install.fairie/home/dot_local/bin/post-installx/executable_post-warp.sh

#!/usr/bin/env bash
# @file CloudFlare WARP
# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP.
# @description
#     This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked.
#     Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat
#     systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren.
#
#     ## MDM Configuration
#
#     If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
#     WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:
#
#     1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
#     2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
#     3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file. If you do not want to pass an environment variable, you can change the default value in `home/.chezmoi.yaml.tmpl` on your own fork.
#
#     The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
#
#     ## Headless CloudFlare WARP Connection
#
#     Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP
#     network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
#     finishes by connecting to CloudFlare Teams.
#
#     ## Application Certificates
#
#     This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)
#     to configure the following utilities that leverage seperate certificate authorities:
#
#     * Python
#     * NPM
#     * Git
#     * Google Cloud SDK
#     * AWS CLI
#     * Google Drive for desktop
#
#     Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files
#     outside of this script. **Note: The scripts that enable CloudFlare certificates for all these programs are currently commented out
#     in this script.**
#
#     ## Notes
#
#     According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
#     on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage
#     an MDM SaaS provider like JumpCloud.
#
#     ## Links
#
#     * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl)
#     * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl)

SSL_CERT_PATH="/etc/ssl/cert.pem"
### Install CloudFlare WARP (on non-WSL *nix systems)
if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then
  if [ -d /System ] && [ -d /Applications ]; then
    ### Install on macOS
    if [ ! -d "/Applications/Cloudflare WARP.app" ]; then
      brew install --cask --no-quarantine --quiet cloudflare-warp
    else
      logg info 'Cloudflare WARP already installed'
    fi
  elif [ '{{ .host.distro.id }}' = 'debian' ]; then
    ### Add CloudFlare WARP desktop app apt-get source
    if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
      logg info 'Adding CloudFlare WARP keyring'
      curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
      logg info 'Adding apt source reference'
      echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
    fi

    ### Update apt-get and install the CloudFlare WARP CLI
    sudo apt-get update && sudo apt-get install -y cloudflare-warp
  elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
    ### Add CloudFlare WARP desktop app apt-get source
    if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
      logg info 'Adding CloudFlare WARP keyring'
      curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
      logg info 'Adding apt source reference'
      echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
    fi

    ### Update apt-get and install the CloudFlare WARP CLI
    sudo apt-get update && sudo apt-get install -y cloudflare-warp
  elif command -v dnf > /dev/null && command -v rpm > /dev/null; then
    ### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency
    sudo dnf instal -y nss-tools || NSS_TOOL_EXIT=$?
    if [ -n "$NSS_TOOL_EXIT" ]; then
      logg warn 'Unable to install nss-tools which was a requirement on Fedora 36 and assumed to be one on other systems as well.'
    fi

    ### According to the download site, this is the only version available for RedHat-based systems
    sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm || RPM_EXIT_CODE=$?
    if [ -n "$RPM_EXIT_CODE" ]; then
      logg error 'Unable to install CloudFlare WARP using RedHat 8 RPM package'
    fi
  fi
fi

### Ensure certificate is installed
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
  ### Ensure certificate installed on macOS
  if [ -z "$SSH_CONNECTION" ]; then
    # if [ -z "$HEADLESS_INSTALL" ]; then
    #     logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
    #     sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
    # fi
    logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate'
    echo | sudo tee -a "$SSL_CERT_PATH" < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null
    echo "" | sudo tee -a "$SSL_CERT_PATH"
  else
    logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'
  fi

