This commit is contained in:
Brian Zalewski 2023-07-07 18:21:59 +00:00
parent 21a87bd72d
commit 259bb8343a
5 changed files with 104 additions and 1 deletions


@ -26,6 +26,11 @@
type = "file" type = "file"
url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem" url = "https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem"
### Curl / Google Cloud SDK
[".local/share/curl/cacert.pem"]
type = "file"
url = "https://curl.se/ca/cacert.pem"
### Betelgeuse Theme ### Betelgeuse Theme
[".local/src/betelgeuse"] [".local/src/betelgeuse"]
type = "git-repo" type = "git-repo"
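Review bot: The new `.local/share/curl/cacert.pem` external becomes a trust root for every tool the warp script later points at it, yet it is declared with only `type`/`url` — no `refreshPeriod` — so chezmoi fetches it once and never re-fetches, and the bundle will silently drift from upstream as roots are added or removed. Adding `refreshPeriod = "168h"` to the entry (chezmoi's external-refresh key; confirm the spelling against the chezmoi version in use) keeps it current; a pinned `checksum.sha256` is not a good fit here because the upstream file changes by design. The same observation applies to the `Cloudflare_CA.pem` external just above it, though that line is not part of this change.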


@ -10,10 +10,11 @@
# ## MDM Configuration # ## MDM Configuration
# #
# If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare # If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare
# WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following two secrets: # WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets:
# #
# 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/). # 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/).
# 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token. # 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token.
# 3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file.
# #
# The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets). # The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets).
# #
@ -23,6 +24,21 @@
# network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script # network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script
# finishes by connecting to CloudFlare Teams. # finishes by connecting to CloudFlare Teams.
# #
# ## Application Certificates
#
# This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/)
# to configure the following utilities that leverage seperate certificate authorities:
#
# * Python
# * NPM
# * Git
# * Google Cloud SDK
# * AWS CLI
# * Google Drive for desktop
#
# Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files
# outside of this script.
#
# ## Notes # ## Notes
# #
# According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/), # According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/),
@ -109,9 +125,76 @@ if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; th
else else
logg warn 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/openssl@3/certs` and `/opt/homebrew/etc/openssl@3/certs` do not exist!' logg warn 'Unable to add `Cloudflare_CA.pem` because `/usr/local/etc/openssl@3/certs` and `/opt/homebrew/etc/openssl@3/certs` do not exist!'
fi fi
elif command -v warp-cli > /dev/null; then
# System is Linux
if command -v dpkg-reconfigure > /dev/null; then
if [ -d /usr/local/share/ca-certificates ]; then
logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt'
sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt
logg info '`dpkg-reconfigure` executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate'
sudo dpkg-reconfigure ca-certificates
else
logg warn
fi
elif command -v update-ca-trust > /dev/null; then
if [ -d /etc/pki/ca-trust/source/anchors ]; then
logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors'
sudo cp -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors
logg info '`update-ca-trust` executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate'
sudo update-ca-trust
else
logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process'
fi
fi
fi fi
if command -v git > /dev/null; then
#
if command -v warp-cli > /dev/null; then if command -v warp-cli > /dev/null; then
### Application certificate configuration
### Git
if command -v git > /dev/null; then
logg info "Configuring git to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
git config --global http.sslcainfo "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
fi
### NPM
if command -v npm > /dev/null; then
logg info "Configuring `npm` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt""
npm config set cafile "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
fi
### Python
if command -v python3 > /dev/null; then
logg info "Configuring `python3` / `python` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem""
echo | cat - "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" >> $(python3 -m certifi)
fi
### Google Cloud SDK
if command -v gcloud > /dev/null; then
logg info "Configuring `gcloud` to use "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" and "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem""
mkdir -p "${XDG_DATA_HOME:$HOME/.local/share}/gcloud"
cat cacert.pem "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" > "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
gcloud config set core/custom_ca_certs_file "${XDG_DATA_HOME:$HOME/.local/share}/gcloud/ca.pem"
fi
### Google Drive for desktop (macOS)
if [ -d "/Applications/Google Drive.app" ]; then
if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then
logg info "Combining Google Drive roots.pem with CloudFlare certificate"
mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive"
cat "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "${XDG_DATA_HOME:-$HOME/.local/share}/google-drive/roots.pem"
else
logg warn 'Google Drive.app installed but roots.pem is not available yet'
fi
fi
### Ensure MDM settings are applied (deletes after reboot on macOS) ### Ensure MDM settings are applied (deletes after reboot on macOS)
### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences` ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences`
# Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/ # Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
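Review bot: `git config --global http.sslcainfo` and `npm config set cafile` in the new Git and NPM blocks replace the tool's whole trust store with the single Cloudflare CA, so every HTTPS host Gateway does not intercept — and all traffic while WARP is disconnected — fails verification, which in practice pushes users toward `GIT_SSL_NO_VERIFY`; the gcloud block already takes the right approach by concatenating curl's `cacert.pem` with the Cloudflare PEM, and git/npm should point at that same combined bundle. That gcloud block is itself broken: `${XDG_DATA_HOME:$HOME/.local/share}` (three occurrences) is bash substring expansion rather than a default value, and `cat cacert.pem` reads from the current directory instead of `${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem`. The backticks inside the double-quoted `logg info` messages of the NPM, Python and gcloud blocks are command substitutions, so the script actually runs `npm`, `python3` (which reads stdin until EOF) and `gcloud` while building a log line — use single quotes or drop the backticks. The Python step appends the PEM to certifi's `cacert.pem` on every run with no idempotency check and edits a file pip overwrites on the next certifi upgrade, and the Debian branch's `logg warn` has no message. The `if command -v warp-cli` block that contains these steps continues past the end of the hunk.
```shell
### Application certificate configuration
# One bundle = public roots (curl's cacert.pem) + the Cloudflare CA. Pointing a
# tool at the Cloudflare CA alone replaces its trust store, so hosts Gateway does
# not intercept (and all traffic while WARP is off) would fail verification.
WARP_DIR="${XDG_DATA_HOME:-$HOME/.local/share}/warp"
CA_BUNDLE="$WARP_DIR/ca-bundle.pem"
cat "${XDG_DATA_HOME:-$HOME/.local/share}/curl/cacert.pem" "$WARP_DIR/Cloudflare_CA.pem" > "$CA_BUNDLE"
### Git
if command -v git > /dev/null; then
  logg info "Configuring git to use $CA_BUNDLE"
  git config --global http.sslcainfo "$CA_BUNDLE"
fi
### NPM
if command -v npm > /dev/null; then
  logg info "Configuring npm to use $CA_BUNDLE"
  npm config set cafile "$CA_BUNDLE"
fi
# … unchanged: Python certifi append (still needs an idempotency check) …
### Google Cloud SDK
if command -v gcloud > /dev/null; then
  logg info "Configuring gcloud to use $CA_BUNDLE"
  gcloud config set core/custom_ca_certs_file "$CA_BUNDLE"
fi
# … unchanged: Google Drive for desktop, MDM settings …
```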


@ -107,6 +107,7 @@ user_pref('privacy.trackingprotection.fingerprinting.enabled', true)
user_pref('privacy.trackingprotection.pbmode.enabled', true) user_pref('privacy.trackingprotection.pbmode.enabled', true)
user_pref('privacy.usercontext.about_newtab_segregation.enabled', true) user_pref('privacy.usercontext.about_newtab_segregation.enabled', true)
user_pref('prompts.tab_modal.enabled', false) user_pref('prompts.tab_modal.enabled', false)
user_pref('security.enterprise_roots.enabled', true)
user_pref('security.fileuri.origin_policy', 3) user_pref('security.fileuri.origin_policy', 3)
user_pref('security.fileuri.strict_origin_policy', false) user_pref('security.fileuri.strict_origin_policy', false)
user_pref('security.ssl.disable_session_identifiers', true) user_pref('security.ssl.disable_session_identifiers', true)
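Review bot: The new `security.enterprise_roots.enabled` line widens Firefox's trust to every CA in the OS store, not only the Cloudflare CA the warp script installs, and nothing in the file says why it is on or what it trusts; add a comment such as `// Trust OS-store roots so Gateway's Cloudflare_CA (installed by the warp script) is honored; this also trusts any other CA present in the OS store`. Historically this pref was honored only on Windows and macOS, so confirm that the Firefox builds on the Linux targets read the system store through it before relying on it for Gateway inspection there.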


@ -103,6 +103,9 @@ export ASDF_PYTHON_DEFAULT_PACKAGES_FILE="$XDG_CONFIG_HOME/asdf/default-python-p
### AWS CLI ### AWS CLI
export AWS_SHARED_CREDENTIALS_FILE="$XDG_CONFIG_HOME/aws/credentials" export AWS_SHARED_CREDENTIALS_FILE="$XDG_CONFIG_HOME/aws/credentials"
export AWS_CONFIG_FILE="$XDG_CONFIG_HOME/aws/config" export AWS_CONFIG_FILE="$XDG_CONFIG_HOME/aws/config"
if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt" ]; then
export AWS_CA_BUNDLE="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.crt"
fi
### Azure CLI ### Azure CLI
export AZURE_CONFIG_DIR="$XDG_CONFIG_HOME/azure" export AZURE_CONFIG_DIR="$XDG_CONFIG_HOME/azure"
@ -274,6 +277,9 @@ fi
### Node.js ### Node.js
export NODE_REPL_HISTORY="$XDG_DATA_HOME/node_repl_history" export NODE_REPL_HISTORY="$XDG_DATA_HOME/node_repl_history"
if [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem" ]; then
export NODE_EXTRA_CA_CERTS="${XDG_DATA_HOME:-$HOME/.local/share}/warp/Cloudflare_CA.pem"
fi
### NPM ### NPM
export NPM_CONFIG_USERCONFIG="$XDG_CONFIG_HOME/npm/npmrc" export NPM_CONFIG_USERCONFIG="$XDG_CONFIG_HOME/npm/npmrc"
@ -315,6 +321,13 @@ export PATH="$PATH:$PNPM_HOME"
# Specify location of the default Prettierd configuration # Specify location of the default Prettierd configuration
# export PRETTIERD_DEFAULT_CONFIG="" # export PRETTIERD_DEFAULT_CONFIG=""
### Python
if command -v python3 > /dev/null; then
export CERT_PATH="$(python3 -m certifi)"
export SSL_CERT_FILE="$CERT_PATH"
export REQUESTS_CA_BUNDLE="$CERT_PATH"
fi
### Readline ### Readline
export INPUTRC="$XDG_CONFIG_HOME/readline/inputrc" export INPUTRC="$XDG_CONFIG_HOME/readline/inputrc"
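Review bot: The new Python block exports whatever `python3 -m certifi` prints on every shell start, so when certifi is absent (it is a third-party package, not part of python3) `CERT_PATH` is empty and `SSL_CERT_FILE`/`REQUESTS_CA_BUNDLE` are exported as empty strings — and when it is present, `SSL_CERT_FILE` redirects every OpenSSL-linked tool in the shell (curl, openssl, …) away from the system store into which the warp script installed the Cloudflare CA, which only works if that script's certifi append also ran. Guard the export on a non-empty, existing path, and consider scoping it to `REQUESTS_CA_BUNDLE` rather than the global `SSL_CERT_FILE`. The new `AWS_CA_BUNDLE` export has the same replace-not-extend problem: pointing it at `Cloudflare_CA.crt` alone makes every AWS endpoint Gateway does not intercept fail TLS verification, so it should reference a bundle that also contains the public roots. Note too that `.crt` differs from the `.pem` the externals download; the `-f` test keeps the export harmless, but if no `.crt` is ever produced the setting is dead code.
```shell
### Python
# certifi is a third-party package; only export when it is present and its
# bundle really exists, otherwise SSL_CERT_FILE="" would be exported and break
# verification for every OpenSSL-based tool started from this shell.
if command -v python3 > /dev/null; then
  CERT_PATH="$(python3 -m certifi 2> /dev/null)"
  if [ -n "$CERT_PATH" ] && [ -f "$CERT_PATH" ]; then
    export CERT_PATH
    export SSL_CERT_FILE="$CERT_PATH"
    export REQUESTS_CA_BUNDLE="$CERT_PATH"
  fi
fi
```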


@ -79,6 +79,7 @@ pref("privacy.trackingprotection.enabled", true);
pref("privacy.trackingprotection.fingerprinting.enabled", true); pref("privacy.trackingprotection.fingerprinting.enabled", true);
pref("privacy.trackingprotection.pbmode.enabled", true); pref("privacy.trackingprotection.pbmode.enabled", true);
pref("privacy.usercontext.about_newtab_segregation.enabled", true); pref("privacy.usercontext.about_newtab_segregation.enabled", true);
pref("security.enterprise_roots.enabled", true)
pref("security.ssl.disable_session_identifiers", true); pref("security.ssl.disable_session_identifiers", true);
pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSponsoredTopSite", false); pref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showSponsoredTopSite", false);
pref("signon.autofillForms", false); pref("signon.autofillForms", false);
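Review bot: The added `pref("security.enterprise_roots.enabled", true)` is the only `pref(...)` line in this file without a trailing semicolon; JavaScript's automatic semicolon insertion makes it work, but it breaks the file's convention and would trip a linter, so make it `pref("security.enterprise_roots.enabled", true);`. A short comment stating that this lets Firefox trust the OS-store roots (and so the Cloudflare CA the warp script installs) would also help the next reader, as the file otherwise gives no hint why the setting is on.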