diff --git a/scripts/.gomplate.yaml b/scripts/.gomplate.yaml
new file mode 100644
index 00000000..28ac7150
--- /dev/null
+++ b/scripts/.gomplate.yaml
@@ -0,0 +1,8 @@
+---
+inputDir: src/
+outputMap: |
+ build/{{ .in | strings.ReplaceAll ".tmpl" "" }}
+
+datasources:
+ partials:
+ url: partials/
diff --git a/scripts/README.md b/scripts/README.md
new file mode 100644
index 00000000..8e51b399
--- /dev/null
+++ b/scripts/README.md
@@ -0,0 +1,14 @@
+# Install Doctor Scripts
+
+The scripts in this folder are linked to from various https://install.doctor URLs. For instance, you can install
+Homebrew by running `bash <(curl -sSL https://install.doctor/brew)` which will direct to the `homebrew.sh` file in this
+directory.
+
+## Gomplate
+
+All the scripts are generated using `gomplate` so they can include shared partials. To re-generate the scripts ensure `gomplate`
+is installed by running `brew install gomplate` and then run `gomplate` in this `scripts/` directory.
+
+## TODO
+
+Pull requests are welcome. If someone wants to add variables to customize anything in the default scripts, please merge your changes back here upstream.
\ No newline at end of file
diff --git a/scripts/cloudflared-ssh.sh b/scripts/cloudflared-ssh.sh
new file mode 100644
index 00000000..abce126b
--- /dev/null
+++ b/scripts/cloudflared-ssh.sh
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+# @file local/cloudflared.sh
+# @brief Installs and configures cloudflared for short-lived SSH certificates authenticated via SSO
+# @description
+# This script ensures Homebrew is installed and then uses Homebrew to ensure `cloudflared` is installed.
+# After that, it connects `cloudflared` to CloudFlare Teams and sets up short-lived SSH certificates so
+# that you do not have to manage SSH keys and instead use SSO (Single Sign-On) via CloudFlare Teams.
+#
+# **Note**: `https://install.doctor/cloudflared` points to this file.
+#
+# ## Variables
+#
+# The `SSH_DOMAIN` variable should be set to the endpoint you want to be able to SSH into. The SSH endpoint(s)
+# that are created depend on what type of system is being configured. Some device types include multiple
+# properties that need multiple unique SSH endpoints. The `SSH_DOMAIN` must be passed to this script or else
+# it will default to `ssh.megabyte.space`.
+#
+# * For most installations, the configured domain will be `$(hostname).${SSH_DOMAIN}`
+# * If Qubes is being configured, then the configured domain will be `$(hostname)-qube.${SSH_DOMAIN}`
+# * If [EasyEngine](https://easyengine.io/) is installed, then each domain setup with EasyEngine is configured to have an `ssh` subdomain (i.e. `ssh.example.com` for `example.com`)
+#
+# There are other optional variables that can be customized as well:
+#
+# * `CF_TUNNEL_NAME` - The ID to assign to the tunnel that `cloudflared` creates (`default-ssh-tunnel` by default)
+#
+# ## Notes
+#
+# Since the certificates are "short-lived", you will have to periodically re-authenticate against the
+# SSO authentication endpoint that is hosted by CloudFlare Teams (or an identity provider of your choosing).
+# This script will likely only work on AMD x64 devices.
+#
+# Some of the commands are conditionally run based on whether or not the `CRONTAB_JOB` environment variable is set.
+# This is to accomodate EasyEngine installations where the list of SSH endpoints is variable. Both the initial
+# setup and updates are applied using this script (via a cronjob that does not need to run initialization tasks during
+# the cronjobs).