  if [ -f "/usr/local/opt/openssl@3/bin/c_rehash" ]; then
    # Location on Intel macOS
    logg info 'Ensuring /usr/local/etc/openssl@3/certs directory exists' && mkdir -p /usr/local/etc/openssl@3/certs
    logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem'
    echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem
    logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash'
    /usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg info 'OpenSSL certificate rehash successful'
  elif [ -f "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" ]; then
    # Location on arm64 macOS and custom Homebrew locations
    logg info "Ensuring ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs directory exists" && mkdir -p "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs"
    logg info "Adding Cloudflare certificate to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
    echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
    logg info "Running ${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash"
    "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" > /dev/null && logg info 'OpenSSL certificate rehash successful'
  else
    logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!'
  fi
elif command -v warp-cli > /dev/null; then
  # System is Linux
  if command -v dpkg-reconfigure > /dev/null; then
    if [ -d /usr/local/share/ca-certificates ]; then
      logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'
      sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt
      logg info 'dpkg-reconfigure executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'
      sudo dpkg-reconfigure ca-certificates -p high
      SSL_CERT_PATH="/etc/ssl/certs/ca-certificates.crt"
    else
      logg warn 'No /usr/local/share/ca-certificates folder present'
    fi
  elif command -v update-ca-trust > /dev/null; then
    if [ -d /etc/pki/ca-trust/source/anchors ]; then
      logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'
      sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors
      logg info 'update-ca-trust executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'
      sudo update-ca-trust
      SSL_CERT_PATH="/etc/pki/tls/certs/ca-bundle.crt"
    else
      logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'
    fi
  fi
fi

if command -v warp-cli > /dev/null; then
  ### Application certificate configuration
  # Application-specific certificate authority modification is currently commented out because
  # it is merely for traffic inspection and `npm install` fails when configured to use the CloudFlare
  # certificate and the WARP client is not running.
  ### Git
  if command -v git > /dev/null; then
    logg info "Configuring git to use $SSL_CERT_PATH"
    git config --global http.sslcainfo "$SSL_CERT_PATH"
  fi

  ### NPM
  if command -v npm > /dev/null; then
    logg info "Configuring npm to use $SSL_CERT_PATH"
    npm config set cafile "$SSL_CERT_PATH"
  fi

  ### Python
  if command -v python3 > /dev/null; then
    ### Ensure Certifi package is available globally
    if ! pip3 list | grep certifi > /dev/null; then
      if command -v brew > /dev/null; then
        logg info 'Ensuring Python certifi is installed via Homebrew'
        brew install --quiet certifi
      else
        logg info 'Ensuring certifi is installed globally for Python 3'
        pip3 install certifi
      fi
    fi

    ### Copy CloudFlare PEM file to Python 3 location
    logg info "Configuring python3 / python to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem""
    echo | cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> $(python3 -m certifi)
  fi

  ### Google Cloud SDK
  if command -v gcloud > /dev/null; then
    logg info "Configuring gcloud to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" and "$HOME/.local/etc/ssl/gcloud/ca.pem""
    mkdir -p "$HOME/.local/etc/ssl/gcloud"
    cat "$HOME/.local/etc/ssl/curl/cacert.pem" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > "$HOME/.local/etc/ssl/gcloud/ca.pem"
    gcloud config set core/custom_ca_certs_file "$HOME/.local/etc/ssl/gcloud/ca.pem"
  fi

  ### Google Drive for desktop (macOS)
  if [ -d "/Applications/Google Drive.app" ]; then
    if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
      logg info "Combining Google Drive roots.pem with CloudFlare certificate"
      mkdir -p "$HOME/.local/etc/ssl/google-drive"
      cat "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "$HOME/.local/etc/ssl/google-drive/roots.pem"
      sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "$HOME/.local/etc/ssl/google-drive/roots.pem"
    else
      logg warn 'Google Drive.app installed but roots.pem is not available yet'
    fi
  fi

  ### Ensure MDM settings are applied (deletes after reboot on macOS)
  ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
  # Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
  # Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig
  if [ -d /System ] && [ -d /Applications ]; then
    sudo mkdir -p "/Library/Managed Preferences"
    sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist'
    sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist'
    ### Enable CloudFlare WARP credentials auto-populate (since file is deleted when not managed with MDM)
    if [ -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" ] && [ ! -f "/Library/LaunchDaemons/com.cloudflare.warp.plist" ]; then
      sudo mkdir -p /Library/LaunchDaemons
      sudo cp -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" '/Library/LaunchDaemons/com.cloudflare.warp.plist'
      sudo launchctl load "/Library/LaunchDaemons/com.cloudflare.warp.plist"
    fi
  elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then
    sudo mkdir -p /var/lib/cloudflare-warp
    sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml
  fi

