diff --git a/home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl b/home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl similarity index 100% rename from home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl rename to home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl diff --git a/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl index 5dd489b1..2c1b3dfe 100644 --- a/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl +++ b/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl @@ -1,3 +1,4 @@ +{{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash # @file Linux Required Dependencies # @brief Ensures commonly used system packages that are common dependencies of other packages are installed @@ -237,4 +238,5 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then fi fi done -fi \ No newline at end of file +fi +{{ end -}} diff --git a/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl index e4dbf591..fff8cc15 100644 --- a/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl +++ b/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl @@ -1,3 +1,4 @@ +{{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash # @file Linux System Tweaks # @brief Applies a set of generic Linux system tweaks such as ensuring the hostname is set, setting the timezone, and more @@ -27,3 +28,4 @@ if command -v sysctl > /dev/null; then logg info 'Increasing vm.max_map_count size to 262144' sudo sysctl -w vm.max_map_count=262144 > /dev/null fi +{{ end -}} diff --git a/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl index e22fd5f2..08cf7450 100644 --- a/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl +++ b/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl @@ -1,3 +1,4 @@ +{{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash # @file Linux Swap # @brief Determines the ideal size `/swapfile`, ensures it exists, and then enables it on Linux systems @@ -55,3 +56,4 @@ if [ ! -f /swapfile ]; then fi fi fi +{{ end -}} diff --git a/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl index 5eb08473..fcf6f044 100644 --- a/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl +++ b/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl @@ -1,3 +1,4 @@ +{{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash # @file CloudFlare WARP Repository # @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems @@ -30,3 +31,4 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then sudo apt-get update fi fi +{{ end -}} diff --git a/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl b/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl deleted file mode 100644 index bb2d085f..00000000 --- a/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl +++ /dev/null @@ -1,23 +0,0 @@ -{{- if eq .host.distro.family "darwin" -}} -#!/usr/bin/env bash - -{{ includeTemplate "universal/profile" }} -{{ includeTemplate "universal/logg" }} - -{{ $fontFiles := (output "find" (joinPath .chezmoi.homeDir ".local" "share" "fonts") "-type" "f") -}} -{{- range $fontFile := splitList "\n" $fontFiles -}} -{{- if ne $fontFile "" -}} -# {{ $fontFile }} hash: {{ $fontFile | sha256sum }} -{{ end -}} -{{- end }} - -### Ensure all fonts are added to ~/Library/Fonts on macOS -find "$HOME/.local/share/fonts" -type f | while read FONT_FILE; do - BASENAME="$(basename "$FONT_FILE")" - if [ ! -f "$HOME/Library/Fonts/$BASENAME" ] || [ "$(openssl sha256 "$HOME/Library/Fonts/$BASENAME" | sed 's/.*= //')" != "$(openssl sha256 "$FONT_FILE" | sed 's/.*= //')" ]; then - logg info 'Adding '"$BASENAME"' to ~/Library/Fonts' - cp "$FONT_FILE" "$HOME/Library/Fonts/$BASENAME" - fi -done - -{{ end -}} diff --git a/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl b/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl deleted file mode 100644 index f0bd84aa..00000000 --- a/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -{{ includeTemplate "universal/profile" }} -{{ includeTemplate "universal/logg" }} - -### Ensure id_rsa is present and create one if it does not exist -if [ ! -f "$HOME/.ssh/id_rsa" ]; then - logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)' - ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N "" - chmod 600 "$HOME/.ssh/id_rsa" -fi diff --git a/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl b/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl deleted file mode 100644 index 9c949c0c..00000000 --- a/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl +++ /dev/null @@ -1,16 +0,0 @@ -{{- if (ne .host.distro.family "windows") -}} -#!/usr/bin/env bash - -{{ includeTemplate "universal/profile" }} -{{ includeTemplate "universal/logg" }} - -### Symlink custom code for Neovim configuration -if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then - logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" - logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" - ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" -else - logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" -fi - -{{ end -}} diff --git a/home/.chezmoiscripts/run_onchange_ensure-executable.