diff --git a/home/.chezmoiexternal.toml.tmpl b/home/.chezmoiexternal.toml.tmpl index 8227441b..bf715e25 100644 --- a/home/.chezmoiexternal.toml.tmpl +++ b/home/.chezmoiexternal.toml.tmpl @@ -18,6 +18,14 @@ clone.args = ["--branch", "release", "--depth", "1"] pull.args = ["--ff-only"] +### CloudFlare WARP Certificates +[".local/share/warp/Cloudflare_CA.crt"] + type = "file" + url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt" +[".local/share/warp/Cloudflare_CA.pem"] + type = "file" + url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem" + ### Betelgeuse Theme [".local/src/betelgeuse"] type = "git-repo" diff --git a/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl b/home/.chezmoiscripts/disabled/run_onchange_after_14-warp.tmpl similarity index 100% rename from home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl rename to home/.chezmoiscripts/disabled/run_onchange_after_14-warp.tmpl diff --git a/home/.chezmoiscripts/universal/run_onchange_before_14-warp.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_before_14-warp.sh.tmpl index fcf6f044..c8316de7 100644 --- a/home/.chezmoiscripts/universal/run_onchange_before_14-warp.sh.tmpl +++ b/home/.chezmoiscripts/universal/run_onchange_before_14-warp.sh.tmpl 
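Review bot: The two new `file` externals download `Cloudflare_CA.crt` and `Cloudflare_CA.pem` with no integrity pin, and the script changed later in this commit installs the `.crt` into the macOS System keychain with `-r trustRoot`. Whatever that URL serves at apply time therefore becomes a trusted root CA on the machine, and a changed or substituted file would go unnoticed. chezmoi externals accept a checksum, so each entry should carry one, e.g. `checksum.sha256 = "<sha256 of the vetted Cloudflare_CA.crt>"` (placeholder; the digest is not on this page). The digest should be taken from a copy whose fingerprint was compared out of band with the one Cloudflare publishes.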
@@ -1,34 +1,120 @@ -{{- if (eq .host.distro.family "linux") -}} +{{- if (ne .host.distro.family "windows") -}} #!/usr/bin/env bash -# @file CloudFlare WARP Repository -# @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems +# @file CloudFlare WARP +# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP. # @description -# This script adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems. It currently does not support adding -# repositories for other systems because they are not provided by CloudFlare. +# This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked. +# Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat +# systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren. +# +# ## MDM Configuration +# +# If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare +# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following two secrets: +# +# 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/). +# 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token. +# +# The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets). 
+# +# ## Headless CloudFlare WARP Connection +# +# Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP +# network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script +# finishes by connecting to CloudFlare Teams. +# +# ## Notes +# +# According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/), +# on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage +# an MDM SaaS provider like JumpCloud. +# +# ## Links +# +# * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl) +# * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl) {{ includeTemplate "universal/logg-before" }} -if [ '{{ .host.distro.id }}' = 'debian' ]; then - ### Add CloudFlare WARP desktop app apt-get source - if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then - logg info 'Adding CloudFlare WARP keyring' - curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg +### Install CloudFlare WARP (on non-WSL *nix systems) +if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then + if [ -d /System ] && [ -d /Applications ]; then + ### Install on macOS + brew install --cask cloudflare-warp + elif [ '{{ .host.distro.id }}' = 'debian' ]; then + ### Add CloudFlare WARP desktop app apt-get source + if [ ! 
-f /etc/apt/sources.list.d/cloudflare-client.list ]; then + logg info 'Adding CloudFlare WARP keyring' + curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg + logg info 'Adding apt source reference' + echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list + fi - logg info 'Adding apt source reference' - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list + ### Update apt-get and install the CloudFlare WARP CLI + sudo apt-get update && sudo apt-get install -y cloudflare-warp + elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then + ### Add CloudFlare WARP desktop app apt-get source + if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then + logg info 'Adding CloudFlare WARP keyring' + curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg + logg info 'Adding apt source reference' + echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list + fi - sudo apt-get update - fi -elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then - ### Add CloudFlare WARP desktop app apt-get source - if [ ! 
-f /etc/apt/sources.list.d/cloudflare-client.list ]; then - logg info 'Adding CloudFlare WARP keyring' - curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg - - logg info 'Adding apt source reference' - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list - - sudo apt-get update + ### Update apt-get and install the CloudFlare WARP CLI + sudo apt-get update && sudo apt-get install -y cloudflare-warp + elif command -v dnf > /dev/null && command -v rpm > /dev/null; then + ### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency + sudo dnf instal -y nss-tools + ### According to the download site, this is the only version available for RedHat-based systems + sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm fi fi + + +### Ensure certificate is installed +### TODO: Ensure duplicate certificates are not stored in these files below +# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt +# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem +if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then + ### Ensure certificate installed on macOS + sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" + if [ -f /usr/local/etc/ca-certificates/cert.pem ]; then + echo | sudo cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> /usr/local/etc/ca-certificates/cert.pem + else + logg error 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/ca-certificates/cert.pem` does not exist!' 
&& exit 1 + fi +fi + +if command -v warp-cli > /dev/null; then + ### Ensure MDM settings are applied (deletes after reboot on macOS) + ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences` + # Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/ + # Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig + if [ -d /System ] && [ -d /Applications ]; then + sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist' + sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist' + elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then + sudo mkdir -p /var/lib/cloudflare-warp + sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml + fi + + ### Register CloudFlare WARP + if warp-cli --accept-tos status | grep 'Registration missing' > /dev/null; then + logg info 'Registering CloudFlare WARP' + warp-cli --accept-tos register + else + logg info 'Already registered with CloudFlare WARP' + fi + + ### Connect CloudFlare WARP + if warp-cli --accept-tos status | grep 'Disconnected' > /dev/null; then + logg info 'Connecting to CloudFlare WARP' + warp-cli --accept-tos connect + else + logg info 'Already connected to CloudFlare WARP' + fi +else + logg warn '`warp-cli` was not installed so CloudFlare Zero Trust cannot be joined' +fi {{ end -}} diff --git a/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_ID b/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_ID new file mode 100644 index 00000000..fafd62b3 --- /dev/null +++ b/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_ID 
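Review bot: The WSL guard `[[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]` is always true, because grep's output is redirected away and the command substitution is always empty, so the install branch also runs under WSL. Test the exit status instead, e.g. `if ! grep -qi microsoft /proc/version 2> /dev/null; then`. In the dnf branch, `sudo dnf instal -y nss-tools` misspells `install`, so `nss-tools` is never installed. In the macOS certificate block, `echo | sudo cat - … >> /usr/local/etc/ca-certificates/cert.pem` performs the append in the unprivileged shell (sudo covers only `cat`) and appends again on every run. Piping into `sudo tee -a /usr/local/etc/ca-certificates/cert.pem > /dev/null` behind a `grep -qF` presence check would fix both. The `security add-trusted-cert -d -r trustRoot` call and the `curl … | sudo gpg --dearmor` keyring step both trust what they downloaded without comparing it to a pinned fingerprint, which is worth adding before either is written to a system trust store.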
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bFM5VUFoTDlxb2NjV2RV
+d0UvM2pPYWZMeDRZeDZKYmZ3YlhwNlBsYlRvCmVTcEVzUndwSG1lQ3pKTFpxZ1Bs
+NGtXcksrNnRmR1UxOXR2UGpiNHplOHcKLS0tIFBEZHBibnEzSnBxTUlxcHdQQmhT
+MlUyZnRHWHY5UE43OXV1cFJjUnJGRHcK9s3V7BN+uHHJt8ekqFpP0XYaa+WwanmW
+qQ7rr6AB5ZT7z8y9vpQNK+mzuB49zL87AiNspAacKP/RtKNUPmdEzpY=
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_SECRET b/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_SECRET
new file mode 100644
index 00000000..63648b7f
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/CLOUDFLARE_R2_SECRET
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdjhHNWJEMlJjNTlCUmJv
+RzRvUzRhUmR6OWpxWTVudDJ0NnVqbklqQmlrClhyNWpSZEZ1SHpEU0FROWZFYzlL
+RmhEbmJ1ZWJtS2xjNmRsaVhZb3ExK0UKLS0tIE90dzZ5T0liQitNV0hQTHNmcFlj
+eEdKZWdvK0NOdU1PK3I1NGxmTEVtQWsKJWhE2Q5wCLtvy7ZrrPwNvceLWEp7rV9I
+YEVpLY6lWuHWIbg6h8GkwlrbP/e3evFpZ7T9eLmhsMIfYm7hPtYV3BkASNqpWRh/
+o94FfrDqtg7Nu1/pZO8o/dt7QnVh0lMPYw==
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_ID b/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_ID
new file mode 100644
index 00000000..818c403d
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_ID
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzV0lySnFOemZKdGo4ZEdB
+a1lRMVJJZWorU1RaL2M4M25pSTl4UHlKUFYwClhJOU54bkNmTXcvcFZWVVVCTDhv
+T0ZJSHVwcUhKZVVDVmdrSGZ6K0dwV3MKLS0tIFRTQ3BEeFFjL1BCVWMxS1RIR28y
+WEhlblBmUWJYeDhIS1FJYXY1OEVQdmcKSAKdvbqBpY3s4oYUuiTDBT5K4Fpeo3bi
+LsjWK64f48oGfxoNmsdXXVbu82jO8TmecwNgUOoLC1UQxy/xkymMPosOse8nIwhx
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET b/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET
new file mode 100644
index 00000000..ff6f2157
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbnREOXUxazRlWDZtM0lm
+ZVc2UnlPVFlGM1N6czFnTDYzWmQ4YldqTmhrCnI3U2FLUytDamZDZ0dTT0V2M3ds
+VGNFbTVLRDZteTErMFpaUlpqakp4T1UKLS0tIGErNkowbFBkWldjNHdhNnVjdGM4
+REhXUW5Md21JSkhSMWxVN08rZFNGYjQKDuim4gInqRt4jagEQjo6+rtQ0Esrtkg5
+nVo8R3P0gCd7r8BbYxmVy+ez9bVVetJcyr7m0rpderOVb9fy/AGRQT0ccD8KQ76N
+ytpGa+AsMH/T8ExjRTgxKF1I2RF9yG29ig==
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-cloudflare-r2-id b/home/.chezmoitemplates/secrets/key-cloudflare-r2-id
deleted file mode 100644
index 772fbb89..00000000
--- a/home/.chezmoitemplates/secrets/key-cloudflare-r2-id
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa0ZtTm9PbE03R1RReDJZ
-NUdueXVZSk1WY2RxMkpyM1VVL2t2ZlBobGxJCmRyWEtSYVMxU1VCL01hRXk5ODdR
-MTJPZFVYbEEzeStBT3JLRWdoNUg0Z2MKLS0tIGhHdzExOEU1NmJkNHBFUW5DbXFs
-S25MNHFGV01GYjkrYm0zVmhrVEFvd2sKQr2yI5Zlx+yEWa4igHFy2z1FpmEw6tux
-M9i/y2J+Da15jAZgndmc1iWNBVDKVfROon4S60P99djZi/trWcy0jA==
------END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret b/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret
deleted file mode 100644
index ae0c4dbb..00000000
--- a/home/.chezmoitemplates/secrets/key-cloudflare-r2-secret
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYnBRTkRVZ2hGTkZ4NUdQ
-UWZBWmFxQkFXTUhESzhaaFJWMlpQSmh5cldjCjN0c0dScXQ1d0ZoalF1WXN3VG5h
-WC9wQ0pQSmYyU29nN1YwOUNFSHgyRkEKLS0tIG5lOTRhamhySm5iN1V1d0haWFRo
-VVZaczNScHd0ZHZRWmd4TFVRQWVaZzAKqbgfmbnHB5QbO0Z1JMgjNawfAD40Hzru
-kVNSyh/zgIRlwuSzwlENDgrdGXaRjDj7jtchaWe/xPX88Ba5cFe9LC7eXJP1mU2U
-l+nk1LFKSp24PZskcLzw4rxCsLap82KV
------END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-bucket b/home/.chezmoitemplates/secrets/key-digitalocean-spaces-bucket
deleted file mode 100644
index 935bfdaf..00000000
--- a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-bucket
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0K2lrQmh2RDhjUTBId1Ew
-UWp5UGp6Uk5NeEd0UjhwaUtrZWlzempVbUVNCkM5Y3F2aUZadFdTK2V6aHJ0TWVI
-RHltdXhYNGhlV0xSVVg0MGxhMUZITlkKLS0tIEEzTGpYZU9ScStKeVhRNkowVzlv
-dG9jSWNDUzNZa0VLVDFYai9BS2VYVWcKyPT0jUzNIL1UXJfwJlq+W3BvjdJ+Nw3B
-moY5Cz1fohjmKgOfVLYS+02yN3KwMsehTchZphIseCt8Qrh/CimJOpo0z48=
------END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-key b/home/.chezmoitemplates/secrets/key-digitalocean-spaces-key
deleted file mode 100644
index feb9db81..00000000
--- a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-key
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtS1oxQktQaDZIVHVIVEl0
-YUxQNVhKbENHMG5WcHdRTys3UjFBa1JLejJrCnh2RElic0UrL0VoeFJmNDBvNzZP
-bVJKQ2sxdE1EUnBlTG9nQjcrZmJRMk0KLS0tIHRldFpoQ2tPeU1OcU9TYzJIWk1M
-UDFyVTdmY2JDN2ZEUlVWVHZIVG9adnMKIa/ISs/CRnXNct6eNcgpEPu8jfPTvRfF
-M90QY4oha2Gnu2hN5UVz9Yk60IzE2OsyUmKChA==
------END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-secret b/home/.chezmoitemplates/secrets/key-digitalocean-spaces-secret deleted file mode 100644 index 8a3df774..00000000 --- a/home/.chezmoitemplates/secrets/key-digitalocean-spaces-secret +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvN0dyS2UrUGdDU0lSeTJ6 -QUlHdFBabWNPaFNIQ0pxTE1ENThoMTRZNkNrCmtiaVJkUXZoU2ptN0xDcGk0SThQ -VWRYdVd0Y2szUGd4Y0E5bFRkY0xkR0UKLS0tIFJhbVRWSzllaldLaWVZWU0xMlNv -Y3JINkZLanFmK243UjBTOGRUVld3RUkKZgW5yOuUwwagazY4tzI4ofpKh4b9GCzW -G3tMyTR2CGBKThQgh2ibGtPMgMC2i6lSD3JuNug0B1gL1yWM8g3bhuo0b3KO6pSH -LLs3 ------END AGE ENCRYPTED FILE----- \ No newline at end of file diff --git a/home/Library/Managed Preferences/private_com.cloudflare.warp.plist.tmpl b/home/Library/Managed Preferences/private_com.cloudflare.warp.plist.tmpl new file mode 100644 index 00000000..0adcf6f3 --- /dev/null +++ b/home/Library/Managed Preferences/private_com.cloudflare.warp.plist.tmpl @@ -0,0 +1,22 @@ + + + + + enable + + onboarding + + auto_connect + 60 + organization + manhattan + service_mode + warp + support_url + https://megabyte.space + auth_client_id + {{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_ID")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_ID" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_ID" }}{{ end }} + auth_client_secret + {{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_SECRET")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_SECRET" }}{{ end }} + + diff --git a/home/dot_config/warp/private_mdm.xml.tmpl b/home/dot_config/warp/private_mdm.xml.tmpl new file mode 100644 index 00000000..4597aef5 --- /dev/null +++ b/home/dot_config/warp/private_mdm.xml.tmpl 
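Review bot: The `auth_client_id` and `auth_client_secret` values fall back to `{{ env "CLOUDFLARE_TEAMS_CLIENT_ID" }}` and `{{ env "CLOUDFLARE_TEAMS_CLIENT_SECRET" }}`, which render as empty strings when neither the encrypted file nor the variable is present. The managed configuration is then still written with `organization` set and blank service-token values. The script header says a device without these secrets should join the public WARP network, and a file in this state may not produce that (the client's handling is not visible here). Consider rendering the two keys, or the whole file, only when both values are non-empty. The Linux template `home/dot_config/warp/private_mdm.xml.tmpl` carries the same two lines, and in both files the decrypted value is inserted into XML unescaped, so a value containing `&` or `<` would yield a malformed file.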
@@ -0,0 +1,20 @@ +{{ if eq .host.distro.family "linux" -}} + + enable + + onboarding + + auto_connect + 60 + organization + manhattan + service_mode + warp + support_url + https://megabyte.space + auth_client_id + {{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_ID")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_ID" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_ID" }}{{ end }} + auth_client_secret + {{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_SECRET")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_SECRET" }}{{ end }} + +{{ end -}}