Update 15 files

- /home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl
- /home/.chezmoitemplates/secrets/key-cloudflare-r2-id
- /home/.chezmoitemplates/secrets/key-cloudflare-r2-secret
- /home/.chezmoitemplates/secrets/key-digitalocean-spaces-bucket
- /home/.chezmoitemplates/secrets/key-digitalocean-spaces-key
- /home/.chezmoitemplates/secrets/key-digitalocean-spaces-secret
- /home/.chezmoiscripts/universal/run_onchange_before_14-warp.sh.tmpl
- /home/.chezmoiscripts/disabled/run_onchange_after_14-warp.tmpl
- /home/.chezmoiexternal.toml.tmpl
- /home/dot_config/warp/private_mdm.xml.tmpl
- /home/Library/Managed Preferences/private_com.cloudflare.warp.plist.tmpl
- /home/.chezmoitemplates/secrets/CLOUDFLARE_R2_ID
- /home/.chezmoitemplates/secrets/CLOUDFLARE_R2_SECRET
- /home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_ID
- /home/.chezmoitemplates/secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET
This commit is contained in:
Brian Zalewski 2023-04-17 03:24:54 +00:00
parent 4b5750acb2
commit 95f3aa05a0
14 changed files with 190 additions and 61 deletions

View file

@ -18,6 +18,14 @@
clone.args = ["--branch", "release", "--depth", "1"]
pull.args = ["--ff-only"]
### CloudFlare WARP Certificates
[".local/share/warp/Cloudflare_CA.crt"]
type = "file"
url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt"
[".local/share/warp/Cloudflare_CA.pem"]
type = "file"
url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem"
### Betelgeuse Theme
[".local/src/betelgeuse"]
type = "git-repo"

View file

@ -1,34 +1,120 @@
{{- if (eq .host.distro.family "linux") -}}
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
# @file CloudFlare WARP Repository
# @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems
# @file CloudFlare WARP
# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP.
# @description
# This script adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems. It currently does not support adding
# repositories for other systems because they are not provided by CloudFlare.
# This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked.
# Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat
# systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren.
#
# ## MDM Configuration
#
# If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following two secrets:
#
# 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
# 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
#
# The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
#
# ## Headless CloudFlare WARP Connection
#
# Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP
# network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
# finishes by connecting to CloudFlare Teams.
#
# ## Notes
#
# According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
# on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage
# an MDM SaaS provider like JumpCloud.
#
# ## Links
#
# * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl)
# * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl)
{{ includeTemplate "universal/logg-before" }}
if [ '{{ .host.distro.id }}' = 'debian' ]; then
### Add CloudFlare WARP desktop app apt-get source
if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
logg info 'Adding CloudFlare WARP keyring'
curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
### Install CloudFlare WARP (on non-WSL *nix systems)
if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then
if [ -d /System ] && [ -d /Applications ]; then
### Install on macOS
brew install --cask cloudflare-warp
elif [ '{{ .host.distro.id }}' = 'debian' ]; then
### Add CloudFlare WARP desktop app apt-get source
if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
logg info 'Adding CloudFlare WARP keyring'
curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
logg info 'Adding apt source reference'
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
fi
logg info 'Adding apt source reference'
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
### Update apt-get and install the CloudFlare WARP CLI
sudo apt-get update && sudo apt-get install -y cloudflare-warp
elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
### Add CloudFlare WARP desktop app apt-get source
if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
logg info 'Adding CloudFlare WARP keyring'
curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
logg info 'Adding apt source reference'
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
fi
sudo apt-get update
fi
elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
### Add CloudFlare WARP desktop app apt-get source
if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
logg info 'Adding CloudFlare WARP keyring'
curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
logg info 'Adding apt source reference'
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt-get update
### Update apt-get and install the CloudFlare WARP CLI
sudo apt-get update && sudo apt-get install -y cloudflare-warp
elif command -v dnf > /dev/null && command -v rpm > /dev/null; then
### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency
sudo dnf instal -y nss-tools
### According to the download site, this is the only version available for RedHat-based systems
sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm
fi
fi
### Ensure certificate is installed
### TODO: Ensure duplicate certificates are not stored in these files below
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
### Ensure certificate installed on macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
if [ -f /usr/local/etc/ca-certificates/cert.pem ]; then
echo | sudo cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> /usr/local/etc/ca-certificates/cert.pem
else
logg error 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/ca-certificates/cert.pem` does not exist!' && exit 1
fi
fi
if command -v warp-cli > /dev/null; then
### Ensure MDM settings are applied (deletes after reboot on macOS)
### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
# Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
# Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig
if [ -d /System ] && [ -d /Applications ]; then
sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist'
sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist'
elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then
sudo mkdir -p /var/lib/cloudflare-warp
sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml
fi
### Register CloudFlare WARP
if warp-cli --accept-tos status | grep 'Registration missing' > /dev/null; then
logg info 'Registering CloudFlare WARP'
warp-cli --accept-tos register
else
logg info 'Already registered with CloudFlare WARP'
fi
### Connect CloudFlare WARP
if warp-cli --accept-tos status | grep 'Disconnected' > /dev/null; then
logg info 'Connecting to CloudFlare WARP'
warp-cli --accept-tos connect
else
logg info 'Already connected to CloudFlare WARP'
fi
else
logg warn '`warp-cli` was not installed so CloudFlare Zero Trust cannot be joined'
fi
{{ end -}}

