This repository contains instructions to set up Pop!_OS for developing software in Go, Rust, C# (.NET Core), Java, Python, and NodeJS, as well as web front-ends in React. The steps below should also work for Ubuntu and most Ubuntu-based Linux distributions.

See Fedora Workstation Setup Guide for a version of this guide specific to Fedora.

The first thing you should do is get the latest security updates:

sudo apt update && sudo apt dist-upgrade -y

Next, install common development tools:

sudo apt install \
build-essential \
apt-transport-https \
ca-certificates \
curl \
software-properties-common \
apache2-utils \
make \
chromium-browser \
gnome-tweaks \
gnome-shell-extensions \
dconf-editor

Cleanup:

sudo apt autoremove -y
sudo apt autoclean -y

Check for firmware updates:

sudo fwupdmgr get-devices
sudo fwupdmgr get-updates
sudo fwupdmgr update

Reboot before proceeding any further:

sudo reboot now

The default font rendering in Pop!_OS may appear blurry on LCD monitors. Gnome's OS settings application lacks the ability to change font rendering. You must install the Gnome Tweak Tool to adjust these settings. Gnome Tweak Tool can be installed from the Pop!_Shop or from a terminal as shown below:

1. Run sudo apt install gnome-tweaks
2. Run gnome-tweaks
3. Fonts > Hinting > Set to "Full"
4. Fonts > Antialiasing > Set to "Subpixel (for LCD screens)"

The Pop!_OS defaults are: "Slight" for Hinting and "Standard" for Antialiasing, in case you want to switch back.

When working with Dropbox, React, and NodeJS, you may run into the following error: "User limit of inotify watches reached". The default limit for file watchers is 8,192. Increase this limit to something more reasonable:

1. Run sudo gedit /etc/sysctl.conf
2. Add fs.inotify.max_user_watches=10000000 to the bottom of the file
3. Run sudo sysctl -p (or restart the OS)

Tilix may be preferable to the default Gnome terminal:

sudo apt install tilix

Instructions derived from https://github.com/ohmyzsh/ohmyzsh/wiki/Installing-ZSH on 2024-02-18

ZSH can be installed by running:

sudo apt install zsh

Run zsh --version and look for zsh 5.8.1 (x86_64-ubuntu-linux-gnu) (or newer) to verify success

To set zsh as the default shell, run:

chsh -s $(which zsh)

Start a new session. ZSH is now your default shell.

Oh-My-ZSH is an excellent tool for managing your ZSH configuration. Install it using the following command:

sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

An "Oh My Zsh!... is now installed!" message should appear in the terminal output.

You may be prompted to set ZSH as your default shell.

Install syntax highlighting for ZSH by running:

sudo apt install zsh-syntax-highlighting

Now run:

echo "source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ~/.zshrc

The changes will be applied to new terminal windows.

Oh-My-ZSH is installed with several themes. Let's change the default theme to blinks by first opening the .zshrc file:

sudo gedit ~/.zshrc

Find the line ZSH_THEME="robbyrussell" and change it to ZSH_THEME="blinks" and save. The new theme will be applied to new terminal windows.

Plugins add functionality to ZSH. Let's enable some pre-installed plugins for a few programming languages. First, open the .zshrc file:

sudo gedit ~/.zshrc

Find the line plugins=(git) and change it to include your preferred plugins. An example:

plugins=(git dotnet rust golang mvn npm terraform aws gradle)

Save the file. The plugins will be applied to new terminal windows.

1. From the desktop, select Activities (top-left corner of your monitor) > Pop!_Shop
2. Search for "Eclipse" and install "Eclipse for Java Developers"
3. Launch Eclipse

Alternatively, run the following command to install Eclipse from a terminal:

flatpak install flathub org.eclipse.Java

The instructions for installing JetBrains products are derived from https://www.jetbrains.com/help/idea/installation-guide.html#toolbox and are current as of 2024-03-09

1. Visit https://www.jetbrains.com/toolbox/app/ and download the JetBrains Toolbox app.
2. Run the following commands, replacing the file name in the example with the file name you downloaded:

sudo tar -xzf jetbrains-toolbox-2.4.2.32922.tar.gz -C /opt
cd /opt/jetbrains-toolbox-2.4.2.32922
./jetbrains-toolbox

3. Select the product that you want to install.

Postman is a complete toolchain for API developers. It can be installed in one of three ways. The easiest is to open the Pop!_Shop and install Postman using the GUI.

Installing Postman from Pop!_Shop installs from Flathub.