+#
+# ## Links
+#
+# [SSH with short-lived certificates](https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-cert-bastion/)
+
+# @description Ensures Homebrew is installed and loaded into the `PATH` variable if it is not already available
+if ! command -v brew > /dev/null; then
+ bash <(curl -sSL https://install.doctor/brew)
+
+fi
+
+# @description Ensures `cloudflared` is installed via Homebrew
+if ! command -v cloudflared > /dev/null; then
+ brew install cloudflared
+fi
+
+# @description Detect the SSH port being used
+SSH_PORT="22"
+if sudo cat /etc/ssh/sshd_config | grep '^Port ' > /dev/null; then
+ SSH_PORT="$(sudo cat /etc/ssh/sshd_config | grep '^Port ' | sed 's/Port //')"
+fi
+
+# @description Login to the CloudFlare network (if running outside a cronjob) and acquire the tunnel ID
+if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared tunnel login
+ sudo cloudflared tunnel create "${CF_TUNNEL_NAME:=default-ssh-tunnel}"
+fi
+TUNNEL_ID="$(sudo cloudflared tunnel list | grep " ${CF_TUNNEL_NAME} " | sed 's/^\([^ ]*\).*$/\1/')"
+
+# @description Ensure CloudFlare tunnel ID was acquired, then add tunnel route, and create
+# tunnel configuration based on what type of machine is being configured (i.e. regular, Qubes, or EasyEngine)
+if [ -n "$TUNNEL_ID" ]; then
+ if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared tunnel route ip add 100.64.0.0/10 "${TUNNEL_ID}"
+ fi
+
+ # @description Create the `/root/.cloudflared/config.yml`
+ CONFIG_TMP="$(mktemp)"
+ echo "tunnel: ${TUNNEL_ID}" > "$CONFIG_TMP"
+ echo "credentials-file: /root/.cloudflared/${TUNNEL_ID}.json" >> "$CONFIG_TMP"
+ echo "" >> "$CONFIG_TMP"
+ echo "ingress:" >> "$CONFIG_TMP"
+ if [ -d '/opt/easyengine/sites' ]; then
+ DOMAINS_HOSTED="$(find /opt/easyengine/sites -maxdepth 1 -mindepth 1 -type d | sed 's/.*sites\///' | xargs)"
+ else
+ if [ -d /etc/qubes ]; then
+ DOMAINS_HOSTED="$(hostname)-qube.${SSH_DOMAIN:-ssh.megabyte.spaccec}"
+ else
+ DOMAINS_HOSTED="$(hostname).${SSH_DOMAIN:-ssh.megabyte.spaccec}"
+ fi
+ fi
+ for DOMAIN in $DOMAINS_HOSTED; do
+ echo " - hostname: ${DOMAIN}" >> "$CONFIG_TMP"
+ echo " service: ssh://localhost:$SSH_PORT" >> "$CONFIG_TMP"
+ done
+ echo " - service: http_status:404" >> "$CONFIG_TMP"
+ echo "" >> "$CONFIG_TMP"
+ sudo mkdir -p /root/.cloudflared
+ sudo mv "$CONFIG_TMP" /root/.cloudflared/config.yml
+
+ # @description Install the `cloudflared` system service (if it is not a cronjob)
+ if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared service install
+ fi
+else
+ echo "ERROR: Unable to acquire CloudFlare tunnel ID" && exit 1
+fi
+
+# @description Restart if the config file changed
+if [ ! -f /root/.cloudflared/config-previous.yml ] || [ "$(cat /root/.cloudflared/config-previous.yml)" != "$(cat /root/.cloudflared/config.yml)" ]; then
+ # @todo Add restart command for non-systemctl devices (i.e. macOS)
+ if command -v systemctl > /dev/null; then
+ sudo systemctl restart cloudflared
+ fi
+ sudo cp /root/.cloudflared/config.yml /root/.cloudflared/config-previous.yml
+fi
diff --git a/scripts/homebrew.sh b/scripts/homebrew.sh
new file mode 100644
index 00000000..f9e3a37f
--- /dev/null
+++ b/scripts/homebrew.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# @file homebrew.sh
+# @brief Installs Homebrew on macOS and / or Linux.
+# @description
+# This script installs Homebrew on macOS and/or Linux machines. The script:
+#
+# 1. Ensures Homebrew is not already installed
+# 2. Installs Homebrew headlessly if sudo privileges are already given
+# 3. Prompts for the sudo password, if required
+# 4. Performs some clean up and update tasks when the Homebrew installation reports an error
+#
+# **Note**: `https://install.doctor/brew` points to this file.
+
+if ! command -v brew > /dev/null; then
+ if command -v sudo > /dev/null && sudo -n true; then
+ echo | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+ else
+ echo "Homebrew is not installed. The script will attempt to install Homebrew and you might be prompted for your password."
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" || BREW_EXIT_CODE="$?"
+ if [ -n "$BREW_EXIT_CODE" ]; then
+ if command -v brew > /dev/null; then
+ echo "Homebrew was installed but part of the installation failed. Trying a few things to fix the installation.."
