Latest

docs/TODO.md

@@ -215,6 +215,7 @@ The following items have been reviewed but need to be revisited due to complexit
 * [Title](https://flathub.org/apps/com.airtame.Client)
 * [Title](https://github.com/Aloxaf/fzf-tab)
 [Title](https://github.com/haproxy/haproxy)
+* [Title](https://frappeframework.com/docs/v14/user/en/installation)
 
 ## Docker Issue
 

home/.chezmoiscripts/universal/run_onchange_after_14-cloudflare.sh.tmpl

@@ -1,7 +1,7 @@
 {{- if (ne .host.distro.family "windows") -}}
 #!/usr/bin/env bash
-# @file CloudFlare WARP
-# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP.
+# @file CloudFlare WARP and CloudFlare Argo Tunnels
+# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP. Also sets up Argo Tunnels.
 # @description
 #     This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked.
 #     Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat
@@ -14,7 +14,7 @@
 #
 #     1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
 #     2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
-#     3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file.
+#     3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file. If you do not want to pass an environment variable, you can change the default value in `home/.chezmoi.yaml.tmpl` on your own fork.
 #
 #     The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
 #
@@ -154,43 +154,43 @@ if command -v warp-cli > /dev/null; then
     # Application-specific certificate authority modification is currently commented out because
     # it is merely for traffic inspection and `npm install` fails when configured to use the CloudFlare
     # certificate and the WARP client is not running.
-    # ### Git
-    # if command -v git > /dev/null; then
-    #     logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
-    #     git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
-    # fi
+    ### Git
+    if command -v git > /dev/null; then
+        logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
+        git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
+    fi
 
-    # ### NPM
-    # if command -v npm > /dev/null; then
-    #     logg info "Configuring npm to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
-    #     npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
-    # fi
+    ### NPM
+    if command -v npm > /dev/null; then
+        logg info "Configuring npm to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
+        npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
+    fi
 
-    # ### Python
-    # if command -v python3 > /dev/null; then
-    #     logg info "Configuring python3 / python to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
-    #     echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
-    # fi
+    ### Python
+    if command -v python3 > /dev/null; then
+        logg info "Configuring python3 / python to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
+        echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
+    fi
 
-    # ### Google Cloud SDK
-    # if command -v gcloud > /dev/null; then
-    #     logg info "Configuring gcloud to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
-    #     mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud"
-    #     cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
-    #     gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
-    # fi
+    ### Google Cloud SDK
+    if command -v gcloud > /dev/null; then
+        logg info "Configuring gcloud to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
+        mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud"
+        cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
+        gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
+    fi
 
     ### Google Drive for desktop (macOS)
-    # if [ -d "/Applications/Google Drive.app" ]; then
-    #     if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
-    #         logg info "Combining Google Drive roots.pem with CloudFlare certificate"
-    #         mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
-    #         cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
-    #         sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
-    #     else
-    #         logg warn 'Google Drive.app installed but roots.pem is not available yet'
-    #     fi
-    # fi
+    if [ -d "/Applications/Google Drive.app" ]; then
+        if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
+            logg info "Combining Google Drive roots.pem with CloudFlare certificate"
+            mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
+            cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
+            sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
+        else
+            logg warn 'Google Drive.app installed but roots.pem is not available yet'
+        fi
+    fi
 