You may alternatively install Postman from Flathub using a terminal session.

flatpak install flathub com.getpostman.Postman

The instructions for installing Zed are derived from https://zed.dev/docs/linux#zed-on-linux and are current as of 2024-07-13

Zed is a highly-efficient, cross-platform code editor written in Rust.

Run the following command to install Zed:

curl https://zed.dev/install.sh | sh

To run Zed after installation:

~/.local/bin/zed

The instructions for installing Visual Studio Code are derived from https://code.visualstudio.com/docs/setup/linux and are current as of 2024-02-19

1. Run the following commands:

sudo apt-get install wget gpg
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg
sudo install -D -o root -g root -m 644 packages.microsoft.gpg /etc/apt/keyrings/packages.microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list'
rm -f packages.microsoft.gpg
sudo apt install apt-transport-https
sudo apt update
sudo apt install code

2. Launch Visual Studio Code
3. Navigate File > Preferences > Settings and then type "telemetry"
4. Select "off" for the Telemetry Level
5. Disable the "Dotnet Acquisition Extension: Enable Telemetry" option
6. Optional: While still in Settings, change the following to "False":
   1. Enable Natural Language Search
   2. Enable Experiments
7. Optional: While still in Settings, enable Editor: Format on Save. Turning this setting on is the same as running the Format Document command each time you save a file.
8. Optional: While Visual Studio Code is open, select Activities, right-click the Visual Studio Code icon on the dock, and select Add to favorites.

While you can install Visual Studio Code from flathub via the Pop!_Shop, doing so will result in problems finding development tools like the .NET SDK. The .deb package in Pop!_Shop is also many versions out-of-date. The process outlined above resolves both issues.

The following VS Code extensions are handy:

1. HashiCorp Terraform
2. Go
3. C# Dev Kit - syntax highlighting, debugging, test runner support, and intellisense for C#
4. Rust-Analyzer - Rust language server
5. CodeLLDB - for debugging Rust code on Ubuntu
6. Extension Pack for Java - syntax highlighting, debugging, and intellisense for Java, plus unit testing support
7. Spring Boot Extension Pack - specific enhancements for working with Spring Boot
8. VS Live Share - allows simultaneous editing of code files by multiple authors, like Google Docs
9. Docker
10. Kubernetes
11. JavaScript Debugger for Chrome
12. Python
13. ESLint
14. TSLint
15. Prettier

There are some excellent dark theme alternatives to the VS Code default theme:

1. Tokyo Night
2. One Monokai
3. Atom One Dark
4. Material
5. Blueberry Dark
6. Arc+
7. Arc Darker
8. Neon City

To see which VSCode extensions are installed:

code --list-extensions

You can install VSCode extensions from the terminal, too. Run the following commands to install HashiCorp's Terraform extension, Google's Go extension, and Microsoft's Docker extension:

code --install-extension HashiCorp.terraform
code --install-extension golang.Go
code --install-extension ms-azuretools.vscode-docker

Instructions for installing Terraform taken from https://developer.hashicorp.com/terraform/install on 2024-06-29

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform

Run terraform --version to verify the installation was a success.

sudo apt install openjdk-17-jdk-headless maven

Run javac -version and look for the following output to verify success:

openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

Instructions for installing Go taken from https://go.dev/doc/install on 2024-08-15

While you can install Go via apt, doing so installs an oudated version. Run the following commands instead, ensuring you replace the version number in the commands below with the version number you want to install. These are also the same commands you will use to update Go to a newer version.

curl -OL https://golang.org/dl/go1.23.0.linux-amd64.tar.gz
sha256sum go1.23.0.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.23.0.linux-amd64.tar.gz

Run the following command to verify success:

go version

Look for go version go1.23.0 linux/amd64 (or newer) to verify success.

Set the following environment variables if this is the first time you're installing Go. You do not need to repeat this step if you're upgrading Go.

echo "export PATH=$PATH:$(go env GOPATH)/bin:/usr/local/go/bin" >> ~/.profile
source ~/.profile

Delve is a debugger for Go. You can install it by running the following command:

go install github.com/go-delve/delve/cmd/[email protected]

Run the following command to check that dlv is installed and you're on an up-to-date version:

dlv version

You should see the following after running dlv version:

Delve Debugger
Version: 1.22.1
Build: $Id: 0c3470054da6feac5f6dcf3e3e5144a64f7a9a48

Instructions for installing Rust taken from https://www.rust-lang.org/tools/install on 2024-02-18

curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh

Restart your terminal session, or run source "$HOME/.cargo/env", and then run rustc --version. Look for rustc 1.80.1 (3f5fd8dd4 2024-08-06) (or newer) to verify success.