+ BREW_DIRS="share/man share/doc share/zsh/site-functions etc/bash_completion.d"
+ for BREW_DIR in $BREW_DIRS; do
+ if [ -d "$(brew --prefix)/$BREW_DIR" ]; then
+ sudo chown -R "$(whoami)" "$(brew --prefix)/$BREW_DIR"
+ fi
+ done
+ brew update --force --quiet
+ fi
+ fi
+ fi
+fi
diff --git a/scripts/partials/basic-deps b/scripts/partials/basic-deps
new file mode 100644
index 00000000..36d35d88
--- /dev/null
+++ b/scripts/partials/basic-deps
@@ -0,0 +1,29 @@
+if ! command -v curl > /dev/null || ! command -v git > /dev/null || ! command -v expect > /dev/null || ! command -v rsync > /dev/null; then
+ if command -v apt-get > /dev/null; then
+ # @description Ensure `build-essential`, `curl`, `expect`, `git`, and `rsync` are installed on Debian / Ubuntu
+ sudo apt-get update
+ sudo apt-get install -y build-essential curl expect git rsync
+ elif command -v dnf > /dev/null; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on Fedora
+ sudo dnf install -y curl expect git rsync
+ elif command -v yum > /dev/null; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on CentOS
+ sudo yum install -y curl expect git rsync
+ elif command -v pacman > /dev/null; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on Archlinux
+ sudo pacman update
+ sudo pacman -Sy curl expect git rsync
+ elif command -v zypper > /dev/null; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on OpenSUSE
+ sudo zypper install -y curl expect git rsync
+ elif command -v apk > /dev/null; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on Alpine
+ apk add curl expect git rsync
+ elif [ -d /Applications ] && [ -d /Library ]; then
+ # @description Ensure CLI developer tools are available on macOS (via `xcode-select`)
+ sudo xcode-select -p >/dev/null 2>&1 || xcode-select --install
+ elif [[ "$OSTYPE" == 'cygwin' ]] || [[ "$OSTYPE" == 'msys' ]] || [[ "$OSTYPE" == 'win32' ]]; then
+ # @description Ensure `curl`, `expect`, `git`, and `rsync` are installed on Windows
+ choco install -y curl expect git rsync
+ fi
+fi
\ No newline at end of file
diff --git a/scripts/partials/homebrew b/scripts/partials/homebrew
new file mode 100644
index 00000000..d88a1396
--- /dev/null
+++ b/scripts/partials/homebrew
@@ -0,0 +1,34 @@
+if ! command -v brew > /dev/null; then
+ if [ -d /home/linuxbrew/.linuxbrew/bin ]; then
+ eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)
+ if ! command -v brew > /dev/null; then
+ echo "The /home/linuxbrew/.linuxbrew directory exists but something is not right. Try removing it and running the script again." && exit 1
+ fi
+ else
+ # @description Installs Homebrew and addresses a couple potential issues
+ if command -v sudo > /dev/null && sudo -n true; then
+ echo | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+ else
+ echo "Homebrew is not installed. The script will attempt to install Homebrew and you might be prompted for your password."
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" || BREW_EXIT_CODE="$?"
+ if [ -n "$BREW_EXIT_CODE" ]; then
+ if command -v brew > /dev/null; then
+ echo "Homebrew was installed but part of the installation failed. Trying a few things to fix the installation.."
+ BREW_DIRS="share/man share/doc share/zsh/site-functions etc/bash_completion.d"
+ for BREW_DIR in $BREW_DIRS; do
+ if [ -d "$(brew --prefix)/$BREW_DIR" ]; then
+ sudo chown -R "$(whoami)" "$(brew --prefix)/$BREW_DIR"
+ fi
+ done
+ brew update --force --quiet
+ fi
+ fi
+ fi
+
+ # @description Ensures the `brew` binary is available on Linux machines. macOS installs `brew` into the default `PATH`
+ # so nothing needs to be done for macOS.
+ if [ -d /home/linuxbrew/.linuxbrew/bin ]; then
+ eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)
+ fi
+ fi
+fi
\ No newline at end of file
diff --git a/scripts/partials/logg b/scripts/partials/logg
new file mode 100644
index 00000000..f4f7c6be
--- /dev/null
+++ b/scripts/partials/logg
@@ -0,0 +1,62 @@
+# @description Logs with style using Gum if it is installed, otherwise it uses `echo`. It also leverages Glow to render markdown.
+# When Glow is not installed, it uses `cat`.