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl similarity index 61% rename from home/.chezmoiscripts/run_onchange_ensure-executable.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl index 54674743..c355d6ba 100644 --- a/home/.chezmoiscripts/run_onchange_ensure-executable.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl @@ -1,4 +1,9 @@ #!/usr/bin/env bash +# @file Ensure Local Bin Executable +# @brief Ensures all the scripts located in `~/.local/bin` have executable permissions +# @description +# This script cycles through the scripts in `~/.local/bin` are executable. It only cycles through +# the scripts that are exactly one level deep in the `~/.local/bin` folder. {{ includeTemplate "universal/profile" }} {{ includeTemplate "universal/logg" }} diff --git a/home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl similarity index 62% rename from home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl index 8ab6e5b7..535ce218 100644 --- a/home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl @@ -1,5 +1,15 @@ {{- if (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) -}} #!/usr/bin/env bash +# @file Decrypt SSH Keys +# @brief Decrypts the encrypted SSH key files stored in the `home/.chezmoitemplates/ssh` folder of the repository / fork +# @description +# This script decrypts the SSH key files that are housed in the `home/.chezmoitemplates/ssh` section of the repository. +# It loops through all the files in `home/.chezmoitemplates/ssh` and stores them to the `~/.ssh` folder +# when they are successfully decrypted. +# +# ## Secrets +# +# For more information about storing secrets like SSH keys and API keys, refer to our [Secrets documentation](https://install.doctor/docs/customization/secrets). {{ includeTemplate "universal/profile" }} {{ includeTemplate "universal/logg" }} diff --git a/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl new file mode 100644 index 00000000..279a3edf --- /dev/null +++ b/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# @file Default SSH Key +# @brief Create a default `id_rsa` SSH key if one is not present in the repository / fork of Install Doctor +# @description +# This script generates a pair of default `id_rsa` and `id_rsa.pub` keys if one is not already present +# on the system after the Install Doctor provisioning process completes. It also ensures the private +# key is only readable and writable the provisioning user. + +{{ includeTemplate "universal/profile" }} +{{ includeTemplate "universal/logg" }} + +### Ensure id_rsa is present and create one if it does not exist +if [ ! -f "$HOME/.ssh/id_rsa" ]; then + logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)' + ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N "" + chmod 600 "$HOME/.ssh/id_rsa" +fi diff --git a/home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl similarity index 65% rename from home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl index 177f8f7f..ceda4e50 100644 --- a/home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl @@ -1,4 +1,9 @@ #!/usr/bin/env bash +# @file Generate Missing Public SSH Keys +# @brief Attempts to create missing public SSH keys for all private keys that are missing a public key file +# @description +# Using private SSH keys, you can generate the corresponding public key. This script ensures that any SSH private key +# that does not have a matching `.pub` public key file has one generated. {{ $sshFiles := (output "find" (joinPath .chezmoi.homeDir ".ssh") "-type" "f") -}} {{- range $sshFile := splitList "\n" $sshFiles -}} diff --git a/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl new file mode 100644 index 00000000..7826c0a1 --- /dev/null +++ b/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl @@ -0,0 +1,26 @@ +{{- if (ne .host.distro.family "windows") -}} +#!/usr/bin/env bash +# @file NvChad NVIM Customization Symlink +# @brief Symlinks `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to the main NVIM configuration +# @description +# NVIM is a visual text editor for the terminal. It is like a fancy, improved version of VIM with compatibility +# for the same plugins and some other ones as well. The default configuration of Install Doctor integrates +# a well-received and popular shared NVIM configuration called [NvChad](https://github.com/NvChad/NvChad). +# +# To make it easy to update NVIM to the latest version as well as introduce custom configuration parameters for NvChad, +# this script symlinks the custom configuration from `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to `${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom` +# which is the location that NvChad's documentation recommends placing custom settings in. + +{{ includeTemplate "universal/profile" }} +{{ includeTemplate "universal/logg" }} + +### Symlink custom code for Neovim configuration +if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then + logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" + logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" + ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" +else + logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" +fi + +{{ end -}} diff --git a/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl index 3960429e..073d4c6e 100644 --- a/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl @@ -1,6 +1,6 @@ {{- if (eq .host.distro.family "linux") -}} #!