To update Rust:

rustup update

You can easily uninstall Rust and Rustup by running rustup self uninstall.

sudo apt install python3-minimal

Run python3 --version and look for Python 3.8.5 (or newer) to verify success

To install Anaconda Python instead, see https://linuxhint.com/install_anaconda_python_ubuntu_1804/.

The quick way to install NodeJS 20 (LTS):

curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - &&\
sudo apt-get install -y nodejs

Run node --version to verify success.

sudo apt install dotnet-sdk-8.0

Run dotnet --list-sdks and look for the following output to verify success:

8.0.108 [/usr/lib/dotnet/sdk]

1. Run gedit ~/.profile
2. Type export DOTNET_CLI_TELEMETRY_OPTOUT=true at the bottom of the file
3. Save and exit
4. Log out and log in again

There are several ways to install Wireshark from apt.

The latest, or at least close to latest, version of Wireshark can be installed via:

sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt update
sudo apt install wireshark

An older version of Wireshark can be installed by running:

sudo apt install wireshark

This will likely install an older version versus using installtion option #1 above.

At the time of writing this section, option #1 installs version 4.2.5 while option #2 installs Wireshark 3.6.

1. It is recommended to choose Yes when the installer asks: "Should non-superusers be able to capture packets?" If you fail to select Yes then you will need root privileges to run Wireshark.

Requiring root privileges means running wireshark with sudo.

If you want to change your answer from No to Yes in the future, run sudo dpkg-reconfigure wireshark-common.

2. Next, add your user to the wireshark group. Run this command exactly as-is:

sudo usermod -a -G wireshark "$USER"

3. Ensure your username is part of the wireshark group. You should see your username when you run the below command:

groups "$USER"

4. Log out and log in to Pop!_OS.
5. Run Wireshark and capture some packets.

The following instructions are derived from a response to a GitHub issue.

By default, Wireshark 4.2.5 does not respect the Dark mode selector in Pop!_OS 22.04 or Dark mode themes like Nordic-darker-v40 or Arc Dark. We can fix this, albeit partially:

1. Install the Adwaita-qt theme:

sudo apt install adwaita-qt

2. Run Wireshark using the following terminal command:

QT_STYLE_OVERRIDE=Adwaita-Dark wireshark

The instructions for installing Podman are derived from https://podman-desktop.io/downloads and are current as of 2024-06-22

Podman is an open source alternative to Docker Desktop. To install Podman Desktop client:

flatpak install flathub io.podman_desktop.PodmanDesktop

To install Podman itself:

sudo apt-get update
sudo apt-get -y install podman

Podman commands are similar to Docker commands. Example: podman compose up instead of docker-compose up and podman ps instead of docker ps. Podman also installs kubectl if you select the Kubernetes extension on initial setup.

Run podman version and look for the following:

Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.18.1
Built:        Wed Dec 31 19:00:00 1969
OS/Arch:      linux/amd64

A Podman tutorial is available at https://github.com/containers/podman/blob/main/docs/tutorials/podman_tutorial.md.

The instructions for installing Docker Desktop are derived from https://docs.docker.com/desktop/install/linux-install/ and are current as of 2024-02-18

As an alternative to Podman Desktop, Docker Desktop can now be installed on Linux. It provides the same functionality as Docker Desktop on macOS and Windows and includes a single-node Kubernetes cluster. It is recommended to either install Docker Desktop or install Docker on Linux, but not both (though both can be present simultaneously).

This guide has been updated to focus on installing Docker Desktop.

You may not want to install Docker Desktop if you are running Pop!_OS in a virtual machine, as Docker Desktop installs its own virtual machine; this would be virtualization-within-virtualization and may cause problems. You'd alternatively want to consider installing Docker on Linux directly without "Docker Desktop". This is the traditional way Docker has been installed on Linux. Older versions of this guide describe how this can be done. See /older-versions.

There is no repository for installing Docker Desktop.

1. Download the .deb package from https://docs.docker.com/desktop/install/ubuntu/.
2. Run sudo apt-get install ./docker-desktop-<version>-<arch>.deb
3. Either open the Docker Desktop app that was installed, or run systemctl --user start docker-desktop

Verify success by running docker --version. You should see something like the following:

Docker version 25.0.3, build 4debf41

The instructions for installing Helm are derived from https://helm.sh/docs/intro/install/ and are current as of 2024-06-24

Install Helm by issuing the following commands:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Run helm version to verify success.

The instructions for installing Azure CLI tools are derived from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt&view=azure-cli-latest and are current as of 2024-06-24

The simplest way to install the Azure CLI tools:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Verify success by running az --version and checking that azure-cli 2.61.0 (or newer) appears somewhere in the output. Additionally, the output should indicate that Your CLI is up-to-date.