+# @example logger info "An informative log"
+logg() {
+ TYPE="$1"
+ MSG="$2"
+ if [ "$TYPE" == 'error' ]; then
+ if command -v gum > /dev/null; then
+ gum style --border="thick" "$(gum style --foreground="#ff0000" "✖") $(gum style --bold --background="#ff0000" --foreground="#ffffff" " ERROR ") $(gum style --bold "$MSG")"
+ else
+ echo "ERROR: $MSG"
+ fi
+ elif [ "$TYPE" == 'info' ]; then
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#00ffff" "○") $(gum style --faint --foreground="#ffffff" "$MSG")"
+ else
+ echo "INFO: $MSG"
+ fi
+ elif [ "$TYPE" == 'md' ]; then
+ if command -v glow > /dev/null; then
+ glow "$MSG"
+ else
+ cat "$MSG"
+ fi
+ elif [ "$TYPE" == 'prompt' ]; then
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#00008b" "▶") $(gum style --bold "$MSG")"
+ else
+ echo "PROMPT: $MSG"
+ fi
+ elif [ "$TYPE" == 'star' ]; then
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#d1d100" "◆") $(gum style --bold "$MSG")"
+ else
+ echo "STAR: $MSG"
+ fi
+ elif [ "$TYPE" == 'start' ]; then
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#00ff00" "▶") $(gum style --bold "$MSG")"
+ else
+ echo "START: $MSG"
+ fi
+ elif [ "$TYPE" == 'success' ]; then
+ if command -v gum > /dev/null; then
+ gum style "$(gum style --foreground="#00ff00" "✔") $(gum style --bold "$MSG")"
+ else
+ echo "SUCCESS: $MSG"
+ fi
+ elif [ "$TYPE" == 'warn' ]; then
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#d1d100" "◆") $(gum style --bold --background="#ffff00" --foreground="#000000" " WARNING ") $(gum style --bold "$MSG")"
+ else
+ echo "WARNING: $MSG"
+ fi
+ else
+ if command -v gum > /dev/null; then
+ gum style " $(gum style --foreground="#00ff00" "▶") $(gum style --bold "$TYPE")"
+ else
+ echo "$MSG"
+ fi
+ fi
+}
\ No newline at end of file
diff --git a/scripts/provision.sh b/scripts/provision.sh
new file mode 100644
index 00000000..0725d831
--- /dev/null
+++ b/scripts/provision.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# @file scripts/cloudflared.sh
+# @brief Installs and configures cloudflared for short-lived SSH certificates authenticated via SSO
+# @description
+# This script ensures Homebrew is installed and then uses Homebrew to ensure `cloudflared` is installed.
+# After that, it connects `cloudflared` to CloudFlare Teams and sets up short-lived SSH certificates so
+# that you do not have to manage SSH keys and instead use SSO (Single Sign-On) via CloudFlare Teams.
+#
+# **Note**: `https://install.doctor/cloudflared` points to this file.
+#
+# ## Variables
+#
+# The `SSH_DOMAIN` variable should be set to the endpoint you want to be able to SSH into. The SSH endpoint(s)
+# that are created depend on what type of system is being configured. Some device types include multiple
+# properties that need multiple unique SSH endpoints. The `SSH_DOMAIN` must be passed to this script or else
+# it will default to `ssh.megabyte.space`.
+#
+# * For most installations, the configured domain will be `$(hostname).${SSH_DOMAIN}`
+# * If Qubes is being configured, then the configured domain will be `$(hostname)-qube.${SSH_DOMAIN}`
+# * If [EasyEngine](https://easyengine.io/) is installed, then each domain setup with EasyEngine is configured to have an `ssh` subdomain (i.e. `ssh.example.com` for `example.com`)
+#
+# There are other optional variables that can be customized as well:
+#
+# * `CF_TUNNEL_NAME` - The ID to assign to the tunnel that `cloudflared` creates (`default-ssh-tunnel` by default)
+#
+# ## Notes
+#
+# Since the certificates are "short-lived", you will have to periodically re-authenticate against the
+# SSO authentication endpoint that is hosted by CloudFlare Teams (or an identity provider of your choosing).
+# This script will likely only work on AMD x64 devices.
+#
+# Some of the commands are conditionally run based on whether or not the `CRONTAB_JOB` environment variable is set.
+# This is to accomodate EasyEngine installations where the list of SSH endpoints is variable. Both the initial
+# setup and updates are applied using this script (via a cronjob that does not need to run initialization tasks during
+# the cronjobs).
+#
+# ## Links
+#
+# [SSH with short-lived certificates](https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-cert-bastion/)
\ No newline at end of file
diff --git a/scripts/src/cloudflared-ssh.sh.tmpl b/scripts/src/cloudflared-ssh.sh.tmpl
new file mode 100644
index 00000000..2647a08c
--- /dev/null
+++ b/scripts/src/cloudflared-ssh.sh.tmpl
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+# @file scripts/cloudflared-ssh.sh
+# @brief Installs and configures cloudflared for short-lived SSH certificates authenticated via SSO
+# @description
+# This script ensures Homebrew is installed and then uses Homebrew to ensure `cloudflared` is installed.