/usr/bin/env bash -# @file Fonts +# @file Linux Fonts # @brief Ensures fonts are available at the system level and, on Linux, it configures the system font settings. # @description # This script is utilized to ensure the same fonts are consistently used across the system. diff --git a/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl similarity index 93% rename from home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl index fa1ccb69..13ea5ec2 100644 --- a/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl @@ -18,7 +18,6 @@ # # ## Links # -# * [`run_onchange_after_24-vpn-darwin.sh.tmpl`](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl) # * [VPN profile folder](https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/vpn) # * [VPN profile documentation](https://install.doctor/docs/customization/secrets#vpn-profiles) diff --git a/home/.chezmoiscripts/run_onchange_after_endlessh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl similarity index 53% rename from home/.chezmoiscripts/run_onchange_after_endlessh.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl index f2a5558a..d3c14ca7 100644 --- a/home/.chezmoiscripts/run_onchange_after_endlessh.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl @@ -1,5 +1,21 @@ {{- if eq .host.distro.family "linux" -}} #!/usr/bin/env bash +# @file Endlessh Configuration +# @brief Applies the Endlessh configuration and starts the service on Linux systems +# @description +# Endlessh is a endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default +# SSH port. It is intended to break unsophisticated malware that targets SSH. +# +# If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl` +# (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service. +# +# **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml` +# is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._ +# +# ## Links +# +# * [Endlessh GitHub repository](https://github.com/skeeto/endlessh) +# * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl) # endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}} diff --git a/home/.chezmoiscripts/run_onchange_after_sshd.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl similarity index 77% rename from home/.chezmoiscripts/run_onchange_after_sshd.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl index 68bdb574..15880738 100644 --- a/home/.chezmoiscripts/run_onchange_after_sshd.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl @@ -1,5 +1,14 @@ {{- if ne .host.distro.family "windows" -}} #!/usr/bin/env bash +# @file SSHD Configuration +# @brief Applies SSHD system configuration and then restarts / enables the SSH server +# @description +# This script applies the SSH server MOTD banner and `sshd_config` (which are housed in the `home/private_dot_ssh/system` location) +# to the system by copying the files to the system location and then restarting / enabling the system SSH server. +# +# ## Links +# +# * [System SSHD configurations](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/system) # sshd_config hash: {{- include (joinPath .host.home ".ssh" "system" "sshd_config") | sha256sum -}} # banner hash: {{- include (joinPath .host.home ".ssh" "system" "banner") | sha256sum -}} diff --git a/home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl similarity index 70% rename from home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl rename to home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl index 2fad118d..bc4fe487 100644 --- a/home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl @@ -1,5 +1,16 @@ {{- if eq .host.distro.family "linux" -}} #!/usr/bin/env bash +# @file Fail2ban Configuration +# @brief Applies the system `fail2ban` jail configuration and then restarts the service +# @description +# Fail2ban is an SSH security program that temporarily bans IP addresses that could possibly be +# attempting to gain unauthorized system access. This script applies the "jail" configuration +# located at `home/private_dot_ssh/fail2ban/` to the system location. It then enables and restarts +# the `fail2ban` configuration. +# +# ## Links +# +# * [`fail2ban` configuration folder](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/fail2ban) # jail.local hash: {{- include (joinPath .host.home ".ssh" "fail2ban" "jail.local") | sha256sum -}} diff --git a/home/.chezmoitemplates/ssh/authorized-keys.yubikey b/home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl similarity index 100% rename from home/.chezmoitemplates/ssh/authorized-keys.yubikey rename to home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl