Setting up your PC
Hardware
Here are the standard minimum guidelines for hardware for Kartoza Staff:
Laptops are preferred in general. Many of our staff work in areas with unreliable power supply and so you need to be able to work offline for at least four hours.
Admin Staff
Admin staff tend to have less demanding workloads, which is reflected in the hardware requirements:
Feature | Requirements |
---|---|
RAM | 8GB |
Hard Disk | 256GB SSD |
Internal Display | 1920 x 1080 or better |
External Display | 1920 x 1080 or better |
Operating System | Ubuntu LTR |
CPU | Mid range e.g. i5 4 core or Athlon equivalent |
GIS Staff
GIS Staff need laptops with good storage capacity for accommodating large GIS datasets, and good processing power to perform time-consuming analysis quickly.
Feature | Requirements |
---|---|
RAM | 16GB |
Hard Disk | 1TB SSD |
Internal Display | 1920 x 1080 or better |
External Display | 1920 x 1080 or better |
Operating System | Ubuntu LTR |
CPU | Mid range e.g. i5 4 core or Athlon equivalent |
Developer Staff & Devops
Developer Staff and Devops need laptops with enough processing power to run multiple containers that emulate the deployment environment for their apps. Developer staff tend to have more technical skills and may install the operating system of their choice if they prefer.
Feature | Requirements |
---|---|
RAM | 16GB |
Hard Disk | 500GB SSD |
Internal Display | 1920 x 1080 or better |
External Display | 1920 x 1080 or better |
Operating System | Ubuntu LTR or user preference |
CPU | Mid range e.g. i5 4 core or Athlon equivalent |
Additional Hardware
All staff should in addition be issued with:
- A USB headset. USB headsets include their own DSP (Digital Sound Processor) and will generally have a better sound quality than an analogue headset.
- An external disk for backups. This should again be encrypted. The disk should be 4x the size of the hard disk. Use Déjà Dup Backups to run automatic backups on a nightly basis.
- A Kensington lock. This should be used whenever the laptop is left unattended in a public place (i.e. anywhere other than your home).
- A YubiKey. This will be used to authenticate to Google Apps for Domains (via YubiKey TOTP), BitWarden, your local PC login (via FIDO2) and other services such as NextCloud. Each staff member should be issued with two of these devices and the second should be stored at home in a safe place in case the first is lost. One of the following models is suggested:
Base Install Requirements
Every staff computer should have the following as a minimum:
- Encrypted disk. Under Linux, use LUKS at install time to encrypt, at a minimum, your home partition. Ideally your whole system should be encrypted, since if you run Docker, Postgres and other similar services, you are exposed to data loss if someone steals your PC.
- Strong password. The password for your account should not be used for any other system.
- YubiKey PAM Integration. As an added precaution, we recommend setting up the YubiKey PAM module, which requires you to touch your YubiKey after typing in your system password to authenticate. The process for doing this is described here.
The YubiKey locks the FIDO2 PIN by default. You should follow these steps to unlock it before running through the above tutorial. Note that they assume you have already installed the PPA from that tutorial.
Install the YubiKey GUI manager, then use the options as shown below.
Online Accounts
You need to have online accounts with the following services:
- GitHub - then set up your YubiKey as your 2FA here. As a backup 2FA you should use the GitHub mobile app. Note that using SMS for 2FA is not considered secure.
- Google. Set up your YubiKey as your 2FA here. As a backup 2FA you should use the Google mobile app. Note that using SMS for 2FA is not considered secure.
- Hetzner. If you are a staff member with permission to access Hetzner, set up your YubiKey as your 2FA here. Note that using SMS for 2FA is not considered secure.
- ERNext. Our admin team will provision an account for you.
- NextCloud. Our admin team will provision an account for you. If you are a staff member with permission to access Hetzner, set up your YubiKey as your 2FA here. Note that using SMS for 2FA is not considered secure.
Kartoza VPN
We use WireGuard to access our internal systems.
On Ubuntu you can install it like this:
Also you can install the Gnome QR code app from here: https://apps.gnome.org/Decoder/
- Get the config QR code from Leon via screenshare
- Use the Gnome QR Code app to scan it
- Save the resulting file to e.g. kartoza-vpn.conf
- Run this command:
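Before importing the saved file, it is worth confirming that the QR scan produced a complete config and that the file, which contains your private key, is not readable by other users. The script below is an added example, not part of the original page and not the command referred to in the last step; its function names are hypothetical, and it assumes the usual WireGuard layout of an [Interface] section with PrivateKey and a [Peer] section with PublicKey, Endpoint and AllowedIPs.

```bash
#!/usr/bin/env bash
# Added example, not Kartoza tooling. Function names are invented here;
# kartoza-vpn.conf is the page's example file name.

# Print the first value of KEY inside [SECTION] of FILE (case-insensitive).
wg_value() {  # usage: wg_value FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s)
                      insec = (tolower(s) == tolower(want)); next }
        insec {
            line = $0
            c = index(line, "#"); if (c) line = substr(line, 1, c - 1)
            eq = index(line, "="); if (!eq) next   # split on the FIRST "=":
            k = substr(line, 1, eq - 1)            # base64 keys end in "="
            v = substr(line, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# A WireGuard key is 32 bytes in base64: 43 characters followed by "=".
is_wg_key() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# Report every problem found in FILE; return 0 only if there are none.
check_wg_conf() {  # usage: check_wg_conf FILE
    local f="$1" rc=0 k
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    is_wg_key "$(wg_value "$f" Interface PrivateKey)" ||
        { echo "Interface.PrivateKey missing or truncated"; rc=1; }
    is_wg_key "$(wg_value "$f" Peer PublicKey)" ||
        { echo "Peer.PublicKey missing or truncated"; rc=1; }
    for k in Endpoint AllowedIPs; do
        [ -n "$(wg_value "$f" Peer "$k")" ] || { echo "Peer.$k missing"; rc=1; }
    done
    return "$rc"
}

# The file contains a private key: restrict it to its owner and confirm.
lock_down() { chmod 600 "$1" && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# Run the checks when a file name is given, e.g. kartoza-vpn.conf.
if [ -n "${1:-}" ]; then
    check_wg_conf "$1" && lock_down "$1" && echo "OK: $1"
fi
```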
Installing and Importing the CA Certificate for Secure Access to Internal Company Websites
Installing the Kartoza CA (Certificate Authority) certificate and importing it into your browsers is necessary for secure access to certain internal company websites.
Why Install the CA Certificate?
- Secure Communication: CA certificates are used to establish secure connections (HTTPS) between your browser and web servers. This ensures that data transmitted between the client and server is encrypted and secure.
- Trust Verification: When you access our website, your browser checks the website's SSL/TLS certificate to verify its authenticity. This SSL/TLS certificate is issued by a trusted CA. If the CA certificate is not recognized by your browser, it will display a warning, indicating that the connection may not be secure.
- Internal Websites: Many companies use self-signed certificates or certificates issued by an internal CA for their internal websites. These internal CAs are not recognized by default by most browsers. Installing the internal CA certificate in your browser ensures that the browser trusts the certificates issued by the internal CA, allowing secure access to the internal websites without warnings.
Steps to Install the CA Certificate
1. Obtain the CA Certificate
For developers, IT engineers and DevOps engineers, the Kartoza CA certificate can be downloaded from the devops repository. You need access to the Kartoza organization before you can download the certificate. The certificate will have either a .crt or a .pem extension.
2. Install the CA Certificate on Your Machine
For Windows:
- Double-click the CA certificate file.
- Click "Install Certificate".
- Choose "Local Machine" and click "Next".
- Select "Place all certificates in the following store".
- Click "Browse" and select "Trusted Root Certification Authorities".
- Click "Next" and then "Finish".
For macOS:
- Double-click the CA certificate file.
- The Keychain Access application will open.
- Select "System" from the keychains list.
- Drag the certificate file into the Keychain Access window.
- Double-click the imported certificate.
- Expand the "Trust" section and select "Always Trust".
For Linux:
- Copy the CA certificate file to the /usr/local/share/ca-certificates directory:
- Update the CA certificates:
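The two Linux steps above, preceded by a fingerprint check so that only the intended CA certificate ends up in the system trust store. This is an added example, not taken from the original page or the devops repository; the function names are hypothetical, and the expected SHA-256 fingerprint is assumed to be a value you obtain from the admin team over a separate channel.

```bash
#!/usr/bin/env bash
# Added example, not Kartoza tooling. The certificate file name and the
# expected fingerprint are supplied by the caller; nothing is hard-coded.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^[^=]*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalise a fingerprint typed with or without colons, in either case.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Succeed only if FILE parses as a certificate and matches EXPECTED.
verify_ca_cert() {  # usage: verify_ca_cert FILE EXPECTED_SHA256
    local got; got=$(cert_sha256 "$1")
    [ -n "$got" ] || { echo "not a readable PEM certificate: $1" >&2; return 2; }
    [ "$got" = "$(norm_fp "$2")" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
}

# Install into the system trust store. update-ca-certificates only picks up
# files ending in .crt, so a .pem download is stored under a .crt name.
install_ca_cert() {  # usage: install_ca_cert FILE EXPECTED_SHA256
    verify_ca_cert "$1" "$2" || return
    local name; name="$(basename "${1%.*}").crt"
    sudo install -m 0644 "$1" "/usr/local/share/ca-certificates/$name" &&
        sudo update-ca-certificates
}

# Run only when both a file and an expected fingerprint are given.
if [ -n "${2:-}" ]; then
    install_ca_cert "$1" "$2"
fi
```

A mismatch or an unparsable file stops the script before anything is copied, so a tampered or wrong download never reaches the trust store.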
3. Import the CA Certificate into Your Browser
For Google Chrome:
- Open Chrome and go to Settings.
- Search for "Certificates" and click on "Manage certificates".
- Go to the "Authorities" tab.
- Click "Import" and select the CA certificate file.
- Follow the prompts to complete the import.
For Firefox:
- Open Firefox and go to Preferences or Options.
- Search for "Certificates" and click on "View Certificates".
- Go to the "Authorities" tab.
- Click "Import" and select the CA certificate file.
- Ensure the option to "Trust this CA to identify websites" is checked.
- Click "OK".