+# After that, it connects `cloudflared` to CloudFlare Teams and sets up short-lived SSH certificates so
+# that you do not have to manage SSH keys and instead use SSO (Single Sign-On) via CloudFlare Teams.
+#
+# **Note**: `https://install.doctor/cloudflared` points to this file.
+#
+# ## Variables
+#
+# The `SSH_DOMAIN` variable should be set to the endpoint you want to be able to SSH into. The SSH endpoint(s)
+# that are created depend on what type of system is being configured. Some device types include multiple
+# properties that need multiple unique SSH endpoints. The `SSH_DOMAIN` must be passed to this script or else
+# it will default to `ssh.megabyte.space`.
+#
+# * For most installations, the configured domain will be `$(hostname).${SSH_DOMAIN}`
+# * If Qubes is being configured, then the configured domain will be `$(hostname)-qube.${SSH_DOMAIN}`
+# * If [EasyEngine](https://easyengine.io/) is installed, then each domain setup with EasyEngine is configured to have an `ssh` subdomain (i.e. `ssh.example.com` for `example.com`)
+#
+# There are other optional variables that can be customized as well:
+#
+# * `CF_TUNNEL_NAME` - The ID to assign to the tunnel that `cloudflared` creates (`default-ssh-tunnel` by default)
+#
+# ## Notes
+#
+# Since the certificates are "short-lived", you will have to periodically re-authenticate against the
+# SSO authentication endpoint that is hosted by CloudFlare Teams (or an identity provider of your choosing).
+# This script will likely only work on AMD x64 devices.
+#
+# Some of the commands are conditionally run based on whether or not the `CRONTAB_JOB` environment variable is set.
+# This is to accomodate EasyEngine installations where the list of SSH endpoints is variable. Both the initial
+# setup and updates are applied using this script (via a cronjob that does not need to run initialization tasks during
+# the cronjobs).
+#
+# ## Links
+#
+# [SSH with short-lived certificates](https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-cert-bastion/)
+
+# @description Ensure dependencies like `git` and `curl` are installed (among a few other lightweight system packages)
+{{ include "partials" "basic-deps" }}
+
+# @description Ensure Homebrew is installed and available in the `PATH`
+{{ include "partials" "homebrew" }}
+
+# @description Ensures `cloudflared` is installed via Homebrew
+if ! command -v cloudflared > /dev/null; then
+ brew install cloudflared
+fi
+
+# @description Detect the SSH port being used
+SSH_PORT="22"
+if sudo cat /etc/ssh/sshd_config | grep '^Port ' > /dev/null; then
+ SSH_PORT="$(sudo cat /etc/ssh/sshd_config | grep '^Port ' | sed 's/Port //')"
+fi
+
+# @description Login to the CloudFlare network (if running outside a cronjob) and acquire the tunnel ID
+if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared tunnel login
+ sudo cloudflared tunnel create "${CF_TUNNEL_NAME:=default-ssh-tunnel}"
+fi
+TUNNEL_ID="$(sudo cloudflared tunnel list | grep " ${CF_TUNNEL_NAME} " | sed 's/^\([^ ]*\).*$/\1/')"
+
+# @description Ensure CloudFlare tunnel ID was acquired, then add tunnel route, and create
+# tunnel configuration based on what type of machine is being configured (i.e. regular, Qubes, or EasyEngine)
+if [ -n "$TUNNEL_ID" ]; then
+ if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared tunnel route ip add 100.64.0.0/10 "${TUNNEL_ID}"
+ fi
+
+ # @description Create the `/root/.cloudflared/config.yml`
+ CONFIG_TMP="$(mktemp)"
+ echo "tunnel: ${TUNNEL_ID}" > "$CONFIG_TMP"
+ echo "credentials-file: /root/.cloudflared/${TUNNEL_ID}.json" >> "$CONFIG_TMP"
+ echo "" >> "$CONFIG_TMP"
+ echo "ingress:" >> "$CONFIG_TMP"
+ if [ -d '/opt/easyengine/sites' ]; then
+ DOMAINS_HOSTED="$(find /opt/easyengine/sites -maxdepth 1 -mindepth 1 -type d | sed 's/.*sites\///' | xargs)"
+ else
+ if [ -d /etc/qubes ]; then
+ DOMAINS_HOSTED="$(hostname)-qube.${SSH_DOMAIN:-ssh.megabyte.spaccec}"
+ else
+ DOMAINS_HOSTED="$(hostname).${SSH_DOMAIN:-ssh.megabyte.spaccec}"
+ fi
+ fi
+ for DOMAIN in $DOMAINS_HOSTED; do
+ echo " - hostname: ${DOMAIN}" >> "$CONFIG_TMP"
+ echo " service: ssh://localhost:$SSH_PORT" >> "$CONFIG_TMP"
+ done
+ echo " - service: http_status:404" >> "$CONFIG_TMP"
+ echo "" >> "$CONFIG_TMP"
+ sudo mkdir -p /root/.cloudflared
