123 lines
No EOL
6.6 KiB
Cheetah
123 lines
No EOL
6.6 KiB
Cheetah
# @description
|
|
# This script pipes environment variables and a logger function to a temporary file that is included by other scripts.
|
|
# It is included as a temporary external file to aid in debugging since if the included files were inlined in scripts
|
|
# the scripts would be verbose when debugging.
|
|
addTemporaryIncludes() {
|
|
### Ensure /tmp/tmp-profile is created
|
|
# Add pre-scaffolding profile to /tmp/tmp-profile so it's easier to navigate through scripts
|
|
cat <<'EOF' > /tmp/tmp-profile
|
|
{{ includeTemplate "universal/profile-inline" }}
|
|
EOF
|
|
|
|
### Ensure /tmp/tmp-logg is created and owned by root
|
|
# Add pre-scaffolding /tmp/tmp-logg
|
|
cat <<'EOF' > /tmp/tmp-logg
|
|
{{ includeTemplate "universal/logg-inline" }}
|
|
EOF
|
|
}
|
|
|
|
# @description Enables VNC early in case a user prompt is required on macOS
|
|
configureMacOSVNC() {
|
|
if [ -d /Applications ] && [ -d /System ]; then
|
|
# Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
|
|
# To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
|
|
# Only enable when computer is not a corporate / work computer
|
|
logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
|
|
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}" -restart -agent -privs -all -users "$USER" && logg success 'Finished running the macOS Remote Management kickstart executable'
|
|
fi
|
|
}
|
|
|
|
# @description
|
|
# This script detects for the presence of the `warp-cli` and the WARP connection status. If `warp-cli` is installed
|
|
# and WARP is connected, then the service is disconnected. This feature is here to ensure programs such as `volta`
|
|
# which do not support custom CA certificates can still function properly.
|
|
disconnectWarp() {
|
|
if command -v warp-cli > /dev/null; then
|
|
if warp-cli status | grep 'Connected' > /dev/null; then
|
|
logg info 'Disconnecting from CloudFlare Teams / WARP due to Volta ignoring CA specified in NPM configuration'
|
|
warp-cli disconnect
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# @description Prints information describing why full disk access is required for the script to run on macOS.
|
|
printFullDiskAccessNotice() {
|
|
if [ -d /Applications ] && [ -d /System ]; then
|
|
logg md "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/docs/terminal/full-disk-access.md"
|
|
fi
|
|
}
|
|
|
|
# @description
|
|
# This script ensures the terminal running the provisioning process has full disk access permissions. It also
|
|
# prints information regarding the process of how to enable the permission as well as information related to
|
|
# the specific reasons that the terminal needs full disk access. More specifically, the scripts need full
|
|
# disk access to modify various system files and permissions.
|
|
#
|
|
# Ensures the terminal running the provisioning process script has full disk access on macOS. It does this
|
|
# by attempting to read a file that requires full disk access. If it does not, the program opens the preferences
|
|
# pane where the user can grant access so that the script can continue.
|
|
#
|
|
# ## Sources
|
|
#
|
|
# * [Detecting Full Disk Access permission on macOS](https://www.dzombak.com/blog/2021/11/macOS-Scripting-How-to-tell-if-the-Terminal-app-has-Full-Disk-Access.html)
|
|
ensureFullDiskAccess() {
|
|
if [ -d /Applications ] && [ -d /System ]; then
|
|
if ! plutil -lint /Library/Preferences/com.apple.TimeMachine.plist > /dev/null ; then
|
|
printFullDiskAccessNotice
|
|
logg star 'Opening Full Disk Access preference pane.. Grant full-disk access for the terminal you would like to run the provisioning process with.' && open "x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles"
|
|
logg info 'You may have to force quit the terminal and have it reload'
|
|
if [ ! -f "$HOME/.zshrc" ] || ! cat "$HOME/.zshrc" | grep '# TEMPORARY FOR INSTALL DOCTOR MACOS' > /dev/null; then
|
|
echo 'bash <(curl -sSL https://install.doctor/start) # TEMPORARY FOR INSTALL DOCTOR MACOS' >> "$HOME/.zshrc"
|
|
fi
|
|
logg prompt 'Press ENTER to check for Full Disk Access again' && read -r
|
|
ensureFullDiskAccess
|
|
else
|
|
logg success 'Current terminal has full disk access'
|
|
if [ -f "$HOME/.zshrc" ]; then
|
|
if command -v gsed > /dev/null; then
|
|
sudo gsed -i '/# TEMPORARY FOR INSTALL DOCTOR MACOS/d' "$HOME/.zshrc" || logg warn "Failed to remove kickstart script from .zshrc"
|
|
else
|
|
sudo sed -i '/# TEMPORARY FOR INSTALL DOCTOR MACOS/d' "$HOME/.zshrc" || logg warn "Failed to remove kickstart script from .zshrc"
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# @description Applies changes that require input from the user such as using Touch ID on macOS when
|
|
# importing certificates into the system keychain.
|
|
#
|
|
# * Ensures CloudFlare Teams certificate is imported into the system keychain
|
|
importCloudFlareCert() {
|
|
if [ -d /Applications ] && [ -d /System ] && [ -z "$HEADLESS_INSTALL" ]; then
|
|
### Acquire certificate
|
|
if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
|
|
logg info 'Downloading Cloudflare_CA.crt from https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt to determine if it is already in the System.keychain'
|
|
CRT_TMP="$(mktemp)"
|
|
curl -sSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt > "$CRT_TMP"
|
|
else
|
|
CRT_TMP="$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt"
|
|
fi
|
|
|
|
### Validate / import certificate
|
|
security verify-cert -c "$CRT_TMP" > /dev/null 2>&1
|
|
if [ $? != 0 ]; then
|
|
logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
|
|
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP" && logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
|
|
fi
|
|
|
|
### Remove temporary file, if necessary
|
|
if [ ! -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" ]; then
|
|
rm -f "$CRT_TMP"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
addTemporaryIncludes
|
|
. /tmp/tmp-logg
|
|
. /tmp/tmp-profile
|
|
ensureFullDiskAccess
|
|
importCloudFlareCert
|
|
configureMacOSVNC
|
|
disconnectWarp
|
|
wait |