Update 28 files
- /home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl - /home/.chezmoiscripts/run_onchange_after_endlessh.tmpl - /home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl - /home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl - /home/.chezmoiscripts/run_onchange_after_sshd.tmpl - /home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl - /home/.chezmoiscripts/run_onchange_ensure-executable.tmpl - /home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl - /home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl - /home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl - /home/.chezmoitemplates/ssh/authorized-keys.yubikey - /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl - /home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl - /home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl - /home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl - /home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl - /home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl - /home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl - /home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl
This commit is contained in:
parent
a2748ba201
commit
2f9a236021
19 changed files with 109 additions and 53 deletions
|
@ -1,3 +1,4 @@
|
|||
{{- if (eq .host.distro.family "linux") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Linux Required Dependencies
|
||||
# @brief Ensures commonly used system packages that are common dependencies of other packages are installed
|
||||
|
@ -237,4 +238,5 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
|
|||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
{{ end -}}
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
{{- if (eq .host.distro.family "linux") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Linux System Tweaks
|
||||
# @brief Applies a set of generic Linux system tweaks such as ensuring the hostname is set, setting the timezone, and more
|
||||
|
@ -27,3 +28,4 @@ if command -v sysctl > /dev/null; then
|
|||
logg info 'Increasing vm.max_map_count size to 262144'
|
||||
sudo sysctl -w vm.max_map_count=262144 > /dev/null
|
||||
fi
|
||||
{{ end -}}
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
{{- if (eq .host.distro.family "linux") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Linux Swap
|
||||
# @brief Determines the ideal size `/swapfile`, ensures it exists, and then enables it on Linux systems
|
||||
|
@ -55,3 +56,4 @@ if [ ! -f /swapfile ]; then
|
|||
fi
|
||||
fi
|
||||
fi
|
||||
{{ end -}}
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
{{- if (eq .host.distro.family "linux") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file CloudFlare WARP Repository
|
||||
# @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems
|
||||
|
@ -30,3 +31,4 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
|
|||
sudo apt-get update
|
||||
fi
|
||||
fi
|
||||
{{ end -}}
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
{{- if eq .host.distro.family "darwin" -}}
|
||||
#!/usr/bin/env bash
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
{{ $fontFiles := (output "find" (joinPath .chezmoi.homeDir ".local" "share" "fonts") "-type" "f") -}}
|
||||
{{- range $fontFile := splitList "\n" $fontFiles -}}
|
||||
{{- if ne $fontFile "" -}}
|
||||
# {{ $fontFile }} hash: {{ $fontFile | sha256sum }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
|
||||
### Ensure all fonts are added to ~/Library/Fonts on macOS
|
||||
find "$HOME/.local/share/fonts" -type f | while read FONT_FILE; do
|
||||
BASENAME="$(basename "$FONT_FILE")"
|
||||
if [ ! -f "$HOME/Library/Fonts/$BASENAME" ] || [ "$(openssl sha256 "$HOME/Library/Fonts/$BASENAME" | sed 's/.*= //')" != "$(openssl sha256 "$FONT_FILE" | sed 's/.*= //')" ]; then
|
||||
logg info 'Adding '"$BASENAME"' to ~/Library/Fonts'
|
||||
cp "$FONT_FILE" "$HOME/Library/Fonts/$BASENAME"
|
||||
fi
|
||||
done
|
||||
|
||||
{{ end -}}
|
|
@ -1,11 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Ensure id_rsa is present and create one if it does not exist
|
||||
if [ ! -f "$HOME/.ssh/id_rsa" ]; then
|
||||
logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
|
||||
ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
|
||||
chmod 600 "$HOME/.ssh/id_rsa"
|
||||
fi
|
|
@ -1,16 +0,0 @@
|
|||
{{- if (ne .host.distro.family "windows") -}}
|
||||
#!/usr/bin/env bash
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Symlink custom code for Neovim configuration
|
||||
if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
|
||||
logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
|
||||
ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
else
|
||||
logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
fi
|
||||
|
||||
{{ end -}}
|
|
@ -1,4 +1,9 @@
|
|||
#!/usr/bin/env bash
|
||||
# @file Ensure Local Bin Executable
|
||||
# @brief Ensures all the scripts located in `~/.local/bin` have executable permissions
|
||||
# @description
|
||||
# This script cycles through the scripts in `~/.local/bin` are executable. It only cycles through
|
||||
# the scripts that are exactly one level deep in the `~/.local/bin` folder.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
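Review bot: The added description sentence is ungrammatical: `# This script cycles through the scripts in ~/.local/bin are executable.` does not say what the script does with them. Suggest `# This script ensures that the scripts in ~/.local/bin are executable. It only cycles through` and keep the following line as is. The loop itself is outside this hunk.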
|
|
@ -1,5 +1,15 @@
|
|||
{{- if (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Decrypt SSH Keys
|
||||
# @brief Decrypts the encrypted SSH key files stored in the `home/.chezmoitemplates/ssh` folder of the repository / fork
|
||||
# @description
|
||||
# This script decrypts the SSH key files that are housed in the `home/.chezmoitemplates/ssh` section of the repository.
|
||||
# It loops through all the files in `home/.chezmoitemplates/ssh` and stores them to the `~/.ssh` folder
|
||||
# when they are successfully decrypted.
|
||||
#
|
||||
# ## Secrets
|
||||
#
|
||||
# For more information about storing secrets like SSH keys and API keys, refer to our [Secrets documentation](https://install.doctor/docs/customization/secrets).
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
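Review bot: The new header states that decrypted files are stored in `~/.ssh` but not what file mode they end up with, which is the first thing a reader checks for a script that writes private keys. Add one line to the description stating the mode the loop applies to each decrypted key (for example `# Each decrypted key is written with mode <MODE, confirm against the loop body>.`). The decryption loop is outside this hunk, so the value cannot be quoted from here.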
|
|
@ -0,0 +1,17 @@
|
|||
#!/usr/bin/env bash
|
||||
# @file Default SSH Key
|
||||
# @brief Create a default `id_rsa` SSH key if one is not present in the repository / fork of Install Doctor
|
||||
# @description
|
||||
# This script generates a pair of default `id_rsa` and `id_rsa.pub` keys if one is not already present
|
||||
# on the system after the Install Doctor provisioning process completes. It also ensures the private
|
||||
# key is only readable and writable the provisioning user.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Ensure id_rsa is present and create one if it does not exist
|
||||
if [ ! -f "$HOME/.ssh/id_rsa" ]; then
|
||||
logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
|
||||
ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
|
||||
chmod 600 "$HOME/.ssh/id_rsa"
|
||||
fi
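Review bot: `ssh-keygen -f "$HOME/.ssh/id_rsa"` fails when `~/.ssh` does not exist, and the guard only checks for the key file, not its directory, so on a fresh user (unless an earlier script has created the folder, which this file does not show) no key is generated. Create the directory with a restrictive mode on the line before `ssh-keygen`: `mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"`. The `logg 'Generating ...'` call omits the level that the sibling scripts pass (`logg info ...`). The header line `key is only readable and writable the provisioning user` is missing a word: `# key is only readable and writable by the provisioning user.`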
|
|
@ -1,4 +1,9 @@
|
|||
#!/usr/bin/env bash
|
||||
# @file Generate Missing Public SSH Keys
|
||||
# @brief Attempts to create missing public SSH keys for all private keys that are missing a public key file
|
||||
# @description
|
||||
# Using private SSH keys, you can generate the corresponding public key. This script ensures that any SSH private key
|
||||
# that does not have a matching `.pub` public key file has one generated.
|
||||
|
||||
{{ $sshFiles := (output "find" (joinPath .chezmoi.homeDir ".ssh") "-type" "f") -}}
|
||||
{{- range $sshFile := splitList "\n" $sshFiles -}}
|
|
@ -0,0 +1,26 @@
|
|||
{{- if (ne .host.distro.family "windows") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file NvChad NVIM Customization Symlink
|
||||
# @brief Symlinks `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to the main NVIM configuration
|
||||
# @description
|
||||
# NVIM is a visual text editor for the terminal. It is like a fancy, improved version of VIM with compatibility
|
||||
# for the same plugins and some other ones as well. The default configuration of Install Doctor integrates
|
||||
# a well-received and popular shared NVIM configuration called [NvChad](https://github.com/NvChad/NvChad).
|
||||
#
|
||||
# To make it easy to update NVIM to the latest version as well as introduce custom configuration parameters for NvChad,
|
||||
# this script symlinks the custom configuration from `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to `${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom`
|
||||
# which is the location that NvChad's documentation recommends placing custom settings in.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Symlink custom code for Neovim configuration
|
||||
if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
|
||||
logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
|
||||
ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
else
|
||||
logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
|
||||
fi
|
||||
|
||||
{{ end -}}
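Review bot: The `else` branch reports that `nvim-custom` "appears to already be symlinked" whenever `nvim/lua/custom` exists, but `[ -d ]` is true for a real directory (for example one NvChad created) as well as for a symlink, so the message can be wrong and a user's local files are silently left in place without saying so; `ln -s` in the first branch also fails if `nvim/lua` has not been created yet. Test for a link with `-L`, treat a non-link path as its own case, and create the parent before linking. The rewritten conditional follows; the template guard and the two includes are unchanged.
```shell
### Symlink custom code for Neovim configuration
NVIM_CUSTOM_SRC="${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
NVIM_CUSTOM_DEST="${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
if [ -L "$NVIM_CUSTOM_DEST" ]; then
  logg info "$NVIM_CUSTOM_SRC appears to already be symlinked to $NVIM_CUSTOM_DEST"
elif [ -e "$NVIM_CUSTOM_DEST" ]; then
  # A real file/directory is already there; do not replace user content
  logg info "$NVIM_CUSTOM_DEST exists and is not a symlink - leaving it untouched"
else
  logg info "Linking $NVIM_CUSTOM_SRC to $NVIM_CUSTOM_DEST"
  logg info "Changes should go in $NVIM_CUSTOM_SRC"
  mkdir -p "${NVIM_CUSTOM_DEST%/*}"
  ln -s "$NVIM_CUSTOM_SRC" "$NVIM_CUSTOM_DEST"
fi
```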
|
|
@ -1,6 +1,6 @@
|
|||
{{- if (eq .host.distro.family "linux") -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Fonts
|
||||
# @file Linux Fonts
|
||||
# @brief Ensures fonts are available at the system level and, on Linux, it configures the system font settings.
|
||||
# @description
|
||||
# This script is utilized to ensure the same fonts are consistently used across the system.
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
#
|
||||
# ## Links
|
||||
#
|
||||
# * [`run_onchange_after_24-vpn-darwin.sh.tmpl`](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl)
|
||||
# * [VPN profile folder](https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/vpn)
|
||||
# * [VPN profile documentation](https://install.doctor/docs/customization/secrets#vpn-profiles)
|
||||
|
|
@ -1,5 +1,21 @@
|
|||
{{- if eq .host.distro.family "linux" -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Endlessh Configuration
|
||||
# @brief Applies the Endlessh configuration and starts the service on Linux systems
|
||||
# @description
|
||||
# Endlessh is a endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default
|
||||
# SSH port. It is intended to break unsophisticated malware that targets SSH.
|
||||
#
|
||||
# If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
|
||||
# (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
|
||||
#
|
||||
# **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
|
||||
# is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
|
||||
#
|
||||
# ## Links
|
||||
#
|
||||
# * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
|
||||
# * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
|
||||
|
||||
# endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
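Review bot: Typo in the added description: `Endlessh is a endless SSH tarpit` should read `# Endlessh is an endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default`. The rest of the new header reads fine.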
|
||||
|
|
@ -1,5 +1,14 @@
|
|||
{{- if ne .host.distro.family "windows" -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file SSHD Configuration
|
||||
# @brief Applies SSHD system configuration and then restarts / enables the SSH server
|
||||
# @description
|
||||
# This script applies the SSH server MOTD banner and `sshd_config` (which are housed in the `home/private_dot_ssh/system` location)
|
||||
# to the system by copying the files to the system location and then restarting / enabling the system SSH server.
|
||||
#
|
||||
# ## Links
|
||||
#
|
||||
# * [System SSHD configurations](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/system)
|
||||
|
||||
# sshd_config hash: {{- include (joinPath .host.home ".ssh" "system" "sshd_config") | sha256sum -}}
|
||||
# banner hash: {{- include (joinPath .host.home ".ssh" "system" "banner") | sha256sum -}}
|
|
@ -1,5 +1,16 @@
|
|||
{{- if eq .host.distro.family "linux" -}}
|
||||
#!/usr/bin/env bash
|
||||
# @file Fail2ban Configuration
|
||||
# @brief Applies the system `fail2ban` jail configuration and then restarts the service
|
||||
# @description
|
||||
# Fail2ban is an SSH security program that temporarily bans IP addresses that could possibly be
|
||||
# attempting to gain unauthorized system access. This script applies the "jail" configuration
|
||||
# located at `home/private_dot_ssh/fail2ban/` to the system location. It then enables and restarts
|
||||
# the `fail2ban` configuration.
|
||||
#
|
||||
# ## Links
|
||||
#
|
||||
# * [`fail2ban` configuration folder](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/fail2ban)
|
||||
|
||||
# jail.local hash: {{- include (joinPath .host.home ".ssh" "fail2ban" "jail.local") | sha256sum -}}
|
||||
|