install.fairie/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl

{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
# @file CloudFlare WARP
# @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP.
# @description
#     This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked.
#     Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat
#     systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren.
#
#     ## MDM Configuration
#
#     If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
#     WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:
#
#     1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
#     2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
#     3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file.
#
#     The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
#
#     ## Headless CloudFlare WARP Connection
#
#     Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP
#     network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
#     finishes by connecting to CloudFlare Teams.
#
#     ## Application Certificates
#
#     This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)
#     to configure the following utilities that leverage seperate certificate authorities:
#
#     * Python
#     * NPM
#     * Git
#     * Google Cloud SDK
#     * AWS CLI
#     * Google Drive for desktop
#
#     Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files
#     outside of this script.
#
#     ## Notes
#
#     According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
#     on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage
#     an MDM SaaS provider like JumpCloud.
#
#     ## Links
#
#     * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl)
#     * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl)

{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}

### Install CloudFlare WARP (on non-WSL *nix systems)
if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then
    if [ -d /System ] && [ -d /Applications ]; then
        ### Install on macOS
        if [ ! -d "/Applications/Cloudflare WARP.app" ]; then
            brew install --cask cloudflare-warp
        else
            logg info 'Cloudflare WARP already installed'
        fi
    elif [ '{{ .host.distro.id }}' = 'debian' ]; then
        ### Add CloudFlare WARP desktop app apt-get source
        if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
            logg info 'Adding CloudFlare WARP keyring'
            curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
            logg info 'Adding apt source reference'
            echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
        fi

        ### Update apt-get and install the CloudFlare WARP CLI
        sudo apt-get update && sudo apt-get install -y cloudflare-warp
    elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
        ### Add CloudFlare WARP desktop app apt-get source
        if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then
            logg info 'Adding CloudFlare WARP keyring'
            curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
            logg info 'Adding apt source reference'
            echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
        fi

        ### Update apt-get and install the CloudFlare WARP CLI
        sudo apt-get update && sudo apt-get install -y cloudflare-warp
    elif command -v dnf > /dev/null && command -v rpm > /dev/null; then
        ### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency
        sudo dnf instal -y nss-tools || NSS_TOOL_EXIT=$?
        if [ -n "$NSS_TOOL_EXIT" ]; then
            logg warn 'Unable to install `nss-tools` which was a requirement on Fedora 36 and assumed to be one on other systems as well.'
        fi
        ### According to the download site, this is the only version available for RedHat-based systems
        sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm || RPM_EXIT_CODE=$?
        if [ -n "$RPM_EXIT_CODE" ]; then
            logg error 'Unable to install CloudFlare WARP using RedHat 8 RPM package'
        fi
    fi
fi


### Ensure certificate is installed
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
# Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then
    ### Ensure certificate installed on macOS
    if [ ! -n "$SSH_CONNECTION" ]; then
        logg info 'Requesting security authorization for Cloudflare trusted certificate'
        sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
    else
        logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.'
    fi
    if [ -d "/usr/local/etc/openssl@3/certs" ]; then
        # Location on Intel macOS
        logg info 'Adding Cloudflare certificate to `/usr/local/etc/openssl@3/certs/Cloudflare_CA.pem`'
        echo | sudo cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem
        logg info 'Running `/usr/local/opt/openssl@3/bin/c_rehash`'
        /usr/local/opt/openssl@3/bin/c_rehash
    elif [ -d "/opt/homebrew/etc/openssl@3/certs" ]; then
        # Location on arm64 macOS
        logg info 'Adding Cloudflare certificate to `/opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem`'
        echo | sudo cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem
        logg info 'Running `/opt/homebrew/opt/openssl@3/bin/c_rehash`'
        /opt/homebrew/opt/openssl@3/bin/c_rehash
    else
        logg warn 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/openssl@3/certs` and `/opt/homebrew/etc/openssl@3/certs` do not exist!'
    fi
elif command -v warp-cli > /dev/null; then
    # System is Linux
    if command -v dpkg-reconfigure > /dev/null; then
        if [ -d /usr/local/share/ca-certificates ]; then
            logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'
            sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt
            logg info '`dpkg-reconfigure` executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'
            sudo dpkg-reconfigure ca-certificates
        else
            logg warn 
        fi
    elif command -v update-ca-trust > /dev/null; then
        if [ -d /etc/pki/ca-trust/source/anchors ]; then
            logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'
            sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors
            logg info '`update-ca-trust` executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'
            sudo update-ca-trust
        else
            logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'
        fi
    fi
fi

if command -v warp-cli > /dev/null; then
    ### Application certificate configuration
    
    ### Git
    if command -v git > /dev/null; then
        logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
        git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
    fi

    ### NPM
    if command -v npm > /dev/null; then
        logg info "Configuring npm to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
        npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
    fi

    ### Python
    if command -v python3 > /dev/null; then
        logg info "Configuring python3 / python to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
        echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
    fi

    ### Google Cloud SDK
    if command -v gcloud > /dev/null; then
        logg info "Configuring gcloud to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
        mkdir -p "${XDG_DATA_HOME:$HOME/.local/share}/gcloud"
        cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
        gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
    fi

    ### Google Drive for desktop (macOS)
    if [ -d "/Applications/Google Drive.app" ]; then
        if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
            logg info "Combining Google Drive roots.pem with CloudFlare certificate"
            mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
            cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
            sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
        else
            logg warn 'Google Drive.app installed but roots.pem is not available yet'
        fi
    fi


    ### Ensure MDM settings are applied (deletes after reboot on macOS)
    ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
    # Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
    # Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig
    if [ -d /System ] && [ -d /Applications ]; then
        sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist'
        sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist'
    elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then
        sudo mkdir -p /var/lib/cloudflare-warp
        sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml
    fi
    
    ### Register CloudFlare WARP
    if warp-cli --accept-tos status | grep 'Registration missing' > /dev/null; then
        logg info 'Registering CloudFlare WARP'
        warp-cli --accept-tos register
    else
        logg info 'Either there is a misconfiguration or the device is already registered with CloudFlare WARP'
    fi

    ### Connect CloudFlare WARP
    if warp-cli --accept-tos status | grep 'Disconnected' > /dev/null; then
        logg info 'Connecting to CloudFlare WARP'
        warp-cli --accept-tos connect
    else
        logg info 'Either there is a misconfiguration or the device is already connected with CloudFlare WARP'
    fi
else
    logg warn '`warp-cli` was not installed so CloudFlare Zero Trust cannot be joined'
fi
{{ end -}}