Fixes rclone permissions on managed macOS
parent
55516e373a
commit
65a40e74cf
20 changed files with 72 additions and 9 deletions
|
@ -6,5 +6,9 @@
|
|||
# This script ensures the Qubes desktop wallpaper is set to the Qubes Betelgeuse wallpaper on KDE by
|
||||
# using the `ksetwallpaper` script found in `~/.local/bin/ksetwallpaper`.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
logg info 'Setting wallpaper to /usr/local/share/wallpapers/Betelgeuse/contents/images/3440x1440.jpg'
|
||||
ksetwallpaper --file /usr/local/share/wallpapers/Betelgeuse/contents/images/3440x1440.jpg
|
||||
{{ end -}}
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
{{- $softwareGroup := nospace (cat "_" .host.softwareGroup) }}
|
||||
{{- $softwareList := list (index .softwareGroups $softwareGroup | toString | replace "[" "" | replace "]" "") | uniq | join " " }}
|
||||
|
||||
|
|
|
@ -1,7 +1,19 @@
|
|||
#!/usr/bin/env bash
|
||||
# @file Firewall Configuration
|
||||
# @brief Configures the firewall (built-in for macOS and firewall-cmd / ufw for Linux)
|
||||
# @description
|
||||
# This script configures the firewall for macOS / Linux.
|
||||
|
||||
{{- includeTemplate "universal/profile" }}
|
||||
{{- includeTemplate "universal/logg" }}
|
||||
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
# System is macOS
|
||||
logg info 'Enabling macOS firewall'
|
||||
|
||||
fi
|
||||
elif command -v firewall-cmd > /dev/null; then
|
||||
# System is Linux and has firewall-cmd present in PATH
|
||||
logg info 'Setting up firewall using firewall-cmd'
|
||||
elif command -v ufw > /dev/null; then
|
||||
# System is Linux and has ufw present in PATH
|
||||
logg info 'Setting up firewall using ufw'
|
||||
fi
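Review bot: None of the three branches visible here changes any firewall state: each one only calls `logg info` ('Enabling macOS firewall', 'Setting up firewall using firewall-cmd', 'Setting up firewall using ufw'), so unless the real commands sit outside this view the provisioning log will report firewall setup that never happened. Until the commands land, `logg warn 'Firewall configuration is not implemented yet'` in each branch would avoid implying the host is protected. The `fi` printed directly before `elif command -v firewall-cmd` would close the `if` early and stop the script from parsing if it is on the new side, which this rendering does not show. This file also uses `{{- includeTemplate ... }}` where the other scripts on the page use `{{ includeTemplate ... }}`; the left-trim marker removes the preceding newline, so the template output may start on the end of the `# This script configures the firewall ...` comment line and have its first line commented out.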
|
||||
|
|
|
@ -6,10 +6,14 @@
|
|||
# This script ensures the macOS desktop wallpaper is set to the macOS Betelgeuse wallpaper. It uses the
|
||||
# `m` CLI to apply the change.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
# Betelgeuse-macOS wallpaper hash: {{ include (joinPath .chezmoi.homeDir ".local" "src" "betelgeuse" "share" "wallpapers" "Betelgeuse-macOS" "contents" "source.png") | sha256sum }}
|
||||
|
||||
### Set macOS wallpaper
|
||||
if command -v m > /dev/null && [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/betelgeuse/share/wallpapers/Betelgeuse-macOS/contents/source.png" ]; then
|
||||
logg info 'Setting macOS wallpaper with m'
|
||||
m wallpaper "${XDG_DATA_HOME:-$HOME/.local/share}/betelgeuse/share/wallpapers/Betelgeuse-macOS/contents/source.png"
|
||||
else
|
||||
logg warn 'Either m or the macOS default wallpaper is missing.'
|
||||
|
|
|
@ -13,6 +13,9 @@
|
|||
# defined at the end of the [`exports.sh.tmpl`](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/shell/exports.sh.tmpl)
|
||||
# file. This value is also populated from the `.chezmoi.yaml.tmpl` value.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
if [ -d /Applications ] && [ -d /System ]; then
|
||||
if ! command -v defaultbrowser > /dev/null; then
|
||||
logg info 'Installing defaultbrowser via Homebrew which is the preferred way of configuring the default browser'
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
# | `/mnt/Public` | Public system-wide bucket that can be accessed by anyone over HTTPS with the bucket's URL (provided by CloudFlare R2) |
|
||||
# | N/A | Private system-wide bucket used for storing Docker-related backups / files |
|
||||
# | N/A | Private system-wide bucket similar to `/mnt/Private` but intended for system file backups |
|
||||
# | `$HOME/.local/mnt/s3` | Private user-specific bucket (used for backing up application settings) |
|
||||
# | `$HOME/Public` | Private user-specific bucket (used for backing up application settings) |
|
||||
#
|
||||
# ## Permissions
|
||||
#
|
||||
|
|
|
@ -76,17 +76,17 @@ if command -v smbd > /dev/null; then
|
|||
logg info "Ensuring $PRIVATE_SHARE is created"
|
||||
sudo mkdir -p "$PRIVATE_SHARE"
|
||||
sudo chmod 770 "$PRIVATE_SHARE"
|
||||
sudo chown -Rf rclone:rclone "$PRIVATE_SHARE"
|
||||
sudo chown -Rf rclone:$(id -g -n) "$PRIVATE_SHARE"
|
||||
|
||||
logg info "Ensuring $PUBLIC_SHARE is created"
|
||||
sudo mkdir -p "$PUBLIC_SHARE"
|
||||
sudo chmod 775 "$PUBLIC_SHARE"
|
||||
sudo chown -Rf rclone:rclone "$PUBLIC_SHARE"
|
||||
sudo chown -Rf rclone:$(id -g -n) "$PUBLIC_SHARE"
|
||||
|
||||
logg info "Ensuring $HOME/Public is created"
|
||||
mkdir -p "$HOME/Public"
|
||||
chmod 775 "$HOME/Public"
|
||||
chown -Rf {{ .user.username }}:rclone "$HOME/Public"
|
||||
chown -Rf {{ .user.username }}:$(id -g -n) "$HOME/Public"
|
||||
|
||||
sudo sharing -a "$PRIVATE_SHARE" -S "Private (System)" -n "Private (System)" -g 000 -s 001 -E 1 -R 1 && logg success "Configured $PRIVATE_SHARE as a private Samba share" || logg info 'sharing command failed - it is likely that the share was already set up'
|
||||
sudo sharing -a "$PUBLIC_SHARE" -S "Public (System)" -n "Public (System)" -g 001 -s 001 -E 1 -R 0 && logg success "Configured $PUBLIC_SHARE as a public Samba share" || logg info 'sharing command failed - it is likely that the share was already set up'
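Review bot: With the group changed from `rclone` to `$(id -g -n)` (the title and print order suggest this is the new side) while `$PRIVATE_SHARE` stays at mode 770, every member of the invoking user's primary group gets read/write access to the private share. On a stock macOS account that group is usually `staff`, which holds all local users, so confirm this is intended or give the private path a tighter mode than the public one. The substitution is also unquoted in all three `chown` lines, and primary group names on directory-bound Macs can contain spaces; quoting it or using the numeric id avoids the word split, e.g. `sudo chown -Rf "rclone:$(id -g)" "$PRIVATE_SHARE"`. Because `-f` hides chown failures, a bad group name would leave the old ownership in place without any log line. The enclosing `if command -v smbd` block starts outside this hunk.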
|
||||
|
|
|
@ -8,6 +8,9 @@
|
|||
# This script will only run when `${XDG_DATA_HOME:-$HOME/.local/share}/emsdk` is present on the system. This folder
|
||||
# is populated via the definition in `home/.chezmoiexternal.toml.tmpl`.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
if [ -d "${XDG_DATA_HOME:-$HOME/.local/share}/emsdk" ]; then
|
||||
cd "${XDG_DATA_HOME:-$HOME/.local/share}/emsdk"
|
||||
logg info 'Pulling latest changes for Emscripten source code'
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script loops through the `.removeLinuxShortcuts` value in `home/.chezmoidata.yaml` and removes
|
||||
# desktop shortcuts that have been deemed to be unnecessary or obtrusive.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
{{ $removeShortcuts := join " " .removeLinuxShortcuts }}
|
||||
# shortcuts to remove: {{ $removeShortcuts }}
|
||||
|
||||
|
|
|
@ -5,6 +5,9 @@
|
|||
# This script removes various files in the `HOME` directory that are either no longer necessary
|
||||
# or cluttery.
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Remove meta sudo file
|
||||
if [ -f "$HOME/.sudo_as_admin_successful" ]; then
|
||||
rm -f "$HOME/.sudo_as_admin_successful"
|
||||
|
|
|
@ -13,6 +13,9 @@
|
|||
# Regardless of whether or not this script runs, you can access the provisioning logs by browsing through
|
||||
# `${XDG_DATA_HOME:-$HOME/.local/share}/megabyte-labs/betelgeuse.$(date +%s).log`
|
||||
|
||||
{{ includeTemplate "universal/profile" }}
|
||||
{{ includeTemplate "universal/logg" }}
|
||||
|
||||
### Restart GNOME if `HEADLESS_INSTALL` is defined and `gnome-shell` is available
|
||||
if [ -n "$HEADLESS_INSTALL" ] && command -v gnome-shell > /dev/null; then
|
||||
logg info 'Reloading gnome-shell'
|
||||
|
|
|
@ -12,6 +12,9 @@
|
|||
# qubes-dom0.repo hash: {{ include (joinPath .chezmoi.homeDir ".config" "qubes" "qubes-dom0.repo") | sha256sum }}
|
||||
# qubes packages: {{ .qubes.dom0Packages | toString | replace "[" "" | replace "]" "" }}
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Configure dom0 repos
|
||||
logg info 'Updating dom0 repos to include auxilary branches'
|
||||
sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/qubes/qubes-templates.repo" /etc/qubes/repo-templates/qubes-templates.repo
|
||||
|
|
|
@ -5,6 +5,9 @@
|
|||
# @description
|
||||
# This script runs in dom0 and ensures the templates defined in `home/.chezmoidata.yaml` are all installed.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Ensure Qubes templates exist and download if they are not present
|
||||
for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
|
||||
if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then
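Review bot: `for TEMPLATE of {{ .qubes.templates | ... }}; do` is not valid bash, because the loop keyword is `in`; bash rejects the line with a syntax error and the template check never runs. The line should read `for TEMPLATE in {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do`. It is printed as context here, so this commit leaves it unchanged, and the same `of` appears in the next two sections (`for TEMPLATE of` ahead of the `-minimal` passwordless-root check and `for TEMPLATE_URL of` for the unofficial templates). The loop body continues outside the hunk.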
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script runs in dom0 and ensures the templates defined in the `.qubes.templates` data key of `home/.chezmoidata.yaml` all have
|
||||
# the `qubes-core-agent-passwordless-root` package installed so that they can be provisioned headlessly.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Ensure Qubes minimal templates have passwordless sudo
|
||||
for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
|
||||
if [[ "$TEMPLATE" == *'-minimal' ]]; then
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script downloads unofficial templates defined in the `.qubes.templatesUnofficial` data key of `home/.chezmoidata.yaml` and then
|
||||
# installs them in dom0 after transferring the downloads from a temporary Qube used for downloading the templates.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Ensure unofficial templates are installed
|
||||
for TEMPLATE_URL of {{ .qubes.templatesUnofficial | toString | replace "[" "" | replace "]" "" }}; do
|
||||
logg info "Template URL: $TEMPLATE_URL"
|
||||
|
|
|
@ -7,6 +7,9 @@
|
|||
# Due to issues with the Whonix Qubes, the update process will timeout after 15 minutes which should be enough time
|
||||
# for the updates to finish.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Update TemplateVMs
|
||||
logg info 'Updating TemplateVMs via qubesctl'
|
||||
timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script first ensures the TemplateVMs are updated and then downloads the Mirage firewall. It configures
|
||||
# Mirage firewall so it can be used as a unikernel firewall VM.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Update TemplateVMs
|
||||
logg info 'Updating TemplateVMs via qubesctl'
|
||||
timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script ensures that Qubes uses `sys-usb` for USB connections. It also optimizes the configuration
|
||||
# by applying security configurations that the Qubes documentation recommends.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Enable sys-usb
|
||||
logg info 'Modifying Salt configuration to be able to enable sys-usb'
|
||||
qubesctl top.enabled pillar=True || EXIT_CODE=$?
|
||||
|
|
|
@ -6,6 +6,9 @@
|
|||
# This script enables `sys-gui-gpu` which allows you to secure dom0 even more by seperating the GUI
|
||||
# management from dom0 and into a seperate Qube.
|
||||
|
||||
{{ includeTemplate "universal/profile-before" }}
|
||||
{{ includeTemplate "universal/logg-before" }}
|
||||
|
||||
### Enables sys-gui-gpu
|
||||
enableSysGUIGPU() {
|
||||
logg info 'Enabling sys-gui-gpu'
|
||||
|
|
|
@ -134,20 +134,23 @@ const osPlatform = osPlatformData === 'win32' ? 'windows' : osPlatformData
|
|||
async function downloadInstallData() {
|
||||
const response = await fetch('https://github.com/megabyte-labs/install.doctor/raw/master/software.yml')
|
||||
if (response.ok) {
|
||||
log('info', 'Catalog Download', `Received ok response from download`)
|
||||
const text = await response.text()
|
||||
return YAML.parse(text)
|
||||
log('info', 'Catalog Download', `Parsing software.yml`)
|
||||
return YAML.parse(text, { maxAliasCount: -1 })
|
||||
} else {
|
||||
log('error', 'Catalog Download', `Failed to download the installation map`)
|
||||
log('info', 'Catalog Download', `Falling back to local version of software.yml`)
|
||||
const text = fs.readFileSync(process.env.HOME + '/.local/share/chezmoi/software.yml').toString()
|
||||
return YAML.parse(text)
|
||||
log('info', 'Catalog Download', `Parsing local software.yml file`)
|
||||
return YAML.parse(text, { maxAliasCount: -1 })
|
||||
}
|
||||
}
|
||||
|
||||
// Download the installation map
|
||||
async function getChezmoiData() {
|
||||
const text = fs.readFileSync(process.env.HOME + '/.local/share/chezmoi/home/.chezmoidata.yaml').toString()
|
||||
return YAML.parse(text)
|
||||
return YAML.parse(text, { maxAliasCount: -1 })
|
||||
}
|
||||
|
||||
// Creates the installOrders object which maps package managers to arrays of packages to install
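Review bot: Passing `{ maxAliasCount: -1 }` to `YAML.parse` in `downloadInstallData` turns off the parser's alias-expansion limit for a document fetched at run time from the `master` branch with no integrity check, so a tampered or malformed `software.yml` with nested aliases could exhaust memory in the installer. If the catalog really exceeds the default limit, a finite cap keeps the guard in place, e.g. `return YAML.parse(text, { maxAliasCount: 1000 })` (value to be sized to the real file). The unlimited setting is easier to justify for the two local reads (the fallback `software.yml` and `.chezmoidata.yaml` in `getChezmoiData`) than for the network path. A short comment above each call saying why the limit is changed would help the next reader.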
|
||||
|
|