+ sudo mv "$CONFIG_TMP" /root/.cloudflared/config.yml
+
+ # @description Install the `cloudflared` system service (if it is not a cronjob)
+ if [ -z "$CRONTAB_JOB" ]; then
+ sudo cloudflared service install
+ fi
+else
+ echo "ERROR: Unable to acquire CloudFlare tunnel ID" && exit 1
+fi
+
+# @description Restart if the config file changed
+if [ ! -f /root/.cloudflared/config-previous.yml ] || [ "$(cat /root/.cloudflared/config-previous.yml)" != "$(cat /root/.cloudflared/config.yml)" ]; then
+ # @todo Add restart command for non-systemctl devices (i.e. macOS)
+ if command -v systemctl > /dev/null; then
+ sudo systemctl restart cloudflared
+ fi
+ sudo cp /root/.cloudflared/config.yml /root/.cloudflared/config-previous.yml
+fi
diff --git a/scripts/src/homebrew.sh.tmpl b/scripts/src/homebrew.sh.tmpl
new file mode 100644
index 00000000..c0b423ae
--- /dev/null
+++ b/scripts/src/homebrew.sh.tmpl
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# @file scripts/homebrew.sh
+# @brief Installs Homebrew on macOS and / or Linux.
+# @description
+# This script installs Homebrew on macOS and/or Linux machines. The script:
+#
+# 1. Ensures Homebrew is not already installed
+# 2. Installs Homebrew headlessly if sudo privileges are already given
+# 3. Prompts for the sudo password, if required
+# 4. Performs some clean up and update tasks when the Homebrew installation reports an error
+#
+# **Note**: `https://install.doctor/brew` points to this file.
+
+{{ include "partials" "homebrew" }}
diff --git a/scripts/src/provision.sh.tmpl b/scripts/src/provision.sh.tmpl
new file mode 100644
index 00000000..36d9fa3f
--- /dev/null
+++ b/scripts/src/provision.sh.tmpl
@@ -0,0 +1,279 @@
+#!/usr/bin/env bash
+# @file scripts/provision.sh
+# @brief Main entry point for Install Doctor that ensures Homebrew and a few dependencies are installed before cloning the repository and running Chezmoi.
+# @description
+# This script ensures Homebrew is installed and then installs a few dependencies that Install Doctor relies on.
+# After setting up the minimal amount of changes required, it clones the Install Doctor repository (which you
+# can customize the location of so you can use your own fork). It then proceeds by handing things over to
+# Chezmoi which handles the dotfile application and synchronous scripts. Task is used in conjunction with
+# Chezmoi to boost the performance in some spots by introducing asynchronous features.
+#
+# **Note**: `https://install.doctor/start` points to this file.
+#
+# ## Dependencies
+#
+# The chart below shows the dependencies we rely on to get Install Doctor going. The dependencies that are bolded
+# are mandatory. The ones that are not bolded are conditionally installed only if they are required.
+#
+# | Dependency | Description |
+# |--------------------|--------------------------------------------------------------------------------------|
+# | **Chezmoi** | Dotfile configuration manager (on-device provisioning) |
+# | **Task** | Task runner used on-device for task parallelization and dependency management |
+# | **ZX / Node.js** | ZX is a Node.js abstraction that allows for better scripts |
+# | Gum | Gum is a terminal UI prompt CLI (which allows sweet, interactive prompts) |
+# | Glow | Glow is a markdown renderer used for applying terminal-friendly styled to markdown |
+#
+# There are also a handful of system packages that are installed like `curl` and `git`. Then, during the Chezmoi provisioning
+# process, there are a handful of system packages that are installed to ensure things run smoothly. You can find more details
+# about these extra system packages by browsing through the `home/.chezmoiscripts/${DISTRO_ID}/` folder and other applicable
+# folders (e.g. `universal`).
+#
+# Although Install Doctor comes with presets that install a whole gigantic amount of software, it can actually
+# be quite good at provisioning minimal server environments where you want to keep the binaries to a minimum.
+#
+# ## Variables
+#
+# Specify certain environment variables to customize the behavior of Install Doctor. With the right combination of
+# environment variables, this script can be run completely headlessly. This allows us to do things like test our
+# provisioning script on a wide variety of operating systems.