  ### Register CloudFlare WARP
  if warp-cli --accept-tos status | grep 'Registration Missing' > /dev/null; then
    logg info 'Registering CloudFlare WARP'
    warp-cli --accept-tos registration new
  else
    logg info 'Either there is a misconfiguration or the device is already registered with CloudFlare WARP'
  fi

  ### Connect CloudFlare WARP
  if warp-cli --accept-tos status | grep 'Disconnected' > /dev/null; then
    logg info 'Connecting to CloudFlare WARP'
    warp-cli --accept-tos connect > /dev/null && logg success 'Connected to CloudFlare WARP'
  else
    logg info 'Either there is a misconfiguration or the device is already connected with CloudFlare WARP'
  fi
else
  logg warn 'warp-cli was not installed so CloudFlare WARP cannot be joined'
fi
Moved around things 2024-05-04 21:05:33 -07:00			`#!/usr/bin/env bash`
			`# @file CloudFlare WARP`
			`# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP.`
			`# @description`
			`# This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked.`
			# Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat
			`# systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren.`
			`#`
			`# ## MDM Configuration`
			`#`
			`# If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare`
			`# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:`
			`#`
			# 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
			# 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
			# 3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file. If you do not want to pass an environment variable, you can change the default value in `home/.chezmoi.yaml.tmpl` on your own fork.
			`#`
			`# The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).`
			`#`
			`# ## Headless CloudFlare WARP Connection`
			`#`
			`# Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP`
			`# network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script`
			`# finishes by connecting to CloudFlare Teams.`
			`#`
			`# ## Application Certificates`
			`#`
			`# This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)`
			`# to configure the following utilities that leverage seperate certificate authorities:`
			`#`
			`# * Python`
			`# * NPM`
			`# * Git`
			`# * Google Cloud SDK`
			`# * AWS CLI`
			`# * Google Drive for desktop`
			`#`
			`# Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files`
			`# outside of this script. **Note: The scripts that enable CloudFlare certificates for all these programs are currently commented out`
			`# in this script.**`
			`#`
			`# ## Notes`
			`#`
			`# According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),`
			# on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage
			`# an MDM SaaS provider like JumpCloud.`
			`#`
			`# ## Links`
			`#`
			`# * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl)`
			`# * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl)`

			`SSL_CERT_PATH="/etc/ssl/cert.pem"`
			`### Install CloudFlare WARP (on non-WSL *nix systems)`
			`if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then`
			`if [ -d /System ] && [ -d /Applications ]; then`
			`### Install on macOS`
			`if [ ! -d "/Applications/Cloudflare WARP.app" ]; then`
			`brew install --cask --no-quarantine --quiet cloudflare-warp`
			`else`
			`logg info 'Cloudflare WARP already installed'`
			`fi`
			`elif [ '{{ .host.distro.id }}' = 'debian' ]; then`
			`### Add CloudFlare WARP desktop app apt-get source`
			`if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then`
			`logg info 'Adding CloudFlare WARP keyring'`
			`curl https://pkg.cloudflareclient.com/pubkey.gpg \| sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg`
			`logg info 'Adding apt source reference'`
			`echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" \| sudo tee /etc/apt/sources.list.d/cloudflare-client.list`
			`fi`

			`### Update apt-get and install the CloudFlare WARP CLI`
			`sudo apt-get update && sudo apt-get install -y cloudflare-warp`
			`elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then`
			`### Add CloudFlare WARP desktop app apt-get source`
			`if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then`
			`logg info 'Adding CloudFlare WARP keyring'`
			`curl https://pkg.cloudflareclient.com/pubkey.gpg \| sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg`
			`logg info 'Adding apt source reference'`
			`echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" \| sudo tee /etc/apt/sources.list.d/cloudflare-client.list`
			`fi`

