Update 28 files

- /home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl
- /home/.chezmoiscripts/run_onchange_after_endlessh.tmpl
- /home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl
- /home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl
- /home/.chezmoiscripts/run_onchange_after_sshd.tmpl
- /home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl
- /home/.chezmoiscripts/run_onchange_ensure-executable.tmpl
- /home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl
- /home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl
- /home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl
- /home/.chezmoitemplates/ssh/authorized-keys.yubikey
- /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl
- /home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl
- /home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl
This commit is contained in:
Brian Zalewski 2023-04-15 23:14:30 +00:00
parent a2748ba201
commit 2f9a236021
19 changed files with 109 additions and 53 deletions


@ -1,3 +1,4 @@
{{- if (eq .host.distro.family "linux") -}}
#!/usr/bin/env bash
# @file Linux Required Dependencies
# @brief Ensures commonly used system packages that are common dependencies of other packages are installed
@ -237,4 +238,5 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
fi
fi
done
fi
fi
{{ end -}}


@ -1,3 +1,4 @@
{{- if (eq .host.distro.family "linux") -}}
#!/usr/bin/env bash
# @file Linux System Tweaks
# @brief Applies a set of generic Linux system tweaks such as ensuring the hostname is set, setting the timezone, and more
@ -27,3 +28,4 @@ if command -v sysctl > /dev/null; then
logg info 'Increasing vm.max_map_count size to 262144'
sudo sysctl -w vm.max_map_count=262144 > /dev/null
fi
{{ end -}}


@ -1,3 +1,4 @@
{{- if (eq .host.distro.family "linux") -}}
#!/usr/bin/env bash
# @file Linux Swap
# @brief Determines the ideal size `/swapfile`, ensures it exists, and then enables it on Linux systems
@ -55,3 +56,4 @@ if [ ! -f /swapfile ]; then
fi
fi
fi
{{ end -}}


@ -1,3 +1,4 @@
{{- if (eq .host.distro.family "linux") -}}
#!/usr/bin/env bash
# @file CloudFlare WARP Repository
# @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems
@ -30,3 +31,4 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
sudo apt-get update
fi
fi
{{ end -}}


@ -1,23 +0,0 @@
{{- if eq .host.distro.family "darwin" -}}
#!/usr/bin/env bash
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
{{ $fontFiles := (output "find" (joinPath .chezmoi.homeDir ".local" "share" "fonts") "-type" "f") -}}
{{- range $fontFile := splitList "\n" $fontFiles -}}
{{- if ne $fontFile "" -}}
# {{ $fontFile }} hash: {{ $fontFile | sha256sum }}
{{ end -}}
{{- end }}
### Ensure all fonts are added to ~/Library/Fonts on macOS
find "$HOME/.local/share/fonts" -type f | while read FONT_FILE; do
BASENAME="$(basename "$FONT_FILE")"
if [ ! -f "$HOME/Library/Fonts/$BASENAME" ] || [ "$(openssl sha256 "$HOME/Library/Fonts/$BASENAME" | sed 's/.*= //')" != "$(openssl sha256 "$FONT_FILE" | sed 's/.*= //')" ]; then
logg info 'Adding '"$BASENAME"' to ~/Library/Fonts'
cp "$FONT_FILE" "$HOME/Library/Fonts/$BASENAME"
fi
done
{{ end -}}


@ -1,11 +0,0 @@
#!/usr/bin/env bash
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Ensure id_rsa is present and create one if it does not exist
if [ ! -f "$HOME/.ssh/id_rsa" ]; then
logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
chmod 600 "$HOME/.ssh/id_rsa"
fi


@ -1,16 +0,0 @@
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Symlink custom code for Neovim configuration
if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
else
logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
fi
{{ end -}}


@ -1,4 +1,9 @@
#!/usr/bin/env bash
# @file Ensure Local Bin Executable
# @brief Ensures all the scripts located in `~/.local/bin` have executable permissions
# @description
# This script cycles through the scripts in `~/.local/bin` are executable. It only cycles through
# the scripts that are exactly one level deep in the `~/.local/bin` folder.
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
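Review bot: The sentence `# This script cycles through the scripts in ~/.local/bin are executable.` in the new header is ungrammatical and does not say what the script actually does to the files; I would write `# This script ensures the scripts located directly in ~/.local/bin are executable.` The body that applies the permission change is outside this hunk. If it applies a blanket `chmod +x` to every regular file at that level, the header should say so, since that turns any file dropped into `~/.local/bin` into a runnable program without further review.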


@ -1,5 +1,15 @@
{{- if (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) -}}
#!/usr/bin/env bash
# @file Decrypt SSH Keys
# @brief Decrypts the encrypted SSH key files stored in the `home/.chezmoitemplates/ssh` folder of the repository / fork
# @description
# This script decrypts the SSH key files that are housed in the `home/.chezmoitemplates/ssh` section of the repository.
# It loops through all the files in `home/.chezmoitemplates/ssh` and stores them to the `~/.ssh` folder
# when they are successfully decrypted.
#
# ## Secrets
#
# For more information about storing secrets like SSH keys and API keys, refer to our [Secrets documentation](https://install.doctor/docs/customization/secrets).
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
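Review bot: The new `@description` says decrypted key files are stored in `~/.ssh` but does not say what permissions they get or what happens to a file that fails to decrypt, which is exactly what a reader of a secrets-handling script needs to know; the loop body is outside this hunk, so I cannot confirm what it does. If it matches the code, add a line such as `# Decrypted private keys are written with 0600 permissions; files that fail to decrypt are skipped and never written to ~/.ssh.` It is also worth stating that the age identity at `~/.config/age/chezmoi.txt`, which the guard on line 1 keys off, must itself be readable only by the user, because anyone who can read it can decrypt every key committed to the repository.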


@ -0,0 +1,17 @@
#!/usr/bin/env bash
# @file Default SSH Key
# @brief Create a default `id_rsa` SSH key if one is not present in the repository / fork of Install Doctor
# @description
# This script generates a pair of default `id_rsa` and `id_rsa.pub` keys if one is not already present
# on the system after the Install Doctor provisioning process completes. It also ensures the private
# key is only readable and writable the provisioning user.
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Ensure id_rsa is present and create one if it does not exist
if [ ! -f "$HOME/.ssh/id_rsa" ]; then
logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
chmod 600 "$HOME/.ssh/id_rsa"
fi
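Review bot: `ssh-keygen -f "$HOME/.ssh/id_rsa"` fails when `~/.ssh` does not exist yet, because ssh-keygen does not create parent directories; add `mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"` before the `if`. The key is generated with an empty passphrase (`-N ""`), which the header should state explicitly, e.g. `# The generated key has no passphrase, so its protection relies entirely on the 0600 file mode set below.`; the `@description` also has a typo, `writable the provisioning user` should read `writable by the provisioning user`. For consistency with the other scripts in this commit, `logg 'Generating ...'` should probably be `logg info 'Generating ...'`.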


@ -1,4 +1,9 @@
#!/usr/bin/env bash
# @file Generate Missing Public SSH Keys
# @brief Attempts to create missing public SSH keys for all private keys that are missing a public key file
# @description
# Using private SSH keys, you can generate the corresponding public key. This script ensures that any SSH private key
# that does not have a matching `.pub` public key file has one generated.
{{ $sshFiles := (output "find" (joinPath .chezmoi.homeDir ".ssh") "-type" "f") -}}
{{- range $sshFile := splitList "\n" $sshFiles -}}


@ -0,0 +1,26 @@
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
# @file NvChad NVIM Customization Symlink
# @brief Symlinks `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to the main NVIM configuration
# @description
# NVIM is a visual text editor for the terminal. It is like a fancy, improved version of VIM with compatibility
# for the same plugins and some other ones as well. The default configuration of Install Doctor integrates
# a well-received and popular shared NVIM configuration called [NvChad](https://github.com/NvChad/NvChad).
#
# To make it easy to update NVIM to the latest version as well as introduce custom configuration parameters for NvChad,
# this script symlinks the custom configuration from `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to `${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom`
# which is the location that NvChad's documentation recommends placing custom settings in.
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Symlink custom code for Neovim configuration
if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
else
logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
fi
{{ end -}}
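Review bot: The check `if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]` is false for a dangling symlink and true for an unrelated real directory, and the `ln -s` that follows fails when `nvim/lua` does not exist yet, so the script can either error on a stale link or log "appears to already be symlinked" about something that is not a symlink at all. Testing for an existing link or path with `-L`/`-e`, checking that the source directory exists, and creating the parent before linking makes each outcome explicit. The rewritten body is below; the template guard and the two `includeTemplate` lines are unchanged. As a naming point, this file shares the `08-` prefix with `run_onchange_after_08-generate-public-keys.sh.tmpl`, so their relative order is decided by the rest of the name rather than the number.
```shell
### Symlink custom code for Neovim configuration
CUSTOM_SRC="${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
CUSTOM_DST="${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
if [ -L "$CUSTOM_DST" ] || [ -e "$CUSTOM_DST" ]; then
  logg info "$CUSTOM_DST already exists (symlink or directory), leaving it alone"
elif [ ! -d "$CUSTOM_SRC" ]; then
  logg info "$CUSTOM_SRC does not exist, nothing to link"
else
  logg info "Linking $CUSTOM_SRC to $CUSTOM_DST"
  logg info "Changes should go in $CUSTOM_SRC"
  mkdir -p "$(dirname "$CUSTOM_DST")"
  ln -s "$CUSTOM_SRC" "$CUSTOM_DST"
fi
```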


@ -1,6 +1,6 @@
{{- if (eq .host.distro.family "linux") -}}
#!/usr/bin/env bash
# @file Fonts
# @file Linux Fonts
# @brief Ensures fonts are available at the system level and, on Linux, it configures the system font settings.
# @description
# This script is utilized to ensure the same fonts are consistently used across the system.


@ -18,7 +18,6 @@
#
# ## Links
#
# * [`run_onchange_after_24-vpn-darwin.sh.tmpl`](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl)
# * [VPN profile folder](https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/vpn)
# * [VPN profile documentation](https://install.doctor/docs/customization/secrets#vpn-profiles)


@ -1,5 +1,21 @@
{{- if eq .host.distro.family "linux" -}}
#!/usr/bin/env bash
# @file Endlessh Configuration
# @brief Applies the Endlessh configuration and starts the service on Linux systems
# @description
# Endlessh is a endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default
# SSH port. It is intended to break unsophisticated malware that targets SSH.
#
# If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
# (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
#
# **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
# is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
#
# ## Links
#
# * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
# * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
# endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
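Review bot: The `**Note:**` in the new header records the assumption that sshd has already moved off port 22, but nothing in this hunk enforces it, and chezmoi runs `after` scripts in filename order, so `30-endlessh` runs before `30-sshd`; on a fresh machine that starts the tarpit while the stock sshd still holds port 22, so one of the two fails to bind. Either give the sshd script a lower prefix than endlessh, or have this script read the SSH port from the `home/.chezmoidata.yaml` value the header refers to (the key name is not visible here) and `exit 0` with a `logg` message when it is still 22, and say in the `@description` that the check is performed. The body that installs the config and starts the service is outside this hunk. Minor wording: `a endless SSH tarpit` should be `an endless SSH tarpit`.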


@ -1,5 +1,14 @@
{{- if ne .host.distro.family "windows" -}}
#!/usr/bin/env bash
# @file SSHD Configuration
# @brief Applies SSHD system configuration and then restarts / enables the SSH server
# @description
# This script applies the SSH server MOTD banner and `sshd_config` (which are housed in the `home/private_dot_ssh/system` location)
# to the system by copying the files to the system location and then restarting / enabling the system SSH server.
#
# ## Links
#
# * [System SSHD configurations](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/system)
# sshd_config hash: {{- include (joinPath .host.home ".ssh" "system" "sshd_config") | sha256sum -}}
# banner hash: {{- include (joinPath .host.home ".ssh" "system" "banner") | sha256sum -}}
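Review bot: The new header describes copying `sshd_config` to the system location and restarting sshd but says nothing about validating the file first; a syntax error or a wrong `Port`/`AllowUsers` value in the templated config takes the SSH server down on a remote host with no way back in. The copy-and-restart body is outside this hunk, so I cannot tell whether it already checks, but I would run `sudo sshd -t -f "$HOME/.ssh/system/sshd_config" || { logg error 'sshd_config failed validation, not applying'; exit 1; }` before the copy and mention that in the `@description`. It would also help to state whether this config is what moves sshd to the non-standard port the endlessh script's header assumes, since both scripts share the `30-` prefix and their relative order matters.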


@ -1,5 +1,16 @@
{{- if eq .host.distro.family "linux" -}}
#!/usr/bin/env bash
# @file Fail2ban Configuration
# @brief Applies the system `fail2ban` jail configuration and then restarts the service
# @description
# Fail2ban is an SSH security program that temporarily bans IP addresses that could possibly be
# attempting to gain unauthorized system access. This script applies the "jail" configuration
# located at `home/private_dot_ssh/fail2ban/` to the system location. It then enables and restarts
# the `fail2ban` configuration.
#
# ## Links
#
# * [`fail2ban` configuration folder](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/fail2ban)
# jail.local hash: {{- include (joinPath .host.home ".ssh" "fail2ban" "jail.local") | sha256sum -}}