Moved macOS stuff with system prompts earlier and fixed CloudFlare WARP rehashing issue
parent
8c466aba77
commit
8fe5d6fccf
3 changed files with 46 additions and 12 deletions
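--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_file1
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# @file macOS Security Settings
+# @brief Prompts user for various security prompts as early as possible (to make headless automation more manageable)
+# @description
+# This script performs various tasks on macOS that have required manual security prompts so that the
+# user can run the installation process as headlessly as possible. This script only runs when the `HEADLESS_INSTALL` variable
+# is set. The various tasks include:
+#
+# 1. Add the `$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt` to the `System.keychain` for CloudFlare Zero Trust / WARP
+# 2. Configure system VNC service to allow connections via the `USER` with the `VNC_PASSWORD`
+
+{{ includeTemplate "universal/profile" }}
+{{ includeTemplate "universal/logg" }}
+
+if [ -n "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ] && [ -d /System ] && [ -d /Applications ]; then
+### Ensure certificate is installed
+# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
+# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
+### Ensure certificate installed on macOS
+logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+
+# Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
+# To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
+# Only enable when computer is not a corporate / work computer
+logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+fi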
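Review bot: The `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ...` line installs a system-wide trusted root without first checking that the certificate file is present, and its exit status is not checked, so a missing or wrong file produces only a stray error while the script carries on as if trust had been granted; guard it with `[ -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ] || { logg warn 'Cloudflare_CA.crt not found, skipping trust install'; }` and log on failure. The kickstart line then enables legacy VNC with `-privs -all` and, when neither the encrypted secret nor `VNC_PASSWORD` is available, the documented fallback `vncpass`; for a headless path that nobody is watching it would be safer to fail with a log message than to enable remote control with a well-known password. The password is also passed via `-vncpw` on the command line, so it is briefly visible in the process list to any local user; that is a limitation of kickstart worth stating in the header comment next to item 2. The comment "Only enable when computer is not a corporate / work computer" has no corresponding check in the condition on the `if` line, so either drop it or add the variable it refers to.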
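--- a/PATH_NOT_SHOWN_ON_PAGE_file2
+++ b/PATH_NOT_SHOWN_ON_PAGE_file2
@@ -22,8 +22,10 @@ if [ -d /Applications ] && [ -d /System ]; then
 # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
 # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
 # Only enable when computer is not a corporate / work computer
-logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
-sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+if [ -z "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ]; then
+logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
+sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
+fi
 else
 # System is Linux
 ### VNC set-up / configuration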
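Review bot: The new `if [ -z "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ]; then` has no `else`, so a headless or SSH run skips the VNC kickstart silently, whereas the certificate block elsewhere in this commit logs a warn when it bypasses a step; add `else` / `logg info 'Skipping VNC kickstart (HEADLESS_INSTALL set or SSH session); handled by the early macOS security script when headless'` before the closing `fi` so the skip is visible in logs. The kickstart command itself is now duplicated byte-for-byte with the new headless script, including the `-vncpw` template that decrypts the secret, so any later hardening (for example dropping `-vnclegacy yes` or the `vncpass` fallback) has to be made in two places; moving the command into a shared chezmoi template would keep them in sync. The enclosing `if [ -d /Applications ] && [ -d /System ]` starts outside the hunk.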
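--- a/PATH_NOT_SHOWN_ON_PAGE_file3
+++ b/PATH_NOT_SHOWN_ON_PAGE_file3
@@ -105,27 +105,31 @@ fi
 # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
 if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
 ### Ensure certificate installed on macOS
-if [ ! -n "$SSH_CONNECTION" ]; then
-logg info 'Requesting security authorization for Cloudflare trusted certificate'
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+if [ -z "$SSH_CONNECTION" ]; then
+if [ -z "$HEADLESS_INSTALL" ]; then
+logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
+fi
 logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate'
 echo | sudo tee -a /etc/ssl/cert.pem < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null
 echo "" | sudo tee -a /etc/ssl/cert.pem
 else
 logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'
 fi
-if [ -d "/usr/local/etc/openssl@3/certs" ]; then
+if [ -f "/usr/local/opt/openssl@3/bin/c_rehash" ]; then
 # Location on Intel macOS
+logg info 'Ensuring /usr/local/etc/openssl@3/certs directory exists' && mkdir -p /usr/local/etc/openssl@3/certs
 logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem'
 echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem
 logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash'
 /usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
-elif [ -d "/opt/homebrew/etc/openssl@3/certs" ]; then
-# Location on arm64 macOS
-logg info 'Adding Cloudflare certificate to /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem'
-echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem
-logg info 'Running /opt/homebrew/opt/openssl@3/bin/c_rehash'
-/opt/homebrew/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
+elif [ -f "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" ]; then
+# Location on arm64 macOS and custom Homebrew locations
+logg info "Ensuring ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs directory exists" && mkdir -p "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs"
+logg info "Adding Cloudflare certificate to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
+echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
+logg info "Running ${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash"
+"${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" > /dev/null && logg success 'OpenSSL certificate rehash successful'
 else
 logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!'
 fi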
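Review bot: The branch conditions now test for the `c_rehash` binaries (`/usr/local/opt/openssl@3/bin/c_rehash` and `${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash`) and create the certs directories with `mkdir -p`, but the trailing `else` still says `Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!`, which is no longer the reason the branch is reached; change it to `logg warn 'Unable to add Cloudflare_CA.pem because no openssl@3 c_rehash was found under /usr/local/opt or ${HOMEBREW_PREFIX:-/opt/homebrew}/opt'`. Each run also appends another copy of the certificate to `Cloudflare_CA.pem` (and to `/etc/ssl/cert.pem`) via `>>` and `tee -a` with no existence check, so re-running the script grows the bundle with duplicate entries; a `[ -f <target> ] ||` guard in front of the append would make the new `mkdir -p` + append sequence idempotent. Note too that in `echo | sudo cat - ... >> target` the redirection is performed by the unprivileged shell, so `sudo` here grants nothing; that only works because the Homebrew prefix is user-writable, which is presumably the intent given the unprivileged `mkdir -p`.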