You can periodically run az upgrade to upgrade the Azure CLI tools.

See Install Azure CLI with apt for further information and alternative installation methods.

Azure's desktop app for interacting with Azure Storage is cross-platform. It is available in the Pop!_Shop via FlatHub. Installing it on an Ubuntu-based distribution can also be done in the terminal as follows:

flatpak install flathub com.microsoft.AzureStorageExplorer

The instructions for installing AWS CLI tools are derived from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html and are current as of 2024-06-29

The following script installs v2 of the AWS CLI tools:

sudo apt install -y unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Run aws --version and check for aws-cli/2.17.5 Python/3.11.8 Linux/6.9.3-76060903-generic exe/x86_64.pop.22 to verify success.

To update AWS CLI, add your existing symlink and installer information to construct the install command. This is done using the --bin-dir, --install-dir, and --update parameters. The following command block uses an example symlink of /usr/local/bin and example installer location of /usr/local/aws-cli. These locations are the defaults that would have been used during installation unless you specified otherwise.

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update

See https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html for additional information.

Instructions derived from https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ on 2024-02-18

You may not need to follow these commands to install kubectl if you installed Docker Desktop. Run kubectl version to see if it's already installed. If not, follow the commands below:

sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl
# If the folder `/etc/apt/keyrings` does not exist, it should be created before the curl command, read the note below.
# sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt install -y kubectl

Run kubectl version to verify success.

The instructions for installing GitHub CLI tools are derived from https://github.com/cli/cli/blob/trunk/docs/install_linux.md and are current as of 2024-02-18

type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
&& sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
&& sudo apt update \
&& sudo apt install gh -y

git config --global user.name "Your Name"
git config --global user.email [email protected]
git config --global init.defaultBranch main

See Customizing Git Configuration for more details. You can edit the global Git config file by running gedit ~/.gitconfig in a terminal window.

Tip: Remember that you can include a longer commit message by using a second -m in your command. Example: git commit -m "The short message, best ~50 characters" -m "The extended description that can go on however long you want."

The instructions for generating SSH keys is derived from https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent. Instructions for adding an SSH key to GitHub is derived from https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account. Both are current as of 2024-02-18

1. Run ssh-keygen -t ed25519 -C "[email protected]"
2. Enter a passphrase
3. Run ssh-add ~/.ssh/id_ed25519
4. Run cat ~/.ssh/id_ed25519.pub
5. Copy the output from cat and paste it into GitLab and GitHub's SSH key sections for your profile
6. Run ssh -T [email protected] to verify the key is recognized and working with GitHub.com
7. Run ssh -T [email protected] to verify the key is recognized and working with GitLab

Taken from https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/index.html.

1. Run gpg --full-gen-key
2. Choose "RSA and RSA (default)"
3. Choose 4096 bits
4. Choose 2y (or a timeframe of your choosing)
5. Provide the other required inputs
6. Run gpg --list-secret-keys --keyid-format LONG [email protected] (replace [email protected] with the email you used previously)
7. Copy the GPG key ID that starts with sec. E.g. in sec rsa4096/30F2B65B9246B6CA 2017-08-18 [SC], the key ID is 30F2B65B9246B6CA
8. Run gpg --armor --export 30F2B65B9246B6CA
9. Run git config --global user.signingkey 30F2B65B9246B6CA
10. Add the key to your GitHub account

To sign commits, the only difference is the addition of the -S flag:

git commit -S -m "My commit msg"

sudo apt install -y vlc
sudo apt install -y libavcodec-extra libdvd-pkg
sudo dpkg-reconfigure libdvd-pkg

1. Dropbox
2. Slack
3. Spotify
4. VirtualBox
5. Zoom
6. Microsoft Teams
7. VLC - for playing media files
8. Peek - for recording your screen and producing animated GIFs
9. GNU Image Manipulation Program
10. Htop
11. Bleachbit - for secure file erasure and general disk cleanup

1. Install the React Developer Tools addon
2. Preferences > Search > Change the search engine to "DuckDuckGo" (or your preferred engine)
3. Preferences > Privacy > Change tracking and protection settings as-needed

1. Navigate to Edit > Settings
2. In the Privacy & Security tab, scroll down to Enable DNS over HTTPS and select Max Protection
3. Select "Cloudflare" as the provider

Firefox in Gnome can experience screen tearing and other performance-inhibiting behavior. This may be adjustable by forcing GPU rendering, though it may impact power usage and stability. This has only been tested using NVIDIA GPUs.