			`### Update apt-get and install the CloudFlare WARP CLI`
			`sudo apt-get update && sudo apt-get install -y cloudflare-warp`
			`elif command -v dnf > /dev/null && command -v rpm > /dev/null; then`
			### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency
			`sudo dnf instal -y nss-tools \|\| NSS_TOOL_EXIT=$?`
			`if [ -n "$NSS_TOOL_EXIT" ]; then`
			`logg warn 'Unable to install nss-tools which was a requirement on Fedora 36 and assumed to be one on other systems as well.'`
			`fi`

			`### According to the download site, this is the only version available for RedHat-based systems`
			`sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm \|\| RPM_EXIT_CODE=$?`
			`if [ -n "$RPM_EXIT_CODE" ]; then`
			`logg error 'Unable to install CloudFlare WARP using RedHat 8 RPM package'`
			`fi`
			`fi`
			`fi`

			`### Ensure certificate is installed`
			`# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt`
			`# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem`
			`if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then`
			`### Ensure certificate installed on macOS`
			`if [ -z "$SSH_CONNECTION" ]; then`
			`# if [ -z "$HEADLESS_INSTALL" ]; then`
			`# logg info 'macOS Manual Security Permission Requesting security authorization for Cloudflare trusted certificate'`
			`# sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"`
			`# fi`
			`logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate'`
			`echo \| sudo tee -a "$SSL_CERT_PATH" < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null`
			`echo "" \| sudo tee -a "$SSL_CERT_PATH"`
			`else`
			`logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'`
			`fi`

			`if [ -f "/usr/local/opt/openssl@3/bin/c_rehash" ]; then`
			`# Location on Intel macOS`
			`logg info 'Ensuring /usr/local/etc/openssl@3/certs directory exists' && mkdir -p /usr/local/etc/openssl@3/certs`
			`logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem'`
			`echo \| sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem`
			`logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash'`
			`/usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg info 'OpenSSL certificate rehash successful'`
			`elif [ -f "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" ]; then`
			`# Location on arm64 macOS and custom Homebrew locations`
			`logg info "Ensuring ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs directory exists" && mkdir -p "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs"`
			`logg info "Adding Cloudflare certificate to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"`
			`echo \| sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"`
			`logg info "Running ${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash"`
			`"${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" > /dev/null && logg info 'OpenSSL certificate rehash successful'`
			`else`
			`logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!'`
			`fi`
			`elif command -v warp-cli > /dev/null; then`
			`# System is Linux`
			`if command -v dpkg-reconfigure > /dev/null; then`
			`if [ -d /usr/local/share/ca-certificates ]; then`
			`logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'`
			`sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt`
			`logg info 'dpkg-reconfigure executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'`
			`sudo dpkg-reconfigure ca-certificates -p high`
			`SSL_CERT_PATH="/etc/ssl/certs/ca-certificates.crt"`
			`else`
			`logg warn 'No /usr/local/share/ca-certificates folder present'`
			`fi`
			`elif command -v update-ca-trust > /dev/null; then`
			`if [ -d /etc/pki/ca-trust/source/anchors ]; then`
			`logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'`
			`sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors`
			`logg info 'update-ca-trust executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'`
			`sudo update-ca-trust`
			`SSL_CERT_PATH="/etc/pki/tls/certs/ca-bundle.crt"`
			`else`
			`logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'`
			`fi`
			`fi`
			`fi`

			`if command -v warp-cli > /dev/null; then`
			`### Application certificate configuration`
			`# Application-specific certificate authority modification is currently commented out because`
			# it is merely for traffic inspection and `npm install` fails when configured to use the CloudFlare
			`# certificate and the WARP client is not running.`
			`### Git`
			`if command -v git > /dev/null; then`
			`logg info "Configuring git to use $SSL_CERT_PATH"`
			`git config --global http.sslcainfo "$SSL_CERT_PATH"`
			`fi`

