Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
November 8, 2021 20:41
November 12, 2021 09:17
October 25, 2021 22:12
October 25, 2021 22:12
February 19, 2020 21:18
October 25, 2021 22:12
November 12, 2021 09:16
February 22, 2020 13:50
November 12, 2021 09:16
November 7, 2021 17:50
October 25, 2021 22:12
February 16, 2020 12:26
October 25, 2021 22:12

Arch Linux Workstation

Ansible playbook for configuring my main work machine on top of a clean Arch Linux installation.

This configuration sets up a desktop environment based on i3-gaps, a popular fork of the i3 tiling window manager.


Note: Since this is used in different machines with different hardware, it does not try to set up hardware-specific drivers and configuration (i.e. graphics card); these should be done manually in each machine.

Note: This setup is constantly evolving, so the screenshot will most likely be outdated.

Ansible Roles

This installation contains the following Ansible roles:

Role Description
base Sets up the base system configuration
i3 Sets up i3 window manager desktop environment
dev Sets up necessary packages for my current job as a software engineer
sec Sets up security-related packages and configuration
studio Sets up the software I use for audio/video recording and processing


First, follow the official installation guide to bootstrap the bare-bones, bootable system.

I also use full disk encryption as I always need to keep some private information stored in the local disk. This protects my files from being accessed in case my work machine gets stolen.

Running the Linter

Run make lint to run the Ansible linter to detect common issues with the configuration.

Provisioning a VM with Vagrant

To bootstrap a VM with this configuration, make sure you have Vagrant installed and then run make vagrant.

Check the troubleshooting section below if you find any errors when applying the configuration.


Install the Required Packages

Run the following command as root to install the packages required to complete the rest of the installation:

pacman -Sy ansible base-devel git-lfs nano openssh sudo

Install the required Ansible roles:

ansible-galaxy install -r requirements.yml

Create User

Run the following commands as root to create a new user:

# Create a group and user (replace <user>/<group> by the desired values):
groupadd <group>
useradd -m -g <group> -G wheel <user>
passwd <user>

# Make sure the  user is allowed to sudo:
EDITOR=nano visudo -f /etc/sudoers.d/<user>

Running the Ansible Playbook

Clone this playbook in your home directory, override the desired variables in a new file vars/custom.yml (see the available vars in vars/main.yml) and then run the following command to apply the Ansible playbook:

# Clone the repository:
git clone
cd archlinux-workstation

# Edit some variables
nano vars/custom.yml

# Run the playbook:
make run

Don't leave the machine unattended as you'll might have to re-enter the user password a few times throughout the process when installing the required packages.


Issues When Applying ufw Rules

If you get errors like the following while trying to apply the ufw configuration:

fatal: [default]: FAILED! => {"changed": false, "commands": ["/usr/bin/ufw status verbose"], "msg": "ERROR: problem running iptables: iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)\nPerhaps iptables or your kernel needs to be upgraded.\n\n\n"}
  • If you are provisioning a VM with Vagrant, try running make vagrant to reboot the VM and retry the provisioning.
  • If you are provisioning in your machine, try rebooting and retrying.

Issues When Installing AUR Packages

The AUR is community-maintained, so it's not that uncommon to find outdated packages or packages that cannot be installed without manual intervention (i.e. due to having mismatching validation hash).

If you encounter any issues, you might have to remove the affected packages from the configuration or fix the affected packages by hand before retrying the Ansible playbook again.

If you are provisioning a VM with Vagrant, run vagrant ssh to log into the VM and try to fix the situation.

Some commands that might be useful:

# If you need to edit the PKGBUILD file to fix a validation SHA or download URL:
yay -S <package> --editmenu

The installation of AUR packages might also fail when packages try to check PGP-signed packages when you don't have the corresponding public keys in your keyring.

You might have better luck in this regard if you use Ubuntu keyserver:

# In your vars/custom.yml file:
user_gnupg_keyserver: hkps://

Check the comments for the package in the AUR website to see what do to.


Set User Password

This playbook does not try to force a specific password for your user, so don't forget to run sudo passwd {{ user_name }} to change the password.

Secure Boot Configuration

This configuration generates the required keys for enrolling into the firmware if the system_secure_boot: on variable is set. Follow the Arch wiki for instructions on how to proceed if you wish to enable secure boot.

Local Auth With YubiKey + PAM

This setup allows you to configure PAM to enhance the local security and convenience via the use of U2F keys, such as YubiKeys:

  • Requiring a U2F key to system login (2FA)
  • Allowing U2F key to authenticate sudo commands instead of typing a password

To proceed with this configuration, run pam2fcfg -n and press the blinking button on each key:

# Run this command and press the blinking key, if asked:
pamu2fcfg -n

# Sample output:

Run this command for each key you want to register and concatenate the output for all commands into the {{ user_pam_u2f_key_handles }} variable:

user_pam_u2f_key_handles: |

Then, re-run the playbook to apply the configuration.

Note: Make sure to enable more than one key, so you have a way to log back in with a backup key in case you lose your main key.

YubiKey + GnuPG Setup

Some YubiKeys can be used as a GPG smart card, allowing us to store GPG encryption, signing and authentication keys in it.

More information:

That's It!

If the ansible-playbook command finishes successfully, reboot the system to access your new environment!


Copyright (C) Daniel Fernandes Martins

Distributed under the New BSD License. See LICENSE for further details.