+#
+# | Variable | Description |
+# |------------------------|-----------------------------------------------------------------------------------|
+# | `START_REPO` | Variable to specify the Git fork to use when provisioning |
+# | `ANSIBLE_PROVISION_VM` | **For Qubes**, determines the name of the VM used to provision the system |
+# | `DEBUG_MODE` | Set to true to enable verbose logging |
+#
+# For a full list of variables you can use to customize Install Doctor, check out our [Customization](https://install.doctor/docs/customization)
+# and [Secrets](https://install.doctor/docs/customization/secrets) documentation.
+#
+# ## Links
+#
+# [Install Doctor homepage](https://install.doctor)
+# [Install Doctor documentation portal](https://install.doctor/docs) (includes tips, tricks, and guides on how to customize the system to your liking)
+
+# @description Ensure Ubuntu / Debian run in `noninteractive` mode
+export DEBIAN_FRONTEND=noninteractive
+
+# @description Detect `START_REPO` format and determine appropriate git address, otherwise use the master Install Doctor branch
+if [ -z "$START_REPO" ]; then
+ START_REPO="https://gitlab.com/megabyte-labs/install.doctor.git"
+else
+ if [[ "$START_REPO == *"/"* ]]; then
+ # Either full git address or GitHubUser/RepoName
+ if [[ "$START_REPO" == *":"* ]] || [[ "$START_REPO" == *"//"* ]]; then
+ START_REPO="$START_REPO"
+ else
+ START_REPO="https://github.com/${START_REPO}.git"
+ fi
+ else
+ START_REPO="https://github.com/$START_REPO/install.doctor.git"
+ fi
+fi
+
+{{ include "partials" "logg" }}
+
+# @description Notify user that they can press CTRL+C to prevent /etc/sudoers from being modified (which is currently required for headless installs on some systems)
+sudo -n true || SUDO_EXIT_CODE=$?
+logg info 'Your user will temporarily be granted passwordless sudo for the duration of the script'
+if [ -n "$SUDO_EXIT_CODE" ]; then
+ logg info 'Press `CTRL+C` to bypass this prompt to either enter your password when needed or perform a non-privileged installation'
+ logg info 'Note: Non-privileged installations are not yet supported'
+fi
+
+# @description Add current user to /etc/sudoers so that headless automation is possible
+if ! sudo cat /etc/sudoers | grep '# TEMPORARY FOR INSTALL DOCTOR' > /dev/null; then
+ echo "$(whoami) ALL=(ALL:ALL) NOPASSWD: ALL # TEMPORARY FOR INSTALL DOCTOR" | sudo tee -a /etc/sudoers
+ REMOVE_TMP_SUDOERS_MACOS=true
+fi
+
+# @section Qubes dom0 Bootstrap
+# @description Perform Qubes dom0 specific logic like updating system packages, setting up the Tor VM, updating TemplateVMs, and
+# beginning the provisioning process using Ansible and an AppVM used to handle the provisioning process
+if command -v qubesctl > /dev/null; then
+ # @description Ensure sys-whonix is configured (for Qubes dom0)
+ CONFIG_WIZARD_COUNT=0
+ function configureWizard() {
+ if xwininfo -root -tree | grep "Anon Connection Wizard"; then
+ WINDOW_ID="$(xwininfo -root -tree | grep "Anon Connection Wizard" | sed 's/^ *\([^ ]*\) .*/\1/')"
+ xdotool windowactivate "$WINDOW_ID" && sleep 1 && xdotool key 'Enter' && sleep 1 && xdotool key 'Tab Tab Enter' && sleep 24 && xdotool windowactivate "$WINDOW_ID" && sleep 1 && xdotool key 'Enter' && sleep 300
+ qvm-shutdown --wait sys-whonix
+ sleep 3
+ qvm-start sys-whonix
+ if xwininfo -root -tree | grep "systemcheck | Whonix" > /dev/null; then
+ WINDOW_ID_SYS_CHECK="$(xwininfo -root -tree | grep "systemcheck | Whonix" | sed 's/^ *\([^ ]*\) .*/\1/')"
+ if xdotool windowactivate "$WINDOW_ID_SYS_CHECK"; then
+ sleep 1
+ xdotool key 'Enter'
+ fi
+ fi
+ else
+ sleep 3
+ CONFIG_WIZARD_COUNT=$((CONFIG_WIZARD_COUNT + 1))
+ if [[ "$CONFIG_WIZARD_COUNT" == '4' ]]; then
+ echo "The sys-whonix anon-connection-wizard utility did not open."
+ else
+ echo "Checking for anon-connection-wizard again.."