View file

@ -0,0 +1,7 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bFM5VUFoTDlxb2NjV2RV
d0UvM2pPYWZMeDRZeDZKYmZ3YlhwNlBsYlRvCmVTcEVzUndwSG1lQ3pKTFpxZ1Bs
NGtXcksrNnRmR1UxOXR2UGpiNHplOHcKLS0tIFBEZHBibnEzSnBxTUlxcHdQQmhT
MlUyZnRHWHY5UE43OXV1cFJjUnJGRHcK9s3V7BN+uHHJt8ekqFpP0XYaa+WwanmW
qQ7rr6AB5ZT7z8y9vpQNK+mzuB49zL87AiNspAacKP/RtKNUPmdEzpY=
-----END AGE ENCRYPTED FILE-----

View file

@ -0,0 +1,8 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdjhHNWJEMlJjNTlCUmJv
RzRvUzRhUmR6OWpxWTVudDJ0NnVqbklqQmlrClhyNWpSZEZ1SHpEU0FROWZFYzlL
RmhEbmJ1ZWJtS2xjNmRsaVhZb3ExK0UKLS0tIE90dzZ5T0liQitNV0hQTHNmcFlj
eEdKZWdvK0NOdU1PK3I1NGxmTEVtQWsKJWhE2Q5wCLtvy7ZrrPwNvceLWEp7rV9I
YEVpLY6lWuHWIbg6h8GkwlrbP/e3evFpZ7T9eLmhsMIfYm7hPtYV3BkASNqpWRh/
o94FfrDqtg7Nu1/pZO8o/dt7QnVh0lMPYw==
-----END AGE ENCRYPTED FILE-----

View file

@ -0,0 +1,7 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzV0lySnFOemZKdGo4ZEdB
a1lRMVJJZWorU1RaL2M4M25pSTl4UHlKUFYwClhJOU54bkNmTXcvcFZWVVVCTDhv
T0ZJSHVwcUhKZVVDVmdrSGZ6K0dwV3MKLS0tIFRTQ3BEeFFjL1BCVWMxS1RIR28y
WEhlblBmUWJYeDhIS1FJYXY1OEVQdmcKSAKdvbqBpY3s4oYUuiTDBT5K4Fpeo3bi
LsjWK64f48oGfxoNmsdXXVbu82jO8TmecwNgUOoLC1UQxy/xkymMPosOse8nIwhx
-----END AGE ENCRYPTED FILE-----

View file

@ -0,0 +1,8 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbnREOXUxazRlWDZtM0lm
ZVc2UnlPVFlGM1N6czFnTDYzWmQ4YldqTmhrCnI3U2FLUytDamZDZ0dTT0V2M3ds
VGNFbTVLRDZteTErMFpaUlpqakp4T1UKLS0tIGErNkowbFBkWldjNHdhNnVjdGM4
REhXUW5Md21JSkhSMWxVN08rZFNGYjQKDuim4gInqRt4jagEQjo6+rtQ0Esrtkg5
nVo8R3P0gCd7r8BbYxmVy+ez9bVVetJcyr7m0rpderOVb9fy/AGRQT0ccD8KQ76N
ytpGa+AsMH/T8ExjRTgxKF1I2RF9yG29ig==
-----END AGE ENCRYPTED FILE-----

View file

@ -1,7 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa0ZtTm9PbE03R1RReDJZ
NUdueXVZSk1WY2RxMkpyM1VVL2t2ZlBobGxJCmRyWEtSYVMxU1VCL01hRXk5ODdR
MTJPZFVYbEEzeStBT3JLRWdoNUg0Z2MKLS0tIGhHdzExOEU1NmJkNHBFUW5DbXFs
S25MNHFGV01GYjkrYm0zVmhrVEFvd2sKQr2yI5Zlx+yEWa4igHFy2z1FpmEw6tux
M9i/y2J+Da15jAZgndmc1iWNBVDKVfROon4S60P99djZi/trWcy0jA==
-----END AGE ENCRYPTED FILE-----

