Various script fixes

Brian Zalewski 2024-05-10 02:53:38 +00:00
parent b2a8acfca7
commit 80e7fce908
18 changed files with 120 additions and 76 deletions


@ -144,10 +144,10 @@ data:
headless: {{ $headless }}
home: "{{ .chezmoi.homeDir }}"
homeParentFolder: "{{ if eq .chezmoi.os "linux" }}/home{{ else if eq .chezmoi.os "darwin" }}/Users{{ else }}C:\Users{{ end }}"
hostname: "{{ $hostname }}"
hostname: "{{ $hostname -}}"
noReplyEmail: no-reply@megabyte.space
samba:
netbiosName: "{{ $sambaNetBiosName }}"
netbiosName: "{{ $sambaNetBiosName -}}"
workgroup: "{{ $sambaWorkGroupName }}"
smtp:
from: CombineOS <no-reply@megabyte.space>
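Review bot: `hostname: "{{ $hostname -}}"` and `netbiosName: "{{ $sambaNetBiosName -}}"` only trim whitespace in the template text that follows the action — here the next character is the closing quote, so nothing is trimmed — and they never touch the value of the variable itself. If the intent is to drop a trailing newline carried by `$hostname` or `$sambaNetBiosName` (both defined outside this hunk), the value needs trimming instead, `hostname: "{{ $hostname | trim }}"`, and the same form for `netbiosName`.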


@ -4,9 +4,13 @@
if command -v atuin > /dev/null; then
source "${XDG_CONFIG_HOME:-$HOME/.config}/shell/private.sh"
logg info 'Registering Atuin account'
atuin register -u "$ATUIN_USERNAME" -e "$ATUIN_EMAIL" -p "$ATUIN_PASSWORD"
logg info 'Logging into Atuin account'
atuin login -u "$ATUIN_USERNAME" -p "$ATUIN_PASSWORD" -k "$ATUIN_KEY"
logg info 'Running atuin import auto'
atuin import auto
logg info 'Running atuin sync'
atuin sync
else
logg info 'atuin is not available in the PATH'
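Review bot: `atuin register` runs unconditionally before the login, so on a host where the account already exists that step presumably fails and, depending on how the caller treats errors, may stop the script before `atuin login` runs; ordering it as a fallback, `atuin login -u "$ATUIN_USERNAME" -p "$ATUIN_PASSWORD" -k "$ATUIN_KEY" || atuin register -u "$ATUIN_USERNAME" -e "$ATUIN_EMAIL" -p "$ATUIN_PASSWORD"`, avoids that. Passing the password and sync key as `-p`/`-k` arguments also exposes them in the process listing for the duration of each command, so it is worth checking whether the installed atuin can read them from a prompt or environment instead. The sourced `private.sh` is not checked for existence, so a missing file silently yields empty credentials; `[ -f "${XDG_CONFIG_HOME:-$HOME/.config}/shell/private.sh" ] || { logg warn 'private.sh is missing'; }` before the `source` makes that visible. The enclosing `if` closes outside the hunk.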


@ -5,12 +5,23 @@
if command -v blocky > /dev/null; then
if [ -d /Applications ] && [ -d /System ]; then
### macOS
cp -f "$HOME/.local/etc/blocky/config.yaml" "$(brew --prefix)/etc/blocky/config.yaml"
if [ -f "$HOME/.local/etc/blocky/config.yaml" ]; then
logg info 'Ensuring /usr/local/etc/blocky directory is present'
sudo mkdir -p /usr/local/etc/blocky
logg info "Copying $HOME/.local/etc/blocky/config.yaml to /usr/local/etc/blocky/config.yaml"
sudo cp -f "$HOME/.local/etc/blocky/config.yaml" /usr/local/etc/blocky/config.yaml
if [ -d "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/blocky" ] && [ ! -f "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/blocky/config.yaml" ]; then
logg info "Symlinking $HOME/.local/etc/blocky/config.yaml to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/blocky/config.yaml"
ln -s /usr/local/etc/blocky/config.yaml "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/blocky/config.yaml"
fi
fi
else
### Linux
logg info 'Ensuring /usr/local/etc/blocky is created'
sudo mkdir -p /usr/local/etc/blocky
if [ -d /usr/lib/systemd/system ]; then
sudo cp -f "$HOME/.local/etc/blocky/config.yaml" /usr/local/etc/blocky/config.yaml
if [ -d /usr/lib/systemd/system ]; then
logg info 'Copying blocky service file to system locations'
sudo cp -f "$HOME/.local/etc/blocky/blocky.service" /usr/lib/systemd/system/blocky.service
else
logg "/usr/lib/systemd/system is missing from the file system"
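Review bot: The Linux branch copies `$HOME/.local/etc/blocky/config.yaml` with `sudo cp -f` unconditionally, while the macOS branch first checks that the file exists; the copy should get the same `if [ -f "$HOME/.local/etc/blocky/config.yaml" ]; then` guard so a missing config produces a log line instead of a cp error. The final `logg "/usr/lib/systemd/system is missing from the file system"` is also the only call in this hunk without a level; `logg warn '/usr/lib/systemd/system is missing from the file system'` matches the rest of the script. The `if`/`else` blocks close outside the hunk.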


@ -11,6 +11,7 @@ if command -v freshclam > /dev/null; then
ln -s /usr/local/etc/clamav/freshclam.conf "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav/freshclam.conf"
fi
fi
### Add clamd.conf
if [ -f "$HOME/.local/etc/clamav/clamd.conf" ]; then
sudo mkdir -p /usr/local/etc/clamav
@ -26,7 +27,16 @@ if command -v freshclam > /dev/null; then
# sudo chown $USER /var/log/clamav
sudo cp -f "$HOME/.local/etc/clamav/clamdscan.plist" /Library/LaunchDaemons/clamdscan.plist
sudo cp -f "$HOME/.local/etc/clamav/freshclam.plist" /Library/LaunchDaemons/freshclam.plist
if sudo launchctl list | grep 'clamav.clamdscan' > /dev/null; then
logg info 'Unloading previous ClamAV clamdscan configuration'
sudo launchctl unload /Library/LaunchDaemons/clamdscan.plist
fi
sudo launchctl load -w /Library/LaunchDaemons/clamdscan.plist
if sudo launchctl list | grep 'clamav.freshclam' > /dev/null; then
logg info 'Unloading previous ClamAV freshclam configuration'
sudo launchctl unload /Library/LaunchDaemons/freshclam.plist
fi
logg info 'Running sudo launchctl load -w /Library/LaunchDaemons/freshclam.plist'
sudo launchctl load -w /Library/LaunchDaemons/freshclam.plist
fi
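Review bot: The unload checks use `grep 'clamav.clamdscan' > /dev/null`, where the unquoted-regex dot matches any character and the redirect only imitates `-q`; `if sudo launchctl list | grep -qF 'clamav.clamdscan'; then` (and the same for freshclam) is the precise form. The `sudo launchctl load -w /Library/LaunchDaemons/clamdscan.plist` after the first `fi` is also the one launchctl call in this hunk without a preceding `logg info`, unlike the freshclam load below it. The enclosing `if command -v freshclam` block closes outside the hunk.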


@ -2,77 +2,53 @@
# @file Cloudflared Configuration
# @brief Applies cloudflared configuration, connects to Argo tunnel with managed configuration, and enables it on system start
{{- $registrationToken := "" }}
{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "cloudflared" .host.hostname)) -}}
{{- $registrationToken = (includeTemplate (print "cloudflared/" .host.hostname) | decrypt) -}}
{{- end }}
### Set up CloudFlare tunnels
if command -v cloudflared > /dev/null && [ -d "$HOME/.local/etc/cloudflared" ]; then
if command -v cloudflared > /dev/null; then
# Show warning message about ~/.cloudflared already existing
if [ -d "$HOME/.cloudflared" ]; then
logg warn '~/.cloudflared is already in the home directory - to ensure proper deployment, remove previous tunnel configuration folders'
fi
### Ensure /usr/local/etc/cloudflared exists
if [ -d /usr/local/etc/cloudflared ]; then
logg info 'Creating folder /usr/local/etc/cloudflared'
sudo mkdir -p /usr/local/etc/cloudflared
fi
# Copy over configuration files
logg info 'Ensuring /usr/local/etc/cloudflared exists' && sudo mkdir -p /usr/local/etc/cloudflared
logg info 'Copying over configuration files from ~/.local/etc/cloudflared to /usr/local/etc/cloudflared'
sudo cp -f "$HOME/.local/etc/cloudflared/cert.pem" /usr/local/etc/cloudflared/cert.pem
sudo cp -f "$HOME/.local/etc/cloudflared/config.yml" /usr/local/etc/cloudflared/config.yml
### Register tunnel (if not already registered)
if sudo cloudflared tunnel list | grep "host-{{ .host.hostname }}" > /dev/null; then
logg info 'CloudFlare tunnel is already registered'
else
logg info 'Creating a CloudFlare tunnel to this host'
sudo cloudflared tunnel create "host-{{ .host.hostname }}"
fi
### Remove previous tunnels connected to host
while read TUNNEL_ID; do
logg info "Deleteing CloudFlared tunnel ID $TUNNEL_ID"
sudo cloudflared tunnel delete "$TUNNEL_ID"
sudo rm -f "/usr/local/etc/cloudflared/${TUNNEL_ID}.json"
done< <(sudo cloudflared tunnel list | grep "host-$HOSTNAME" | sed 's/ .*//')
TUNNEL_ID="$(sudo cloudflared tunnel list | grep 'host-{{ .host.hostname }}' | sed 's/ .*//')"
### Register tunnel (if not already registered)
logg info "Creating CloudFlared tunnel named host-$HOSTNAME"
sudo cloudflared tunnel create "host-$HOSTNAME"
TUNNEL_ID="$(sudo cloudflared tunnel list | grep "host-$HOSTNAME" | sed 's/ .*//')"
logg info "Tunnel ID: $TUNNEL_ID"
if [ -f "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" ]; then
logg info 'Symlinking tunnel configuration to /usr/local/etc/cloudflared/credentials.json'
rm -f /usr/local/etc/cloudflared/credentials.json
sudo ln -s "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" /usr/local/etc/cloudflared/credentials.json
else
logg info 'Handling case where the tunnel registration is not present in /usr/local/etc/cloudflared'
{{ if eq $registrationToken "" -}}
logg warn 'Registration token is unavailable - you might have to delete the pre-existing tunnel or set up secrets properly'
{{- else -}}
logg info 'Registration token retrieved from encrypted blob stored at home/.chezmoitemplates/cloudflared/{{ .host.hostname }}'
{{ if eq (substr 0 1 $registrationToken) "{" -}}
logg info 'Registration token stored in credential file form'
echo -n '{{ $registrationToken }}' | sudo tee /usr/local/etc/cloudflared/credentials.json > /dev/null
{{ else }}
logg info 'Registration token is in token form - it will be used in conjunction with sudo cloudflared service install'
{{- end }}
{{- end }}
fi
logg info "Symlinking /usr/local/etc/cloudflared/$TUNNEL_ID.json to /usr/local/etc/cloudflared/credentials.json"
sudo rm -f /usr/local/etc/cloudflared/credentials.json
sudo ln -s /usr/local/etc/cloudflared/$TUNNEL_ID.json /usr/local/etc/cloudflared/credentials.json
### Set up service
if [ -d /Applications ] && [ -d /System ]; then
# System is macOS
### macOS
if [ -f /Library/LaunchDaemons/com.cloudflare.cloudflared.plist ]; then
logg info 'cloudflared service is already installed'
else
logg info 'Running sudo cloudflared service install'
sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }}
sudo cloudflared service install
fi
logg info 'Ensuring cloudflared service is installed'
logg info 'Ensuring cloudflared service is started'
sudo launchctl start com.cloudflare.cloudflared
elif [ -f /etc/os-release ]; then
# System is Linux
### Linux
if systemctl --all --type service | grep -q "cloudflared" > /dev/null; then
logg info 'cloudflared service is already available as a service'
else
logg info 'Running sudo cloudflared service install'
sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }}
sudo cloudflared service install
fi
logg info 'Ensuring cloudflared service is started'
sudo systemctl start cloudflared
@ -87,5 +63,5 @@ if command -v cloudflared > /dev/null && [ -d "$HOME/.local/etc/cloudflared" ];
# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/as-a-service/windows/
fi
else
logg info 'cloudflared was not installed so CloudFlare Tunnels cannot be enabled. (Or the ~/.local/etc/cloudflared folder is not present)'
logg info 'cloudflared was not installed so CloudFlare Tunnels cannot be enabled'
fi
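Review bot: The cleanup loop `done< <(sudo cloudflared tunnel list | grep "host-$HOSTNAME" | sed 's/ .*//')` deletes every tunnel whose listing merely contains `host-$HOSTNAME`, so with hostnames that are prefixes of each other (`host-web` and `host-web2`) another host's tunnel would be deleted and its credentials file removed; matching the name column exactly, `done < <(sudo cloudflared tunnel list | awk -v n="host-$HOSTNAME" '$2 == n { print $1 }')` (assuming the second column is the name), together with `while IFS= read -r TUNNEL_ID; do`, limits it to this host. The tunnel name also switches from the template value `host-{{ .host.hostname }}` to the shell variable `host-$HOSTNAME`, while the tunnel config in this same commit still derives its `tunnel:` field from `{{ .host.hostname }}`; if the two differ (short vs. fully qualified name, or `HOSTNAME` unset under a non-bash shell) the service points at a tunnel that was never created. Since the tunnel is now deleted and recreated on every run, any DNS routes bound to the previous tunnel ID presumably stop working until they are re-routed. `$TUNNEL_ID` in the `sudo ln -s` line should be quoted as well. The enclosing `if command -v cloudflared` block starts in the first hunk and closes in the second.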


@ -9,15 +9,43 @@
# variable).
if command -v docker > /dev/null; then
DOCKERHUB_TOKEN="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "DOCKERHUB_TOKEN")) }}{{- includeTemplate "secrets/DOCKERHUB_TOKEN" | decrypt | trim -}}{{ else }}{{- env "DOCKERHUB_TOKEN" -}}{{ end }}"
DOCKERHUB_USER="{{ .user.docker.username }}"
### Acquire DOCKERHUB_TOKEN
DOCKERHUB_TOKEN_FILE="${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/home/.chezmoitemplates/secrets/DOCKERHUB_TOKEN"
if [ -f "$DOCKERHUB_TOKEN_FILE" ]; then
logg info "Found DOCKERHUB_TOKEN in ${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/home/.chezmoitemplates/secrets"
if [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/age/chezmoi.txt" ]; then
logg info 'Decrypting DOCKERHUB_TOKEN token with Age encryption key'
DOCKERHUB_TOKEN="$(cat "$CLOUDFLARED_CERT" | chezmoi decrypt)"
else
logg warn 'Age encryption key is missing from ~/.config/age/chezmoi.txt'
fi
else
logg warn "DOCKERHUB_TOKEN is missing from ${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/home/.chezmoitemplates/secrets"
fi
### Acquire DOCKERHUB_USER
if [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml" ]; then
DOCKERHUB_USER="$(yq '.data.user.docker.username' ~/.config/chezmoi/chezmoi.yaml)"
else
logg info "${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml is missing which is required for populating the DOCKERHUB_USER"
fi
### Launch Docker.app
if [ -d "/Applications/Docker.app" ] || [ -d "$HOME/Applications/Docker.app" ]; then
logg info 'Ensuring Docker.app is open' && open --background -a Docker --args --accept-license --unattended
fi
### Pre-authenticate with DockerHub
if [ -n "$DOCKERHUB_TOKEN" ] && [ -n "$DOCKERHUB_USER" ]; then
logg info 'Headlessly authenticating with DockerHub registry' && echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin > /dev/null && logg success 'Successfully authenticated with DockerHub registry'
fi
fi
### Symlink on macOS
if [ -f "$HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock" ]; then
if [ -d /Applications ] && [ -d /System ]; then
if [ -f "$HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock" ]; then
logg info 'Symlinking /var/run/docker.sock to macOS Library location' && sudo ln -s "$HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock" /var/run/docker.sock
else
logg info "Skipping symlinking /var/run/docker.sock since $HOME/Library/Containers/com.docker.docker/Data/docker.raw.sock is missing"
fi
fi
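Review bot: The decrypt step reads `DOCKERHUB_TOKEN="$(cat "$CLOUDFLARED_CERT" | chezmoi decrypt)"`, but `CLOUDFLARED_CERT` is never set in this hunk (it looks like a paste from the cloudflared script), so `cat` fails on an empty path and the token stays empty; the file checked just above is the one to use, `DOCKERHUB_TOKEN="$(chezmoi decrypt "$DOCKERHUB_TOKEN_FILE")"` (or `chezmoi decrypt < "$DOCKERHUB_TOKEN_FILE"` if the installed chezmoi only reads stdin). The `yq` line then reads `~/.config/chezmoi/chezmoi.yaml` after testing `${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml`, so a non-default `XDG_CONFIG_HOME` passes the check but reads the wrong path. The `docker login` pipe should use `printf '%s' "$DOCKERHUB_TOKEN"` rather than `echo` so a token beginning with `-` is not taken as an option.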


@ -12,9 +12,13 @@
# * [NGINX Amplify documentation](https://docs.nginx.com/nginx-amplify/#)
if command -v nginx > /dev/null; then
if [ -d Applications ] && [ -d /System ]; then
logg info 'Skipping installation of NGINX Amplify because macOS is not supported'
else
logg info 'Downloading the NGINX Amplify installer script'
TMP="$(mktemp)"
curl -sSL https://github.com/nginxinc/nginx-amplify-agent/raw/master/packages/install.sh > "$TMP"
logg info 'Running the NGINX Amplify setup script'
API_KEY="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "NGINX_AMPLIFY_API_KEY")) }}{{- includeTemplate "secrets/NGINX_AMPLIFY_API_KEY" | decrypt | trim -}}{{ else }}{{- env "NGINX_AMPLIFY_API_KEY" -}}{{ end }}" sh "$TMP"
fi
fi
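Review bot: The macOS test reads `[ -d Applications ] && [ -d /System ]`, a relative path, whereas every other script in this commit uses `[ -d /Applications ]`; the relative form is only true if the current directory happens to contain an `Applications` folder, so the macOS skip effectively never triggers (whether this line is new or context is not recoverable from this page). The installer is fetched from the `master` branch of the upstream repository and executed without a pinned revision or integrity check, so the code that runs depends on whatever the branch holds at apply time; pinning a tag or commit in the URL and comparing a known digest before `sh "$TMP"` keeps that reproducible. The temporary file is also never removed after the script runs.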


@ -11,7 +11,7 @@ if command -v rkhunter > /dev/null; then
logg info 'Updating file /etc/rkhunter.conf' && sed -i "s/^#WEB_CMD.*$/WEB_CMD=curl\ -L/" /etc/rkhunter.conf
fi
export PATH="$(echo "$PATH" | sed 's/VMware Fusion.app/VMwareFusion.app/')"
export PATH="$(echo "$PATH" | sed 's/IntelliJ IDEA CE.app/IntelliJIDEACE.map/')"
export PATH="$(echo "$PATH" | sed 's/IntelliJ IDEA CE.app/IntelliJIDEACE.app/')"
sudo rkhunter --propupd || RK_PROPUPD_EXIT_CODE=$?
if [ -n "$RK_PROPUPD_EXIT_CODE" ]; then
logg error "sudo rkhunter --propupd returned non-zero exit code"
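Review bot: The two `export PATH="$(echo "$PATH" | sed ...)"` lines rewrite entries that contain spaces into names that do not exist on disk (`VMwareFusion.app`, `IntelliJIDEACE.app`), and the rewritten PATH stays exported for the rest of the script; the reason (presumably rkhunter's handling of whitespace in PATH entries) is not stated anywhere. A comment such as `# rkhunter appears to choke on whitespace in PATH entries; collapse the known offenders (the rewritten entries no longer resolve) — TODO confirm, and consider restoring PATH afterwards` would make that clear to the next reader. The `sed -i` on `/etc/rkhunter.conf` above runs without sudo, unlike the `rkhunter --propupd` call that follows. The enclosing `if command -v rkhunter` block continues outside the hunk.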


@ -3,5 +3,8 @@
# @brief Configures tfenv to use the latest version of Terraform
if command -v tfenv > /dev/null; then
logg info 'Configuring tfenv to use latest version of Terraform'
tfenv use latest
else
logg warn 'tfenv is not available in the PATH'
fi
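Review bot: `tfenv use latest` selects the latest *installed* Terraform version, so on a fresh host with nothing installed the command presumably fails unless the installed tfenv auto-installs on `use`; running `tfenv install latest` before the `use` line makes the step deterministic. Neither call's exit status is checked, so a failure is only visible in tfenv's own output.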


@ -18,6 +18,7 @@
if [ -d /Applications ] && [ -d /System ]; then
### macOS
TORRC_CONFIG_DIR=/usr/local/etc/tor
sudo mkdir -p "$TORRC_CONFIG_DIR"
else
### Linux
TORRC_CONFIG_DIR=/etc/tor
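Review bot: `sudo mkdir -p "$TORRC_CONFIG_DIR"` is added only in the macOS branch; the Linux branch sets `TORRC_CONFIG_DIR=/etc/tor` without the same guarantee, so unless the directory is created further down (outside this hunk) a later copy into it fails on a host where the tor package did not create `/etc/tor`. Moving the `sudo mkdir -p "$TORRC_CONFIG_DIR"` after the `if`/`else` so it runs for both values covers both cases with one line. The `if` block closes outside the hunk.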


@ -116,7 +116,13 @@ if command -v vmware > /dev/null; then
logg info 'VMware host modules are present'
fi
else
if [ -d /Applications ] && [ -d /System ]; then
### macOS
logg info 'System is macOS so there is no unlocker or modules that need to be enabled'
else
### Linux and VMWare not installed
logg warn 'VMware Workstation is not installed so the VMware Unlocker will not be installed'
fi
fi
# @description Only run logic if both Vagrant and VMWare are installed
@ -133,7 +139,7 @@ if command -v vagrant > /dev/null && command -v vmware-id > /dev/null; then
logg info 'Ensuring the Vagrant VMWare Utility service is enabled'
sudo vagrant-vmware-utility service install || EXIT_CODE=$?
if [ -n "$EXIT_CODE" ]; then
logg info 'The Vagrant VMWare Utility command vagrant-vmware-utility service install failed. It is probably already setup.'
logg info 'The Vagrant VMWare Utility command vagrant-vmware-utility service. If it was already set up, there should be a notice above.'
fi
fi
else
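Review bot: The new message in the second hunk, `The Vagrant VMWare Utility command vagrant-vmware-utility service. If it was already set up, there should be a notice above.`, has lost its verb and no longer says what happened; `logg warn 'sudo vagrant-vmware-utility service install returned a non-zero exit code. If the service was already set up, there should be a notice above.'` reads correctly and uses a level that matches a failed command. `EXIT_CODE` is also never cleared before `|| EXIT_CODE=$?`, so a value left over from an earlier failure in the same script would make this branch fire even when the install succeeds; `unset EXIT_CODE` before the call, or a dedicated variable name, avoids that. The enclosing `if command -v vagrant` block closes outside the hunk.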


@ -6,8 +6,11 @@ export VOLTA_HOME="${XDG_DATA_HOME:-$HOME/.local/share}/volta"
export PATH="$VOLTA_HOME/bin:$PATH"
if command -v volta > /dev/null; then
logg info 'Running volta setup'
volta setup
logg info 'Installing latest version of Node.js via Volta'
volta install node@latest
logg info 'Installing latest version of Yarn via Volta'
volta install yarn@latest
else
logg info 'Volta is not installed'


@ -12,9 +12,10 @@ if [ -d /Applications ] && [ -d /System ]; then
PKG_URL="https://packages.wazuh.com/4.x/macos/wazuh-agent-4.7.4-1.intel64.pkg"
fi
curl -sSL "$PKG_URL" > wazuh-agent.pkg
log info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'
logg info 'Setting Wazuh launch parameters in /tmp/wazuh_envs'
# https://documentation.wazuh.com/current/user-manual/agent/deployment-variables/deployment-variables-macos.html
echo "WAZUH_MANAGER='$WAZUH_MANAGER'" > /tmp/wazuh_envs
echo "WAZUH_MANAGER='$WAZUH_MANAGER' && WAZUH_REGISTRATION_SERVER='$WAZUH_MANAGER' && WAZUH_REGISTRATION_PASSWORD='WazuhRegister' && \
WAZUH_AGENT_NAME='$WAZUH_AGENT_NAME'" > /tmp/wazuh_envs
logg info 'Installing the Wazuh agent pkg'
sudo installer -pkg wazuh-agent.pkg -target /
sudo chmod 755 /Library/Ossec
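Review bot: The new `/tmp/wazuh_envs` line embeds a fixed registration password, `WAZUH_REGISTRATION_PASSWORD='WazuhRegister'`, into a script committed to the repository and writes it to a world-readable file at a predictable path; the manager and agent name are already taken from variables, so the password should come from a variable populated the same way as the other secrets in this commit (`WAZUH_REGISTRATION_PASSWORD='$WAZUH_REGISTRATION_PASSWORD'`), the file should be written under a restrictive umask (`( umask 077; echo "..." > /tmp/wazuh_envs )`) since the installer reads that fixed path, and it should be removed once `installer` has run. The agent package is downloaded with `curl -sSL "$PKG_URL" > wazuh-agent.pkg` into the current directory and installed with `sudo installer` without any integrity check of the downloaded file; comparing a known digest before `installer` would close that gap. The enclosing `if` closes outside the hunk.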


@ -22,13 +22,10 @@
# TODO - Populate Tunnelblick on macOS using the .ovpn profiles located in $HOME/.config/vpn (execpt in the `openvpn` entry of software.yml)
# along with the secrets for the protonVPN OpenVPN (check vpn-linux.tmpl)
### Backs up previous network settings to `/Library/Preferences/com.apple.networkextension.plist.old` before applying new VPN profiles
if [ -f /Library/Preferences/com.apple.networkextension.plist ] && [ ! -f "/Library/Preferences/com.apple.networkextension.plist.old" ]; then
logg info 'Backing up /Library/Preferences/com.apple.networkextension.plist to /Library/Preferences/com.apple.networkextension.plist.old'
sudo cp -f /Library/Preferences/com.apple.networkextension.plist /Library/Preferences/com.apple.networkextension.plist.old
else
logg info 'The /Library/Preferences/com.apple.networkextension.plist does not exist or is already backed up to com.apple.networkextension.plist.old'
fi
logg info 'Backing up /Library/Preferences/com.apple.networkextension.plist to /Library/Preferences/com.apple.networkextension.plist.old'
sudo cp -f /Library/Preferences/com.apple.networkextension.plist /Library/Preferences/com.apple.networkextension.plist.old
### Ensures the `/etc/wireguard` directory exists and has the lowest possible permission-level
if [ ! -d /etc/wireguard ]; then
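Review bot: With the `-f` checks removed, `sudo cp -f /Library/Preferences/com.apple.networkextension.plist /Library/Preferences/com.apple.networkextension.plist.old` now runs on every apply, so the `.old` file is overwritten with whatever state the previous run left and no longer preserves the pre-deployment settings the comment above describes; it also errors when the source plist is absent. If the intent is a one-time snapshot, `[ -f /Library/Preferences/com.apple.networkextension.plist ] && sudo cp -n /Library/Preferences/com.apple.networkextension.plist /Library/Preferences/com.apple.networkextension.plist.old` keeps the first backup (BSD `cp -n` does not clobber an existing file). The `if` on the last hunk line continues outside the hunk.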


@ -5,7 +5,7 @@ After = network.target
[Service]
Type = forking
ExecStart = /usr/bin/freshclam --daemon --checks 2
ExecStart = {{ lookPath "freshclam" }} --daemon --checks 2
Restart = on-failure
PrivateTmp = true
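Review bot: `ExecStart = {{ lookPath "freshclam" }} --daemon --checks 2` is expanded when chezmoi renders the template, not when the unit starts, so if `freshclam` is not on the rendering user's PATH at that moment `lookPath` yields an empty string and the unit becomes `ExecStart =  --daemon --checks 2`, which systemd rejects; a fallback such as `ExecStart = {{ lookPath "freshclam" | default "/usr/bin/freshclam" }} --daemon --checks 2` (the value the line replaced) keeps the unit valid. The same template-time lookup is used in the two launchd plists in this commit, where the resolved path additionally has to be reachable by the system context launchd runs the job in, not just by the user's shell.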


@ -7,7 +7,7 @@
<string>clamav.clamdscan</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/clamdscan</string>
<string> {{ lookPath "clamdscan" }}</string>
<string>/</string>
</array>
<key>StartCalendarInterval</key>
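Review bot: The replacement `<string> {{ lookPath "clamdscan" }}</string>` carries a leading space inside the string, so the first `ProgramArguments` entry becomes ` /path/to/clamdscan` rather than the bare path and launchd will not find the executable; the space before `{{` should be dropped, `<string>{{ lookPath "clamdscan" }}</string>`. The freshclam plist in this commit has the same leading space in `<string> {{ lookPath "freshclam" }}</string>`.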


@ -7,7 +7,7 @@
<string>clamav.freshclam</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/freshclam</string>
<string> {{ lookPath "freshclam" }}</string>
<string>-v</string>
</array>
<key>StartCalendarInterval</key>


@ -1,6 +1,6 @@
{{- $baseDomain := (join (join .host.hostname ".") .host.domain) -}}
{{- $baseDomain := printf "%s%s%s" .host.hostname "." .host.domain -}}
{{- if eq .host.qubes true -}}
{{- $baseDomain := (join (join .host.hostname "-qube.") .host.domain) -}}
{{- $baseDomain := printf "%s%s%s" .host.hostname "-qube." .host.domain -}}
{{- end -}}
---
tunnel: {{ if eq .host.qubes true }}qube{{ else }}host{{ end }}-{{ .host.hostname }}
@ -31,7 +31,7 @@ ingress:
- hostname: rsyslog.{{ $baseDomain }}
service: tcp://localhost:514
- hostname: netdata.{{ $baseDomain }}
service: https://localhost:19999
service: http://localhost:19999
- hostname: rundeck.{{ $baseDomain }}
service: https://localhost:4440
- hostname: portainer.{{ .host.domain }}
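Review bot: Inside the `{{- if eq .host.qubes true -}}` block, `{{- $baseDomain := printf "%s%s%s" .host.hostname "-qube." .host.domain -}}` declares a new variable scoped to that block rather than updating the one declared on the first line, so after `{{- end -}}` the qubes-specific base domain is discarded and every `ingress` hostname uses the plain `hostname.domain` form; the inner line needs assignment, `{{- $baseDomain = printf "%s%s%s" .host.hostname "-qube." .host.domain -}}`, which the Go templates chezmoi renders support. The `tunnel:` name below still derives from `{{ .host.hostname }}` while the cloudflared setup script in this commit now creates and selects the tunnel from the shell's `$HOSTNAME`; the two should come from one source so the config and the registered tunnel agree. In the second hunk, netdata moving to `http://localhost:19999` is loopback-only, which is fine as long as the cloudflared tunnel provides the external TLS.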