Latest

home/.chezmoiscripts/universal/run_before_01-prepare.sh.tmpl

@@ -29,7 +29,7 @@ configureMacOSVNC() {
     # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
     # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
     # Only enable when computer is not a corporate / work computer
-    logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+    logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
     sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
   fi
 }

scripts/partials/import-cloudflare-certificate

@@ -0,0 +1,28 @@
+# @description Applies changes that require input from the user such as using Touch ID on macOS when
+#     importing certificates into the system keychain.
+#
+#     * Ensures CloudFlare Teams certificate is imported into the system keychain
+importCloudFlareCert() {
+  if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
+    ### Acquire certificate
+    if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+      logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+      CRT_TMP="$(mktemp)"
+      curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+    else
+      CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+    fi
+
+    ### Validate / import certificate
+    security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+    if [ $? != 0 ]; then
+      logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+      sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+    fi
+
+    ### Remove temporary file, if necessary
+    if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+      rm -f "$CRT_TMP"
+    fi
+  fi
+}

scripts/provision.sh

@@ -361,6 +361,36 @@ ensureFullDiskAccess() {
   fi
 }
 
+# @description Applies changes that require input from the user such as using Touch ID on macOS when
+#     importing certificates into the system keychain.
+#
+#     * Ensures CloudFlare Teams certificate is imported into the system keychain
+importCloudFlareCert() {
+  if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
+    ### Acquire certificate
+    if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+      logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+      CRT_TMP="$(mktemp)"
+      curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+    else
+      CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+    fi
+
+    ### Validate / import certificate
+    security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+    if [ $? != 0 ]; then
+      logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+      sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+    fi
+
+    ### Remove temporary file, if necessary
+    if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+      rm -f "$CRT_TMP"
+    fi
+  fi
+}
+
+
 # @description Load default settings if it is in a CI setting
 setCIEnvironmentVariables() {
   if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
@@ -535,11 +565,17 @@ ensureHomebrewDeps() {
 
   ### macOS
   if [ -d /Applications ] && [ -d /System ]; then
-    installBrewPackage "expect"
+    ### gsed
     installBrewPackage "gsed"
+    ### unbuffer / expect
+    if ! command -v unbuffer > /dev/null; then
+      installBrewPackage "expect"
+    fi
+    ### gtimeout / coreutils
     if ! command -v gtimeout > /dev/null; then
       brew install --quiet coreutils
     fi
+    ### ts / moreutils
     if ! command -v ts > /dev/null; then
       brew install --quiet moreutils
     fi
@@ -683,7 +719,11 @@ provisionLogic() {
   logg info "Applying passwordless sudo" && setupPasswordlessSudo
   logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
   logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
-  logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
+  if [ -d /Applications ] && [ -d /System ]; then
+    ### macOS only
+    logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
+    logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
+  fi
   logg info "Ensuring Homebrew is available" && ensureHomebrew
   logg info "Installing Homebrew packages" && ensureHomebrewDeps
   logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0

scripts/src/provision.sh.tmpl

@@ -81,6 +81,8 @@ setEnvironmentVariables() {
 {{ include "partials" "homebrew" }}
 {{ include "partials" "reboot" }}
 {{ include "partials" "full-disk-access" }}
+{{ include "partials" "import-cloudflare-certificate" }}
+
 # @description Load default settings if it is in a CI setting
 setCIEnvironmentVariables() {
   if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
@@ -255,11 +257,17 @@ ensureHomebrewDeps() {
 
   ### macOS
   if [ -d /Applications ] && [ -d /System ]; then
-    installBrewPackage "expect"
+    ### gsed
     installBrewPackage "gsed"
+    ### unbuffer / expect
+    if ! command -v unbuffer > /dev/null; then
+      installBrewPackage "expect"
+    fi
+    ### gtimeout / coreutils
     if ! command -v gtimeout > /dev/null; then
       brew install --quiet coreutils
     fi
+    ### ts / moreutils
     if ! command -v ts > /dev/null; then
       brew install --quiet moreutils
     fi
@@ -403,7 +411,11 @@ provisionLogic() {
   logg info "Applying passwordless sudo" && setupPasswordlessSudo
   logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
   logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
-  logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
+  if [ -d /Applications ] && [ -d /System ]; then
+    ### macOS only
+    logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
+    logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
+  fi
   logg info "Ensuring Homebrew is available" && ensureHomebrew
   logg info "Installing Homebrew packages" && ensureHomebrewDeps
   logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0