From 259bb8343a0f6c609e1f33ec6ac54084b688bc99 Mon Sep 17 00:00:00 2001
From: Brian Zalewski <59970525+ProfessorManhattan@users.noreply.github.com>
Date: Fri, 7 Jul 2023 18:21:59 +0000
Subject: [PATCH] Latest

---
 home/.chezmoiexternal.toml.tmpl | 5 ++
 .../run_onchange_after_14-warp.sh.tmpl | 85 ++++++++++++++++++-
 home/dot_config/firefox/user.js | 1 +
 home/dot_config/shell/exports.sh.tmpl | 13 +++
 home/dot_local/share/firefox/firefox.cfg | 1 +
 5 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/home/.chezmoiexternal.toml.tmpl b/home/.chezmoiexternal.toml.tmpl
index 0ce99e2b..529eb187 100644
--- a/home/.chezmoiexternal.toml.tmpl
+++ b/home/.chezmoiexternal.toml.tmpl
@@ -26,6 +26,11 @@ type = "file"
 url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem"
+### Curl / Google Cloud SDK
+[".local/share/curl/cacert.pem"]
+ type = "file"
+ url = "https://curl.se/ca/cacert.pem"
+
 ### Betelgeuse Theme
 [".local/src/betelgeuse"]
 type = "git-repo"
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl
index 8d016695..9cc161a1 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_14-warp.sh.tmpl
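Review bot: The new `.local/share/curl/cacert.pem` external is fetched with no integrity check, and the warp script in this same commit intends to concatenate that file into the bundle gcloud is told to trust, so a truncated or tampered download becomes a trust root set; if the chezmoi version in use supports it, add a `checksum.sha256` for the copy being pinned, or at minimum a comment stating why none is set. Because curl republishes this bundle as Mozilla roots rotate, also consider a `refreshPeriod` on the entry so the cached copy is re-downloaded rather than frozen at first apply.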
@@ -10,10 +10,11 @@ # ## MDM Configuration
 #
 # If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
-# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following two secrets:
+# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:
 #
 # 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
 # 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
+# 3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file.
 #
 # The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
 #
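Review bot: The added item 3 says `CLOUDFLARE_TEAMS_ORG` must be passed as an environment variable, yet the unchanged sentence two lines below still reads `# The two variables above can be passed in using either of the methods …`, which now contradicts both the count and the env-only constraint. Update it, e.g. `# The first two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets); CLOUDFLARE_TEAMS_ORG is read from the environment only.` The comment block continues outside the hunk.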
@@ -23,6 +24,21 @@ # network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
 # finishes by connecting to CloudFlare Teams.
 #
+# ## Application Certificates
+#
+# This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)
+# to configure the following utilities that leverage seperate certificate authorities:
+#
+# * Python
+# * NPM
+# * Git
+# * Google Cloud SDK
+# * AWS CLI
+# * Google Drive for desktop
+#
+# Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files
+# outside of this script.
+#
 # ## Notes
 #
 # According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
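Review bot: The new list names the AWS CLI among the utilities this script configures, but the script's additions in this commit contain no AWS step; `AWS_CA_BUNDLE` is exported from home/dot_config/shell/exports.sh.tmpl instead. Either drop AWS CLI from the list or widen the closing sentence: `# Settings used to configure Firefox and the AWS CLI are housed in their own configuration files outside of this script.` Also "seperate" should be "separate" on both lines where it appears.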
@@ -109,9 +125,76 @@ if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; th
 else
 logg warn 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/openssl@3/certs` and `/opt/homebrew/etc/openssl@3/certs` do not exist!'
 fi
+elif command -v warp-cli > /dev/null; then
+ # System is Linux
+ if command -v dpkg-reconfigure > /dev/null; then
+ if [ -d /usr/local/share/ca-certificates ]; then
+ logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'
+ sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt
+ logg info '`dpkg-reconfigure` executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'
+ sudo dpkg-reconfigure ca-certificates
+ else
+ logg warn
+ fi
+ elif command -v update-ca-trust > /dev/null; then
+ if [ -d /etc/pki/ca-trust/source/anchors ]; then
+ logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'
+ sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors
+ logg info '`update-ca-trust` executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'
+ sudo update-ca-trust
+ else
+ logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'
+ fi
+ fi
 fi
+
+if command -v git > /dev/null; then
+#
+
+ if command -v warp-cli > /dev/null; then
+ ### Application certificate configuration
+
+ ### Git
+ if command -v git > /dev/null; then
+ logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
+ git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
+ fi
+
+ ### NPM
+ if command -v npm > /dev/null; then
+ logg info 
"Configuring `npm` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
+ npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
+ fi
+
+ ### Python
+ if command -v python3 > /dev/null; then
+ logg info "Configuring `python3` / `python` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
+ echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
+ fi
+
+ ### Google Cloud SDK
+ if command -v gcloud > /dev/null; then
+ logg info "Configuring `gcloud` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
+ mkdir -p "${XDG_DATA_HOME:$HOME/.local/share}/gcloud"
+ cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
+ gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
+ fi
+
+ ### Google Drive for desktop (macOS)
+ if [ -d "/Applications/Google Drive.app" ]; then
+ if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
+ logg info "Combining Google Drive roots.pem with CloudFlare certificate"
+ mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
+ cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
+ sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
+ else
+ logg warn 'Google Drive.app installed but roots.pem is not available yet'
+ fi
+ fi
+
 ### Ensure MDM settings are applied (deletes after reboot on macOS)
 ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
 # Source: 
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
diff --git a/home/dot_config/firefox/user.js b/home/dot_config/firefox/user.js
index c3c6fb7b..dad76fb0 100644
--- a/home/dot_config/firefox/user.js
+++ b/home/dot_config/firefox/user.js
@@ -107,6 +107,7 @@ user_pref('privacy.trackingprotection.fingerprinting.enabled', true)
 user_pref('privacy.trackingprotection.pbmode.enabled', true)
 user_pref('privacy.usercontext.about_newtab_segregation.enabled', true)
 user_pref('prompts.tab_modal.enabled', false)
+user_pref('security.enterprise_roots.enabled', true)
 user_pref('security.fileuri.origin_policy', 3)
 user_pref('security.fileuri.strict_origin_policy', false)
 user_pref('security.ssl.disable_session_identifiers', true)
diff --git a/home/dot_config/shell/exports.sh.tmpl b/home/dot_config/shell/exports.sh.tmpl
index 25f5607b..c2229684 100644
--- a/home/dot_config/shell/exports.sh.tmpl
+++ b/home/dot_config/shell/exports.sh.tmpl
@@ -103,6 +103,9 @@ export ASDF_PYTHON_DEFAULT_PACKAGES_FILE="$XDG_CONFIG_HOME/asdf/default-python-p
 ### AWS CLI
 export AWS_SHARED_CREDENTIALS_FILE="$XDG_CONFIG_HOME/aws/credentials"
 export AWS_CONFIG_FILE="$XDG_CONFIG_HOME/aws/config"
+if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" ]; then
+ export AWS_CA_BUNDLE="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
+fi
 ### Azure CLI
 export AZURE_CONFIG_DIR="$XDG_CONFIG_HOME/azure"
@@ -274,6 +277,9 @@ fi
 ### Node.js
 export NODE_REPL_HISTORY="$XDG_DATA_HOME/node_repl_history"
+if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" ]; then
+ export NODE_EXTRA_CA_CERTS="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
+fi
 ### NPM
 export NPM_CONFIG_USERCONFIG="$XDG_CONFIG_HOME/npm/npmrc"
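Review bot: The two compound commands opened in the middle of the hunk, `+if command -v git > /dev/null; then` and the nested `+ if command -v warp-cli > /dev/null; then`, are never closed — no matching `fi` appears before the `### Ensure MDM settings` context lines, and the diffstat lists no other hunk for this file, so bash will reject the whole script with an unexpected end-of-file error (the stray `+#` line directly after the first `if` looks like an unfinished edit; the enclosing `if [ -d /System ] …` block also begins before the hunk). The double-quoted log messages for the npm, python3 and gcloud sections wrap the tool name in backticks, which inside double quotes is command substitution, so each message actually executes npm, python3 and gcloud before logging; write those messages in single quotes exactly as the earlier `logg info '`dpkg-reconfigure` …'` line does. In the gcloud section `${XDG_DATA_HOME:$HOME/.local/share}` (three occurrences) is missing the `-` and is parsed as a substring expansion, `cat cacert.pem` reads a relative path instead of the downloaded `"${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem"`, the Debian branch's `logg warn` has no message, and the certifi append (`>> $(python3 -m certifi)`) is unquoted and re-appends the root on every run of this run_onchange script. Finally, `git config --global http.sslcainfo` and `npm config set cafile` replace each tool's trust store with the Cloudflare root alone rather than extending it, so any TLS connection WARP does not terminate (WARP disconnected, split-tunnel hosts) fails verification; point both at the combined bundle this hunk builds for gcloud, rewritten below.
```shell
### Google Cloud SDK
if command -v gcloud > /dev/null; then
  logg info 'Configuring `gcloud` to use a bundle of the public roots plus the CloudFlare Teams root'
  mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud"
  cat "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem" "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
  gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:-$HOME/.local/share}/gcloud/ca.pem"
fi
# … unchanged: Google Drive section … then close the two enclosing blocks:
  fi
fi
```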
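Review bot: `security.enterprise_roots.enabled` makes Firefox accept every CA present in the operating-system store, which is the one pref in this privacy-hardening file that widens trust rather than narrowing it, so it needs a why-comment above it: `// Honour OS-installed roots so the Cloudflare WARP CA installed by the warp chezmoi script is trusted`. The same pref is added to home/dot_local/share/firefox/firefox.cfg in this commit; if both files are deployed, say in the comment which one is authoritative so the two do not drift.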
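Review bot: `AWS_CA_BUNDLE` is set to Cloudflare_CA.crt alone, and the AWS CLI uses that file as its entire trust store, so once the file exists every AWS API call that WARP does not terminate (WARP disconnected, excluded hosts) fails certificate verification. Contrast the Node.js hunk below, where `NODE_EXTRA_CA_CERTS` is additive and therefore safe. Point `AWS_CA_BUNDLE` at a bundle holding the public roots plus the Cloudflare root (the warp script in this commit builds such a bundle for gcloud), and add a comment stating that this variable replaces rather than extends the default bundle.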
@@ -315,6 +321,13 @@ export PATH="$PATH:$PNPM_HOME"
 # Specify location of the default Prettierd configuration
 # export PRETTIERD_DEFAULT_CONFIG=""
+### Python
+if command -v python3 > /dev/null; then
+ export CERT_PATH="$(python3 -m certifi)"
+ export SSL_CERT_FILE="$CERT_PATH"
+ export REQUESTS_CA_BUNDLE="$CERT_PATH"
+fi
+
 ### Readline
 export INPUTRC="$XDG_CONFIG_HOME/readline/inputrc"
diff --git a/home/dot_local/share/firefox/firefox.cfg b/home/dot_local/share/firefox/firefox.cfg
index fa6bc3e2..25e4cf1a 100644
--- a/home/dot_local/share/firefox/firefox.cfg
+++ b/home/dot_local/share/firefox/firefox.cfg
@@ -79,6 +79,7 @@ pref("privacy.trackingprotection.enabled", true);
 pref("privacy.trackingprotection.fingerprinting.enabled", true);
 pref("privacy.trackingprotection.pbmode.enabled", true);
 pref("privacy.usercontext.about_newtab_segregation.enabled", true);
+pref("security.enterprise_roots.enabled", true)
 pref("security.ssl.disable_session_identifiers", true);
 pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSponsoredTopSite", false);
 pref("signon.autofillForms", false);
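Review bot: `export CERT_PATH="$(python3 -m certifi)"` spawns a Python interpreter on every shell start and, when the certifi package is not installed, the substitution fails and the hunk exports an empty `CERT_PATH`, hence an empty `SSL_CERT_FILE` and `REQUESTS_CA_BUNDLE`, which OpenSSL-based tools read and then fail verification on. Export only when the substitution succeeded and the path exists, as below. `SSL_CERT_FILE` is honoured by far more than Python (curl, openssl, Go and Ruby programs, and others), so a comment should state that this makes certifi's bundle — with whatever the warp script appends to it — the trust store for the entire session.
```shell
### Python
if command -v python3 > /dev/null; then
  CERT_PATH="$(python3 -m certifi 2> /dev/null)"
  if [ -n "$CERT_PATH" ] && [ -f "$CERT_PATH" ]; then
    export CERT_PATH SSL_CERT_FILE="$CERT_PATH" REQUESTS_CA_BUNDLE="$CERT_PATH"
  fi
fi
```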
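Review bot: The added `pref("security.enterprise_roots.enabled", true)` is the only line in the hunk without a trailing semicolon; write it `pref("security.enterprise_roots.enabled", true);` to match every other statement in the file. Since this pref makes Firefox honour every root in the OS store (the mechanism the warp script in this commit relies on), a one-line comment above it naming that dependency would tell the next reader why a hardening file widens trust here.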