Moved macOS stuff with system prompts earlier and fixed CloudFlare WARP rehashing issue

This commit is contained in:
Brian Zalewski 2023-11-27 05:34:56 +00:00
parent 8c466aba77
commit 8fe5d6fccf
3 changed files with 46 additions and 12 deletions

View file

@ -0,0 +1,28 @@
#!/usr/bin/env bash
# @file macOS Security Settings
# @brief Prompts user for various security prompts as early as possible (to make headless automation more manageable)
# @description
# This script performs various tasks on macOS that have required manual security prompts so that the
# user can run the installation process as headlessly as possible. This script only runs when the `HEADLESS_INSTALL` variable
# is set. The various tasks include:
#
# 1. Add the `$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt` to the `System.keychain` for CloudFlare Zero Trust / WARP
# 2. Configure system VNC service to allow connections via the `USER` with the `VNC_PASSWORD`
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
if [ -n "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ] && [ -d /System ] && [ -d /Applications ]; then
### Ensure certificate is installed
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
### Ensure certificate installed on macOS
logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
# Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
# To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
# Only enable when computer is not a corporate / work computer
logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
fi

View file

@ -22,8 +22,10 @@ if [ -d /Applications ] && [ -d /System ]; then
# Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
# To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
# Only enable when computer is not a corporate / work computer
logg info 'Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
if [ -z "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ]; then
logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
fi
else
# System is Linux
### VNC set-up / configuration

View file

@ -105,27 +105,31 @@ fi
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
### Ensure certificate installed on macOS
if [ ! -n "$SSH_CONNECTION" ]; then
logg info 'Requesting security authorization for Cloudflare trusted certificate'
if [ -z "$SSH_CONNECTION" ]; then
if [ -z "$HEADLESS_INSTALL" ]; then
logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
fi
logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate'
echo | sudo tee -a /etc/ssl/cert.pem < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null
echo "" | sudo tee -a /etc/ssl/cert.pem
else
logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'
fi
if [ -d "/usr/local/etc/openssl@3/certs" ]; then
if [ -f "/usr/local/opt/openssl@3/bin/c_rehash" ]; then
# Location on Intel macOS
logg info 'Ensuring /usr/local/etc/openssl@3/certs directory exists' && mkdir -p /usr/local/etc/openssl@3/certs
logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem'
echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem
logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash'
/usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
elif [ -d "/opt/homebrew/etc/openssl@3/certs" ]; then
# Location on arm64 macOS
logg info 'Adding Cloudflare certificate to /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem'
echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem
logg info 'Running /opt/homebrew/opt/openssl@3/bin/c_rehash'
/opt/homebrew/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful'
elif [ -f "${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" ]; then
# Location on arm64 macOS and custom Homebrew locations
logg info "Ensuring ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs directory exists" && mkdir -p "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs"
logg info "Adding Cloudflare certificate to ${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/openssl@3/certs/Cloudflare_CA.pem"
logg info "Running ${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash"
"${HOMEBREW_PREFIX:-/opt/homebrew}/opt/openssl@3/bin/c_rehash" > /dev/null && logg success 'OpenSSL certificate rehash successful'
else
logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!'
fi