diff --git a/home/.chezmoiscripts/universal/run_before_01-prepare.sh.tmpl b/home/.chezmoiscripts/universal/run_before_01-prepare.sh.tmpl
index 31b08b13..a3dd8bb3 100644
--- a/home/.chezmoiscripts/universal/run_before_01-prepare.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_before_01-prepare.sh.tmpl
@@ -29,7 +29,7 @@ configureMacOSVNC() {
 # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
 # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
 # Only enable when computer is not a corporate / work computer
- logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+ logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
 fi
 }
diff --git a/scripts/partials/import-cloudflare-certificate b/scripts/partials/import-cloudflare-certificate
new file mode 100644
index 00000000..ea08f2c7
--- /dev/null
+++ b/scripts/partials/import-cloudflare-certificate
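Review bot: The `-vncpw "…"` argument on the unchanged kickstart line passes the decrypted VNC_PASSWORD secret in the argv of a sudo'd process, where any local user can read it with `ps` while kickstart runs, and when neither the age key nor the encrypted secret is present the template silently falls back to the well-known literal `vncpass`. kickstart appears to accept the password only on the command line, so the argv exposure is probably unavoidable, but the default-password case should be loud rather than buried in the info line this hunk rewrites — e.g. add before the sudo call `{{ if not (env "VNC_PASSWORD") }}logg info 'WARNING: VNC_PASSWORD is unset - VNC will be enabled with the default password vncpass'{{ end }}` (using the chezmoi-side condition the template already uses for the secret if you want it exact). `-setvnclegacy -vnclegacy yes` also turns on the legacy VNC password mechanism; a one-line comment such as `# Legacy VNC auth is enabled deliberately so third-party VNC clients can connect; it is weaker than Apple's native auth` would record that this is intentional. configureMacOSVNC begins before this hunk.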
@@ -0,0 +1,28 @@
+# @description Applies changes that require input from the user such as using Touch ID on macOS when
+# importing certificates into the system keychain.
+#
+# * Ensures CloudFlare Teams certificate is imported into the system keychain
+importCloudFlareCert() {
+ if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
+ ### Acquire certificate
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+ CRT_TMP="$(mktemp)"
+ curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+ else
+ CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ fi
+
+ ### Validate / import certificate
+ security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+ if [ $? != 0 ]; then
+ logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+ fi
+
+ ### Remove temporary file, if necessary
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ rm -f "$CRT_TMP"
+ fi
+ fi
+}
diff --git a/scripts/provision.sh b/scripts/provision.sh
index 4342d764..3877c5ea 100644
--- a/scripts/provision.sh
+++ b/scripts/provision.sh
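Review bot: The download path installs whatever `curl -sSL … > "$CRT_TMP"` returns as a trusted root in the System keychain with no integrity check — no `-f`, so an HTTP error page or truncated body still flows into `security add-trusted-cert`, and nothing pins the certificate to the fingerprint Cloudflare publishes, so any compromise of that URL (or a local proxy already trusted by this machine) would get a root CA installed with a Touch ID prompt as the only speed bump. Pin the SHA-256 fingerprint taken from Cloudflare's documentation (not from this download) and bail out on download failure; `openssl` ships with macOS (LibreSSL), so this adds no Homebrew dependency even though importCloudFlareCert runs before ensureHomebrew in provisionLogic. While here, `security verify-cert … ; if [ $? != 0 ]` is better written `if ! security verify-cert -c "$CRT_TMP" > /dev/null 2>&1; then`. If logg has a warning level, use it instead of `info` for the failure messages below.
```shell
    ### Acquire certificate
    if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
      CRT_TMP="$(mktemp)"
      if ! curl -fsSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt -o "$CRT_TMP"; then
        logg info 'Failed to download Cloudflare_CA.crt - skipping certificate import'
        rm -f "$CRT_TMP"
        return 1
      fi
    # … unchanged: else branch using the local copy …
    fi

    ### Refuse to trust a root CA whose SHA-256 fingerprint is not the one Cloudflare publishes
    # CLOUDFLARE_CA_SHA256 must hold the fingerprint copied from Cloudflare's documentation, never from this download
    CRT_FP="$(openssl x509 -in "$CRT_TMP" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':')"
    if [ "$CRT_FP" != "$CLOUDFLARE_CA_SHA256" ]; then
      logg info "Cloudflare_CA.crt fingerprint $CRT_FP does not match the expected value - not importing"
      [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ] && rm -f "$CRT_TMP"
      return 1
    fi
    # … unchanged: verify-cert / add-trusted-cert / temp-file cleanup …
```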
@@ -361,6 +361,36 @@ ensureFullDiskAccess() {
 fi
 }
+# @description Applies changes that require input from the user such as using Touch ID on macOS when
+# importing certificates into the system keychain.
+#
+# * Ensures CloudFlare Teams certificate is imported into the system keychain
+importCloudFlareCert() {
+ if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
+ ### Acquire certificate
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+ CRT_TMP="$(mktemp)"
+ curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+ else
+ CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ fi
+
+ ### Validate / import certificate
+ security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+ if [ $? != 0 ]; then
+ logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+ fi
+
+ ### Remove temporary file, if necessary
+ if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+ rm -f "$CRT_TMP"
+ fi
+ fi
+}
+
+
 # @description Load default settings if it is in a CI setting
 setCIEnvironmentVariables() {
 if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
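Review bot: `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP"` sets no `-p` policy constraint, so the Cloudflare CA becomes trusted as a root for every policy — code signing, S/MIME, EAP — and not only for TLS; if the CA exists solely so Cloudflare Gateway can inspect HTTPS (the Cloudflare One documentation URL suggests so), narrow the admin trust setting to `-p ssl -p basic` so a misuse of that key cannot sign trusted software or mail on this machine. Failure is also invisible: when the user cancels the Touch ID/password prompt, `add-trusted-cert` returns non-zero, the `&& logg success` form prints nothing, and importCloudFlareCert still returns 0 because its last statement is the cleanup `if`; add `|| logg info 'Cloudflare_CA.crt was NOT imported (authorization declined or failed)'` after the add-trusted-cert call. scripts/provision.sh looks like the rendered output of scripts/src/provision.sh.tmpl, so the fix belongs in scripts/partials/import-cloudflare-certificate and should be regenerated here rather than hand-edited. The added function is complete within the hunk; the trailing lines of ensureFullDiskAccess shown at the top belong to a function that starts before it.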
@@ -535,11 +565,17 @@ ensureHomebrewDeps() {
 ### macOS
 if [ -d /Applications ] && [ -d /System ]; then
- installBrewPackage "expect"
+ ### gsed
 installBrewPackage "gsed"
+ ### unbuffer / expect
+ if ! command -v unbuffer > /dev/null; then
+ installBrewPackage "expect"
+ fi
+ ### gtimeout / coreutils
 if ! command -v gtimeout > /dev/null; then
 brew install --quiet coreutils
 fi
+ ### ts / moreutils
 if ! command -v ts > /dev/null; then
 brew install --quiet moreutils
 fi
@@ -683,7 +719,11 @@ provisionLogic() {
 logg info "Applying passwordless sudo" && setupPasswordlessSudo
 logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
 logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
- logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
+ if [ -d /Applications ] && [ -d /System ]; then
+ ### macOS only
+ logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
+ logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
+ fi
 logg info "Ensuring Homebrew is available" && ensureHomebrew
 logg info "Installing Homebrew packages" && ensureHomebrewDeps
 logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0
diff --git a/scripts/src/provision.sh.tmpl b/scripts/src/provision.sh.tmpl
index 52318d84..90dc2deb 100644
--- a/scripts/src/provision.sh.tmpl
+++ b/scripts/src/provision.sh.tmpl
@@ -81,6 +81,8 @@ setEnvironmentVariables() {
 {{ include "partials" "homebrew" }}
 {{ include "partials" "reboot" }}
 {{ include "partials" "full-disk-access" }}
+{{ include "partials" "import-cloudflare-certificate" }}
+
+
 # @description Load default settings if it is in a CI setting
 setCIEnvironmentVariables() {
 if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
@@ -255,11 +257,17 @@ ensureHomebrewDeps() {
 ### macOS
 if [ -d /Applications ] && [ -d /System ]; then
- installBrewPackage "expect"
+ ### gsed
 installBrewPackage "gsed"
+ ### unbuffer / expect
+ if ! command -v unbuffer > /dev/null; then
+ installBrewPackage "expect"
+ fi
+ ### gtimeout / coreutils
 if ! command -v gtimeout > /dev/null; then
 brew install --quiet coreutils
 fi
+ ### ts / moreutils
 if ! command -v ts > /dev/null; then
 brew install --quiet moreutils
 fi
@@ -403,7 +411,11 @@ provisionLogic() {
 logg info "Applying passwordless sudo" && setupPasswordlessSudo
 logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
 logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
- logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
+ if [ -d /Applications ] && [ -d /System ]; then
+ ### macOS only
+ logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
+ logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
+ fi
 logg info "Ensuring Homebrew is available" && ensureHomebrew
 logg info "Installing Homebrew packages" && ensureHomebrewDeps
 logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0
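Review bot: In the provisionLogic hunk, `logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert` discards the outcome of a step that modifies the system trust store, so a declined authorization or a failed download leaves provisioning to continue with no message beyond the missing success line; the step deserves an explicit fallback such as `importCloudFlareCert || logg info 'Cloudflare CA was not imported; Cloudflare Gateway TLS inspection (if used) will fail certificate validation'`, paired with the function actually returning non-zero on failure. The new outer `[ -d /Applications ] && [ -d /System ]` guard duplicates the same test at the top of importCloudFlareCert (visible in this diff) and presumably inside ensureFullDiskAccess; that is harmless, but a comment such as `### macOS only - the callees also self-guard, this just keeps the log quiet on Linux` would explain why both exist. provisionLogic starts before this hunk and continues after it.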