ff29ee6347
commit
221e070193
4 changed files with 85 additions and 5 deletions
|
@ -29,7 +29,7 @@ configureMacOSVNC() {
|
|||
# Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
|
||||
# To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
|
||||
# Only enable when computer is not a corporate / work computer
|
||||
logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
|
||||
logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
|
||||
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
|
||||
fi
|
||||
}
|
||||
|
|
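Review bot: The kickstart invocation that the changed log line introduces passes the VNC password on the command line (`-setvncpw -vncpw "..."`) and turns on legacy VNC authentication (`-setvnclegacy -vnclegacy yes`), so while kickstart runs the password is visible in the process list, and it ends up in any trace output if this script is ever run with `set -x`; legacy VNC authentication is also generally weaker than the Apple-native mode. Assuming the `**macOS Manual Security Permission**` variant is the added line, it would help to state the fallback there explicitly, e.g. `logg info '**macOS Manual Security Permission** Enabling VNC with the VNC_PASSWORD secret/variable; when neither is set the well-known default vncpass is used'`. configureMacOSVNC's body starts outside this hunk.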
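--- /dev/null
+++ b/scripts/partials/import-cloudflare-certificate
@@ -0,0 +1,28 @@
+# @description Applies changes that require input from the user such as using Touch ID on macOS when
+# importing certificates into the system keychain.
+#
+# * Ensures CloudFlare Teams certificate is imported into the system keychain
+importCloudFlareCert() {
+if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
+### Acquire certificate
+if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
+CRT_TMP="$(mktemp)"
+curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
+else
+CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+fi
+
+### Validate / import certificate
+security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
+if [ $? != 0 ]; then
+logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
+fi
+
+### Remove temporary file, if necessary
+if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
+rm -f "$CRT_TMP"
+fi
+fi
+}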
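Review bot: The file that `curl -sSL ... > "$CRT_TMP"` writes is handed straight to `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain` with no check that the download succeeded and no comparison against a known fingerprint, so a failed or tampered fetch (an HTTP error page, a truncated body, a substituted certificate) is the only input between the network and a new trust root in the System keychain. Adding a trust root is the highest-impact action in this partial: I would use `curl -fsSL ... -o "$CRT_TMP"` and bail out when it fails, and pin the SHA-256 fingerprint of Cloudflare_CA.crt (checked with `openssl x509 -noout -fingerprint -sha256`) before the `verify-cert`/`add-trusted-cert` step, as sketched below. The same body is copied verbatim into the `@ -361,6 +361,36 @@` hunk of the next file section (presumably the rendered copy of this partial), so the fix has to land there too or that copy be regenerated. As a smaller point, `security verify-cert ... ; if [ $? != 0 ]` reads more naturally as `if ! security verify-cert -c "$CRT_TMP" > /dev/null 2>&1; then`.
```shell
### Acquire certificate
if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
  logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
  CRT_TMP="$(mktemp)"
  # -f makes curl fail on HTTP errors instead of writing an error page into the file
  if ! curl -fsSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt -o "$CRT_TMP"; then
    logg info 'Failed to download Cloudflare_CA.crt - skipping trust root import'
    rm -f "$CRT_TMP"
    return 1
  fi
else
  CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
fi

### Pin the certificate before it can become a trust root
# PLACEHOLDER: replace with the SHA-256 fingerprint Cloudflare publishes for Cloudflare_CA.crt
EXPECTED_FINGERPRINT='<SHA256_FINGERPRINT_PLACEHOLDER>'
ACTUAL_FINGERPRINT="$(openssl x509 -in "$CRT_TMP" -noout -fingerprint -sha256 | cut -d= -f2)"
if [ "$ACTUAL_FINGERPRINT" != "$EXPECTED_FINGERPRINT" ]; then
  logg info "Cloudflare_CA.crt fingerprint $ACTUAL_FINGERPRINT does not match the pinned value - refusing to import it"
  [ "$CRT_TMP" != "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ] && rm -f "$CRT_TMP"
  return 1
fi

### Validate / import certificate
if ! security verify-cert -c "$CRT_TMP" > /dev/null 2>&1; then
  # … unchanged: logg info + sudo security add-trusted-cert …
fi

# … unchanged: temporary file removal …
```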
@ -361,6 +361,36 @@ ensureFullDiskAccess() {
|
|||
fi
|
||||
}
|
||||
|
||||
# @description Applies changes that require input from the user such as using Touch ID on macOS when
|
||||
# importing certificates into the system keychain.
|
||||
#
|
||||
# * Ensures CloudFlare Teams certificate is imported into the system keychain
|
||||
importCloudFlareCert() {
|
||||
if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
|
||||
### Acquire certificate
|
||||
if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
|
||||
logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
|
||||
CRT_TMP="$(mktemp)"
|
||||
curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
|
||||
else
|
||||
CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
|
||||
fi
|
||||
|
||||
### Validate / import certificate
|
||||
security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
|
||||
if [ $? != 0 ]; then
|
||||
logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
|
||||
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
|
||||
fi
|
||||
|
||||
### Remove temporary file, if necessary
|
||||
if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
|
||||
rm -f "$CRT_TMP"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# @description Load default settings if it is in a CI setting
|
||||
setCIEnvironmentVariables() {
|
||||
if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
|
||||
|
@ -535,11 +565,17 @@ ensureHomebrewDeps() {
|
|||
|
||||
### macOS
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
installBrewPackage "expect"
|
||||
### gsed
|
||||
installBrewPackage "gsed"
|
||||
### unbuffer / expect
|
||||
if ! command -v unbuffer > /dev/null; then
|
||||
installBrewPackage "expect"
|
||||
fi
|
||||
### gtimeout / coreutils
|
||||
if ! command -v gtimeout > /dev/null; then
|
||||
brew install --quiet coreutils
|
||||
fi
|
||||
### ts / moreutils
|
||||
if ! command -v ts > /dev/null; then
|
||||
brew install --quiet moreutils
|
||||
fi
|
||||
|
@ -683,7 +719,11 @@ provisionLogic() {
|
|||
logg info "Applying passwordless sudo" && setupPasswordlessSudo
|
||||
logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
|
||||
logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
|
||||
logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
### macOS only
|
||||
logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
|
||||
logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
|
||||
fi
|
||||
logg info "Ensuring Homebrew is available" && ensureHomebrew
|
||||
logg info "Installing Homebrew packages" && ensureHomebrewDeps
|
||||
logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0
|
||||
|
|
|
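Review bot: In the ensureHomebrewDeps hunk (`@ -535,11 +565,17 @@`) the `gtimeout` and `ts` branches call `brew install --quiet coreutils` and `brew install --quiet moreutils` directly while the neighbouring `gsed` and `expect` lines go through the `installBrewPackage` helper; unless the helper does something these two packages must avoid, they should read `installBrewPackage "coreutils"` and `installBrewPackage "moreutils"` so whatever logging or failure handling the helper provides applies uniformly. The rendered view does not show which of these lines are additions and which are context, so part of this may predate the commit. The same hunk appears again in the last file section at `@ -255,11 +257,17 @@`, and the importCloudFlareCert body inserted at `@ -361,6 +361,36 @@` here is a verbatim copy of the new `scripts/partials/import-cloudflare-certificate` file (which the last section pulls in via `{{ include "partials" "import-cloudflare-certificate" }}`), so if this file is hand-maintained rather than generated, any change to the partial must be mirrored here.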
@ -81,6 +81,8 @@ setEnvironmentVariables() {
|
|||
{{ include "partials" "homebrew" }}
|
||||
{{ include "partials" "reboot" }}
|
||||
{{ include "partials" "full-disk-access" }}
|
||||
{{ include "partials" "import-cloudflare-certificate" }}
|
||||
|
||||
# @description Load default settings if it is in a CI setting
|
||||
setCIEnvironmentVariables() {
|
||||
if [ -n "$CI" ] || [ -n "$TEST_INSTALL" ]; then
|
||||
|
@ -255,11 +257,17 @@ ensureHomebrewDeps() {
|
|||
|
||||
### macOS
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
installBrewPackage "expect"
|
||||
### gsed
|
||||
installBrewPackage "gsed"
|
||||
### unbuffer / expect
|
||||
if ! command -v unbuffer > /dev/null; then
|
||||
installBrewPackage "expect"
|
||||
fi
|
||||
### gtimeout / coreutils
|
||||
if ! command -v gtimeout > /dev/null; then
|
||||
brew install --quiet coreutils
|
||||
fi
|
||||
### ts / moreutils
|
||||
if ! command -v ts > /dev/null; then
|
||||
brew install --quiet moreutils
|
||||
fi
|
||||
|
@ -403,7 +411,11 @@ provisionLogic() {
|
|||
logg info "Applying passwordless sudo" && setupPasswordlessSudo
|
||||
logg info "Ensuring system Homebrew dependencies are installed" && ensureBasicDeps
|
||||
logg info "Cloning / updating source repository" && cloneChezmoiSourceRepo
|
||||
logg info "Ensuring full disk access on macOS" && ensureFullDiskAccess
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
### macOS only
|
||||
logg info "Ensuring full disk access from current terminal application" && ensureFullDiskAccess
|
||||
logg info "Ensuring CloudFlare certificate imported into system certificates" && importCloudFlareCert
|
||||
fi
|
||||
logg info "Ensuring Homebrew is available" && ensureHomebrew
|
||||
logg info "Installing Homebrew packages" && ensureHomebrewDeps
|
||||
logg info "Handling Qubes dom0 logic (if applicable)" && handleQubesDom0
|
||||
|
|