From 8fe5d6fccfdf2ced8c2b48fcef61b34437570e62 Mon Sep 17 00:00:00 2001
From: Brian Zalewski <59970525+ProfessorManhattan@users.noreply.github.com>
Date: Mon, 27 Nov 2023 05:34:56 +0000
Subject: [PATCH] Moved macOS stuff with system prompts earlier and fixed CloudFlare WARP rehashing issue

---
 ...n_onchange_after_03-macos-headless.sh.tmpl | 28 +++++++++++++++++++
 .../run_onchange_after_16-vnc.sh.tmpl | 6 ++--
 .../run_onchange_after_97-cloudflare.sh.tmpl | 24 +++++++++-------
 3 files changed, 46 insertions(+), 12 deletions(-)
 create mode 100644 home/.chezmoiscripts/universal/run_onchange_after_03-macos-headless.sh.tmpl

diff --git a/home/.chezmoiscripts/universal/run_onchange_after_03-macos-headless.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_03-macos-headless.sh.tmpl
new file mode 100644
index 00000000..c4239d3b
--- /dev/null
+++ b/home/.chezmoiscripts/universal/run_onchange_after_03-macos-headless.sh.tmpl
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# @file macOS Security Settings
+# @brief Prompts user for various security prompts as early as possible (to make headless automation more manageable)
+# @description
+# This script performs various tasks on macOS that have required manual security prompts so that the
+# user can run the installation process as headlessly as possible. This script only runs when the `HEADLESS_INSTALL` variable
+# is set. The various tasks include:
+#
+# 1. Add the `$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt` to the `System.keychain` for CloudFlare Zero Trust / WARP
+# 2. Configure system VNC service to allow connections via the `USER` with the `VNC_PASSWORD`
+
+{{ includeTemplate "universal/profile" }}
+{{ includeTemplate "universal/logg" }}
+
+if [ -n "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ] && [ -d /System ] && [ -d /Applications ]; then
+ ### Ensure certificate is installed
+ # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
+ # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
+ ### Ensure certificate installed on macOS
+ logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+
+ # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
+ # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
+ # Only enable when computer is not a corporate / work computer
+ logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+ sudo 
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+fi
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_16-vnc.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_16-vnc.sh.tmpl
index 3e436e01..f4e2f141 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_16-vnc.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_16-vnc.sh.tmpl
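Review bot: The new headless path enables Screen Sharing unattended with legacy VNC authentication (`-setvnclegacy -vnclegacy yes`) and, when neither the age-encrypted secret nor `VNC_PASSWORD` is present, falls back to the password the script's own log line announces (`{{ default "vncpass" (env "VNC_PASSWORD") }}`), so an automated install can end up listening with a guessable credential and nobody at the keyboard to notice. I would drop the default and skip the kickstart call when no password is configured, e.g. render the template into a variable and guard with `[ -n "$VNC_PW" ] || { logg warn 'VNC_PASSWORD not set; not enabling VNC'; }` ahead of `sudo .../kickstart ... -vncpw "$VNC_PW"`. The same file installs `$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt` as a system-wide trust root via `sudo security add-trusted-cert` without checking that the file exists or matches a pinned fingerprint; because the path is user-writable, compare `openssl x509 -noout -fingerprint -sha256 -in "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"` against the value published by Cloudflare before trusting it. The password is also passed in kickstart's argument list, so it is visible to other local processes for the duration of the call; kickstart offers no other input channel, but that trade-off deserves a comment on the line.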
@@ -22,8 +22,10 @@ if [ -d /Applications ] && [ -d /System ]; then
 # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
 # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
 # Only enable when computer is not a corporate / work computer
- logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+ if [ -z "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ]; then
+ logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+ fi
else
 # System is Linux
 ### VNC set-up / configuration
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_97-cloudflare.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_97-cloudflare.sh.tmpl
index 699aa51f..5e186a6f 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_97-cloudflare.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_97-cloudflare.sh.tmpl
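Review bot: With the new guard, a run where `SSH_CONNECTION` is set falls straight through the `if [ -z "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ]` test with no log output at all, so the user never learns why Screen Sharing was not enabled, whereas the cloudflare script in this same commit emits a `logg warn` for the SSH case. Add an `else` arm before the new `fi`, e.g. `else logg warn 'Skipping macOS VNC kickstart: requires a local interactive session (SSH_CONNECTION is set) or is handled by the headless script'`. It would also help to say in a comment on the new `if` line that the `HEADLESS_INSTALL` case now lives in `run_onchange_after_03-macos-headless.sh.tmpl`, since nothing in this file points there. The enclosing `if [ -d /Applications ] && [ -d /System ]` block begins before the hunk.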
@@ -105,27 +105,31 @@ fi
 # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
 if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
 ### Ensure certificate installed on macOS
- if [ ! -n "$SSH_CONNECTION" ]; then
- logg info 'Requesting security authorization for Cloudflare trusted certificate'
- sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ if [ -z "$SSH_CONNECTION" ]; then
+ if [ -z "$HEADLESS_INSTALL" ]; then
+ logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+ fi
 logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate'
 echo | sudo tee -a /etc/ssl/cert.pem < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null
 echo "" | sudo tee -a /etc/ssl/cert.pem
 else
 logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'
fi
- if [ -d "/usr/local/etc/openssl@3/certs" ]; then
+ if [ -f "/usr/local/opt/openssl@3/bin/c_rehash" ]; then
 # Location on Intel macOS
+ logg info 'Ensuring /usr/local/etc/openssl@3/certs directory exists' && mkdir -p /usr/local/etc/openssl@3/certs
 logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem'
 echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem
 logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash'
 /usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
- elif [ -d "/opt/homebrew/etc/openssl@3/certs" ]; then
- # Location on arm64 macOS
- logg info 'Adding Cloudflare certificate to /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem'
- echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem
- logg info 'Running /opt/homebrew/opt/openssl@3/bin/c_rehash'
- /opt/homebrew/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
+ elif [ -f "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" ]; then
+ # Location on arm64 macOS and custom Homebrew locations
+ logg info "Ensuring ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs directory exists" && mkdir -p "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs"
+ logg info "Adding Cloudflare certificate to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
+ echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
+ logg info "Running ${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash"
+ "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" > /dev/null && logg success 'OpenSSL certificate rehash successful'
 else
 logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and 
/opt/homebrew/etc/openssl@3/certs do not exist!'
 fi
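Review bot: The rewritten Homebrew branches still write the certificate with `echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> .../Cloudflare_CA.pem`, where `sudo` elevates only `cat` while the `>>` redirection (like the new `mkdir -p` on the line above it) runs as the unprivileged user, and every time this run_onchange script is re-triggered another copy is appended to the same file. Because the destination is a per-certificate file, a plain `cp "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"` (and its `/usr/local` twin) is idempotent and needs no sudo; the `tee -a /etc/ssl/cert.pem` lines above have the same duplication problem and want a presence check (grep for the PEM's subject or compare fingerprints) before appending. The final `logg warn` still reports that `/usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist`, but the new conditions test for the `c_rehash` binaries under `/usr/local/opt/openssl@3` and `${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3`, so the message should say that `openssl@3` (c_rehash) was not found under either prefix. Nothing verifies that the source PEM exists: with `echo |` feeding `cat -`, a missing file still appends a blank line and the branch carries on to `c_rehash`, so an `[ -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" ] || { logg warn '...'; }` guard at the top of the block is worth adding. The enclosing `if [ -d /System ] && [ -d /Applications ] && command -v warp-cli` block is closed after the hunk.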