 
     ### Ensure MDM settings are applied (deletes after reboot on macOS)
@@ -221,6 +221,86 @@ if command -v warp-cli > /dev/null; then
         logg info 'Either there is a misconfiguration or the device is already connected with CloudFlare WARP'
     fi
 else
-    logg warn '`warp-cli` was not installed so CloudFlare Zero Trust cannot be joined'
+    logg warn '`warp-cli` was not installed so CloudFlare WARP cannot be joined'
+fi
+
+{{- $registrationToken := "" }}
+{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "cloudflared" .user.hostname)) -}}
+{{-   $registrationToken := (includeTemplate (joinPath "cloudflared" .user.hostname) | decrypt) -}}
+{{- end }}
+### Set up CloudFlare tunnels
+if command -v cloudflared > /dev/null && [ -d "$HOME/.local/etc/cloudflared" ]; then
+    # Show warning message about ~/.cloudflared already existing
+    if [ -d "$HOME/.cloudflared" ]; then
+        logg warn '~/.cloudflared is already in the home directory - to ensure proper deployment, remove previous tunnel configuration folders'
+    fi
+
+    # Copy over configuration files
+    logg info 'Copying over configuration files from ~/.local/etc/cloudflared to /usr/local/etc/cloudflared'
+    sudo cp -rf "$HOME/.local/etc/cloudflared/"* /usr/local/etc/cloudflared
+
+    # Register tunnel (if not already registered)
+    if cloudflared tunnel list | grep "host-{{ .user.hostname }}"; then
+        logg info 'CloudFlare tunnel is already registered'
+    else
+        logg info 'Creating a CloudFlare tunnel to this host'
+        sudo cloudflared tunnel create "host-{{ .user.hostname }}"
+    fi
+    TUNNEL_ID="$(cloudflared tunnel list | grep "host-{{ .user.hostname }}" | sed 's/ .*//')"
+    logg info "Tunnel ID: $TUNNEL_ID"
+    if [ -f "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" ]
+        logg info 'Symlinking tunnel configuration to /usr/local/etc/cloudflared/credentials.json'
+        rm -f /usr/local/etc/cloudflared/credentials.json
+        sudo ln -s "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" /usr/local/etc/cloudflared/credentials.json
+    else
+        logg info 'Handling case where the tunnel registration is not present in /usr/local/etc/cloudflared'
+        {{ if eq $registrationToken "" -}}
+        logg warn 'Registration token is unavailable - you might have to delete the pre-existing tunnel or set up secrets properly'
+        {{- else -}}
+        logg info 'Registration token retrieved from encrypted blob stored at `home/.chezmoitemplates/cloudflared/{{ .host.hostname }}`'
+        {{ if eq (substr 0 1 $registrationToken) "{" -}}
+        logg info 'Registration token stored in credential file form'
+        echo -n '{{ $registrationToken }}' | sudo tee /usr/local/etc/cloudflared/credentials.json > /dev/null
+        {{ else }}
+        logg info 'Registration token is in token form - it will be used in conjunction with `sudo cloudflared service install`'
+        {{- end }}
+        {{- end }}
+    fi
+
+    # Set up service
+    if [ -d /Applications ] && [ -d /System ]; then
+        # System is macOS
+        if [ -f /Library/LaunchDaemons/com.cloudflare.cloudflared.plist ]; then
+            logg info '`cloudflared` service is already installed'
+        else
+            logg info 'Running `sudo cloudflared service install`'
+            sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }}
+        fi
+        logg info 'Ensuring cloudflared service is installed'
+        sudo launchctl start com.cloudflare.cloudflared
+    elif [ -f /etc/os-release ]; then
+        # System is Linux
+        logg info 'Copying over configuration files from ~/.local/etc/cloudflared to /usr/local/etc/cloudflared'
+        sudo cp -rf "$HOME/.local/etc/cloudflared" /usr/local/etc/cloudflared
+        if systemctl --all --type service | grep -q "cloudflared" > /dev/null; then
+            logg info '`cloudflared` service is already available as a service'
+        else
+            logg info 'Running `sudo cloudflared service install`'
+            sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }}
+        fi
+        logg info 'Ensuring cloudflared service is started'
+        sudo systemctl start cloudflared
+        logg info 'Enabling cloudflared as a boot systemctl service'
+        sudo systemctl enable cloudflared
+    else
+        # System is Windows
+        cloudflared service install
+        mkdir C:\Windows\System32\config\systemprofile\.cloudflared
+        # Copy same cert.pem as being used above
+        # copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared\cert.pem
+        # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/as-a-service/windows/
+    fi
+else
+    logg info '`cloudflared` was not installed so CloudFlare Tunnels cannot be enabled. (Or the ~/.local/etc/cloudflared folder is not present)'
 fi
 {{ end -}}

home/.chezmoitemplates/cloudflared/C02X514PJG5M

@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOFdoZHFuVFNhZVJyRnNU
+V2dOaEQ0SmpoWEJmNzZPdEpWbzB3b2d5RVFjCjF0VkswRndldS9hU1RRanlWUGZw
+TnpjT0p0RUJqUkwvSm1aR3lUYkJ4dDQKLS0tIFdVejhpY1paWGE4eHU1dDJtU3dr
+OUVXcVo2ei9yMm9wYkxZSU9qU2EwdEUKQ7uBNViwqmt07/hpa9Pz++1PVwzn4thU
+KtzWp48aLeYpOHoyvQuOOhXuC3l+SXtCHZxPXxNXpT/+UKcAQPKBXS/lSsuQji6b
+BMaqAVc/QXcWuVvCWdkWdF4P14aEvKZjHqQ2PD2mVcOPd5fWhN8qPzKSZHoS3VQK
+oBlRVGMcL44xIWFOUy7G315HGsipdKN7iI2HEoDBR3dn+Ld6wRECGCAZxk/nW/1I
+G7OngsuN2RNX2VsszE1e5knJd9h2fB/6EcuNpXEQ4vJlaawO+iVZ+HVJafPN2WA7
+-----END AGE ENCRYPTED FILE-----