1. Navigate to about:config in the Firefox URL bar
2. Select Accept the Risk and Continue
3. Copy and paste layers.acceleration.force-enabled into the search box and Enable it
4. Copy and paste layers.force-active into the search box and Enable it
5. Restart Firefox and observe smoother scrolling behavior

See https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks for advanced privacy-related Firefox configuration options.

1. From the desktop, select Activities (top-left corner of your monitor) > Pop!_Shop
2. Search for "Chromium Browser" and install it
3. Navigate to https://chrome.google.com/webstore/category/extensions and search for "React Developer Tools"
4. Add the React Developer Tools to Chromium

1. In Chromium, press the "..." button at the top-right corner of the Chromium window to bring up the options menu
2. Settings > Search Engine > Set to "Duck Duck Go" (or your preferred engine)
3. Settings > Advanced > Privacy & Security >
   1. Allow Chromium sign-in > Disable
   2. Use a prediction service to help complete searches and URLs typed in the address bar > Disable
   3. Use a web service to help resolve navigation errors > Disable
   4. Send a "Do Not Track" request with your browsing traffic > Enable
   5. Allow sites to check if you have payment methods saved > Disable
   6. Content Settings >
      1. Cookies > Block third-party cookies > Enable
      2. Location > Block
      3. Microphone > Block
      4. Camera > Block
      5. Flash > Set to "Block sites from running Flash"
      6. Clipboard > Set to "Do not allow sites to see text and images copied to the clipboard"
      7. Payment Handlers > Set to "Do not allow any site to install payment handlers"

Visual Studio Code can launch Google Chrome in JavaScript debug mode so developers can do useful things like set breakpoints and inspect JavaScript variables at runtime. However, Microsoft's official guidance on how to configure the Chrome Debugger only works with Chrome and not Chromium.

Google Chrome is a commercial, closed-source product. It's based on the open source Chromium project. If you'd like to use Chromium for JavaScript debugging instead of Chrome, you can still follow Microsoft's guide. You'll just need to add a runtimeExecutable property to the launch.json file in your web app's .vscode directory. Just make sure it points to where chromium-browser is installed. If you installed Chromium from the Pop!_Store then it should be located at /usr/bin/chromium-browser.

The launch.json file will automatically be created if you follow along with Microsoft's how-to guide.

The launch.json file needed to debug using Chromium is shown below:

{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "chrome",
      "request": "launch",
      "name": "Launch Chrome against localhost",
      "url": "http://localhost:3000",
      "webRoot": "${workspaceFolder}",
      "runtimeExecutable": "/usr/bin/chromium-browser"
    }
  ]
}

The instructions for enabling and installing themes are derived from https://ubuntuhandbook.org/index.php/2022/05/install-themes-ubuntu-22-04/ and are current as of 2024-06-22

We need to first install shell extensions and an extension manager:

 sudo apt install gnome-shell-extensions
 sudo apt install gnome-shell-extension-manager

Next, open the Extension Manager app and navigate to Browse. Select Install next to the "User Themes" list item. Wait for this to finish and then close the Extension Manager app.

Some themes are available in the central repos. For instance, to install the excellent Arc theme, simply run sudo apt install arc-theme. "Arc-Dark" is then available as a theme in Gnome Tweak Tool.

More themes are available for download on pling.com. For these, extra steps are required to install:

1. Create folders for the themes and icons:

mkdir ~/.themes
mkdir ~/.icons

2. Download a Gnome theme from Pling to your Downloads folder. (We'll use the WhiteSur GTK theme)
3. Extract the contents of the .tar.xz to the .themes folder
4. Download a Gnome icon theme from Pling to your Downloads folder. (We'll use the Tela Icon Theme)
5. Extract the contents of the .tar.xz to the .icons folder
6. Open the Tweaks Tool
7. Navigate to the Apperance tab
8. Select "White Sur-Dark" under Themes > Applications
9. Select "White Sur-Dark" under Themes > Shell
10. Select "Tela-dark" under Themes > Icons
11. Close Tweak Tool

Install the Font Manager application:

sudo apt install font-manager

Let's install Red Hat's free Overpass font. It can be downloaded or cloned: https://github.com/RedHatOfficial/Overpass.

Other good font replacements are:

• Source Sans Pro
• Source Code Pro
• Inconsolata
• Inter

Open Font Manager and press the + button to add a new font. Navigate to the extracted ZIP file (or cloned git repo) and import either the OTF or TTF files, whichever you prefer.

Open Tweak Tool and open the Fonts tab. Select "Overpass" from the Interface Text drop-down list. The changes should be visible immediately.

If you ever want to go back to the default interface font, it's "Fira Sans Book" at size 10.

Some custom fonts, including "Overpass", may look better with Hinting set to "None".

