Latest
This commit is contained in:
parent
21a87bd72d
commit
259bb8343a
5 changed files with 104 additions and 1 deletions
|
@ -26,6 +26,11 @@
|
|||
type = "file"
|
||||
url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem"
|
||||
|
||||
### Curl / Google Cloud SDK
|
||||
[".local/share/curl/cacert.pem"]
|
||||
type = "file"
|
||||
url = "https://curl.se/ca/cacert.pem"
|
||||
|
||||
### Betelgeuse Theme
|
||||
[".local/src/betelgeuse"]
|
||||
type = "git-repo"
|
||||
|
|
|
@ -10,10 +10,11 @@
|
|||
# ## MDM Configuration
|
||||
#
|
||||
# If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
|
||||
# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following two secrets:
|
||||
# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:
|
||||
#
|
||||
# 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
|
||||
# 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
|
||||
# 3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file.
|
||||
#
|
||||
# The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
|
||||
#
|
||||
|
@ -23,6 +24,21 @@
|
|||
# network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
|
||||
# finishes by connecting to CloudFlare Teams.
|
||||
#
|
||||
# ## Application Certificates
|
||||
#
|
||||
# This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)
|
||||
# to configure the following utilities that leverage seperate certificate authorities:
|
||||
#
|
||||
# * Python
|
||||
# * NPM
|
||||
# * Git
|
||||
# * Google Cloud SDK
|
||||
# * AWS CLI
|
||||
# * Google Drive for desktop
|
||||
#
|
||||
# Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files
|
||||
# outside of this script.
|
||||
#
|
||||
# ## Notes
|
||||
#
|
||||
# According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
|
||||
|
@ -109,9 +125,76 @@ if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; th
|
|||
else
|
||||
logg warn 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/openssl@3/certs` and `/opt/homebrew/etc/openssl@3/certs` do not exist!'
|
||||
fi
|
||||
elif command -v warp-cli > /dev/null; then
|
||||
# System is Linux
|
||||
if command -v dpkg-reconfigure > /dev/null; then
|
||||
if [ -d /usr/local/share/ca-certificates ]; then
|
||||
logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'
|
||||
sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt
|
||||
logg info '`dpkg-reconfigure` executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'
|
||||
sudo dpkg-reconfigure ca-certificates
|
||||
else
|
||||
logg warn
|
||||
fi
|
||||
elif command -v update-ca-trust > /dev/null; then
|
||||
if [ -d /etc/pki/ca-trust/source/anchors ]; then
|
||||
logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'
|
||||
sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors
|
||||
logg info '`update-ca-trust` executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'
|
||||
sudo update-ca-trust
|
||||
else
|
||||
logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if command -v git > /dev/null; then
|
||||
#
|
||||
|
||||
|
||||
if command -v warp-cli > /dev/null; then
|
||||
### Application certificate configuration
|
||||
|
||||
### Git
|
||||
if command -v git > /dev/null; then
|
||||
logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
|
||||
git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
|
||||
fi
|
||||
|
||||
### NPM
|
||||
if command -v npm > /dev/null; then
|
||||
logg info "Configuring `npm` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
|
||||
npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
|
||||
fi
|
||||
|
||||
### Python
|
||||
if command -v python3 > /dev/null; then
|
||||
logg info "Configuring `python3` / `python` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
|
||||
echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
|
||||
fi
|
||||
|
||||
### Google Cloud SDK
|
||||
if command -v gcloud > /dev/null; then
|
||||
logg info "Configuring `gcloud` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
|
||||
mkdir -p "${XDG_DATA_HOME:$HOME/.local/share}/gcloud"
|
||||
cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
|
||||
gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
|
||||
fi
|
||||
|
||||
### Google Drive for desktop (macOS)
|
||||
if [ -d "/Applications/Google Drive.app" ]; then
|
||||
if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
|
||||
logg info "Combining Google Drive roots.pem with CloudFlare certificate"
|
||||
mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
|
||||
cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
|
||||
sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
|
||||
else
|
||||
logg warn 'Google Drive.app installed but roots.pem is not available yet'
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
### Ensure MDM settings are applied (deletes after reboot on macOS)
|
||||
### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
|
||||
# Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
|
||||
|
|
|
@ -107,6 +107,7 @@ user_pref('privacy.trackingprotection.fingerprinting.enabled', true)
|
|||
user_pref('privacy.trackingprotection.pbmode.enabled', true)
|
||||
user_pref('privacy.usercontext.about_newtab_segregation.enabled', true)
|
||||
user_pref('prompts.tab_modal.enabled', false)
|
||||
user_pref('security.enterprise_roots.enabled', true)
|
||||
user_pref('security.fileuri.origin_policy', 3)
|
||||
user_pref('security.fileuri.strict_origin_policy', false)
|
||||
user_pref('security.ssl.disable_session_identifiers', true)
|
||||
|
|
|
@ -103,6 +103,9 @@ export ASDF_PYTHON_DEFAULT_PACKAGES_FILE="$XDG_CONFIG_HOME/asdf/default-python-p
|
|||
### AWS CLI
|
||||
export AWS_SHARED_CREDENTIALS_FILE="$XDG_CONFIG_HOME/aws/credentials"
|
||||
export AWS_CONFIG_FILE="$XDG_CONFIG_HOME/aws/config"
|
||||
if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" ]; then
|
||||
export AWS_CA_BUNDLE="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
|
||||
fi
|
||||
|
||||
### Azure CLI
|
||||
export AZURE_CONFIG_DIR="$XDG_CONFIG_HOME/azure"
|
||||
|
@ -274,6 +277,9 @@ fi
|
|||
|
||||
### Node.js
|
||||
export NODE_REPL_HISTORY="$XDG_DATA_HOME/node_repl_history"
|
||||
if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" ]; then
|
||||
export NODE_EXTRA_CA_CERTS="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
|
||||
fi
|
||||
|
||||
### NPM
|
||||
export NPM_CONFIG_USERCONFIG="$XDG_CONFIG_HOME/npm/npmrc"
|
||||
|
@ -315,6 +321,13 @@ export PATH="$PATH:$PNPM_HOME"
|
|||
# Specify location of the default Prettierd configuration
|
||||
# export PRETTIERD_DEFAULT_CONFIG=""
|
||||
|
||||
### Python
|
||||
if command -v python3 > /dev/null; then
|
||||
export CERT_PATH="$(python3 -m certifi)"
|
||||
export SSL_CERT_FILE="$CERT_PATH"
|
||||
export REQUESTS_CA_BUNDLE="$CERT_PATH"
|
||||
fi
|
||||
|
||||
### Readline
|
||||
export INPUTRC="$XDG_CONFIG_HOME/readline/inputrc"
|
||||
|
||||
|
|
|
@ -79,6 +79,7 @@ pref("privacy.trackingprotection.enabled", true);
|
|||
pref("privacy.trackingprotection.fingerprinting.enabled", true);
|
||||
pref("privacy.trackingprotection.pbmode.enabled", true);
|
||||
pref("privacy.usercontext.about_newtab_segregation.enabled", true);
|
||||
pref("security.enterprise_roots.enabled", true)
|
||||
pref("security.ssl.disable_session_identifiers", true);
|
||||
pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSponsoredTopSite", false);
|
||||
pref("signon.autofillForms", false);
|
||||
|
|
Loading…
Reference in a new issue