From 2f9a23602172871261edac0727cb6b0b8f987c56 Mon Sep 17 00:00:00 2001
From: Brian Zalewski <brian@megabyte.space>
Date: Sat, 15 Apr 2023 23:14:30 +0000
Subject: [PATCH] Update 28 files

- /home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl
- /home/.chezmoiscripts/run_onchange_after_endlessh.tmpl
- /home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl
- /home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl
- /home/.chezmoiscripts/run_onchange_after_sshd.tmpl
- /home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl
- /home/.chezmoiscripts/run_onchange_ensure-executable.tmpl
- /home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl
- /home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl
- /home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl
- /home/.chezmoitemplates/ssh/authorized-keys.yubikey
- /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl
- /home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl
- /home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl
- /home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl
- /home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl
---
 ...nchange_after_symlink-ansible-configs.tmpl |  0
 ...un_onchange_before_01-requirements.sh.tmpl |  4 ++-
 ...n_onchange_before_10-system-tweaks.sh.tmpl |  2 ++
 ..._onchange_before_11-configure-swap.sh.tmpl |  2 ++
 .../linux/run_onchange_before_14-warp.sh.tmpl |  2 ++
 .../run_onchange_after_add-fonts.tmpl         | 23 ----------------
 ...un_onchanges_after_ensure-private-key.tmpl | 11 --------
 .../run_onchanges_after_symlink-custom.tmpl   | 16 ------------
 ...change_after_02-ensure-executable.sh.tmpl} |  5 ++++
 ...nchange_after_05-decrypt-ssh-keys.sh.tmpl} | 10 +++++++
 ...change_after_07-ensure-private-key.sh.tmpl | 17 ++++++++++++
 ...nge_after_08-generate-public-keys.sh.tmpl} |  5 ++++
 ...n_onchange_after_08-symlink-custom.sh.tmpl | 26 +++++++++++++++++++
 .../run_onchange_after_20-font.sh.tmpl        |  2 +-
 ... run_onchange_after_24-vpn-darwin.sh.tmpl} |  1 -
 .../run_onchange_after_30-endlessh.sh.tmpl}   | 16 ++++++++++++
 .../run_onchange_after_30-sshd.sh.tmpl}       |  9 +++++++
 .../run_onchange_after_31-fail2ban.sh.tmpl}   | 11 ++++++++
 ...=> encrypted_authorized-keys.yubikey.tmpl} |  0
 19 files changed, 109 insertions(+), 53 deletions(-)
 rename home/.chezmoiscripts/{ => disabled}/run_onchange_after_symlink-ansible-configs.tmpl (100%)
 delete mode 100644 home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl
 delete mode 100644 home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl
 delete mode 100644 home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl
 rename home/.chezmoiscripts/{run_onchange_ensure-executable.tmpl => universal/run_onchange_after_02-ensure-executable.sh.tmpl} (61%)
 rename home/.chezmoiscripts/{run_onchanges_after_decrypt-ssh-keys.tmpl => universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl} (62%)
 create mode 100644 home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl
 rename home/.chezmoiscripts/{run_onchanges_after_generate-public-keys.tmpl => universal/run_onchange_after_08-generate-public-keys.sh.tmpl} (65%)
 create mode 100644 home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl
 rename home/.chezmoiscripts/universal/{run_onchange_after_24-vpn-darwin.tmpl => run_onchange_after_24-vpn-darwin.sh.tmpl} (93%)
 rename home/.chezmoiscripts/{run_onchange_after_endlessh.tmpl => universal/run_onchange_after_30-endlessh.sh.tmpl} (53%)
 rename home/.chezmoiscripts/{run_onchange_after_sshd.tmpl => universal/run_onchange_after_30-sshd.sh.tmpl} (77%)
 rename home/.chezmoiscripts/{run_onchange_after_fail2ban.tmpl => universal/run_onchange_after_31-fail2ban.sh.tmpl} (70%)
 rename home/.chezmoitemplates/ssh/{authorized-keys.yubikey => encrypted_authorized-keys.yubikey.tmpl} (100%)

diff --git a/home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl b/home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl
similarity index 100%
rename from home/.chezmoiscripts/run_onchange_after_symlink-ansible-configs.tmpl
rename to home/.chezmoiscripts/disabled/run_onchange_after_symlink-ansible-configs.tmpl
diff --git a/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl
index 5dd489b1..2c1b3dfe 100644
--- a/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl
+++ b/home/.chezmoiscripts/linux/run_onchange_before_01-requirements.sh.tmpl
@@ -1,3 +1,4 @@
+{{- if (eq .host.distro.family "linux") -}}
 #!/usr/bin/env bash
 # @file Linux Required Dependencies
 # @brief Ensures commonly used system packages that are common dependencies of other packages are installed
@@ -237,4 +238,5 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
             fi
         fi
     done
-fi
\ No newline at end of file
+fi
+{{ end -}}
diff --git a/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl
index e4dbf591..fff8cc15 100644
--- a/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl
+++ b/home/.chezmoiscripts/linux/run_onchange_before_10-system-tweaks.sh.tmpl
@@ -1,3 +1,4 @@
+{{- if (eq .host.distro.family "linux") -}}
 #!/usr/bin/env bash
 # @file Linux System Tweaks
 # @brief Applies a set of generic Linux system tweaks such as ensuring the hostname is set, setting the timezone, and more
@@ -27,3 +28,4 @@ if command -v sysctl > /dev/null; then
   logg info 'Increasing vm.max_map_count size to 262144'
   sudo sysctl -w vm.max_map_count=262144 > /dev/null
 fi
+{{ end -}}
diff --git a/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl
index e22fd5f2..08cf7450 100644
--- a/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl
+++ b/home/.chezmoiscripts/linux/run_onchange_before_11-configure-swap.sh.tmpl
@@ -1,3 +1,4 @@
+{{- if (eq .host.distro.family "linux") -}}
 #!/usr/bin/env bash
 # @file Linux Swap
 # @brief Determines the ideal size `/swapfile`, ensures it exists, and then enables it on Linux systems
@@ -55,3 +56,4 @@ if [ ! -f /swapfile ]; then
     fi
   fi
 fi
+{{ end -}}
diff --git a/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl b/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl
index 5eb08473..fcf6f044 100644
--- a/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl
+++ b/home/.chezmoiscripts/linux/run_onchange_before_14-warp.sh.tmpl
@@ -1,3 +1,4 @@
+{{- if (eq .host.distro.family "linux") -}}
 #!/usr/bin/env bash
 # @file CloudFlare WARP Repository
 # @brief Adds the CloudFlare WARP `apt-get` repository to Debian and Ubuntu systems
@@ -30,3 +31,4 @@ elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then
         sudo apt-get update
     fi
 fi
+{{ end -}}
diff --git a/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl b/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl
deleted file mode 100644
index bb2d085f..00000000
--- a/home/.chezmoiscripts/run_onchange_after_add-fonts.tmpl
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if eq .host.distro.family "darwin" -}}
-#!/usr/bin/env bash
-
-{{ includeTemplate "universal/profile" }}
-{{ includeTemplate "universal/logg" }}
-
-{{ $fontFiles := (output "find" (joinPath .chezmoi.homeDir ".local" "share" "fonts") "-type" "f") -}}
-{{- range $fontFile := splitList "\n" $fontFiles -}}
-{{- if ne $fontFile "" -}}
-# {{ $fontFile }} hash: {{ $fontFile | sha256sum }}
-{{ end -}}
-{{- end }}
-
-### Ensure all fonts are added to ~/Library/Fonts on macOS
-find "$HOME/.local/share/fonts" -type f | while read FONT_FILE; do
-  BASENAME="$(basename "$FONT_FILE")"
-  if [ ! -f "$HOME/Library/Fonts/$BASENAME" ] || [ "$(openssl sha256 "$HOME/Library/Fonts/$BASENAME" | sed 's/.*= //')" != "$(openssl sha256 "$FONT_FILE" | sed 's/.*= //')" ]; then
-    logg info 'Adding '"$BASENAME"' to ~/Library/Fonts'
-    cp "$FONT_FILE" "$HOME/Library/Fonts/$BASENAME"
-  fi
-done
-
-{{ end -}}
diff --git a/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl b/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl
deleted file mode 100644
index f0bd84aa..00000000
--- a/home/.chezmoiscripts/run_onchanges_after_ensure-private-key.tmpl
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-
-{{ includeTemplate "universal/profile" }}
-{{ includeTemplate "universal/logg" }}
-
-### Ensure id_rsa is present and create one if it does not exist
-if [ ! -f "$HOME/.ssh/id_rsa" ]; then
-  logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
-  ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
-  chmod 600 "$HOME/.ssh/id_rsa"
-fi
diff --git a/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl b/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl
deleted file mode 100644
index 9c949c0c..00000000
--- a/home/.chezmoiscripts/run_onchanges_after_symlink-custom.tmpl
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if (ne .host.distro.family "windows") -}}
-#!/usr/bin/env bash
-
-{{ includeTemplate "universal/profile" }}
-{{ includeTemplate "universal/logg" }}
-
-### Symlink custom code for Neovim configuration
-if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
-    logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
-    logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
-    ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
-else
-    logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
-fi
-
-{{ end -}}
diff --git a/home/.chezmoiscripts/run_onchange_ensure-executable.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl
similarity index 61%
rename from home/.chezmoiscripts/run_onchange_ensure-executable.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl
index 54674743..c355d6ba 100644
--- a/home/.chezmoiscripts/run_onchange_ensure-executable.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_02-ensure-executable.sh.tmpl
@@ -1,4 +1,9 @@
 #!/usr/bin/env bash
+# @file Ensure Local Bin Executable
+# @brief Ensures all the scripts located in `~/.local/bin` have executable permissions
+# @description
+#     This script cycles through the scripts in `~/.local/bin` are executable. It only cycles through
+#     the scripts that are exactly one level deep in the `~/.local/bin` folder.
 
 {{ includeTemplate "universal/profile" }}
 {{ includeTemplate "universal/logg" }}
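Review bot: The first sentence of the new description does not parse ("cycles through the scripts in `~/.local/bin` are executable"). I would write `#     This script cycles through the scripts in ~/.local/bin and ensures they are executable.` The script body is outside this hunk, so the "exactly one level deep" statement could not be checked against the code.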
diff --git a/home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl
similarity index 62%
rename from home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl
index 8ab6e5b7..535ce218 100644
--- a/home/.chezmoiscripts/run_onchanges_after_decrypt-ssh-keys.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_05-decrypt-ssh-keys.sh.tmpl
@@ -1,5 +1,15 @@
 {{- if (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) -}}
 #!/usr/bin/env bash
+# @file Decrypt SSH Keys
+# @brief Decrypts the encrypted SSH key files stored in the `home/.chezmoitemplates/ssh` folder of the repository / fork
+# @description
+#     This script decrypts the SSH key files that are housed in the `home/.chezmoitemplates/ssh` section of the repository.
+#     It loops through all the files in `home/.chezmoitemplates/ssh` and stores them to the `~/.ssh` folder
+#     when they are successfully decrypted.
+#
+#     ## Secrets
+#
+#     For more information about storing secrets like SSH keys and API keys, refer to our [Secrets documentation](https://install.doctor/docs/customization/secrets).
 
 {{ includeTemplate "universal/profile" }}
 {{ includeTemplate "universal/logg" }}
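Review bot: The new header does not say that the script is conditional on the age key file. The `stat` guard on the first line presumably wraps the whole template, so when `~/.config/age/chezmoi.txt` is missing the script renders empty and no SSH keys are decrypted. I would add a line to the description such as `#     The script is skipped entirely when ~/.config/age/chezmoi.txt is not present.` The header could also state which file mode the decrypted keys receive in `~/.ssh`; the loop that writes them is outside this hunk, so that cannot be confirmed from here.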
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl
new file mode 100644
index 00000000..279a3edf
--- /dev/null
+++ b/home/.chezmoiscripts/universal/run_onchange_after_07-ensure-private-key.sh.tmpl
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# @file Default SSH Key
+# @brief Create a default `id_rsa` SSH key if one is not present in the repository / fork of Install Doctor
+# @description
+#     This script generates a pair of default `id_rsa` and `id_rsa.pub` keys if one is not already present
+#     on the system after the Install Doctor provisioning process completes. It also ensures the private
+#     key is only readable and writable the provisioning user.
+
+{{ includeTemplate "universal/profile" }}
+{{ includeTemplate "universal/logg" }}
+
+### Ensure id_rsa is present and create one if it does not exist
+if [ ! -f "$HOME/.ssh/id_rsa" ]; then
+  logg 'Generating missing default private key / public key (`~/.ssh/id_rsa`)'
+  ssh-keygen -b 4096 -t rsa -f "$HOME/.ssh/id_rsa" -q -N ""
+  chmod 600 "$HOME/.ssh/id_rsa"
+fi
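Review bot: The key is created with an empty passphrase (`-N ""`) and the header comment does not mention it, so a reader is not told that the private key sits unencrypted on disk, protected only by the `chmod 600`. I would add to the description something like `#     The key is generated without a passphrase; set one afterwards with ssh-keygen -p if the key is used beyond provisioning.` The `logg` call also passes no level, while the other new script in this patch calls `logg info`; if the helper expects a level as its first argument, prefix the message with `info`. In the same header, "writable the provisioning user" is missing "by".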
diff --git a/home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl
similarity index 65%
rename from home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl
index 177f8f7f..ceda4e50 100644
--- a/home/.chezmoiscripts/run_onchanges_after_generate-public-keys.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_08-generate-public-keys.sh.tmpl
@@ -1,4 +1,9 @@
 #!/usr/bin/env bash
+# @file Generate Missing Public SSH Keys
+# @brief Attempts to create missing public SSH keys for all private keys that are missing a public key file
+# @description
+#     Using private SSH keys, you can generate the corresponding public key. This script ensures that any SSH private key
+#     that does not have a matching `.pub` public key file has one generated.
 
 {{ $sshFiles := (output "find" (joinPath .chezmoi.homeDir ".ssh") "-type" "f") -}}
 {{- range $sshFile := splitList "\n" $sshFiles -}}
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl
new file mode 100644
index 00000000..7826c0a1
--- /dev/null
+++ b/home/.chezmoiscripts/universal/run_onchange_after_08-symlink-custom.sh.tmpl
@@ -0,0 +1,26 @@
+{{- if (ne .host.distro.family "windows") -}}
+#!/usr/bin/env bash
+# @file NvChad NVIM Customization Symlink
+# @brief Symlinks `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to the main NVIM configuration
+# @description
+#     NVIM is a visual text editor for the terminal. It is like a fancy, improved version of VIM with compatibility
+#     for the same plugins and some other ones as well. The default configuration of Install Doctor integrates
+#     a well-received and popular shared NVIM configuration called [NvChad](https://github.com/NvChad/NvChad).
+#
+#     To make it easy to update NVIM to the latest version as well as introduce custom configuration parameters for NvChad,
+#     this script symlinks the custom configuration from `${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom` to `${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom`
+#     which is the location that NvChad's documentation recommends placing custom settings in.
+
+{{ includeTemplate "universal/profile" }}
+{{ includeTemplate "universal/logg" }}
+
+### Symlink custom code for Neovim configuration
+if [ ! -d "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom" ]; then
+    logg info "Linking ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
+    logg info "Changes should go in ${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom"
+    ln -s "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom" "${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
+else
+    logg info "${XDG_CONFIG_HOME:-$HOME/.config}/nvim-custom appears to already be symlinked to ${XDG_CONFIG_HOME:-$HOME/.config}/nvim/lua/custom"
+fi
+
+{{ end -}}
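Review bot: The `[ ! -d … ]` test cannot tell a symlink from a real directory, so the `else` branch logs "appears to already be symlinked" even when `nvim/lua/custom` is an ordinary directory. A dangling link (when `nvim-custom` is missing) also fails the `-d` test, and the `ln -s` that follows then fails because the name already exists. Testing `-L` first and `-e` second separates the three cases. The `${XDG_CONFIG_HOME:-$HOME/.config}` expansion is repeated on every line of the block, and holding it in a variable makes the paths easier to compare. A possible rewrite of the body follows.

```shell
# … unchanged: template guard, header comment, includeTemplate lines …
config_dir="${XDG_CONFIG_HOME:-$HOME/.config}"
custom_src="$config_dir/nvim-custom"
custom_link="$config_dir/nvim/lua/custom"

### Symlink custom code for Neovim configuration
if [ -L "$custom_link" ]; then
    logg info "$custom_src appears to already be symlinked to $custom_link"
elif [ -e "$custom_link" ]; then
    # A real file or directory is in the way; do not overwrite user data
    logg info "$custom_link exists and is not a symlink, leaving it untouched"
else
    logg info "Linking $custom_src to $custom_link"
    logg info "Changes should go in $custom_src"
    ln -s "$custom_src" "$custom_link"
fi
```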
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl
index 3960429e..073d4c6e 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_20-font.sh.tmpl
@@ -1,6 +1,6 @@
 {{- if (eq .host.distro.family "linux") -}}
 #!/usr/bin/env bash
-# @file Fonts
+# @file Linux Fonts
 # @brief Ensures fonts are available at the system level and, on Linux, it configures the system font settings.
 # @description
 #     This script is utilized to ensure the same fonts are consistently used across the system.
diff --git a/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl
similarity index 93%
rename from home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl
index fa1ccb69..13ea5ec2 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl
@@ -18,7 +18,6 @@
 #
 #     ## Links
 #
-#     * [`run_onchange_after_24-vpn-darwin.sh.tmpl`](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_24-vpn-darwin.sh.tmpl)
 #     * [VPN profile folder](https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/vpn)
 #     * [VPN profile documentation](https://install.doctor/docs/customization/secrets#vpn-profiles)
 
diff --git a/home/.chezmoiscripts/run_onchange_after_endlessh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
similarity index 53%
rename from home/.chezmoiscripts/run_onchange_after_endlessh.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
index f2a5558a..d3c14ca7 100644
--- a/home/.chezmoiscripts/run_onchange_after_endlessh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
@@ -1,5 +1,21 @@
 {{- if eq .host.distro.family "linux" -}}
 #!/usr/bin/env bash
+# @file Endlessh Configuration
+# @brief Applies the Endlessh configuration and starts the service on Linux systems
+# @description
+#     Endlessh is a endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default
+#     SSH port. It is intended to break unsophisticated malware that targets SSH.
+#
+#     If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
+#     (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
+#
+#     **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
+#     is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
+#
+#     ## Links
+#
+#     * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
+#     * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
 
 # endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
 
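Review bot: The note in the header relies on sshd already having moved off the default port, but this script carries the same `30-` prefix as `run_onchange_after_30-sshd.sh.tmpl`. Since "endlessh" sorts before "sshd", on a first run it would presumably execute before the sshd configuration is applied. If the body (outside this hunk) starts the service unconditionally, endlessh may fail to bind the default port while sshd still holds it. Consider giving this script a number higher than the sshd script, or state the dependency in the note, e.g. `#     The sshd script must have run first so that the default SSH port is free.` Minor wording: "a endless" should read "an endless".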
diff --git a/home/.chezmoiscripts/run_onchange_after_sshd.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl
similarity index 77%
rename from home/.chezmoiscripts/run_onchange_after_sshd.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl
index 68bdb574..15880738 100644
--- a/home/.chezmoiscripts/run_onchange_after_sshd.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_30-sshd.sh.tmpl
@@ -1,5 +1,14 @@
 {{- if ne .host.distro.family "windows" -}}
 #!/usr/bin/env bash
+# @file SSHD Configuration
+# @brief Applies SSHD system configuration and then restarts / enables the SSH server
+# @description
+#     This script applies the SSH server MOTD banner and `sshd_config` (which are housed in the `home/private_dot_ssh/system` location)
+#     to the system by copying the files to the system location and then restarting / enabling the system SSH server.
+#
+#     ## Links
+#
+#     * [System SSHD configurations](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/system)
 
 # sshd_config hash: {{- include (joinPath .host.home ".ssh" "system" "sshd_config") | sha256sum -}}
 # banner hash: {{- include (joinPath .host.home ".ssh" "system" "banner") | sha256sum -}}
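Review bot: The header describes copying `sshd_config` into place and restarting the server but mentions no validation step. If the body (outside this hunk) does not check the file first, a syntax error in the rendered config would stop the SSH server from coming back after the restart and could cut off remote access to the host. I would document a check such as `sshd -t -f <path to the new sshd_config>` before the copy and restart, and add it if it is absent.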
diff --git a/home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl
similarity index 70%
rename from home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl
rename to home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl
index 2fad118d..bc4fe487 100644
--- a/home/.chezmoiscripts/run_onchange_after_fail2ban.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_31-fail2ban.sh.tmpl
@@ -1,5 +1,16 @@
 {{- if eq .host.distro.family "linux" -}}
 #!/usr/bin/env bash
+# @file Fail2ban Configuration
+# @brief Applies the system `fail2ban` jail configuration and then restarts the service
+# @description
+#     Fail2ban is an SSH security program that temporarily bans IP addresses that could possibly be
+#     attempting to gain unauthorized system access. This script applies the "jail" configuration
+#     located at `home/private_dot_ssh/fail2ban/` to the system location. It then enables and restarts
+#     the `fail2ban` configuration.
+#
+#     ## Links
+#
+#     * [`fail2ban` configuration folder](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/fail2ban)
 
 # jail.local hash: {{- include (joinPath .host.home ".ssh" "fail2ban" "jail.local") | sha256sum -}}
 
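Review bot: The description calls Fail2ban "an SSH security program" and says the script "restarts the `fail2ban` configuration". Fail2ban bans addresses based on log patterns for whichever services its jails cover, and what gets restarted is the service. Suggested wording: `#     Fail2ban temporarily bans IP addresses that show repeated failed access attempts in the logs of the services covered by its jails.` and `#     It then enables and restarts the fail2ban service.` The script body is outside this hunk.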
diff --git a/home/.chezmoitemplates/ssh/authorized-keys.yubikey b/home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl
similarity index 100%
rename from home/.chezmoitemplates/ssh/authorized-keys.yubikey
rename to home/.chezmoitemplates/ssh/encrypted_authorized-keys.yubikey.tmpl