View file

@ -1,8 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYnBRTkRVZ2hGTkZ4NUdQ
UWZBWmFxQkFXTUhESzhaaFJWMlpQSmh5cldjCjN0c0dScXQ1d0ZoalF1WXN3VG5h
WC9wQ0pQSmYyU29nN1YwOUNFSHgyRkEKLS0tIG5lOTRhamhySm5iN1V1d0haWFRo
VVZaczNScHd0ZHZRWmd4TFVRQWVaZzAKqbgfmbnHB5QbO0Z1JMgjNawfAD40Hzru
kVNSyh/zgIRlwuSzwlENDgrdGXaRjDj7jtchaWe/xPX88Ba5cFe9LC7eXJP1mU2U
l+nk1LFKSp24PZskcLzw4rxCsLap82KV
-----END AGE ENCRYPTED FILE-----

View file

@ -1,7 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0K2lrQmh2RDhjUTBId1Ew
UWp5UGp6Uk5NeEd0UjhwaUtrZWlzempVbUVNCkM5Y3F2aUZadFdTK2V6aHJ0TWVI
RHltdXhYNGhlV0xSVVg0MGxhMUZITlkKLS0tIEEzTGpYZU9ScStKeVhRNkowVzlv
dG9jSWNDUzNZa0VLVDFYai9BS2VYVWcKyPT0jUzNIL1UXJfwJlq+W3BvjdJ+Nw3B
moY5Cz1fohjmKgOfVLYS+02yN3KwMsehTchZphIseCt8Qrh/CimJOpo0z48=
-----END AGE ENCRYPTED FILE-----

View file

@ -1,7 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtS1oxQktQaDZIVHVIVEl0
YUxQNVhKbENHMG5WcHdRTys3UjFBa1JLejJrCnh2RElic0UrL0VoeFJmNDBvNzZP
bVJKQ2sxdE1EUnBlTG9nQjcrZmJRMk0KLS0tIHRldFpoQ2tPeU1OcU9TYzJIWk1M
UDFyVTdmY2JDN2ZEUlVWVHZIVG9adnMKIa/ISs/CRnXNct6eNcgpEPu8jfPTvRfF
M90QY4oha2Gnu2hN5UVz9Yk60IzE2OsyUmKChA==
-----END AGE ENCRYPTED FILE-----

View file

@ -1,8 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvN0dyS2UrUGdDU0lSeTJ6
QUlHdFBabWNPaFNIQ0pxTE1ENThoMTRZNkNrCmtiaVJkUXZoU2ptN0xDcGk0SThQ
VWRYdVd0Y2szUGd4Y0E5bFRkY0xkR0UKLS0tIFJhbVRWSzllaldLaWVZWU0xMlNv
Y3JINkZLanFmK243UjBTOGRUVld3RUkKZgW5yOuUwwagazY4tzI4ofpKh4b9GCzW
G3tMyTR2CGBKThQgh2ibGtPMgMC2i6lSD3JuNug0B1gL1yWM8g3bhuo0b3KO6pSH
LLs3
-----END AGE ENCRYPTED FILE-----

View file

@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>enable</key>
<true />
<key>onboarding</key>
<false />
<key>auto_connect</key>
<interger>60</interger>
<key>organization</key>
<string>manhattan</string>
<key>service_mode</key>
<string>warp</string>
<key>support_url</key>
<string>https://megabyte.space</string>
<key>auth_client_id</key>
<string>{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_ID")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_ID" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_ID" }}{{ end }}</string>
<key>auth_client_secret</key>
<string>{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_SECRET")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_SECRET" }}{{ end }}</string>
</dict>
</plist>

View file

@ -0,0 +1,20 @@
{{ if eq .host.distro.family "linux" -}}
<dict>
<key>enable</key>
<true />
<key>onboarding</key>
<false />
<key>auto_connect</key>
<interger>60</interger>
<key>organization</key>
<string>manhattan</string>
<key>service_mode</key>
<string>warp</string>
<key>support_url</key>
<string>https://megabyte.space</string>
<key>auth_client_id</key>
<string>{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_ID")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_ID" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_ID" }}{{ end }}</string>
<key>auth_client_secret</key>
<string>{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "CLOUDFLARE_TEAMS_CLIENT_SECRET")) }}{{ includeTemplate "secrets/CLOUDFLARE_TEAMS_CLIENT_SECRET" | decrypt }}{{ else }}{{ env "CLOUDFLARE_TEAMS_CLIENT_SECRET" }}{{ end }}</string>
</dict>
{{ end -}}