home/Library/LaunchDaemons/com.cloudflare.warp.plist.tmpl

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+       <key>Label</key>
+       <string>com.cloudflare.warp</string>
+       <key>ProgramArguments</key>
+       <array>
+           <string>/usr/local/bin/bash</string>
+           <string>-c</string>
+           <string>cp -f "{{ .user.home }}/Library/Managed Preferences/com.cloudflare.warp.plist" "/Library/Managed Preferences/com.cloudflare.warp.plist" && plutil -convert binary1 "/Library/Managed Preferences/com.cloudflare.warp.plist"</string>
+       </array>
+       <key>StartCalendarInterval</key>
+       <dict>
+           <key>Minute</key>
+           <integer>0</integer>
+       </dict>
+   </dict>
+</plist>

home/Library/LaunchDaemons/run_onchange_after_launch-daemons.sh.tmpl

@@ -1,10 +1,17 @@
 #!/usr/bin/env bash
 
-### Enable automated updates on macOS
 if [ -d /Applications ] && [ -d /System ]; then
+    ### Enable automated updates on macOS
     if [ -f "$HOME/Library/LaunchDaemons/com.apple.automatedupdates.plist" ] && [ ! -f "/Library/LaunchDaemons/com.apple.automatedupdates.plist" ]; then
         sudo mkdir -p /Library/LaunchDaemons
         sudo cp -f "$HOME/Library/LaunchDaemons/com.apple.automatedupdates.plist" "/Library/LaunchDaemons/com.apple.automatedupdates.plist"
         sudo launchctl load "/Library/LaunchDaemons/com.apple.automatedupdates.plist"
     fi
+
+    ### Enable CloudFlare WARP credentials auto-populate (since file is deleted when not managed with MDM)
+    if [ -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" ] && [ ! -f "/Library/LaunchDaemons/com.cloudflare.warp.plist" ]; then
+        sudo mkdir -p /Library/LaunchDaemons
+        sudo cp -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" '/Library/LaunchDaemons/com.cloudflare.warp.plist'
+        sudo launchctl load "/Library/LaunchDaemons/com.cloudflare.warp.plist"
+    fi
 fi

home/dot_config/cloudflared/config.yaml

@@ -1,4 +0,0 @@
-tunnel: The tunnel UUID
-credentials-file: /path/your-tunnels-credentials-file.json
-warp-routing:
-    enabled: true

home/dot_local/etc/cloudflared/cert.pem.tmpl

@@ -1,3 +1,3 @@
 {{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "files" "cloudflared.pem")) -}}
 {{   includeTemplate "files/cloudflared.pem" | decrypt -}}
-{{ end -}}
+{{- end -}}

home/dot_local/etc/cloudflared/config.yaml.tmpl

@@ -0,0 +1,36 @@
+{{- $baseDomain := (join .host.hostname "." .host.domain) -}}
+{{- if .host.qubes -}}
+{{-   $baseDomain := (join .host.hostname "-qube." .host.domain) -}}
+{{- end -}}
+---
+tunnel: {{ if .host.qubes }}qube{{ else }}host{{ end }}-{{ .host.hostname }}
+credentials-file: /usr/local/etc/cloudflared/credentials.json
+
+warp-routing:
+    enabled: true
+
+ingress:
+  - hostname: {{ $baseDomain }}
+    service: https://localhost:8014
+  - hostname: test.{{ $baseDomain }}
+    service: hello_world
+  - hostname: ssh.{{ $baseDomain }}
+    service: ssh://localhost:{{ .host.ssh.port }}
+  - hostname: rdp.{{ $baseDomain }}
+    service: rdp://localhost:3389
+  - hostname: samba.{{ $baseDomain }}
+    service: localhost:8445
+  - hostname: vnc.{{ $baseDomain }}
+    service: tcp://localhost:5901
+  # Example of an HTTP request over a Unix socket:
+  # - hostname: {{ $baseDomain }}
+  #   service: unix:/home/production/echo.sock
+  # Tunnel the baked-in Hello World test app for testing purposes
+  # Rules can match the request's path to a regular expression:
+  # - hostname: static.example.com
+  #   path: \.(jpg|png|css|js)$
+  #   service: https://localhost:8001
+  # Rules can match the request's hostname to a wildcard character:
+  # - hostname: "*.example.com"
+  #   service: https://localhost:8002
+  - service: http_status:404