need a service to load on boot is much more likely to be included.
One of the goals of this project is to be able to re-provision a network with the click of a button. This might not be feasible since consumer-grade hardware usually does not include features like IPMI (which is a feature included in high-end motherboards that lets you control the power state remotely). However, we aim to reduce the amount of interaction required when re-provisioning an entire network down to the bare minimum. In the worst case scenario, you will have to reformat, reinstall the operating system, and ensure that OpenSSH is running (or WinRM in the case of Windows) on each of the computers in your network. However, the long term goal is to allow the user to reformat and reinstall the operating system used as your Ansible host using an automated USB installer and then automatically re-provision everything else on the network by utilizing IPMI.
You might ask, "But how can I retain application-level configurations?" We currently handle this by:
- Pre-defining dotfiles in a customizable Git repository
- Backing up to encrypted S3 buckets
- Syncing files to private git repositories
- Utilizing tools that synchronize settings like mackup or macprefs in the case of macOS
However, we intentionally keep this synchronization to a minimum (i.e. only back up what is necessary). After all, one of the goals of this project is to be able to regularly flush the bad stuff off a system. By keeping what we back up to a minimum, we reduce the attack surface.
You can find a high-level overview of what each folder and file does in the ARCHITECTURE.md file.
We accomplish managing different environments by symlinking all the folders that should be unique to each network environment (e.g. host_vars/
, group_vars/
, inventories/
, files/vpn/
, and files/ssh/
). In the environments/
folder, you will see multiple folders. In our case, environments/dev/
contains sensible configurations for testing the playbook and its' roles. The production environment is a seperate git submodule that links to a private git repository that contains our Ansible-vaulted API keys and passwords. When you are ready to set up your production configurations, you can use this method of storing your environment-specific folders in the environments/
folder as well. But if you are just starting off, you do not have to worry about this since, by default, this playbook is configured to run with the settings included in the /environments/dev/
folder.
If you already have the project bootstrapped (i.e. already ran bash .config/scripts/start.sh
), you can switch environments with an interactive prompt by running:
task ansible:playbook:environment
Alternatively, you can run the following if you would like to bypass the prompt:
task ansible:playbook:environment -- environmentName
Contributions, issues, and feature requests are welcome! Feel free to check the issues page. If you would like to contribute, please take a look at the contributing guide.
Sponsorship
Dear Awesome Person,
I create open source projects out of love. Although I have a job, shelter, and as much fast food as I can handle, it would still be pretty cool to be appreciated by the community for something I have spent a lot of time and money on. Please consider sponsoring me! Who knows? Maybe I will be able to quit my job and publish open source full time.
Sincerely,
Brian Zalewski
Below you will find a list of services we leverage that offer special incentives for signing up for their services through our special links:
Copyright © 2020-2021 Megabyte LLC. This project is MIT licensed.