This commit is contained in:
Brian Zalewski 2023-06-28 05:37:45 +00:00
parent 6102deaa33
commit df0f479f94
27 changed files with 238 additions and 125 deletions


@ -23,6 +23,10 @@ This page outlines various projects and tasks that we are currently working on.
( [Title](https://github.com/StanGirard/quivr))
* [Title](https://github.com/PromtEngineer/localGPT)
* [Title](https://github.com/reworkd/AgentGPT)
* deprecate ansible roles in softwareyml
* Create seed for Lulu
* [Title](https://github.com/essandess/macOS-Fortress)
## Upstream
The following items are things we would like to include into the Install Doctor system but are waiting on upstream changes.


@ -674,6 +674,7 @@ softwareGroups:
- obs-studio
- plex
- plex-htpc
- plex-media-server
- prezi-video
- raspberry-pi-imager
- shotcut
@ -760,6 +761,7 @@ softwareGroups:
- gixy
- mkcert
- nginx
- nginx-unit
# - maas
- ngxtop
Network-Enabled: &Network-Enabled


@ -0,0 +1,20 @@
# macOS Firewall Rules
The macOS firewall rules are derived from the configurations defined in the `etc/firewalld/services/` folder using ChatGPT.
## Example Prompt
```
convert the following FirewallD configuration to commands that can be used to configure the macOS firewall in a similar fashion. Only return a single bash script with no other text and do not enable logging or the firewall. Do not include any text other than the bash script and do not provide instructions or "Here's the bash script" text or "Please note that" text or anything other than script that can be run: <?xml version="1.0" encoding="utf-8"?>
<service>
<short>Plex</short>
<description>.</description>
<port protocol="tcp" port="32400"/> # Plex Media Server
<port protocol="udp" port="1900"/> # Plex DLNA Server
<port protocol="tcp" port="32469"/> # Plex DLNA Server
<port protocol="udp" port="32410"/> # GDM Network Discovery
<port protocol="udp" port="32412"/> # GDM Network Discovery
<port protocol="udp" port="32413"/> # GDM Network Discovery
<port protocol="udp" port="32414"/> # GDM Network Discovery
</service>
```


@ -0,0 +1,11 @@
#!/bin/bash
/usr/libexec/ApplicationFirewall/socketfilterfw --add --service "Plex" --getglobalstate
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --setglobaldescription "."
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32400 --protocol tcp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 1900 --protocol udp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32469 --protocol tcp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32410 --protocol udp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32412 --protocol udp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32413 --protocol udp
/usr/libexec/ApplicationFirewall/socketfilterfw --service "Plex" --add --port 32414 --protocol udp
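Review bot: The `--service`, `--port` and `--protocol` switches used on every line do not appear in socketfilterfw's documented usage (it understands application-level options such as `--add <path>`, `--unblockapp <path>`, `--setglobalstate`, `--setblockall`), so as far as I can tell each line will be rejected and nothing is opened; please run the script once on a Mac and check the exit status of each command before trusting it. The macOS application firewall is per-application rather than per-port, so port-level allow rules need `pf` (an anchor loaded with `pfctl`), or the Plex Media Server executable should be allowed with `socketfilterfw --add <path-to-executable>` followed by `--unblockapp <path-to-executable>`. There is also no `set -euo pipefail`, so when the installer runs this with `sudo bash` a failing line is silently skipped and the caller reports success. Because the content was produced by a language model, the header should say so: `# Generated from etc/firewalld/services/plex.xml via ChatGPT - not yet validated against socketfilterfw(8)`.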


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>CUPS</short>
<description>Network printing service</description>
<port protocol="tcp" port="631"/>
</service>
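Review bot: firewalld already ships `ipp` (631/tcp) and `ipp-client` (631/udp) service definitions, so this custom `cups` service duplicates the stock one while leaving out the 631/udp port that CUPS/Avahi printer browsing uses. If the custom file is only needed so that the `${rule.packageKey}.xml` lookup matches the package key, consider adding `<port protocol="udp" port="631"/>` so discovery works as well as printing. Opening 631/tcp to the zone also exposes the CUPS web admin interface, which normally listens on localhost only, so the description should state that this is intentional: `<description>Network printing service (exposes the CUPS web UI on 631/tcp to the zone)</description>`.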


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<description>Remote File Transfer Protocol server</description>
<port protocol="tcp" port="21"/>
<module name="nf_conntrack_ftp"/>
</service>


@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPFS Daemon API</short>
<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
<port protocol="tcp" port="5001"/>
</service>


@ -1,7 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPFS Swarm</short>
<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
<port protocol="tcp" port="4001"/>
<port protocol="udp" port="4001"/>
</service>


@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPFS Swarm Websockets</short>
<description>InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.</description>
<port protocol="tcp" port="8081"/>
</service>


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>jellyfin</short>
<description>ellyfin is the volunteer-built media solution that puts you in control of your media. Stream to any device from your own server, with no strings attached. Your media, your server, your way.</description>
<short>Jellyfin</short>
<description>Media streaming server</description>
<port protocol="tcp" port="8096"/>
<port protocol="tcp" port="8920"/>
<port protocol="udp" port="1900"/>


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Kubernetes Master</short>
<description>Ports required for a Kubernetes Master node per https://kubernetes.io/docs/setup/independent/install-kubeadm/.</description>
<port port="6443" protocol="tcp"/>
<port port="2379" protocol="tcp"/>
<port port="2380" protocol="tcp"/>
<port port="10250-10252" protocol="tcp"/>
<port port="10255" protocol="tcp"/>
</service>


@ -1,8 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Kubernetes Worker</short>
<description>Ports required for a Kubernetes Worker node per https://kubernetes.io/docs/setup/independent/install-kubeadm/.</description>
<port port="10250" protocol="tcp"/>
<port port="10255" protocol="tcp"/>
<port port="30000-32767" protocol="tcp"/>
</service>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MAAS</short>
<description>Ubuntu management software for equipment that is controlled by LPMI</description>
<port protocol="tcp" port="5240"/>
<port protocol="udp" port="5240"/>
<port protocol="tcp" port="5248"/>
<port protocol="udp" port="5248"/>
<port protocol="tcp" port="5241-5247"/>
<port protocol="udp" port="5241-5247"/>
<port protocol="tcp" port="5250-5270"/>
<port protocol="udp" port="5250-5270"/>
</service>
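Review bot: The description says "LPMI", which looks like a typo for IPMI (the BMC protocol MAAS uses for power control); suggest `<description>Ubuntu bare-metal provisioning service (MAAS region/rack controller ports)</description>` so the text is accurate. Every range is opened for both TCP and UDP, but if the MAAS port reference only lists TCP for the 5240/5248 HTTP endpoints and the 5250-5270 RPC range, the UDP entries widen the exposure without benefit — worth checking against the upstream documentation before merging. An XML comment per range (`<!-- 5240: region API and web UI -->`) would make that check easier the next time this file is touched.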


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Multicast DNS (mDNS)</short>
<description>mDNS provides the ability to use DNS programming interfaces, packet formats and operating semantics in a small network without a conventional DNS server. If you plan to use Avahi, do not disable this option.</description>
<description>DNS services without a traditional DNS server</description>
<port protocol="udp" port="5353"/>
<destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
</service>


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>NetbootXYZ</short>
<description>Boot over LAN service provider</description>
<port protocol="udp" port="69"/>
</service>
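Review bot: Only 69/udp (TFTP) is opened, but a netboot.xyz deployment normally also serves its iPXE menus and boot assets over HTTP, so clients would fetch the initial bootloader and then stall unless that port is opened by another service — please confirm which HTTP port the installed netboot.xyz variant listens on and either add it here or note where it is handled. firewalld already defines a `tftp` service, so if TFTP really is all that is needed the stock service could be referenced instead of a custom file. TFTP is unauthenticated and unencrypted, so the description should carry the caveat: `<description>Boot over LAN (PXE/TFTP) - expose only on the provisioning network</description>`.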


@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>NGINX</short>
<description>Website and application server / proxy</description>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
</service>


@ -1,8 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>OpenVPN Access Server</short>
<description>OpenVPN Access Server is a set of installation and configuration tools that come in one package that simplifies the rapid deployment of a VPN remote access solution.</description>
<port protocol="udp" port="1194"/>
<port protocol="tcp" port="9443"/>
<port protocol="tcp" port="943"/>
</service>


@ -0,0 +1,12 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Plex Media Server</short>
<description>Media management and streaming platform</description>
<port protocol="tcp" port="32400"/>
<port protocol="tcp" port="3005"/>
<port protocol="udp" port="5353"/>
<port protocol="tcp" port="8324"/>
<port protocol="udp" port="32410-32414"/>
<port protocol="udp" port="1900"/>
<port protocol="tcp" port="32469"/>
</service>
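Review bot: `<port protocol="udp" port="5353"/>` opens mDNS to every source, whereas the stock `mdns` service touched in this same commit limits 5353/udp with `<destination ipv4="224.0.0.251" ipv6="ff02::fb"/>`; a `<destination>` element applies to a whole firewalld service, so it cannot be added here without also scoping the Plex ports, and the cleaner fix is to drop the 5353 line and enable the `mdns` service alongside this one. The other ports are Plex-specific (32400 is the server itself, 3005 and 8324 are Plex Companion control, 1900 and 32469 are DLNA, 32410-32414 are GDM discovery) and deserve an `<!-- ... -->` comment each, since `#` text is not a comment in XML. Because 32400/tcp is what makes the media library reachable from the network, the description should say that it exposes the server rather than just "Media management and streaming platform".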


@ -2,11 +2,7 @@
<service>
<short>Plex</short>
<description>.</description>
<port protocol="tcp" port="32400"/> # Plex Media Server
<port protocol="udp" port="1900"/> # Plex DLNA Server
<port protocol="tcp" port="32469"/> # Plex DLNA Server
<port protocol="udp" port="32410"/> # GDM Network Discovery
<port protocol="udp" port="32412"/> # GDM Network Discovery
<port protocol="udp" port="32413"/> # GDM Network Discovery
<port protocol="udp" port="32414"/> # GDM Network Discovery
<port protocol="udp" port="32410-32414"/> # GDM Network Discovery
</service>
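Review bot: The trailing `# Plex Media Server` / `# GDM Network Discovery` text after each `<port/>` element is not XML comment syntax; it becomes character data inside `<service>`, which firewalld's parser may tolerate but an XML validator will not — use `<!-- GDM Network Discovery -->` instead. `<description>.</description>` is a placeholder and should carry a real sentence, e.g. `<description>Plex Media Server with its DLNA and GDM discovery ports</description>`. With `plex-media-server.xml` added in the same commit it is unclear which of the two files the `plex` package key is meant to resolve to; if this one is now unused it should be deleted rather than kept with stale wording.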


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>TigerVNC</short>
<description>High performance, multi-platform VNC server</description>
<port protocol="tcp" port="5900-5904"/>
</service>
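Review bot: This opens 5900-5904/tcp to the whole zone, and classic VNC (RFB) traffic is unencrypted unless the server negotiates VeNCrypt/TLS, so on a default setup screen contents and the VNC password exchange cross the network in the clear; the usual recommendation is to keep the server bound to localhost and reach it through an SSH tunnel, or at least to bind this service to a zone restricted to trusted source addresses. If network exposure is intended, say so and state the limitation in the description: `<description>TigerVNC server, displays :0-:4 - unencrypted unless TLS is configured; restrict to trusted sources</description>`. The range is also narrower than the `5900-5909` the `tigervnc` entry in software.yml used before this commit, which is fine but worth an XML comment explaining the five-display limit.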


@ -1,13 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>UniFi Controller</short>
<description>.</description>
<port protocol="udp" port="10001"/>
<port protocol="udp" port="3478"/>
<port protocol="tcp" port="8080"/>
<port protocol="tcp" port="8081"/>
<port protocol="tcp" port="8443"/>
<port protocol="tcp" port="8843"/>
<port protocol="tcp" port="8880"/>
<port protocol="tcp" port="6789"/>
</service>


@ -1,15 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>unifi-video</short>
<description>.</description>
<port protocol="tcp" port="10001"/>
<port protocol="tcp" port="1935"/>
<port protocol="tcp" port="6666"/>
<port protocol="tcp" port="7080"/>
<port protocol="tcp" port="7442"/>
<port protocol="tcp" port="7443"/>
<port protocol="tcp" port="7444"/>
<port protocol="tcp" port="7445"/>
<port protocol="tcp" port="7446"/>
<port protocol="tcp" port="7447"/>
</service>


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>xRDP</short>
<description>Remote Desktop server</description>
<port protocol="tcp" port="3389"/>
</service>
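Review bot: 3389/tcp is opened to the whole zone with no source restriction; RDP endpoints are a standing target for credential brute force, so this should either be bound to a zone limited to trusted source addresses or at least be labelled LAN-only in the description, e.g. `<description>Remote Desktop server (xrdp) - expose only to trusted networks</description>`. xrdp's transport security depends on its `security_layer` and certificate settings, which a firewalld service file cannot express, so a pointer to where that is configured would help whoever enables this service.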


@ -1,4 +0,0 @@
[UniFi]
title=UniFi controller
description=All ports available for UniFi inform, guest portal, speed testing, and access to admin GUI
ports=5514,6789,8080,8843,8880/tcp|1900,3478,10001/udp


@ -449,7 +449,12 @@ async function updateInstallMaps(preference, packages, scopedPreference, pkg, pa
}
const portsHook = getHook(packages, 'ports', scopedPreference, preference)
if (portsHook) {
installOrdersPorts = installOrdersPorts.concat(typeof portsHook === 'string' ? [portsHook] : portsHook)
installOrdersPorts = installOrdersPorts.concat(typeof portsHook === 'string' ? [{
packageKey,
ports: portsHook
}] : {
packageKey,
ports: portsHook})
}
processPluginOrders(pkg)
if (!installOrders[preference]) {
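Review bot: Both arms of the ternary now build the same `{ packageKey, ports: portsHook }` object and differ only in the array wrapper, which `concat` accepts either way, so the branch can collapse to `installOrdersPorts = installOrdersPorts.concat([{ packageKey, ports: portsHook }])`. `packageKey` is not among the parameters visible in the `updateInstallMaps(preference, packages, scopedPreference, pkg, ...)` signature; if it was meant to be `pkg`, this throws a ReferenceError (or silently captures an outer variable) on the first package that defines `_ports`, so please confirm it is in scope. The function begins before this hunk and continues after it.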
@ -1551,36 +1556,74 @@ async function addUserGroup(group) {
/**
* Adds the rules specified in the `_ports` key of each entry in the `software.yml` file.
*
* @param rule Firewall rule in the form of 8888/tcp or 9999/udp. Can also be the XML file name stored in ~/.config/firewall/etc/firewalld/services.
* @param rule {packageKey: string, ports: any} Firewall rule in the form of 8888/tcp or 9999/udp. Can also be the XML file name stored in ~/.config/firewall/etc/firewalld/services.
*/
async function addFirewallRule(rule) {
try {
const logStage = 'Firewall'
log('info', logStage, `Ensuring the ${rule} rule is added`)
const packageName = installData.softwarePackages[rule.packageKey] && installData.softwarePackages[rule.packageKey]._name
const packageDesc = installData.softwarePackages[rule.packageKey] && installData.softwarePackages[rule.packageKey]._desc
log('info', logStage, `Ensuring the ${rule.packageKey} rule is added since the _ports key is defined`)
if (osType === 'linux') {
const firewallCmd = which.sync('firewall-cmd', { nothrow: true })
// const ufw = which.sync('ufw', { nothrow: true })
if (firewallCmd) {
if (typeof rule.substring(0, 1) === 'number') {
runCommand(`Adding the ${rule} to the firewall configuration`, `sudo firewall-cmd --add-port=${rule} --permanent`)
const serviceFile = `${process.env.HOME}/.config/firewall/etc/firewalld/services/${rule.packageKey}.xml`
if (fileExists(serviceFile)) {
log('info', logStage, `Service file found at ${serviceFile} - using it to apply firewall-cmd configuration`)
runCommand(`Copying over ${serviceFile} file to /etc/firewalld/services`, `sudo cp -f "${serviceFile}" "/etc/firewalld/services/${rule.packageKey}.xml"`)
runCommand(`Adding the ${rule.packageKey} firewall-cmd service`, `sudo firewall-cmd --add-service=${rule.packageKey} --permanent`)
} else {
runCommand(`Adding the ${rule} user / group`, `sudo firewall-cmd --add-service=${rule} --permanent`)
if (typeof rule.ports === 'string') {
runCommand(`Adding the ${rule.packageKey} ${rule.ports} rule to the firewall configuration`, `sudo firewall-cmd --add-port=${rule.ports} --permanent`)
} else {
for (const port of rule.ports) {
if (typeof port === 'string') {
runCommand(`Adding the ${rule.packageKey} ${rule.ports} rule to the firewall configuration`, `sudo firewall-cmd --add-port=${rule.ports} --permanent`)
} else if (port.port && port.proto) {
runCommand(`Adding the ${rule.packageKey} ${port.port}/${port.proto} rule to the firewall configuration`, `sudo firewall-cmd --add-port=${port.port}/${port.proto} --permanent`)
} else {
log('error', logStage, `Unable to parse the firewall definition for ${rule.packageKey}`)
}
}
}
}
} else {
log('error', logStage, `The firewall-cmd executable is not present on the system so the firewall cannot be configured`)
}
} else if (osType === 'darwin') {
runCommand(`Creating the ${rule} group`, `sudo dscl . create /Groups/${rule}`)
runCommand(`Ensuring the ${rule} group has a GID`, `bash -c 'if [[ "$(sudo dscl . read /Groups/$GROUP gid 2>&1)" == *"No such key"* ]]; then MAX_ID_GROUP="$(dscl . -list /Groups gid | awk "{print $2}" | sort -ug | tail -1)"; GROUP_ID="$((MAX_ID_GROUP+1))"; sudo dscl . create /Groups/${rule} gid "$GROUP_ID"; fi'`)
runCommand(`Adding the ${rule} user`, `sudo dscl . create /Users/${rule}`)
runCommand(`Ensuring the ${rule} user has a PrimaryGroupID`, `bash -c 'if [[ "$(sudo dscl . read /Users/${rule} PrimaryGroupID 2>&1)" == *"No such key"* ]]; then sudo dscl . create /Users/${rule} PrimaryGroupID 20; fi'`)
runCommand(`Ensuring the ${rule} user has a UniqueID`, `bash -c 'if [[ "$(sudo dscl . read /Users/${rule} UniqueID 2>&1)" == *"No such key"* ]]; then MAX_ID_USER="$(dscl . -list /Users UniqueID | sort -nr -k 2 | head -1 | grep -oE "[0-9]+$")"; USER_ID="$((MAX_ID_USER+1))"; sudo dscl . create /Users/${rule} UniqueID "$USERID"; fi'`)
runCommand(`Adding the ${rule} user to the ${rule} group`, `sudo dseditgroup -o edit -t user -a ${rule} ${rule}`)
runCommand(`Adding the ${process.env.USER} user to the ${rule} group`, `sudo dseditgroup -o edit -t user -a ${process.env.USER} ${rule}`)
const socketFilterFw = '/usr/libexec/ApplicationFirewall/socketfilterfw'
const serviceFile = `${process.env.HOME}/.config/firewall/darwin/${rule.packageKey}.sh`
if (fileExists(serviceFile)) {
runCommand(`Executing the matching ${serviceFile} service file`, `sudo bash "${serviceFile}"`)
} else {
if (typeof rule.ports === 'string') {
log('error', logStage, `_ports rules that are equal to strings are not yet implemented on macOS (package: ${rule.packageKey})`)
} else {
for (const port of rule.ports) {
if (typeof port === 'string') {
log('error', logStage, `_ports rules that are equal to strings are not yet implemented on macOS (package: ${rule.packageKey})`)
} else if (port.port && port.proto) {
runCommand(`Adding new service for ${rule.packageKey}`, `${socketFilterFw} --add --service "${packageName ? packageName : rule.packageKey}" --getglobalstate`)
if (packageDesc) {
runCommand(`Adding description to service defined for ${rule.packageKey}`, `${socketFilterFw} --service "${packageName ? packageName : rule.packageKey}" --setglobaldescription "${packageDesc}"`)
}
runCommand(`Adding firewall rule for ${rule.packageKey}`, `${socketFilterFw} --service "${packageName ? packageName : rule.packageKey}" --add --port ${port.port} --protocol ${port.proto}`)
} else {
log('error', logStage, `Unable to parse the firewall definition for ${rule.packageKey}`)
}
}
}
}
} else if (osType === 'windows') {
log('warn', logStage, `Windows support not yet added`)
} else {
log('warn', logStage, `Unknown operating system type`)
}
} catch (e) {
console.log(e)
log('error', 'Bin', `Error configuring firewall settings for ${rule.packageKey}`)
}
}
async function updateService(service) {
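Review bot: In the Linux loop, the `typeof port === 'string'` branch passes `rule.ports` (the whole array) to `firewall-cmd --add-port=`, so a package with `_ports: ['80/tcp', '443/tcp']` becomes `--add-port=80/tcp,443/tcp`, which firewall-cmd rejects; it should be `--add-port=${port}`. Every `firewall-cmd` call uses `--permanent` only, which edits the saved configuration without touching the running firewall, so nothing takes effect until a `sudo firewall-cmd --reload` is issued at the end. Each interpolated value (`rule.packageKey`, `port.port`, `port.proto`, `packageName`, `packageDesc`) reaches a `sudo` shell command unquoted and unvalidated, and `rule.packageKey` also forms the path copied into `/etc/firewalld/services/` and the script executed with `sudo bash` from the user-writable `~/.config/firewall/darwin/`; since these values come from `software.yml`, a shape check before the command runs (plus a comment that the per-user firewall directory is trusted as root) would turn a malformed key into a logged error instead of an arbitrary root command. Below is the Linux branch with the loop fixed, the values validated and the reload added.
```javascript
const KEY_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*$/
const PORT_RE = /^\d{1,5}(-\d{1,5})?$/
const PROTO_RE = /^(tcp|udp|sctp|dccp)$/
// … unchanged: packageName / packageDesc lookup and the opening log line …
if (osType === 'linux') {
  const firewallCmd = which.sync('firewall-cmd', { nothrow: true })
  if (firewallCmd) {
    // packageKey is used as a file name and as a shell argument below; refuse anything unusual
    if (!KEY_RE.test(rule.packageKey)) {
      log('error', logStage, `Refusing to use package key "${rule.packageKey}" in a shell command`)
      return
    }
    const serviceFile = `${process.env.HOME}/.config/firewall/etc/firewalld/services/${rule.packageKey}.xml`
    if (fileExists(serviceFile)) {
      // … unchanged: copy the service file and --add-service …
    } else {
      // Accept both shapes ('8888/tcp' or { port, proto }) and normalize to 'port/proto'
      const entries = typeof rule.ports === 'string' ? [rule.ports] : rule.ports
      for (const port of entries) {
        const spec = typeof port === 'string' ? port : (port.port && port.proto ? `${port.port}/${port.proto}` : null)
        const [portPart, protoPart] = spec ? spec.split('/') : []
        if (!spec || !PORT_RE.test(portPart) || !PROTO_RE.test(protoPart || '')) {
          log('error', logStage, `Unable to parse the firewall definition for ${rule.packageKey}`)
          continue
        }
        runCommand(`Adding the ${rule.packageKey} ${spec} rule to the firewall configuration`, `sudo firewall-cmd --add-port=${spec} --permanent`)
      }
    }
    // --permanent only edits the saved config; apply it to the running firewall as well
    runCommand(`Reloading firewalld so the ${rule.packageKey} rules take effect`, 'sudo firewall-cmd --reload')
  } else {
    // … unchanged: error when firewall-cmd is missing …
  }
} else if (osType === 'darwin') {
  // … unchanged: macOS branch …
```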


@ -0,0 +1,11 @@
# Firejail
Firejail integration is pending. Firejail will allow us to improve security on Linux platforms by sandboxing executables and programs. Firejail already includes hundreds of definitions for programs. There are also custom lists maintained by the community which can be found on the [Firejail README](https://github.com/netblue30/firejail).
Ideally, we should create a few generic profiles that handle the following cases:
1. CLIs that don't need access to ~/.ssh and ~/.config etc.
2. CLIs that DO need access to specific folders
3. The configurations should be automatically generated from an array of options for each entry in the `software.yml` file
It would also be great if we could have Firejail automatically load anytime executables are called so that we can run `pnpm` instead of `firejail pnpm`, for instance.


@ -1852,6 +1852,9 @@ softwarePackages:
_github: https://github.com/apple/cups
_home: null
_name: CUPS
_ports:
- port: 631
proto: tcp
ansible: professormanhattan.cups
apt:
- avahi-daemon
@ -5004,6 +5007,23 @@ softwarePackages:
_github: https://github.com/maas/maas
_home: https://maas.io/
_name: MAAS
_ports:
- port: 5240
proto: tcp
- port: 5240
proto: udp
- port: 5248
proto: tcp
- port: 5248
proto: udp
- port: 5241-5247
proto: tcp
- port: 5241-5247
proto: udp
- port: 5250-5270
proto: tcp
- port: 5250-5270
proto: udp
ansible:ubuntu: professormanhattan.maas
snap:ubuntu: maas
mackup:
@ -5789,9 +5809,9 @@ softwarePackages:
_name: NGINX
_ports:
- port: 80
proto: udp
proto: tcp
- port: 443
proto: udp
proto: tcp
ansible: professormanhattan.nginx
apt: nginx
brew: nginx
@ -6564,28 +6584,46 @@ softwarePackages:
plex:
_bin: plex
_desc: '[Plex](https://www.plex.tv/) is a global streaming service of free ad-supported video, with TV shows and movies from distributors such as Crackle, Warner Bros., MGM, Endemol Shine Group, Lionsgate, and Legendary. Plex is also a clientserver media player system plus an ancillary software suite.'
_docs: https://forums.plex.tv/t/introducing-plex-htpc/703075
_github: https://github.com/plexinc/plex-media-player
_github: false
_home: https://www.plex.tv/
_name: Plex
_when:cask: '! test -d /Applications/Plex.app'
ansible: professormanhattan.plex
cask:
- plex
- plex-media-player
- plex-media-server
choco:
- plex
- plexmediaplayer
cask: plex
choco: plex
flatpak: tv.plex.PlexDesktop
plex-media-server:
_bin: plex-media-server
_github: false
_name: Plex Media Server
_when:cask: '! test -d "/Applications/Plex Media Server.app"'
_ports:
- port: 32400
proto: tcp
- port: 3005
proto: tcp
- port: 5353
proto: udp
- port: 8324
proto: tcp
- port: 32410-32414
proto: udp
- port: 1900
proto: udp
- port: 32469
proto: tcp
cask: plex-media-server
choco: plexmediaserver
snap: plexmediaserver
yay: plex-media-server
plex-htpc:
_bin: plex-htpc
_github: false
_home: https://www.plex.tv/
_name: Plex HTPC
_when:cask: '! test -d "/Applications/Plex HTPC.app"'
cask: plex-htpc
choco: plex-home-theater
flatpak: tv.plex.PlexHTPC
snap: plex-htpc
pm2:
@ -7114,7 +7152,6 @@ softwarePackages:
dnf: firewalld
emerge: net-firewall/firewalld
pacman: firewalld
script:darwin: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
zypper: firewalld
xrdp:
_bin: xrdp
@ -9674,6 +9711,12 @@ softwarePackages:
dnf:fedora: yubikey-manager
pacman: yubikey-manager
pipx: yubikey-manager
nginx-unit:
_bin: unitd
_github: https://github.com/nginx/unit
_name: NGINX Unit
_service:brew: nginx/unit/unit
brew: nginx/unit/unit
yubikey-manager-qt:
_bin: yubikey-manager-qt
_desc: Cross-platform application for configuring any YubiKey over all USB interfaces.
@ -9713,10 +9756,10 @@ softwarePackages:
pipx: shell-gpt
tigervnc:
_bin: tigervncpasswd
_github: https://github.com/DukeyToo/tightvnc-server
_name: TightVNC Server
_github: https://github.com/TigerVNC/tigervnc
_name: TigerVNC Server
_ports:
- port: 5900-5909
- port: 5900-5904
proto: tcp
apt: tigervnc-standalone-server
dnf: tigervnc-server
@ -9807,6 +9850,10 @@ softwarePlugins:
- redhatdeveloper/openshift-dd-ext
- snyk/snyk-docker-desktop-extension
- tailscale/docker-extension
dockerImages:
cmd: null
plugins:
- docker.io/nginx/unit
dotnet:
cmd: sudo chown -r "$USER" "$HOME/.local/share/NuGet" && dotnet tool install -g {PLUGIN}
plugins:
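Review bot: With `script:darwin: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on` gone from the `firewalld` entry, nothing in this commit turns the macOS application firewall on any more — the new per-package rules are applied to a firewall that stays off unless another entry enables it, and the generation prompt in the new README explicitly says not to enable it. If the intent is to leave it off until the generated rules are validated, a comment on the `firewalld` entry (`# macOS: firewall left disabled until the socketfilterfw rules are verified`) would stop the next person from re-adding the step blindly; otherwise the `--setglobalstate on` step belongs back, after the rules are added. Separately, the new `nginx-unit` entry is inserted between `yubikey-manager` and `yubikey-manager-qt`, splitting the two related keys, and the `_ports` values mix integers (`port: 631`, `port: 5240`) with strings (`port: 5241-5247`); `addFirewallRule` only interpolates them so that is harmless today, but quoting all of them (`port: '631'`) keeps the `_ports` schema uniform.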