1. From the desktop, select Activities (top-left corner of your monitor) > Pop!_Shop
2. Search for "VirtualBox" and install it

To allow USB pass-through to a guest OS in VirtualBox:

1. Run sudo adduser $USER vboxusers
2. Log out and in again

Instructions derived from https://ubuntu.com/blog/kvm-hyphervisor?ref=itsfoss.com and https://www.youtube.com/watch?v=BgZHbCDFODk

An alternative to VirtualBox is to use Linux's built-in Kernel Virtual Machine (KVM) plus QEMU and VirtManager for a GUI front-end.

sudo apt -y install bridge-utils cpu-checker libvirt-clients libvirt-daemon qemu qemu-kvm virt-manager

Check that your processor supports virtualization:

kvm-ok

Look for:

INFO: /dev/kvm exists
KVM acceleration can be used

Add the current user to the kvm group, being sure to replace yourusername with your actual user name:

sudo usermod -aG libvirt yourusername
sudo usermod -aG kvm yourusername

Restart your system and then run these commands:

sudo systemctl start libvirtd
sudo systemctl enable libvirtd

1. Download a Pop!_OS ISO or the ISO of your choice
2. Place the .iso file into the /var/lib/libvirt/images folder
3. Open the Virtual Machine Manager (aka virt-manager)
4. Add a new virtual machine. Note that if you get a connection error, you should reboot your machine.
5. Select Local install media and then Forward. Step 2 of 5 appears.
6. Select Browse. The ISO you copied into the /var/lib/libvirt/images folder should appear.
7. Select the ISO and choose Choose Volume
8. You may need to select an operating system. if Virtual Machine Manager couldn't auto-detect one based on the ISO. In our case, if using Pop!_OS 22.04, select "Ubuntu 22.04 LTS"
9. Select Forward
10. Choose at least "8192" for memory and 2 CPUs and then select Forward
11. Choose at least 25 GB of disk storage and select Forward
12. Use a distinctive name for the VM, such as "K3s-pop-os" and select Finish
13. The VM should start automatically. Go through the VM setup process.

Run sudo apt update && sudo apt upgrade -y after OS configuration.

Snapshots can be taken in virt-manager just like in Virtual Box. You must navigate into the VM window (not the Virtual Machine Manager window) and select the Manage VM Snapshots icon at the far right of the toolbar.

Instructions derived from https://hub.docker.com/_/mysql using MySQL 8.3.0 and are current as of 2024-03-11

One can run MySQL Server in a Docker container rather than installing MySQL locally. Start a MySQL Docker container by running the following two commands:

docker network create -d bridge my-bridge-network
docker run --network my-bridge-network -p 3306:3306 --name go-test-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:latest

The -p 3306:3306 is what allows you to connect to this MySQL container from the host system, such as what you might do when developing an app.

Next, start a second MySQL container that connects to the first:

docker run -it --network my-bridge-network --rm mysql mysql -hgo-test-mysql -uroot -pmy-secret-pw

You should now see a mysql> prompt. Type exit to return to the terminal. Exiting destroys this second container, so to get another MySQL prompt you will need to re-run the above command. This is a nice way to query the MySQL database without needing to install MySQL command line tools.

An empty database server is probably not that handy. To load a .sql database into the first MySQL container, named go-test-mysql in the commands above, you can issue the command below. Replace the /home/your-username/databases/data.sql path with an actual path to a .sql file on your file system.

docker exec -i go-test-mysql sh -c 'exec mysql -uroot -p"my-secret-pw"' < /home/your-username/databases/data.sql

Now run the second Docker container again using the same command as before:

docker run -it --network my-bridge-network --rm mysql mysql -hgo-test-mysql -uroot -pmy-secret-pw

You should once again see a mysql> prompt.

1. Enter SELECT DATABASE(); to see what database(s) are in your server.
2. Enter use yourdatabasename to open a database from the list, replacing yourdatabasename with the name of one of the databases listed in the output of the previous step.
3. Enter SHOW TABLES(); to see what tables exist in this database.

You can now run SELECT and other queries against the database. Be sure to end all of your commands with a ;.

