From c8aaaafe40a75fda4e17808c6eb47da6d4d5dede Mon Sep 17 00:00:00 2001
From: Brian Zalewski <59970525+ProfessorManhattan@users.noreply.github.com>
Date: Mon, 27 Nov 2023 17:07:24 +0000
Subject: [PATCH] Misc changes - added xcodeinstall routine
---
docs/TODO.md | 2 +
docs/customization/secrets.md | 3 +
docs/scripts/profile/exports.sh.tmpl.md | 2 +-
...onchange_after_12-install-packages.sh.tmpl | 7 +
.../secrets/AWS_ACCESS_KEY_ID | 7 +
.../secrets/AWS_DEFAULT_REGION | 7 +
.../secrets/AWS_SECRET_ACCESS_KEY | 7 +
home/dot_config/powershell/profile.ps1 | 1 +
home/dot_config/shell/exports.sh.tmpl | 3 +-
home/dot_config/shell/private_private.sh.tmpl | 5 +
.../clamd => dot_local/etc/clamav}/TODO.md | 0
.../etc/clamav}/clamd-freshclam.service | 0
home/dot_local/etc/clamav/clamd.conf | 800 ++++++++++++++++++
.../etc/clamav}/freshclam.conf | 0
software.yml | 137 ++-
15 files changed, 963 insertions(+), 18 deletions(-)
create mode 100644 home/.chezmoitemplates/secrets/AWS_ACCESS_KEY_ID
create mode 100644 home/.chezmoitemplates/secrets/AWS_DEFAULT_REGION
create mode 100644 home/.chezmoitemplates/secrets/AWS_SECRET_ACCESS_KEY
rename home/{dot_config/clamd => dot_local/etc/clamav}/TODO.md (100%)
rename home/{dot_config/clamd => dot_local/etc/clamav}/clamd-freshclam.service (100%)
create mode 100644 home/dot_local/etc/clamav/clamd.conf
rename home/{dot_config/clamd => dot_local/etc/clamav}/freshclam.conf (100%)
diff --git a/docs/TODO.md b/docs/TODO.md
index 3cc525f0..3b348150 100644
--- a/docs/TODO.md
+++ b/docs/TODO.md
@@ -1,6 +1,8 @@ xattr -d com.apple.quarantine rclone Create issue about setting up completions - https://github.com/rsteube/lazycomplete +Use minimum permissions / IAM for https://iosexample.com/a-command-line-tool-to-download-and-install-apples-xcode/ +https://github.com/tiiiecherle/osx_install_config/blob/master/03_homebrew_casks_and_mas/3b_homebrew_casks_and_mas_install/6_mas_appstore.sh # TODOs This page outlines various projects and tasks that we are currently working on. Creating a GitHub issue for each of these items would be overkill. diff --git a/docs/customization/secrets.md b/docs/customization/secrets.md index 93a109e1..c46093aa 100644 --- a/docs/customization/secrets.md +++ b/docs/customization/secrets.md @@ -168,6 +168,9 @@ Unless otherwise specified in the description column, all of the variables in th | `ATUIN_EMAIL` | E-mail address used for registering with [Atuin](https://atuin.sh/) | | `ATUIN_PASSWORD` | Password used for registering with [Atuin](https://atuin.sh/) | | `ATUIN_USERNAME` | Username used for registering with [Atuin](https://atuin.sh/) | +| `AWS_ACCESS_KEY_ID` | AWS access key ID (used for storing / retrieving from AWS Secret Manager which is used for headless Xcode installations / developer account authentications) | +| `AWS_DEFAULT_REGION` | Default AWS region to use when region is not passed in via commands (e.g. `us-east-1`) | +| `AWS_SECRET_ACCESS_KEY` | AWS access key secret (used in conjunction with the `AWS_ACCESS_KEY_ID`) | | `CLOUDFLARE_API_KEY` | CloudFlare administration API key. Used by CloudFlare CLI. | | `CLOUDFLARE_ACCOUNT_ID` | The CloudFlare account ID | | `CLOUDFLARE_ORIGIN_CA_KEY` | The CloudFlare origin CA key (currently unused) | diff --git a/docs/scripts/profile/exports.sh.tmpl.md b/docs/scripts/profile/exports.sh.tmpl.md index 3fbfcfc8..fe145f2f 100644 --- a/docs/scripts/profile/exports.sh.tmpl.md +++ b/docs/scripts/profile/exports.sh.tmpl.md 
@@ -171,7 +171,7 @@ export PATH="$DOCKER_CONFIG/cli-plugins:$PATH"
### Dotnet
export DOTNET_CLI_HOME="$XDG_CONFIG_HOME/dotnet"
if [ -d /Applications ] && [ -d /Library ]; then
- export DOTNET_ROOT="/usr/local/opt/dotnet/libexec"
+ export DOTNET_ROOT="${HOMEBREW_PREFIX:-/opt/homebrew}/opt/dotnet/libexec"
elif [ -d /home/linuxbrew/.linuxbrew/opt/dotnet ]; then
export DOTNET_ROOT="/home/linuxbrew/.linuxbrew/opt/dotnet/libexec"
fi
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_12-install-packages.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_12-install-packages.sh.tmpl
index 65fddc2e..cd362c74 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_12-install-packages.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_12-install-packages.sh.tmpl
@@ -43,9 +43,16 @@ if command -v install-program > /dev/null; then
env | grep JAVA
env | grep SDKMAN
env | grep ASDF
+ if ! command -v unbuffer > /dev/null; then
+ if command -v brew > /dev/null; then
+ logg info 'Ensuring expect is installed for the unbuffer command' && brew install expect
+ fi
+ fi
if command -v unbuffer > /dev/null; then
+ logg info 'Running unbuffer install-program'
unbuffer install-program {{ $softwareList }}
else
+ logg info 'Running install-program without unbuffer'
install-program {{ $softwareList }}
fi
# TODO - Figure out how to configure no logs to print to ~/.ansible.log -- should be printing to the value specified in the ansible.cfg
diff --git a/home/.chezmoitemplates/secrets/AWS_ACCESS_KEY_ID b/home/.chezmoitemplates/secrets/AWS_ACCESS_KEY_ID
new file mode 100644
index 00000000..4bf9d297
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/AWS_ACCESS_KEY_ID
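Review bot: In the install-packages hunk, `brew install expect` is the last command of the `logg info '…' && brew install expect` list, so if this script runs with `set -e` (its preamble is outside the hunk) a failed formula install aborts the whole package step for what is only a cosmetic dependency — the `else` branch three lines later already copes with `unbuffer` being absent. I would make the install explicitly best-effort, e.g. `brew install expect || logg warn 'Could not install expect; continuing without unbuffer'`, and add a short comment above the block saying that `unbuffer` is optional and only keeps `install-program` output line-buffered. Pulling an ad-hoc formula at apply time also sidesteps whatever list `install-program` consumes via `{{ $softwareList }}`; if `expect` can be declared there instead, the supply chain stays in one place. The enclosing `if command -v install-program` body starts before the hunk.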
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1M2FJL2VBSTB3Zko4OUFY
+SFQ2M2NEYmVCU01KQ2hvdkpucTFSMUV5Z2tRCnBJUzNhNS9pTE9lK3FTVlk1ZS9B
+V25QeE44NFJ4QWYvNE55bXhlN2F4WlUKLS0tIFBreThtaDNnN2lKMEk3TUpDTHhL
+WGlCU1paeitIeVFCRVpQRWdMS0Z1ZlUKpRet4slh5+Dim1wn2SvTiqQoj2BPl/Nh
+rM6TRU5POyktGI3IhIfiZP5/fJ+WpkHsHxhHlA==
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/AWS_DEFAULT_REGION b/home/.chezmoitemplates/secrets/AWS_DEFAULT_REGION
new file mode 100644
index 00000000..76cfd348
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/AWS_DEFAULT_REGION
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQmF0dEtOdlZrUzBZb0hp
+Zm9oNTlpdDJ3VFR2Rm51LzBiUTJpVFVHblJRCnZFcXRVWlMyVEpER0FUbGJSTFEv
+OUc4bzlLZUZpS1o3ZlhkMFZRZC9zY2MKLS0tIENucWs5VzNWQlM4WXVlQThnYjNo
+SzUrY1JQMnJaejJ4MlhvM3EyTXI2TEEKJO+A8U9A/OQaCKydiJZ+WtGDAaoUp7Ti
+LQE4KuHNLenVlegbuJ/MPt0=
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/.chezmoitemplates/secrets/AWS_SECRET_ACCESS_KEY b/home/.chezmoitemplates/secrets/AWS_SECRET_ACCESS_KEY
new file mode 100644
index 00000000..6c608a55
--- /dev/null
+++ b/home/.chezmoitemplates/secrets/AWS_SECRET_ACCESS_KEY
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSmtad2k1Uy95Umx5bHZy
+WjlESFJTR3IwL1RhRmVOSWg3Z2lzQXphcUd3CmFJc2FyNVlFQ3ZvQ3o3d05SZHE3
+WDcyZ2poTTllaWptVnJ4c2xZdi9VWEUKLS0tIEUwU3N4ckw5Ym9waEwwMkNITkg4
+cWNiRmM0bHBodmZrL293SS9zQ1JQbDgKA8sbyRWGPNtXb3TubeXU/j1orAN2SN6e
+37mv1r0l4nivPOfyI/CpQKJtnshn7PBVRdX7of5EP+1pWnY3a/MBlOwZnuoQbkFJ
+-----END AGE ENCRYPTED FILE-----
\ No newline at end of file
diff --git a/home/dot_config/powershell/profile.ps1 b/home/dot_config/powershell/profile.ps1
index c120318a..befe4729 100644
--- a/home/dot_config/powershell/profile.ps1
+++ b/home/dot_config/powershell/profile.ps1
@@ -30,6 +30,7 @@ Set-PSReadlineKeyHandler -Key Tab -Function MenuComplete carapace _carapace | Out-String | Invoke-Expression ### Homebrew +# TODO - Add for case where value is /opt/homebrew/bin/brew shellenv Add-Content -Path $PROFILE.CurrentUserAllHosts -Value '$(/usr/local/bin/brew shellenv) | Invoke-Expression' ### posh-git settings diff --git a/home/dot_config/shell/exports.sh.tmpl b/home/dot_config/shell/exports.sh.tmpl index 2d561a68..1a09ccd5 100644 --- a/home/dot_config/shell/exports.sh.tmpl +++ b/home/dot_config/shell/exports.sh.tmpl @@ -184,10 +184,11 @@ export PATH="$DOCKER_CONFIG/cli-plugins:$PATH" ### Dotnet export DOTNET_CLI_HOME="${XDG_CONFIG_HOME:-$HOME/.config}/dotnet" if [ -d /Applications ] && [ -d /Library ]; then - export DOTNET_ROOT="/usr/local/opt/dotnet/libexec" + export DOTNET_ROOT="${HOMEBREW_PREFIX:-/opt/homebrew}/opt/dotnet/libexec" elif [ -d /home/linuxbrew/.linuxbrew/opt/dotnet ]; then export DOTNET_ROOT="/home/linuxbrew/.linuxbrew/opt/dotnet/libexec" fi +export MONO_GAC_PREFIX="${HOMEBREW_PREFIX:-/opt/homebrew}" export PATH="$PATH:${XDG_CONFIG_HOME:-$HOME/.config}/dotnet/.dotnet/tools" ### Elastic Agent diff --git a/home/dot_config/shell/private_private.sh.tmpl b/home/dot_config/shell/private_private.sh.tmpl index 1097a26b..7636ab3a 100644 --- a/home/dot_config/shell/private_private.sh.tmpl +++ b/home/dot_config/shell/private_private.sh.tmpl 
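Review bot: In the exports.sh.tmpl hunk, the new fallback `${HOMEBREW_PREFIX:-/opt/homebrew}` silently changes behaviour on Intel Macs, where Homebrew lives under `/usr/local` — exactly the path the removed line hard-coded — so if this file is sourced before `brew shellenv` has exported `HOMEBREW_PREFIX`, `DOTNET_ROOT` now points at a directory that does not exist. The new `MONO_GAC_PREFIX` line sits outside the macOS branch and uses the same fallback, so on a Linuxbrew host without `HOMEBREW_PREFIX` set it also becomes `/opt/homebrew` rather than `/home/linuxbrew/.linuxbrew`, which the branch two lines above already knows about. Resolving the prefix once before the `if`, e.g. `: "${HOMEBREW_PREFIX:=$(brew --prefix 2>/dev/null || echo /opt/homebrew)}"`, keeps both architectures and Linuxbrew working; a directory probe (`[ -d /opt/homebrew ]`, else `/usr/local`) works too if spawning `brew` at shell start is undesirable. A one-line comment, `# HOMEBREW_PREFIX is only set once brew shellenv has run; resolve it here for early sourcing`, would make the ordering assumption explicit. The PowerShell hunk in this same line only adds a TODO about the identical Apple-silicon-vs-Intel split for `brew shellenv`.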
@@ -16,6 +16,11 @@ export ATUIN_EMAIL="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" export ATUIN_PASSWORD="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "ATUIN_PASSWORD")) }}{{ includeTemplate "secrets/ATUIN_PASSWORD" | decrypt | trim }}{{ else }}{{ env "ATUIN_PASSWORD" }}{{ end }}" export ATUIN_USERNAME="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "ATUIN_USERNAME")) }}{{ includeTemplate "secrets/ATUIN_USERNAME" | decrypt | trim }}{{ else }}{{ env "ATUIN_USERNAME" }}{{ end }}" +### AWS +export AWS_ACCESS_KEY_ID="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "AWS_ACCESS_KEY_ID")) }}{{ includeTemplate "secrets/AWS_ACCESS_KEY_ID" | decrypt | trim }}{{ else }}{{ env "AWS_ACCESS_KEY_ID" }}{{ end }}" +export AWS_SECRET_ACCESS_KEY="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "AWS_SECRET_ACCESS_KEY")) }}{{ includeTemplate "secrets/AWS_SECRET_ACCESS_KEY" | decrypt | trim }}{{ else }}{{ env "AWS_SECRET_ACCESS_KEY" }}{{ end }}" +export AWS_DEFAULT_REGION="{{ if (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "AWS_DEFAULT_REGION")) }}{{ includeTemplate "secrets/AWS_DEFAULT_REGION" | decrypt | trim }}{{ else }}{{ env "AWS_DEFAULT_REGION" }}{{ end }}" + ### Google Cloud SDK export CLOUDSDK_CORE_PROJECT="{{ .user.gcloud.coreProject }}" export GCE_SERVICE_ACCOUNT_EMAIL="{{ .user.gcloud.email }}" diff --git a/home/dot_config/clamd/TODO.md b/home/dot_local/etc/clamav/TODO.md similarity index 100% rename from home/dot_config/clamd/TODO.md rename to home/dot_local/etc/clamav/TODO.md diff --git a/home/dot_config/clamd/clamd-freshclam.service b/home/dot_local/etc/clamav/clamd-freshclam.service similarity index 100% rename from home/dot_config/clamd/clamd-freshclam.service rename to home/dot_local/etc/clamav/clamd-freshclam.service 
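Review bot: The three new `export AWS_*` lines place a long-lived IAM access key pair into the environment of every shell that sources this file, where any child process, crash handler or `env` dump can read it — the install-packages script in this same commit pipes `env` through `grep`, and everything it installs via `brew` and `install-program` runs with these variables set. Static keys are better kept in the file the AWS CLI and SDKs already read, `~/.aws/credentials` (mode 0600, rendered from the same `secrets/AWS_*` templates as a `[default]` profile), with the region in `~/.aws/config`; that confines exposure to processes that deliberately load an AWS profile and removes the need to encrypt a non-secret like `AWS_DEFAULT_REGION`. Whatever the delivery mechanism, the identity should be scoped to the Secrets Manager ARNs the Xcode-install flow reads and writes (the `docs/TODO.md` hunk in this commit already records that least-privilege IAM is still to do), and short-lived credentials via `aws sso login` or role assumption would avoid committing a static secret at all. As with the `ATUIN_*` lines above, when the encrypted template is absent the `{{ env "AWS_SECRET_ACCESS_KEY" }}` fallback bakes the apply-time environment value into the rendered profile; a comment at the top of the `### AWS` section noting that this is intentional (or dropping the fallback for the secret key) would save the next reader from guessing.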
diff --git a/home/dot_local/etc/clamav/clamd.conf b/home/dot_local/etc/clamav/clamd.conf
new file mode 100644
index 00000000..38ebd9f3
--- /dev/null
+++ b/home/dot_local/etc/clamav/clamd.conf
@@ -0,0 +1,800 @@ +## +## Example config file for the Clam AV daemon +## Please read the clamd.conf(5) manual before editing this file. +## + + +# Comment or remove the line below. + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# Default: disabled +#LogFile /tmp/clamd.log + +# By default the log file is locked for writing - the lock protects against +# running clamd multiple times (if want to run another clamd, please +# copy the configuration file, change the LogFile variable, and run +# the daemon with --config-file option). +# This option disables log file locking. +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log +# rotation (the LogRotate option) will always be enabled. +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# Default: no +#LogTime yes + +# Also log clean files. Useful in debugging but drastically increases the +# log size. +# Default: no +#LogClean yes + +# Use system logger (can work together with LogFile). +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# Default: no +#LogVerbose yes + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# Enable Prelude output. +# Default: no +#PreludeEnable yes +# +# Set the name of the analyzer used by prelude-admin. +# Default: ClamAV +#PreludeAnalyzerName ClamAV + +# Log additional information about the infected file, such as its +# size and hash, together with the virus name. 
+#ExtendedDetectionInfo yes + +# This option allows you to save a process identifier of the listening +# daemon (main thread). +# This file will be owned by root, as long as clamd was started by root. +# It is recommended that the directory where this file is stored is +# also owned by root to keep other users from tampering with it. +# Default: disabled +#PidFile /var/run/clamd.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +#TemporaryDirectory /var/tmp + +# Path to the database directory. +# Default: hardcoded (depends on installation options) +#DatabaseDirectory /var/lib/clamav + +# Only load the official signatures published by the ClamAV project. +# Default: no +#OfficialDatabaseOnly no + +# The daemon can work in local mode, network mode or both. +# Due to security reasons we recommend the local mode. + +# Path to a local socket file the daemon will listen on. +# Default: disabled (must be specified by a user) +LocalSocket /var/run/clamd.socket + +# Sets the group ownership on the unix socket. +# Default: disabled (the primary group of the user running clamd) +#LocalSocketGroup virusgroup + +# Sets the permissions on the unix socket to the specified mode. +# Default: disabled (socket is world accessible) +#LocalSocketMode 660 + +# Remove stale socket after unclean shutdown. +# Default: yes +#FixStaleSocket yes + +# TCP port address. +# Default: no +#TCPSocket 3310 + +# TCP address. +# By default we bind to INADDR_ANY, probably not wise. +# Enable the following to provide some degree of protection +# from the outside world. This option can be specified multiple +# times if you want to listen on multiple IPs. IPv6 is now supported. +# Default: no +#TCPAddr localhost + +# Maximum length the queue of pending connections may grow to. +# Default: 200 +#MaxConnectionQueueLength 30 + +# Clamd uses FTP-like protocol to receive data from remote clients. 
+# If you are using clamav-milter to balance load between remote clamd daemons +# on firewall servers you may need to tune the options below. + +# Close the connection when the data size limit is exceeded. +# The value should match your MTA's limit for a maximum attachment size. +# Default: 100M +#StreamMaxLength 25M + +# Limit port range. +# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +#MaxThreads 20 + +# Waiting for data from a client socket will timeout after this time (seconds). +# Default: 120 +#ReadTimeout 300 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 30 +#CommandReadTimeout 30 + +# This option specifies how long to wait (in milliseconds) if the send buffer +# is full. +# Keep this value low to prevent clamd hanging. +# +# Default: 500 +#SendBufTimeout 200 + +# Maximum number of queued items (including those being processed by +# MaxThreads threads). +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file +# descriptors, the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual +# max is 1024). +# +# Default: 100 +#MaxQueue 200 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +#IdleTimeout 60 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. +# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. 
+# Default: yes +#CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +#SelfCheck 600 + +# Enable non-blocking (multi-threaded/concurrent) database reloads. +# This feature will temporarily load a second scanning engine while scanning +# continues using the first engine. Once loaded, the new engine takes over. +# The old engine is removed as soon as all scans using the old engine have +# completed. +# This feature requires more RAM, so this option is provided in case users are +# willing to block scans during reload in exchange for lower RAM requirements. +# Default: yes +#ConcurrentDatabaseReload no + +# Execute a command when virus is found. In the command string %v will +# be replaced with the virus name and %f will be replaced with the file name. +# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME +# and $CLAM_VIRUSEVENT_VIRUSNAME. +# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +#User clamav + +# Stop daemon when libclamav reports out of memory condition. +#ExitOnOOM yes + +# Don't fork into background. +# Default: no +#Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +#LeaveTemporaryFiles yes + +# Record metadata about the file being scanned. +# Scan metadata is useful for file analysis purposes and for debugging scan behavior. +# The JSON metadata will be printed after the scan is complete if Debug is enabled. +# A metadata.json file will be written to the scan temp directory if LeaveTemporaryFiles is enabled. +# Default: no +#GenerateMetadataJson yes + +# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject +# any ALLMATCHSCAN command as invalid. 
+# Default: yes +#AllowAllMatchScan no + +# Detect Possibly Unwanted Applications. +# Default: no +#DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for +# the complete list of PUA categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +#ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +#IncludePUA Spy +#IncludePUA Scanner +#IncludePUA RAT + +# This option causes memory or nested map scans to dump the content to disk. +# If you turn on this option, more data is written to disk and is available +# when the LeaveTemporaryFiles option is enabled. +#ForceToDisk yes + +# This option allows you to disable the caching feature of the engine. By +# default, the engine will store an MD5 in a cache of any files that are +# not flagged as virus or that hit limits checks. Disabling the cache will +# have a negative performance impact on large scans. +# Default: no +#DisableCache yes + +# In some cases (eg. complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to detect abnormal patterns and behaviors that +# may be malicious. This option enables alerting on such heuristically +# detected potential threats. +# Default: yes +#HeuristicAlerts yes + +# Allow heuristic alerts to take precedence. +# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only +# at the end of a scan. 
If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "Heuristics.*" viruses +# differently from "real" malware. +# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +#HeuristicScanPrecedence yes + + +## +## Heuristic Alerts +## + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and alert on them with the Broken.Executable heuristic signature. +# Default: no +#AlertBrokenExecutables yes + +# With this option clamav will try to detect broken media file (JPEG, +# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature. +# Default: no +#AlertBrokenMedia yes + +# Alert on encrypted archives _and_ documents with heuristic signature +# (encrypted .zip, .7zip, .rar, .pdf). +# Default: no +#AlertEncrypted yes + +# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, +# .rar). +# Default: no +#AlertEncryptedArchive yes + +# Alert on encrypted archives with heuristic signature (encrypted .pdf). +# Default: no +#AlertEncryptedDoc yes + +# With this option enabled OLE2 files containing VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +#AlertOLE2Macros yes + +# Alert on SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. +# Default: no +#AlertPhishingSSLMismatch yes + +# Alert on cloaked URLs, even if URL isn't in database. +# This can lead to false positives. 
+# Default: no +#AlertPhishingCloak yes + +# Alert on raw DMG image files containing partition intersections +# Default: no +#AlertPartitionIntersection yes + + +## +## Executable files +## + +# PE stands for Portable Executable - it's an executable file format used +# in all 32 and 64-bit versions of Windows operating systems. This option +# allows ClamAV to perform a deeper analysis of executable files and it's also +# required for decompression of popular executable packers such as UPX, FSG, +# and Petite. If you turn off this option, the original files will still be +# scanned, but without additional processing. +# Default: yes +#ScanPE yes + +# Certain PE files contain an authenticode signature. By default, we check +# the signature chain in the PE file against a database of trusted and +# revoked certificates if the file being scanned is marked as a virus. +# If any certificate in the chain validates against any trusted root, but +# does not match any revoked certificate, the file is marked as trusted. +# If the file does match a revoked certificate, the file is marked as virus. +# The following setting completely turns off authenticode verification. +# Default: no +#DisableCertCheck yes + +# Executable and Linking Format is a standard format for UN*X executables. +# This option allows you to control the scanning of ELF files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanELF yes + + +## +## Documents +## + +# This option enables scanning of OLE2 files, such as Microsoft Office +# documents and .msi files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanOLE2 yes + +# This option enables scanning within PDF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. 
+# Default: yes +#ScanPDF yes + +# This option enables scanning within SWF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. +# Default: yes +#ScanSWF yes + +# This option enables scanning xml-based document files supported by libclamav. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanXMLDOCS yes + +# This option enables scanning of HWP3 files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanHWP3 yes + + +## +## Mail files +## + +# Enable internal e-mail scanner. +# If you turn off this option, the original files will still be scanned, but +# without parsing individual messages/attachments. +# Default: yes +#ScanMail yes + +# Scan RFC1341 messages split over many emails. +# You will need to periodically clean up $TemporaryDirectory/clamav-partial +# directory. +# WARNING: This option may open your system to a DoS attack. +# Never use it on loaded servers. +# Default: no +#ScanPartialMessages yes + +# With this option enabled ClamAV will try to detect phishing attempts by using +# HTML.Phishing and Email.Phishing NDB signatures. +# Default: yes +#PhishingSignatures no + +# With this option enabled ClamAV will try to detect phishing attempts by +# analyzing URLs found in emails using WDB and PDB signature databases. +# Default: yes +#PhishingScanURLs no + + +## +## Data Loss Prevention (DLP) +## + +# Enable the DLP module +# Default: No +#StructuredDataDetection yes + +# This option sets the lowest number of Credit Card numbers found in a file +# to generate a detect. +# Default: 3 +#StructuredMinCreditCardCount 5 + +# With this option enabled the DLP module will search for valid Credit Card +# numbers only. Debit and Private Label cards will not be searched. 
+# Default: no +#StructuredCCOnly yes + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +#StructuredSSNFormatNormal yes + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +#StructuredSSNFormatStripped yes + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +#ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# If you turn off this option, the original files will still be scanned, but +# without unpacking and additional processing. +# Default: yes +#ScanArchive yes + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of time to a scan may take. +# In this version, this field only affects the scan time of ZIP archives. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result allow scanning +# of certain files to lock up the scanning process/threads resulting in a +# Denial of Service. +# Time is in milliseconds. +# Default: 120000 +#MaxScanTime 300000 + +# This option sets the maximum amount of data to be scanned for each input +# file. Archives and other containers are recursively extracted and scanned +# up to this value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 400M +#MaxScanSize 1000M + +# Files larger than this limit won't be scanned. 
Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Technical design limitations prevent ClamAV from scanning files greater than +# 2 GB at this time. +# Default: 100M +#MaxFileSize 400M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 17 +#MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +#MaxFiles 15000 + +# Maximum size of a file to check for embedded PE. Files larger than this value +# will skip the additional analysis step. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 40M +#MaxEmbeddedPE 100M + +# Maximum size of a HTML file to normalize. HTML files larger than this value +# will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 40M +#MaxHTMLNormalize 100M + +# Maximum size of a normalized HTML file to scan. HTML files larger than this +# value after normalization will not be scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 8M +#MaxHTMLNoTags 16M + +# Maximum size of a script file to normalize. Script content larger than this +# value will not be normalized or scanned. 
+# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 20M +#MaxScriptNormalize 50M + +# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger +# than this value will skip the step to potentially reanalyze as PE. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 1M +#MaxZipTypeRcg 1M + +# This option sets the maximum number of partitions of a raw disk image to be +# scanned. +# Raw disk images with more partitions than this value will have up to +# the value number partitions scanned. Negative values are not allowed. +# Note: setting this limit too high may result in severe damage or impact +# performance. +# Default: 50 +#MaxPartitions 128 + +# This option sets the maximum number of icons within a PE to be scanned. +# PE files with more icons than this value will have up to the value number +# icons scanned. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact +# performance. +# Default: 100 +#MaxIconsPE 200 + +# This option sets the maximum recursive calls for HWP3 parsing during +# scanning. HWP3 files using more than this limit will be terminated and +# alert the user. +# Scans will be unable to scan any HWP3 attachments if the recursive limit +# is reached. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact +# performance. +# Default: 16 +#MaxRecHWP3 16 + +# This option sets the maximum calls to the PCRE match function during +# an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user +# but the scan will continue. +# For more information on match_limit, see the PCRE documentation. +# Negative values are not allowed. +# WARNING: setting this limit too high may severely impact performance. 
+# Default: 100000 +#PCREMatchLimit 20000 + +# This option sets the maximum recursive calls to the PCRE match function +# during an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user +# but the scan will continue. +# For more information on match_limit_recursion, see the PCRE documentation. +# Negative values are not allowed and values > PCREMatchLimit are superfluous. +# WARNING: setting this limit too high may severely impact performance. +# Default: 2000 +#PCRERecMatchLimit 10000 + +# This option sets the maximum filesize for which PCRE subsigs will be +# executed. Files exceeding this limit will not have PCRE subsigs executed +# unless a subsig is encompassed to a smaller buffer. +# Negative values are not allowed. +# Setting this value to zero disables the limit. +# WARNING: setting this limit too high or disabling it may severely impact +# performance. +# Default: 100M +#PCREMaxFileSize 400M + +# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or +# MaxRecursion limit will be flagged with the virus name starting with +# "Heuristics.Limits.Exceeded". +# Default: no +#AlertExceedsMax yes + +## +## On-access Scan Settings +## + +# Don't scan files larger than OnAccessMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#OnAccessMaxFileSize 10M + +# Max number of scanning threads to allocate to the OnAccess thread pool at +# startup. These threads are the ones responsible for creating a connection +# with the daemon and kicking off scanning after an event has been processed. +# To prevent clamonacc from consuming all clamd's resources keep this lower +# than clamd's max threads. +# Default: 5 +#OnAccessMaxThreads 10 + +# Max amount of time (in milliseconds) that the OnAccess client should spend +# for every connect, send, and recieve attempt when communicating with clamd +# via curl. 
+# Default: 5000 (5 seconds)
+# OnAccessCurlTimeout 10000
+
+# Toggles dynamic directory determination. Allows for recursively watching
+# include paths.
+# Default: no
+#OnAccessDisableDDD yes
+
+# Set the include paths (all files inside them will be scanned). You can have
+# multiple OnAccessIncludePath directives but each directory must be added
+# in a separate line.
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+
+# Set the exclude paths. All subdirectories are also excluded.
+# Default: disabled
+#OnAccessExcludePath /home/user
+
+# Modifies fanotify blocking behaviour when handling permission events.
+# If off, fanotify will only notify if the file scanned is a virus,
+# and not perform any blocking.
+# Default: no
+#OnAccessPrevention yes
+
+# When using prevention, if this option is turned on, any errors that occur
+# during scanning will result in the event attempt being denied. This could
+# potentially lead to unwanted system behaviour with certain configurations,
+# so the client defaults this to off and prefers allowing access events in
+# case of scan or connection error.
+# Default: no
+#OnAccessDenyOnError yes
+
+# Toggles extra scanning and notifications when a file or directory is
+# created or moved.
+# Requires the DDD system to kick-off extra scans.
+# Default: no
+#OnAccessExtraScanning yes
+
+# Set the mount point to be scanned. The mount point specified, or the mount
+# point containing the specified directory will be watched. If any directories
+# are specified, this option will preempt (disable and ignore all options
+# related to) the DDD system. This option will result in verdicts only.
+# Note that prevention is explicitly disallowed to prevent common, fatal
+# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
+# made on vital system directories)
+# It can be used multiple times.
+# Default: disabled
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+
+# With this option you can exclude the root UID (0). Processes run under
+# root with be able to access all files without triggering scans or
+# permission denied events.
+# Note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
+# root user from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: no
+#OnAccessExcludeRootUID no
+
+# With this option you can exclude specific UIDs. Processes with these UIDs
+# will be able to access all files without triggering scans or permission
+# denied events.
+# This option can be used multiple times (one per line).
+# Using a value of 0 on any line will disable this option entirely.
+# To exclude the root UID (0) please enable the OnAccessExcludeRootUID
+# option.
+# Also note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: disabled
+#OnAccessExcludeUID -1
+
+# This option allows exclusions via user names when using the on-access
+# scanning client. It can be used multiple times.
+# It has the same potential race condition limitations of the
+# OnAccessExcludeUID option.
+# Default: disabled
+#OnAccessExcludeUname clamav
+
+# Number of times the OnAccess client will retry a failed scan due to
+# connection problems (or other issues).
+# Default: 0 +#OnAccessRetryAttempts 3 + +## +## Bytecode +## + +# With this option enabled ClamAV will load bytecode from the database. +# It is highly recommended you keep this option on, otherwise you'll miss +# detections for many new viruses. +# Default: yes +#Bytecode yes + +# Set bytecode security level. +# Possible values: +# None - No security at all, meant for debugging. +# DO NOT USE THIS ON PRODUCTION SYSTEMS. +# This value is only available if clamav was built +# with --enable-debug! +# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert +# runtime safety checks for bytecode loaded from other sources. +# Paranoid - Don't trust any bytecode, insert runtime checks for all. +# Recommended: TrustSigned, because bytecode in .cvd files already has these +# checks. +# Note that by default only signed bytecode is loaded, currently you can only +# load unsigned bytecode in --enable-debug mode. +# +# Default: TrustSigned +#BytecodeSecurity TrustSigned + +# Allow loading bytecode from outside digitally signed .c[lv]d files. +# **Caution**: You should NEVER run bytecode signatures from untrusted sources. +# Doing so may result in arbitrary code execution. +# Default: no +#BytecodeUnsigned yes + +# Set bytecode timeout in milliseconds. +# +# Default: 5000 +# BytecodeTimeout 1000 \ No newline at end of file diff --git a/home/dot_config/clamd/freshclam.conf b/home/dot_local/etc/clamav/freshclam.conf similarity index 100% rename from home/dot_config/clamd/freshclam.conf rename to home/dot_local/etc/clamav/freshclam.conf diff --git a/software.yml b/software.yml index 057b9372..e0f176f4 100644 --- a/software.yml +++ b/software.yml @@ -718,6 +718,9 @@ softwarePackages: _github: https://github.com/0xERR0R/blocky _name: Blocky _service: blocky + _service:brew: + - name: blocky + sudo: true _serviceEnabled: true brew: blocky go: github.com/0xERR0R/blocky@mastergithub.com/0xERR0R/blocky@master 
@@ -730,11 +733,8 @@ softwarePackages: tart: _bin: tart _github: https://github.com/cirruslabs/tart - _when:brew:darwin: '[ $(uname -m) = "arm64" ]' _todo: Verify that this installs properly (error on arm64 macOS) - brew:darwin: - - tart - - cirruslabs/cli/gitlab-tart-executor + brew:darwin: gitlab-tart-executor web-ext: _bin: web-ext _github: https://github.com/mozilla/web-ext @@ -1898,11 +1898,30 @@ softwarePackages: _github: https://github.com/Cisco-Talos/clamav _home: https://www.clamav.net/ _name: ClamAV - _post: if [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/clamav/freshclam.conf" ]; then sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/clamav/freshclam.conf" /usr/local/etc/clamav/freshclam.conf; fi && freshclam + _post: | + # Add freshclam.conf + if [ -f "$HOME/.local/etc/clamav/freshclam.conf" ]; then + sudo mkdir -p /usr/local/etc/clamav + sudo cp -f "$HOME/.local/etc/clamav/freshclam.conf" /usr/local/etc/clamav/freshclam.conf + if [ -d "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav" ] && [ ! -f "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav/freshclam.conf" ]; then + ln -s /usr/local/etc/clamav/freshclam.conf "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav/freshclam.conf" + fi + fi + # Add clamd.conf + if [ -f "$HOME/.local/etc/clamav/clamd.conf" ]; then + sudo mkdir -p /usr/local/etc/clamav + sudo cp -f "$HOME/.local/etc/clamav/clamd.conf" /usr/local/etc/clamav/clamd.conf + if [ -d "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav" ] && [ ! -f "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav/clamd.conf" ]; then + ln -s /usr/local/etc/clamav/clamd.conf "${HOMEBREW_PREFIX:-/opt/homebrew}/etc/clamav/clamd.conf" + fi + fi + # Update database + freshclam _service:apt: clamav-freshclam _service:dnf: clamd-freshclam _service:pacman: clamav-freshclam _service:brew: clamav + _serviceEnabled: true apt: - clamav - clamdscan 
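Review bot: `brew:darwin` for the `tart` entry now installs only `gitlab-tart-executor`, while `_bin: tart` still names `tart` as the binary this entry provides; unless the executor formula pulls `tart` in as a dependency (not verifiable from here), the installed check can never be satisfied and `tart` itself is no longer installed. Keeping the two-item list `brew:darwin: [tart, cirruslabs/cli/gitlab-tart-executor]` from the removed lines, or adding a separate `tart` entry with `_bin: tart`, would restore that. The removed `_when:brew:darwin` guard also leaves the remaining `_todo` ("error on arm64 macOS") pointing at a condition that no longer gates anything — either keep the guard or update the `_todo` to say what was actually resolved.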
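Review bot: The rewritten `_post` copies `clamd.conf` and `freshclam.conf` into `/usr/local/etc/clamav` on every platform, but the same entry installs ClamAV from `apt`/`dnf`/`pacman`, whose packaged daemons (as far as I know) read `/etc/clamav`, so on Linux the copied files are presumably never loaded and the symlink branch into `${HOMEBREW_PREFIX}` is dead code; scoping this as `_post:darwin` (or copying to `/etc/clamav` when the distro directory exists) would make the deployed config actually take effect. The closing unconditional `freshclam` now also races the `clamav-freshclam`/`clamd-freshclam` service that `_serviceEnabled: true` starts, and a second freshclam instance can fail on the daemon's pid/log lock — run it only when the service is not active, or drop it and let the service do the first update. Minor: the `ln -s` calls are not `ln -sf` and are guarded by `! -f`, which is fine, but a dangling symlink left by a previous run passes `! -f` and then makes `ln` fail; `[ ! -e ]`/`[ ! -L ]` would cover that.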
@@ -2032,7 +2051,6 @@ softwarePackages: _github: https://github.com/CocoaPods/CocoaPods _home: https://cocoapods.org/ _name: cocoapods - _when:brew: test -d /usr/local/Cellar/cocoapods ansible:darwin: professormanhattan.cocoapods brew:darwin: cocoapods gem:darwin: cocoapods @@ -2934,8 +2952,8 @@ softwarePackages: _github: https://github.com/mongodb/mongo _name: MongoDB _service: mongodb - _service:brew: mongodb/brew/mongodb-community - brew: mongodb/brew/mongodb-community + _service:brew: mongodb-community + brew: mongodb-community choco: mongodb mongodb-compass: _bin: mongodb-compass @@ -3882,7 +3900,9 @@ softwarePackages: _github: null _home: null _name: Git LFS - _post: git lfs install + _post: | + sudo git lfs install --system + git lfs install ansible: professormanhattan.gitlfs brew: git-lfs scoop: git-lfs @@ -5799,7 +5819,18 @@ softwarePackages: ansible: professormanhattan.microsofttodo cask: ao snap: microsoft-todo-unofficial + hyperkit: + _deps:darwin: + - xcode + _bin: hyperkit + _github: https://github.com/moby/hyperkit + _name: HyperKit + brew:darwin: hyperkit minikube: + _deps:darwin: + - hyperkit + _deps: + - docker _bin: minikube _desc: minikube quickly sets up a local Kubernetes cluster on macOS, Linux, and Windows _docs: https://minikube.sigs.k8s.io/docs/ 
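Review bot: `brew: mongodb-community` and `_service:brew: mongodb-community` drop the `mongodb/brew/` tap qualifier, yet as far as I know `mongodb-community` only exists in that tap and not in homebrew-core, so the bare name resolves only on machines where the tap was already added and a fresh install fails with "No available formula". Either keep the fully qualified `mongodb/brew/mongodb-community` from the removed lines (it still works for `brew services`), or ensure the tap is added before this entry runs. If the change was made because the service key cannot take a slash-qualified name, note that in a `_note:` so the next reader does not "fix" it back.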
@@ -5807,13 +5838,9 @@ softwarePackages: _home: null _name: minikube # TODO - Prefer HyperV on Windows https://minikube.sigs.k8s.io/docs/drivers/hyperv/ - # TODO - Prefer HyperKit on macOS https://minikube.sigs.k8s.io/docs/drivers/hyperkit/ - _post: if command -v docker > /dev/null; then minikube config set driver docker; elif command -v VBoxManage > /dev/null; then minikube config set driver virtualbox; fi + _post: if command -v hyperkit > /dev/null; then minikube config set driver hyperkit; elif command -v docker > /dev/null; then minikube config set driver docker; elif command -v VBoxManage > /dev/null; then minikube config set driver virtualbox; fi _todo: A full installation of Xcode.app 9.0 is required. Also, hyperkit x86_64 architecture is required for this software. So automate install of Xcode.app 9.0 and add check for x86_64 prior to installing this brew: minikube - brew:darwin: - - hyperkit - - minikube choco: minikube mitmproxy: _bin: mitmproxy @@ -6271,6 +6298,9 @@ softwarePackages: _home: https://github.com/slackhq/nebula _name: nebula _service: nebula + _service:brew: + - name: nebula + sudo: true _serviceEnabled: true brew: nebula dnf: nebula @@ -7131,6 +7161,8 @@ softwarePackages: port: php scoop: php php-extensions: + _deps: + - postgresql _name: PHP Extensions _note: Needs testing apt: @@ -7154,8 +7186,6 @@ softwarePackages: - php-snmp - php-sqlite3 - php-xml - brew: - - postgresql dnf: - pcre-devel - postgresql-devel 
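Review bot: The new `_post` picks the hyperkit driver whenever a `hyperkit` binary is on PATH, while the `_todo` on the very next line says HyperKit requires x86_64; on an arm64 Mac a stale or Rosetta-installed `hyperkit` would be preferred over a working docker driver and minikube would then fail to start. Gate the branch on the architecture: `if command -v hyperkit > /dev/null && [ "$(uname -m)" = "x86_64" ]; then minikube config set driver hyperkit; elif command -v docker > /dev/null; then …`. The `hyperkit` entry added in the preceding hunk also lists `xcode` as a darwin dependency, which via the new `script:darwin` later in this file means a full Xcode download just to obtain a driver that only works on one architecture — worth an `_when:darwin: '[ "$(uname -m)" = "x86_64" ]'` on that entry too.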
@@ -7215,6 +7245,17 @@ softwarePackages: - php-snmp - php-sqlite3 - php-xml + postgresql: + _bin: postgresql + _name: PostgreSQL + _github: https://github.com/postgres/postgres + _service:brew: postgresql@14 + brew: postgresql + zypper: postgresql + pacman: postgresql + apt: postgresql + dnf: postgresql + choco: postgresql pip: _bin: pip _desc: '[pip](https://pypi.org/project/pip/) is a package-management system written in Python used to install and manage software packages. It connects to an online repository of public and paid-for private packages, called the Python Package Index.' @@ -7564,6 +7605,7 @@ softwarePackages: - protonvpn yay: protonvpn protonvpn-cli: + # TODO - Add seperate entry for openvpn (sudo brew services start openvpn) _bin: protonvpn _desc: The ProtonVPN CLI official release for Linux along with an unofficial ProtonVPN CLI for macOS _docs: null @@ -8419,6 +8461,9 @@ softwarePackages: _name: sftpgo _post: sudo mkdir -p /usr/local/etc/sftpgo && sudo cp -f "$HOME/.local/etc/sftpgo/sftpgo.json" /usr/local/etc/sftpgo/sftpgo.json && sudo sftpgo initprovider _service: sftpgo + _service:brew: + - name: sftpgo + sudo: true _serviceEnabled: true brew: sftpgo choco: sftpgo @@ -10420,6 +10465,9 @@ softwarePackages: fail2ban: _bin: fail2ban-client _service: fail2ban + _service:brew: + - name: fail2ban + sudo: true _serviceEnabled: true # fail2ban cannot be installed on Qubes Fedora 36 without messing with the qubes-firewall since firewalld is required _when:linux: echo '! command -v qubes-firewall > /dev/null && test -f /proc/version && ! grep Microsoft /proc/version > /dev/null' | bash @@ -10598,6 +10646,8 @@ softwarePackages: _name: xcpretty gem:darwin: xcpretty xcode: + _deps:script:darwin: + - xcodeinstall _bin: xcodebuild _desc: "[Xcode](https://developer.apple.com/xcode/) is Apple's integrated development environment for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS." _docs: https://developer.apple.com/documentation/xcode 
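Review bot: `_bin: postgresql` names a binary that the PostgreSQL packages do not ship — the client is `psql` and the server `postgres` — so if `_bin` is what the installer uses to detect an existing install (as `_bin: fail2ban-client` and `_bin: xcodebuild` in this same file suggest), PostgreSQL will be reinstalled on every run; `_bin: psql` would match. The Homebrew pairing is also inconsistent: `brew: postgresql` installs whatever that name currently aliases to, while `_service:brew: postgresql@14` starts a specific versioned formula, so the service can point at a formula that was never installed once the upstream alias moves. Pin both to the same name, e.g. `brew: postgresql@14` with `_service:brew: postgresql@14`.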
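Review bot: `sudo: true` makes `brew services` run SFTPGo as root, although nothing in this entry requires it: unlike `blocky` (port 53), `nebula` (tun device) and `fail2ban` (firewall), SFTPGo's default listeners are, as far as I recall, unprivileged ports, and the existing `_post` copies its configuration into `/usr/local/etc/sftpgo/sftpgo.json` from the user-writable `$HOME/.local/etc/sftpgo/`, so any process running as the user can change what a root network daemon loads and runs `sudo sftpgo initprovider` against. Unless a port below 1024 is actually bound, drop `sudo: true` and keep the daemon unprivileged; if root is genuinely needed, at least install the config with `sudo install -m 0640 -o root -g wheel` rather than `cp -f` so the user cannot rewrite it afterwards.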
@@ -10605,7 +10655,57 @@ softwarePackages: _home: https://developer.apple.com/xcode/ _name: XCode _post: sudo xcodebuild -license accept && sudo xcodebuild -runFirstLaunch + _when:darwin: '! test -d /Applications/Xcode.app' mas: 497799835 + script:darwin: | + ### Load AWS secrets + source "${XDG_CONFIG_HOME:-$HOME/.config}/shell/private.sh" + ### Setup passwordless sudo + if ! sudo cat /etc/sudoers | grep '# TEMPORARY FOR XCODEINSTALL' > /dev/null; then + if [ -n "$SUDO_PASSWORD" ]; then + printf '%s\n' "$SUDO_PASSWORD" | sudo -p "" -S echo "$(whoami) ALL=(ALL:ALL) NOPASSWD: ALL # TEMPORARY FOR XCODEINSTALL" | sudo tee -a /etc/sudoers + else + echo "$(whoami) ALL=(ALL:ALL) NOPASSWD: ALL # TEMPORARY FOR XCODEINSTALL" | sudo tee -a /etc/sudoers + fi + fi + ### Remove old files + rm -rf ~/.xcodeinstall + ### Authenticate + xcodeinstall authenticate -s "$AWS_DEFAULT_REGION" + ### Download files + while read XCODE_DOWNLOAD_ITEM; do + if [[ "$XCODE_DOWNLOAD_ITEM" != *"Command Line Tools"* ]]; then + DOWNLOAD_ID="$(echo "$XCODE_DOWNLOAD_ITEM" | sed 's/^\[\(.*\)\] .*/\1/')" + echo "$DOWNLOAD_ID" | xcodeinstall download -s "$AWS_DEFAULT_REGION" & + fi + done < <(xcodeinstall list -s "$AWS_DEFAULT_REGION" | grep --invert-match 'Release Candidate' | grep --invert-match ' beta ' | grep ' Xcode \d\d ') + wait + ### Install Xcode + xcodeinstall install --name "$(basename "$(find ~/.xcodeinstall/download -maxdepth 1 -name "*.xip")")" + ### Install Command Line Tools + # Commentted out because it is already installed by xcode-select in the provision.sh script + # xcodeinstall install --name "$(basename "$(find ~/.xcodeinstall/download -maxdepth 1 -name "*Command Line Tools*")")" + ### Install Additional Tools + while read ADDITIONAL_TOOLS; do + hdiutil attach "$ADDITIONAL_TOOLS" + rm -rf "/Applications/Additional Tools" + cp -rf "/Volumes/Additional Tools" "/Applications/Additional Tools" + hdiutil detach "$(find /Volumes -name "Additional Tools")" + done < <(find 
~/.xcodeinstall/download -name "Additional Tools*") + ### Install Font Tools + while read FONT_TOOLS; do + hdiutil attach "$FONT_TOOLS" + cd "$(find /Volumes -maxdepth 1 -name "*Font Tools*")" + sudo installer -pkg "$(find . -maxdepth 1 -name "*Font Tools*.pkg")" -target / + cd / && hdiutil detach "$(find /Volumes -maxdepth 1 -name "*Font Tools*")" + done < <(find ~/.xcodeinstall/download -name "Font Tools*") + ### Remove cache / downloaded files + rm -rf ~/.xcodeinstall + ### Remove passwordless sudo + if ! command -v gsed > /dev/null; then + brew install gnu-sed + fi + sudo gsed -i '/# TEMPORARY FOR XCODEINSTALL/d' /etc/sudoers xurls: _bin: xurls _desc: Extract urls from text @@ -10625,6 +10725,11 @@ softwarePackages: brew: yamllint pipx: yamllint _service: null + xcodeinstall: + _bin: xcodeinstall + _name: Xcode Install + _github: https://github.com/sebsto/xcodeinstall + brew: sebsto/macos/xcodeinstall sshfs: _bin: sshfs _desc: null
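Review bot: The `script:darwin` block appends `$(whoami) ALL=(ALL:ALL) NOPASSWD: ALL` straight to `/etc/sudoers` with `tee -a` and only strips it again on the last line with `gsed -i`, so any failure in between (`xcodeinstall authenticate` rejecting the credentials, no `.xip` found, an interrupted run, `set -e` in the caller) leaves the user with permanent passwordless root. The append is also unvalidated — no `visudo -c`, no guarantee `/etc/sudoers` ends with a newline — and a syntax error there disables `sudo` entirely on macOS, while the `grep` guard only checks for the marker text and therefore keeps a stale grant from an earlier aborted run instead of refreshing it. Move the grant into a `/etc/sudoers.d` drop-in written through `visudo -cf` and removed by an `EXIT` trap so it disappears on every exit path (stock macOS sudoers includes `/etc/sudoers.d`, but confirm on the target), which also removes the need to `brew install gnu-sed` just to delete one line; if `xcodeinstall install` only needs `sudo` for the pkg installer, pre-seeding the timestamp with `sudo -v` may make the grant unnecessary altogether. Smaller points in the same block: use `while IFS= read -r` in the three loops, check the backgrounded `xcodeinstall download` jobs after `wait` (their failures are currently ignored), `$(basename "$(find … -name "*.xip")")` hands a multi-line name to `xcodeinstall install` when more than one release matches, and the `grep ' Xcode \d\d '` filter relies on `\d`, which should be confirmed to work with the macOS grep.
```shell
### Load AWS secrets
source "${XDG_CONFIG_HOME:-$HOME/.config}/shell/private.sh"
### Setup passwordless sudo via a validated drop-in that an EXIT trap always removes
SUDOERS_DROPIN=/etc/sudoers.d/zz-xcodeinstall-temporary
remove_sudoers_dropin() { sudo rm -f -- "$SUDOERS_DROPIN"; }
trap remove_sudoers_dropin EXIT
if [ -n "$SUDO_PASSWORD" ]; then
  printf '%s\n' "$SUDO_PASSWORD" | sudo -p "" -S -v
fi
SUDOERS_TMP="$(mktemp)"
printf '%s ALL=(ALL:ALL) NOPASSWD: ALL # TEMPORARY FOR XCODEINSTALL\n' "$(whoami)" > "$SUDOERS_TMP"
sudo visudo -cf "$SUDOERS_TMP" && sudo install -m 0440 -o root -g wheel "$SUDOERS_TMP" "$SUDOERS_DROPIN"
rm -f -- "$SUDOERS_TMP"
# … unchanged: remove old files, authenticate, download, install Xcode / Additional Tools / Font Tools …
### Remove cache / downloaded files
rm -rf ~/.xcodeinstall
### Passwordless sudo is removed by the EXIT trap; no gnu-sed needed
```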
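Review bot: `brew: sebsto/macos/xcodeinstall` installs from a personal third-party tap with no version recorded, and the `script:darwin` block above then sources the AWS credentials from `private.sh` and hands this tool the Apple developer login via `xcodeinstall authenticate`, so a hijacked or malicious formula update would obtain both sets of secrets on the first run. Record the expected formula version (or the tap commit) in a `_note:` and verify it before the authenticate step, and give the entry a `_when:darwin: '! test -d /Applications/Xcode.app'` mirroring the `xcode` entry so the tap is only added when this install path is actually going to be used.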