This commit is contained in:
Brian Zalewski 2023-06-28 02:53:52 +00:00
parent 25027816b6
commit 6102deaa33
32 changed files with 300 additions and 13 deletions


@ -60,6 +60,7 @@
* https://github.com/pouchdb/pouchdb
* https://uppy.io/docs/dashboard/
* https://unkey.dev/
* [Title](https://github.com/vercel-labs/ai-chatbot)
## Serverless


@ -2,6 +2,7 @@
This page outlines various projects and tasks that we are currently working on. Creating a GitHub issue for each of these items would be overkill.
* [Title](https://github.com/KnowledgeCanvas/knowledge)
* Configure Navi to automatically download and use the best cheat repositories
* Finish TS from 1400 stars
* Python
@ -14,7 +15,14 @@ This page outlines various projects and tasks that we are currently working on.
* JavaScript start at 10k
* Go through https://github.com/jaywcjlove/awesome-mac
* https://codesandbox.io/ https://github.com/firecracker-microvm/firecracker
* (https://www.kolide.com/features/checks/mac-firewall)
* (https://github.com/tobiasbueschel/search-gpt)
* Create IP set for CloudFlare [Title](https://firewalld.org/documentation/man-pages/firewalld.ipset.html)
* https://chainner.app/
* https://github.com/kyrolabs/awesome-langchain)
( [Title](https://github.com/StanGirard/quivr))
* [Title](https://github.com/PromtEngineer/localGPT)
* [Title](https://github.com/reworkd/AgentGPT)
## Upstream
The following items are things we would like to include into the Install Doctor system but are waiting on upstream changes.
@ -182,6 +190,15 @@ The following items have been reviewed but need to be revisited due to complexit
* https://github.com/OpenNebula/one /. https://github.com/OpenNebula/minione
* https://github.com/ConvoyPanel/panel
* https://github.com/hashicorp/nomad
* [Title](https://github.com/Soft/xcolor)
* [Title](https://github.com/Xpra-org/xpra)
* [Title](https://github.com/ksnip/ksnip)
* [Title](https://github.com/leftwm/leftwm)
* [Title](https://github.com/polybar/polybar)
* [Title](https://github.com/kingToolbox/WindTerm)
* [Title](https://github.com/hyprwm/Hypr)
* [Title](https://github.com/Sygil-Dev/sygil-webui)
* [Title](https://github.com/psychic-api/psychic)
## Docker Issue


@ -360,6 +360,7 @@ softwareGroups:
- resume
- s-search
- sad
- search-gpt
- slack-term
- slides
- social-analyzer
@ -916,6 +917,7 @@ softwareGroups:
- cookiecutter
- gomplate
Terraform: &Terraform
- aiac
- terraform
- tfenv
- tflint


@ -24,15 +24,15 @@ if [ -d /Applications ] && [ -d /System ]; then
# Only enable when computer is not a corporate / work computer
{{ if (ne .host.work true) -}}
logg info 'Enabling VNC using the `VNC_PASSWORD` variable which is `vncpass` when nothing is specified'
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw {{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }} -restart -agent -privs -all
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw {{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }} -restart -agent -privs -all -users {{ .user.name }}
{{- end }}
else
# System is Linux
### VNC set-up / configuration
if command -v vncpasswd > /dev/null; then
# TigerVNC (or alternative VNC program) is installed
logg info 'Copying VNC configuration files from ~/.config/vnc/etc to /'
sudo cp -Rf "${XDG_CONFIG_HOME:-$HOME/.config}/vnc/etc" /
sudo systemctl
if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/vnc" ]; then
mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/vnc"
fi
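Review bot: `sudo systemctl` (the line right after the `cp -Rf` into `/`) is invoked with no subcommand, so it only prints the unit list and never enables or starts the VNC service; it should either name the intended action, e.g. `sudo systemctl enable --now <vnc-unit-copied-from-~/.config/vnc/etc>`, or be dropped. Which side of the change that line is on is not recoverable from the rendered page, so it may already be what the commit removed. On the kickstart line that adds `-allowAccessFor -specifiedUsers` and `-users {{ .user.name }}`, the decrypted VNC password is interpolated directly into the command line, so it is briefly visible in the process table and in any `set -x` trace; a comment such as `# NOTE: the password is passed as a kickstart argument and is visible in ps while it runs` makes that trade-off explicit. The enclosing `if [ -d /Applications ] ...` block starts before the hunk and the Linux branch continues past it.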


@ -0,0 +1,7 @@
#!/usr/bin/env bash
if [ -d /Applications ] && [ -d /System ]; then
# System is macOS
logg info 'Enabling macOS firewall'
fi
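Review bot: The macOS branch logs `Enabling macOS firewall` but no command that changes firewall state appears in the rendered hunk; the header counts seven added lines and only five are shown, so the missing two may be that command, otherwise the script is a no-op and the `socketfilterfw --setglobalstate on` call that `software.yml` places under the firewalld `script:darwin` key belongs here. A comment stating what the script is expected to configure (global state, stealth mode) would make the intent checkable, and the non-macOS case silently does nothing, which deserves at least a `logg` line.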


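--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNHB0YXhyR3NEQVZMaEw5
+RjRSbE56Vk9VU2lZTWo2NHNoSXhjZUZYYVNzClh3ay9ZdStiWUlLMnNXT1RmT3Vw
+aVRtNHAvR2xSdmRMQW1LYkR5MlRjbmMKLS0tIFJDcEphZUZZc0RjYmUwRTlkZDFh
+SXlFSXErOEdHZHJkVmlDWHJvWDJjSnMKTZuglTRlnTiU/YMzQjNUZY3stUz8ujwP
+FsyjC/1mp3eYNr5jEnRH1ACSpTesYZ/jgl0b/B3z2eGPN2ButzjAbQ62+0kDuTo=
+-----END AGE ENCRYPTED FILE-----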


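--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZjBDMy9yQW9LZTBQWFUr
+SklhbWtWUVpzZDc3TkhzRkxydmppSmc2NkVZCkVyK1BWQ3UxQTE1OC8vL1VVVStz
+Z2t1ckNhWDlPd1BuNXNLakNRZWpVSGMKLS0tIE5mdi9RaWhWUWtwcTZTeW9xWFgy
+OUNpQWxnRnBpb1JXbU42SHhaa2Z5UFkKDrEwiM7oz62yvE72M87gABy+6ZWqyR95
+DGFBDzXJqNtk7tyLHwkh7cZFd4MHKIL7sA==
+-----END AGE ENCRYPTED FILE-----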


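--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,3 @@
+[General]
+notifications=true
+show-inactive=true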


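--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>FTP</short>
+<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
+<port protocol="tcp" port="21"/>
+<module name="nf_conntrack_ftp"/>
+</service>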


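--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>IPFS Daemon API</short>
+<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
+<port protocol="tcp" port="5001"/>
+</service>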
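Review bot: Port 5001 is the IPFS daemon's RPC/API endpoint, which typically accepts requests that administer the node without authentication, so this service should only be added to a trusted zone; the description is copied from the Swarm file and does not say that. Suggest making it specific, e.g. `<description>IPFS daemon RPC API (tcp/5001). This is an administrative interface; expose it only to trusted networks.</description>`.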


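--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>IPFS Swarm</short>
+<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
+<port protocol="tcp" port="4001"/>
+<port protocol="udp" port="4001"/>
+</service>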


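--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>IPFS Swarm Websockets</short>
+<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
+<port protocol="tcp" port="8081"/>
+</service>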


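--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>jellyfin</short>
+<description>ellyfin is the volunteer-built media solution that puts you in control of your media. Stream to any device from your own server, with no strings attached. Your media, your server, your way.</description>
+<port protocol="tcp" port="8096"/>
+<port protocol="tcp" port="8920"/>
+<port protocol="udp" port="1900"/>
+<port protocol="udp" port="7359"/>
+</service>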
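Review bot: The description starts with `ellyfin` (first letter dropped); it should read `<description>Jellyfin is the volunteer-built media solution ...`. The other services title-case `<short>`, so `<short>Jellyfin</short>` would be consistent. 1900/udp and 7359/udp are discovery ports (DLNA/SSDP and Jellyfin client auto-discovery) that are only needed when those features are in use; an XML comment naming which port serves what would let a reviewer trim the set.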


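--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>Kubernetes Master</short>
+<description>Ports required for a Kubernetes Master node per https://kubernetes.io/docs/setup/independent/install-kubeadm/.</description>
+<port port="6443" protocol="tcp"/>
+<port port="2379" protocol="tcp"/>
+<port port="2380" protocol="tcp"/>
+<port port="10250-10252" protocol="tcp"/>
+<port port="10255" protocol="tcp"/>
+</service>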
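Review bot: 10255 is the kubelet read-only port, which serves pod and node metadata without authentication and is disabled (`readOnlyPort: 0`) in kubeadm's default kubelet configuration, so `<port port="10255" protocol="tcp"/>` should be dropped here and in the Kubernetes Worker file rather than advertised as required. The etcd ports 2379-2380 are intended for control-plane peers only, and a firewalld service definition cannot express a source restriction, so a comment stating that this service must only be bound to a trusted zone (or expressed as a rich rule with a source) is worth adding. The cited kubeadm page has since moved; the current port list lives under "Ports and Protocols" in the Kubernetes reference docs.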


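--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>Kubernetes Worker</short>
+<description>Ports required for a Kubernetes Worker node per https://kubernetes.io/docs/setup/independent/install-kubeadm/.</description>
+<port port="10250" protocol="tcp"/>
+<port port="10255" protocol="tcp"/>
+<port port="30000-32767" protocol="tcp"/>
+</service>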


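--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>Multicast DNS (mDNS)</short>
+<description>mDNS provides the ability to use DNS programming interfaces, packet formats and operating semantics in a small network without a conventional DNS server. If you plan to use Avahi, do not disable this option.</description>
+<port protocol="udp" port="5353"/>
+<destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
+</service>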


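--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>OpenVPN Access Server</short>
+<description>OpenVPN Access Server is a set of installation and configuration tools that come in one package that simplifies the rapid deployment of a VPN remote access solution.</description>
+<port protocol="udp" port="1194"/>
+<port protocol="tcp" port="9443"/>
+<port protocol="tcp" port="943"/>
+</service>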


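--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>Plex</short>
+<description>.</description>
+<port protocol="tcp" port="32400"/> # Plex Media Server
+<port protocol="udp" port="1900"/> # Plex DLNA Server
+<port protocol="tcp" port="32469"/> # Plex DLNA Server
+<port protocol="udp" port="32410"/> # GDM Network Discovery
+<port protocol="udp" port="32412"/> # GDM Network Discovery
+<port protocol="udp" port="32413"/> # GDM Network Discovery
+<port protocol="udp" port="32414"/> # GDM Network Discovery
+</service>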
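Review bot: The `# Plex Media Server` annotations after each `<port .../>` are not XML comments, so they become text content of `<service>`; firewalld's parser may ignore stray text, but the intent is lost and another consumer of the file is not obliged to be lenient. Replace them with real comments, e.g. `<port protocol="tcp" port="32400"/> <!-- Plex Media Server -->`. The `<description>.</description>` placeholder here, and in the UniFi Controller and unifi-video files, should be filled in or removed, since it is what `firewall-cmd --info-service` displays to the operator.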


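--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>UniFi Controller</short>
+<description>.</description>
+<port protocol="udp" port="10001"/>
+<port protocol="udp" port="3478"/>
+<port protocol="tcp" port="8080"/>
+<port protocol="tcp" port="8081"/>
+<port protocol="tcp" port="8443"/>
+<port protocol="tcp" port="8843"/>
+<port protocol="tcp" port="8880"/>
+<port protocol="tcp" port="6789"/>
+</service>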


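--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>unifi-video</short>
+<description>.</description>
+<port protocol="tcp" port="10001"/>
+<port protocol="tcp" port="1935"/>
+<port protocol="tcp" port="6666"/>
+<port protocol="tcp" port="7080"/>
+<port protocol="tcp" port="7442"/>
+<port protocol="tcp" port="7443"/>
+<port protocol="tcp" port="7444"/>
+<port protocol="tcp" port="7445"/>
+<port protocol="tcp" port="7446"/>
+<port protocol="tcp" port="7447"/>
+</service>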


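--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+These profiles are unused but are left here as an example should we decide to support `ufw` as well.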


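--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+[CUPS]
+title=CUPS
+description=CUPS printer server
+ports=631/tcp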


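--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+[MAAS]
+title=MAAS
+description=Ubuntu management software for equipment that is controlled by LPMI
+ports=5240|5248|5241:5247/tcp|5241:5247/udp|5250:5270/tcp|5250:5270/udp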


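--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+[NetbootXYZ]
+title=NetbootXYZ
+description=Boot over LAN
+ports=69/udp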


@ -0,0 +1,19 @@
[Nginx]
title=Nginx Server
description=Nginx server
ports=80/tcp
[Nginx Secure]
title=Nginx Server (HTTPS)
description=Nginx server (HTTPS)
ports=443/tcp
[Nginx Full]
title=Nginx Server (HTTP,HTTPS)
description=Nginx server (HTTP,HTTPS)
ports=80,443/tcp
[Nginx Cache]
title=Nginx Server (8080)
description=Nginx server (8080)
ports=8080/tcp


@ -0,0 +1,14 @@
[PlexMediaServer]
title=Plex Media Server (Standard)
description=The Plex Media Server
ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp
[PlexMediaServer DLNA]
title=Plex Media Server (DLNA)
description=The Plex Media Server (additional DLNA capability only)
ports=1900/udp|32469/tcp
[PlexMediaServer Full]
title=Plex Media Server (Standard + DLNA)
description=The Plex Media Server (with additional DLNA capability)
ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp|1900/udp|32469/tcp


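--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+[RDP]
+title=RDP
+description=Remotely sign into a desktop computer
+ports=3389/tcp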


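--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+[UniFi]
+title=UniFi controller
+description=All ports available for UniFi inform, guest portal, speed testing, and access to admin GUI
+ports=5514,6789,8080,8843,8880/tcp|1900,3478,10001/udp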


@ -74,6 +74,11 @@ export OPENAI_API_KEY="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplat
### PyPi
export PYPI_TOKEN="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "PYPI_TOKEN")) }}{{ includeTemplate "secrets/PYPI_TOKEN" | decrypt | trim }}{{ else }}{{ env "PYPI_TOKEN" }}{{ end }}"
### Search GPT
# Also relies on `OPENAI_API_KEY`
export GOOGLE_SEARCH_API_KEY="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "GOOGLE_SEARCH_API_KEY")) }}{{ includeTemplate "secrets/GOOGLE_SEARCH_API_KEY" | decrypt | trim }}{{ else }}{{ env "GOOGLE_SEARCH_API_KEY" }}{{ end }}"
export GOOGLE_SEARCH_ID="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "GOOGLE_SEARCH_ID")) }}{{ includeTemplate "secrets/GOOGLE_SEARCH_ID" | decrypt | trim }}{{ else }}{{ env "GOOGLE_SEARCH_ID" }}{{ end }}"
### Snapcraft
export SNAPCRAFT_EMAIL="{{ .user.snapcraft.username }}"
export SNAPCRAFT_MACAROON="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "SNAPCRAFT_MACAROON")) }}{{ includeTemplate "secrets/SNAPCRAFT_MACAROON" | decrypt | trim }}{{ else }}{{ env "SNAPCRAFT_MACAROON" }}{{ end }}"
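Review bot: When neither the encrypted `GOOGLE_SEARCH_API_KEY` template nor the environment variable exists at render time, the new line still emits `export GOOGLE_SEARCH_API_KEY=""` (same for `GOOGLE_SEARCH_ID`); an exported empty string looks "set" to tools that only test presence and also overrides a value set earlier in shell startup. Emitting the `export` only inside the `{{ if }}` branches that actually have a value avoids both; the surrounding `PYPI_TOKEN` and `SNAPCRAFT_MACAROON` lines share the pattern. The decrypted keys land in this plaintext profile, so it should keep a user-only file mode (chezmoi's `private_` prefix) — the path is not shown here, so confirm.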


@ -113,6 +113,7 @@ let installOrdersPre = []
let installOrdersPost = []
let installOrdersService = []
let installOrdersGroups = []
let installOrdersPorts = []
let installOrdersPlugins = []
let installOrdersBinLink = []
let brewUpdated, osType, osID, snapRefreshed
@ -446,6 +447,10 @@ async function updateInstallMaps(preference, packages, scopedPreference, pkg, pa
if (groupsHook) {
installOrdersGroups = installOrdersGroups.concat(typeof groupsHook === 'string' ? [groupsHook] : groupsHook)
}
const portsHook = getHook(packages, 'ports', scopedPreference, preference)
if (portsHook) {
installOrdersPorts = installOrdersPorts.concat(typeof portsHook === 'string' ? [portsHook] : portsHook)
}
processPluginOrders(pkg)
if (!installOrders[preference]) {
installOrders[preference] = []
@ -1543,6 +1548,41 @@ async function addUserGroup(group) {
}
}
/**
* Adds the rules specified in the `_ports` key of each entry in the `software.yml` file.
*
* @param rule Firewall rule in the form of 8888/tcp or 9999/udp. Can also be the XML file name stored in ~/.config/firewall/etc/firewalld/services.
*/
async function addFirewallRule(rule) {
const logStage = 'Firewall'
log('info', logStage, `Ensuring the ${rule} rule is added`)
if (osType === 'linux') {
const firewallCmd = which.sync('firewall-cmd', { nothrow: true })
// const ufw = which.sync('ufw', { nothrow: true })
if (firewallCmd) {
if (typeof rule.substring(0, 1) === 'number') {
runCommand(`Adding the ${rule} to the firewall configuration`, `sudo firewall-cmd --add-port=${rule} --permanent`)
} else {
runCommand(`Adding the ${rule} user / group`, `sudo firewall-cmd --add-service=${rule} --permanent`)
}
} else {
log('error', logStage, `The firewall-cmd executable is not present on the system so the firewall cannot be configured`)
}
} else if (osType === 'darwin') {
runCommand(`Creating the ${rule} group`, `sudo dscl . create /Groups/${rule}`)
runCommand(`Ensuring the ${rule} group has a GID`, `bash -c 'if [[ "$(sudo dscl . read /Groups/$GROUP gid 2>&1)" == *"No such key"* ]]; then MAX_ID_GROUP="$(dscl . -list /Groups gid | awk "{print $2}" | sort -ug | tail -1)"; GROUP_ID="$((MAX_ID_GROUP+1))"; sudo dscl . create /Groups/${rule} gid "$GROUP_ID"; fi'`)
runCommand(`Adding the ${rule} user`, `sudo dscl . create /Users/${rule}`)
runCommand(`Ensuring the ${rule} user has a PrimaryGroupID`, `bash -c 'if [[ "$(sudo dscl . read /Users/${rule} PrimaryGroupID 2>&1)" == *"No such key"* ]]; then sudo dscl . create /Users/${rule} PrimaryGroupID 20; fi'`)
runCommand(`Ensuring the ${rule} user has a UniqueID`, `bash -c 'if [[ "$(sudo dscl . read /Users/${rule} UniqueID 2>&1)" == *"No such key"* ]]; then MAX_ID_USER="$(dscl . -list /Users UniqueID | sort -nr -k 2 | head -1 | grep -oE "[0-9]+$")"; USER_ID="$((MAX_ID_USER+1))"; sudo dscl . create /Users/${rule} UniqueID "$USERID"; fi'`)
runCommand(`Adding the ${rule} user to the ${rule} group`, `sudo dseditgroup -o edit -t user -a ${rule} ${rule}`)
runCommand(`Adding the ${process.env.USER} user to the ${rule} group`, `sudo dseditgroup -o edit -t user -a ${process.env.USER} ${rule}`)
} else if (osType === 'windows') {
log('warn', logStage, `Windows support not yet added`)
} else {
log('warn', logStage, `Unknown operating system type`)
}
}
async function updateService(service) {
const logStage = 'Service Service'
if (osType === 'linux') {
@ -1805,6 +1845,10 @@ async function installSoftware(pkgsToInstall) {
asyncOrders.push(installPackageList(packageManager, installOrders[packageManager]))
await Promise.all(asyncOrders)
}
installOrdersPorts.length && log('info', 'Firewall', 'Configuring firewall exceptions')
for (const firewallRule of installOrdersPorts) {
await addFirewallRule(firewallRule)
}
installOrdersService.length && log('info', 'Post-Install', `Running package-specific post-installation steps`)
for (const service of installOrdersService) {
await updateService(service)
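Review bot: In `addFirewallRule`, `typeof rule.substring(0, 1) === 'number'` is always false because `substring` returns a string, so every rule — including `80/tcp`-style port rules — is sent to `--add-service`, which firewalld rejects for a port spec; test the shape with a regex instead. The `darwin` branch is a copy of `addUserGroup` and creates local users and groups named after the rule (`dscl . create /Groups/80/tcp`), which is destructive and unrelated to the firewall, so it should be a warning stub until macOS support exists. `--permanent` on its own does not touch the running firewall, so the rule is not live until a reload; apply it to both runtime and permanent configuration. Because the rule string is interpolated into a `sudo` shell command, rejecting anything that is not `port[-port]/proto` or a plain service name keeps an unexpected `_ports` value in `software.yml` from becoming extra shell words. Separately, `software.yml` now declares `_ports` as `- port: 80 / proto: udp` maps, which reach this function as `[object Object]`; either the YAML should carry `- 80/tcp` strings as the JSDoc states, or the `installOrdersPorts.concat` site in `updateInstallMaps` should map `{port, proto}` to `${port}/${proto}`.
```javascript
async function addFirewallRule(rule) {
  const logStage = 'Firewall'
  log('info', logStage, `Ensuring the ${rule} rule is added`)
  // A port rule is "port/proto" or "port-port/proto"; anything else must be a plain firewalld service name
  const isPortRule = /^\d{1,5}(-\d{1,5})?\/(tcp|udp)$/.test(rule)
  if (!isPortRule && !/^[A-Za-z0-9._-]+$/.test(rule)) {
    log('error', logStage, `Ignoring malformed firewall rule ${rule}`)
    return
  }
  if (osType === 'linux') {
    const firewallCmd = which.sync('firewall-cmd', { nothrow: true })
    if (firewallCmd) {
      const target = isPortRule ? `--add-port=${rule}` : `--add-service=${rule}`
      // Runtime first so the rule is live now, then persist it so it survives reloads and reboots
      runCommand(`Adding ${rule} to the running firewall configuration`, `sudo firewall-cmd ${target}`)
      runCommand(`Persisting ${rule} in the firewall configuration`, `sudo firewall-cmd ${target} --permanent`)
    } else {
      log('error', logStage, `The firewall-cmd executable is not present on the system so the firewall cannot be configured`)
    }
  } else if (osType === 'darwin') {
    // socketfilterfw is application-based; port rules are not applied on macOS yet
    log('warn', logStage, `macOS firewall port rules are not yet supported (skipping ${rule})`)
  // … unchanged: windows / unknown-OS branches …
```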


@ -2820,14 +2820,6 @@ softwarePackages:
dnf: firefox
flatpak: org.mozilla.firefox
pacman: firefox
firewall:
_bin: null
_desc: This role is intended to be used with the ProfessorManhattan playbook. It integrates tightly with the other roles included with the playbook.
_docs: null
_github: null
_home: null
_name: Firewall
ansible: professormanhattan.firewall
fission:
_bin: fission
_desc: Fast and Simple Serverless Functions for Kubernetes
@ -5795,6 +5787,11 @@ softwarePackages:
_github: https://github.com/nginx/nginx
_home: https://nginx.org/
_name: NGINX
_ports:
- port: 80
proto: udp
- port: 443
proto: udp
ansible: professormanhattan.nginx
apt: nginx
brew: nginx
@ -7099,13 +7096,37 @@ softwarePackages:
_name: Microsoft Remote Desktop
_when:cask: '! test -d "/Applications/Microsoft Remote Desktop.app"'
cask: microsoft-remote-desktop
aiac:
_bin: aiac
_github: https://github.com/gofireflyio/aiac
_name: AIAC
brew: gofireflyio/aiac/aiac
go: github.com/gofireflyio/aiac/v3@latest
firewalld:
_bin: firewall-cmd
_github: https://github.com/firewalld/firewalld
_name: FirewallD
_service: firewalld
_pre: if command -v ufw > /dev/null; then sudo ufw disable; fi
_service: firewalld
_notes: https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu/
apt: firewalld
dnf: firewalld
emerge: net-firewall/firewalld
pacman: firewalld
script:darwin: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
zypper: firewalld
xrdp:
_bin: xrdp
_desc: null
_docs: null
_github: null
_home: null
_github: https://github.com/neutrinolabs/xrdp
_home: http://www.xrdp.org/
_name: xrdp
_ports:
- port: 3389
proto: tcp
_post: sudo adduser xrdp ssl-cert
_service: xrdp
_service:yay:
- xrdp
@ -7113,6 +7134,8 @@ softwarePackages:
_note: Should work like professormanhattan.remotedesktop
apt: xrdp
dnf: xrdp
pacman: xrdp
zypper: xrdp
yay: xrdp
responsively:
_bin: null
@ -9566,6 +9589,11 @@ softwarePackages:
_home: null
_name: Yarnhook
npm: yarnhook
search-gpt:
_bin: searchgpt
_github: https://github.com/tobiasbueschel/search-gpt
_name: Search GPT
npm: search-gpt
yj:
_bin: yj
_desc: CLI program that allows you to convert between YAML, TOML, JSON, and HCL.
@ -9687,6 +9715,9 @@ softwarePackages:
_bin: tigervncpasswd
_github: https://github.com/DukeyToo/tightvnc-server
_name: TightVNC Server
_ports:
- port: 5900-5909
proto: tcp
apt: tigervnc-standalone-server
dnf: tigervnc-server
pacman: tigervnc
@ -9830,6 +9861,7 @@ softwarePlugins:
raycast:
cmd: null
plugins:
- https://www.raycast.com/abielzulio/chatgpt
- https://www.raycast.com/BalliAsghar/mailsy
steampipe:
cmd: steampipe plugin install {PLUGIN}
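Review bot: The NGINX `_ports` entries use `proto: udp` for 80 and 443, but HTTP and HTTPS are TCP (443/udp only matters for HTTP/3, which this package does not configure), so they should be `proto: tcp`. The `port`/`proto` map shape also does not match what `addFirewallRule` in the provisioning script expects per its JSDoc (`8888/tcp` strings or a firewalld service name), so these entries would not apply as written; the xrdp and TightVNC `_ports` have the same shape. In the new `firewalld` entry `_service: firewalld` appears twice, which strict YAML loaders reject and lenient ones silently dedupe — drop one. Its `_pre` disables ufw before firewalld is installed, so a failed install leaves the host with no active firewall; moving the `ufw disable` to `_post`, after the firewalld service is up, is the safer order.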