Here's an example of how you can connect to this database and test the connection in a simple GoLang app:

package main

import (
	"database/sql"
	"fmt"
	"log"

	"github.com/go-sql-driver/mysql"
)

var db *sql.DB

func main() {
	dsn := mysql.Config{
		User:   "root",
		Passwd: "my-secret-pw",
		Net:    "tcp",
		Addr:   "127.0.0.1:3306",
		DBName: "yourdatabasename",
	}

	var err error
	db, err = sql.Open("mysql", dsn.FormatDSN())
	if err != nil {
		log.Fatal(err)
	}

	defer db.Close()

	pingErr := db.Ping()
	if pingErr != nil {
		log.Fatal(pingErr)
	} else {
		fmt.Println("Connected!")
	}
}

Instructions derived from https://hub.docker.com/_/mariadb using MariaDB 11.4.1 and are current as of 2024-03-11

One can run MariaDB in a Docker container rather than installing MariaDB locally. Start a Maria Docker container by running the following two commands:

docker network inspect my-bridge-network >/dev/null 2>&1 || docker network create --driver bridge my-bridge-network
docker run --detach --name some-mariadb --network my-bridge-network -p 3306:3306 --env MARIADB_ROOT_PASSWORD=my-secret-pw  mariadb:latest

The -p 3306:3306 is what allows you to connect to this MariaDB container from the host system, such as what you might do when developing an app.

Next, start a second MariaDB container that connects to the first:

docker run -it --network my-bridge-network --rm mariadb mariadb -hsome-mariadb -uroot -pmy-secret-pw

You should now see a MariaDB [(none)]> prompt. Type \s and press Enter to verify success. Type exit to return to the terminal.

One can run PostgreSQL in a Docker container rather than installing locally. Start a PostgreSQL Docker container by running the following two commands:

docker network inspect my-bridge-network >/dev/null 2>&1 || docker network create --driver bridge my-bridge-network
docker run --detach --name postgres --network my-bridge-network -p 5432:5432 --env POSTGRES_PASSWORD=my-secret-pw postgres:latest

The -p 5432:5432 is what allows you to connect to this PostgreSQL container from the host system, such as what you might do when developing an app.

Next, start a second PostgreSQL container that connects to the first:

docker run -it --network my-bridge-network --rm --name second-postgres postgres psql -U postgres

You should now see a postgres=# prompt. Type SELECT table_name FROM information_schema.tables; and press Enter to verify success. Type q to exit the table list view.

This section is if you're having trouble pairing Bluetooth devices. Edit this file first:

sudo nano /etc/bluetooth/main.conf

Find the line #ControllerMode = dual. Uncomment and replace dual with bredr. This is a mode that has higher compatibility with more devices.

Save the file and exit.

Apply the changes:

sudo service bluetooth restart

You can scan for Bluetooth devices by running this command:

bluetoothctl scan on

And you can pair with a device by its address:

bluetoothctl pair [device address]

Instructions derived from https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F on 2024-06-24

Let's install some needed packages:

sudo apt install libpam-u2f libu2f-udev libpam-yubico yubikey-manager

Plug in your USB key and run this command:

ykman list --serials

If a serial number was displayed then the key software is working correctly and has detected and identified your key.

Now run the following command, replacing 12345 with the serial number from the last command's output.

ykman --device 12345

You should see output similar to the following:

Device type: [Type of key you have]
Serial number: 12345
Firmware version: x.x.x
Form factor: Keychain (USB-x)
Enabled USB interfaces: ...
...

We can now proceed that we know everything is working.

It's a good idea to set a FIDO PIN for your hardware security keys. PINs are optional but recommended in the event the keys are stolen. Some websites will require the use of the PIN to use the key but others may not. Unlike a password, however, the PIN stays on your key and is not transmitted to the website or web service.

Warning: With YubiKeys, 8 failed PIN attempts will erase the key, so be warned if you set a PIN. Have backups and memorize your PIN code.

PINs can include letters and other characters, not just numbers. The max length of a PIN for YubiKeys is quite large, around 256 characters total.

Warning: If you already have a PIN and you change it, it will erase all access credentials previously stored on the key. Do not change the PIN without considering this first!

Issue this command to set a PIN for the first time:

ykman fido access change-pin

Or this command to change a PIN:

$ ykman fido access change-pin --pin 123456 --new-pin 456789

Now let's move on to registering the key with the OS. First execute another command to create a special folder:

mkdir -p ~/.config/Yubico

The -p flag in mkdir signals to create the parent folder if it doesn't already exist.

Now insert your hardware security key and run the following command:

pamu2fcfg > ~/.config/Yubico/u2f_keys

Touch the key (e.g. if you have a YubiKey with this feature) and the command should finish.

For your second, backup key, you will remove the first key and insert the backup. Now run this different command (not the previous command).

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

Again, touch the key (e.g. if you have a YubiKey with this feature) and the command should finish. Both primary and secondary keys are now configured in Linux.

We can optionally move the file to a safer location, one that requires sudo to modify. This is more secuire than the home directory.

sudo mkdir /etc/Yubico
sudo mv  ~/.config/Yubico/u2f_keys /etc/Yubico/u2f_keys

Your key is now setup such that you can require it's use for sudo access, LUKS, GDM, TTY, SSH access, and more.

Instructions derived from https://support.yubico.com/hc/en-us/articles/360016649039-Installing-Yubico-Software-on-Linux on 2024-06-26

If using YubiKeys, you can install a GUI app to manage your keys.

Make sure pcscd is installed and running before starting the GUI app. To install pcscd:

sudo apt install pcscd

To check if pcscd is already running:

sudo systemctl status pcscd

To start pcscd if it's not already running, run this command:

sudo systemctl enable --now pcscd

With pcscd installed and running we can now install the YubiKey Manager (GUI) app:

1. Download the YubiKey Manager (GUI) AppImage.
2. Run chmod a+x yubikey-manager-qt-1.2.5-linux.AppImage in a terminal.
3. Run ./yubikey-manager-qt-1.2.5-linux.AppImage in a terminal to start the app.

Warning: If you already have a FIDO PIN and you change it, it will erase all access credentials previously stored on the key. Do not change the FIDO PIN without considering this first!

USBGuard enables you to block USB device access. This is useful for protecting against rogue USB devices (think "BadUSB") by implementing a USB blocklist and USB device policy.

Warning: Installing USBGuard using the steps below will create a policy that allows only currently-connected USB devices to be usable on the next boot. You can and should review this policy right after installation to ensure you can continue to use your PC. For instance, if you use hardware security keys to login, and they were not inserted at the time of USBGuard's installation, you could be locked out of your system permanently. Be cautious.

Let's install some packages:

sudo apt install usbguard usbutils udisks2 usbview

You can graphically view USB devices by running one of the packages we just installed:

sudo usbview

Or through either of these terminal commands:

lsusb
usb-devices | less

Let's next start and stop the service to generate the necessary configuration files:

sudo systemctl enable usbguard.service --now
sudo systemctl start usbguard.service
sudo systemctl stop usbguard.service

Now let's modify these configuration files. Open a root terminal and navigate to the usbguard directory:

sudo -i
cd /etc/usbguard
ls -laF

total 36
drwxr-xr-x   3 root root  4096 Jun 27 08:36 ./
drwxr-xr-x 149 root root 12288 Jun 27 08:36 ../
drwxr-xr-x   2 root root  4096 Jun 25 19:09 IPCAccessControl.d/
-rw-------   1 root root  4535 Jun 27 08:36 rules.conf
-rw-------   1 root root  6653 Apr 13  2022 usbguard-daemon.conf

Let's look at the policy:

sudo grep -vE '^#|^$' /etc/usbguard/usbguard-daemon.conf

RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=false

See ImplicitPolicyTarget=block on line 2. This line tells the daemon how to treat USB devices that fail to match a rule in the policy. Allowed values are allow, block or reject. A policy of reject logically removes the device node from the system.

See PresentDevicePolicy on line 3. This line tells the daemon how to treat USB devices that are already connected when the daemon starts. Allowed values are allow, block, reject, keep (this maintains the state the device is in) or apply-policy. The apply-policy default simply means to apply the rules to each USB device.

Let's look at the default policy that was created when we started and then stopped the daemon:

sudo nano /etc/usbguard/rules.conf

You should see that all currently connected devices are listed with allow as the permission.

Now let's start the daemon and check to see if it's working:

sudo systemctl restart usbguard.service
sudo systemctl status usbguard.service
sudo usbguard list-rules

You can list all USB devices recognized by the daemon:

sudo usbguard list-devices

You can verify it's working by plugging in a USB device and running:

lsusb

Look for the USB device in the list. It should appear, but it shouldn't work - that is, if you plugged in a USB thumb drive, it shouldn't appear as new storage. Let's confirm by running this command:

sudo dmesg | grep -i 'authorized'

If you see the following message or type of message then USBGuard successfully blocked the device:

[xxxxx.xxxxxx] usb x-x.x: Device is not authorized for usage

Let's authorize the device. We first need to find the device id and serial number. Run this command to list all the blocked devices:

sudo usbguard list-devices -b

Note the device ID and serial number. You will need these values. Then run the command below. Before doing so, replace the 1234:5678 and ABCDEF with the values outputted from the sudo usbguard list-devices -b command. Executing this command permanently updates the rules.conf with an allow rule for that device.

The -p flag is for permanent; leaving it off the command would make this a temporary rule that would not persist across a reboot.

sudo usbguard allow-device '1234:5678 serial "ABCDEF"' -p

Restart the USBGuard service:

sudo systemctl restart usbguard.service

With your device still plugged in, run:

sudo usbguard list-devices -b

If your device does not appear in the list of blocked devices then you've successfully whitelisted it.