			`### NPM`
			`if command -v npm > /dev/null; then`
			`logg info "Configuring npm to use $SSL_CERT_PATH"`
			`npm config set cafile "$SSL_CERT_PATH"`
			`fi`

			`### Python`
			`if command -v python3 > /dev/null; then`
			`### Ensure Certifi package is available globally`
			`if ! pip3 list \| grep certifi > /dev/null; then`
			`if command -v brew > /dev/null; then`
			`logg info 'Ensuring Python certifi is installed via Homebrew'`
			`brew install --quiet certifi`
			`else`
			`logg info 'Ensuring certifi is installed globally for Python 3'`
			`pip3 install certifi`
			`fi`
			`fi`

			`### Copy CloudFlare PEM file to Python 3 location`
			`logg info "Configuring python3 / python to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem""`
			`echo \| cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> $(python3 -m certifi)`
			`fi`

			`### Google Cloud SDK`
			`if command -v gcloud > /dev/null; then`
			`logg info "Configuring gcloud to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" and "$HOME/.local/etc/ssl/gcloud/ca.pem""`
			`mkdir -p "$HOME/.local/etc/ssl/gcloud"`
			`cat "$HOME/.local/etc/ssl/curl/cacert.pem" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > "$HOME/.local/etc/ssl/gcloud/ca.pem"`
			`gcloud config set core/custom_ca_certs_file "$HOME/.local/etc/ssl/gcloud/ca.pem"`
			`fi`

			`### Google Drive for desktop (macOS)`
			`if [ -d "/Applications/Google Drive.app" ]; then`
			`if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then`
			`logg info "Combining Google Drive roots.pem with CloudFlare certificate"`
			`mkdir -p "$HOME/.local/etc/ssl/google-drive"`
			`cat "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "$HOME/.local/etc/ssl/google-drive/roots.pem"`
			`sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "$HOME/.local/etc/ssl/google-drive/roots.pem"`
			`else`
			`logg warn 'Google Drive.app installed but roots.pem is not available yet'`
			`fi`
			`fi`

			`### Ensure MDM settings are applied (deletes after reboot on macOS)`
			### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
			`# Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/`
			`# Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig`
			`if [ -d /System ] && [ -d /Applications ]; then`
			`sudo mkdir -p "/Library/Managed Preferences"`
			`sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist'`
			`sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist'`
			`### Enable CloudFlare WARP credentials auto-populate (since file is deleted when not managed with MDM)`
			`if [ -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" ] && [ ! -f "/Library/LaunchDaemons/com.cloudflare.warp.plist" ]; then`
			`sudo mkdir -p /Library/LaunchDaemons`
			`sudo cp -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" '/Library/LaunchDaemons/com.cloudflare.warp.plist'`
			`sudo launchctl load "/Library/LaunchDaemons/com.cloudflare.warp.plist"`
			`fi`
			`elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then`
			`sudo mkdir -p /var/lib/cloudflare-warp`
			`sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml`
			`fi`

			`### Register CloudFlare WARP`
Fixed warp registration 2024-05-09 16:56:02 -07:00			`if warp-cli --accept-tos status \| grep 'Registration Missing' > /dev/null; then`
Moved around things 2024-05-04 21:05:33 -07:00			`logg info 'Registering CloudFlare WARP'`
Fixed warp registration 2024-05-09 16:56:02 -07:00			`warp-cli --accept-tos registration new`
Moved around things 2024-05-04 21:05:33 -07:00			`else`
			`logg info 'Either there is a misconfiguration or the device is already registered with CloudFlare WARP'`
			`fi`

			`### Connect CloudFlare WARP`
			`if warp-cli --accept-tos status \| grep 'Disconnected' > /dev/null; then`
			`logg info 'Connecting to CloudFlare WARP'`
			`warp-cli --accept-tos connect > /dev/null && logg success 'Connected to CloudFlare WARP'`
			`else`
			`logg info 'Either there is a misconfiguration or the device is already connected with CloudFlare WARP'`
			`fi`
			`else`
			`logg warn 'warp-cli was not installed so CloudFlare WARP cannot be joined'`
			`fi`