+ configureWizard
+ fi
+ fi
+ }
+
+ # @description Ensure dom0 is updated
+ if [ ! -f /root/dom0-updated ]; then
+ sudo qubesctl --show-output state.sls update.qubes-dom0
+ sudo qubes-dom0-update --clean -y
+ touch /root/dom0-updated
+ fi
+
+ # @description Ensure sys-whonix is running
+ if ! qvm-check --running sys-whonix; then
+ qvm-start sys-whonix --skip-if-running
+ configureWizard > /dev/null
+ fi
+
+ # @description Ensure TemplateVMs are updated
+ if [ ! -f /root/templatevms-updated ]; then
+ # timeout of 10 minutes is added here because the whonix-gw VM does not like to get updated
+ # with this method. Anyone know how to fix this?
+ sudo timeout 600 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm &> /dev/null || true
+ while read -r RESTART_VM; do
+ qvm-shutdown --wait "$RESTART_VM"
+ done< <(qvm-ls --all --no-spinner --fields=name,state | grep Running | grep -v sys-net | grep -v sys-firewall | grep -v sys-whonix | grep -v dom0 | awk '{print $1}')
+ sudo touch /root/templatevms-updated
+ fi
+
+ # @description Ensure provisioning VM can run commands on any VM
+ echo "/bin/bash" | sudo tee /etc/qubes-rpc/qubes.VMShell
+ sudo chmod 755 /etc/qubes-rpc/qubes.VMShell
+ echo "${ANSIBLE_PROVISION_VM:=provision}"' dom0 allow' | sudo tee /etc/qubes-rpc/policy/qubes.VMShell
+ echo "$ANSIBLE_PROVISION_VM"' $anyvm allow' | sudo tee -a /etc/qubes-rpc/policy/qubes.VMShell
+ sudo chown "$(whoami):$(whoami)" /etc/qubes-rpc/policy/qubes.VMShell
+ sudo chmod 644 /etc/qubes-rpc/policy/qubes.VMShell
+
+
+ # @description Create provisioning VM and initialize the provisioning process from there
+ qvm-create --label red --template debian-11 "$ANSIBLE_PROVISION_VM" &> /dev/null || true
+ qvm-volume extend "$ANSIBLE_PROVISION_VM:private" "40G"
+ if [ -f ~/.vaultpass ]; then
+ qvm-run "$ANSIBLE_PROVISION_VM" 'rm -f ~/QubesIncoming/dom0/.vaultpass'
+ qvm-copy-to-vm "$ANSIBLE_PROVISION_VM" ~/.vaultpass
+ qvm-run "$ANSIBLE_PROVISION_VM" 'cp ~/QubesIncoming/dom0/.vaultpass ~/.vaultpass'
+ fi
+
+ # @description Restart the provisioning process with the same script but from the provisioning VM
+ qvm-run --pass-io "$ANSIBLE_PROVISION_VM" 'curl -sSL https://install.doctor/start > ~/start.sh && bash ~/start.sh'
+ exit 0
+fi
+
+# @description Ensure basic system packages are available on the device
+{{ include "partials" "basic-deps" }}
+
+# @description Ensure Homebrew is installed and available
+{{ include "partials" "homebrew" }}
+
+# @description Ensure Chezmoi is installed
+if ! command -v chezmoi > /dev/null; then
+ brew install chezmoi
+fi
+
+# @description Ensure Node.js is installed
+if ! command -v node > /dev/null; then
+ brew install node
+fi
+
+# @description Ensure ZX is installed
+if ! command -v zx > /dev/null; then
+ brew install zx
+fi
+
+# @description Install Glow / Gum if the `HEADLESS_INSTALL` variable is not set to true
+if [ "$HEADLESS_INSTALL" != 'true' ]; then
+ # @description Ensure Gum is installed
+ if ! command -v gum > /dev/null; then
+ brew install gum
+ fi
+
+ # @description Ensure Glow is installed
+ if ! command -v glow > /dev/null; then
+ brew install glow
+ fi
+fi
+
+# @description Ensure the ${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi directory is cloned and up-to-date
+if [ -d "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/.git" ]; then
+ cd "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi"
+ logg info "Pulling the latest changes from ${START_REPO:-https://gitlab.com/megabyte-labs/install.doctor.git}"
+ git pull origin master
+else
+ logg info "Cloning ${START_REPO} to ${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi"
+ git clone ${START_REPO} "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi"
+fi
+
+# @description If the `${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml` file is missing, then guide the user through the initial setup
+if [ ! -f "${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml" ]; then
+ # @description Show introduction message if Glow is installed
+ if command -v glow > /dev/null; then
+ glow "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/docs/CHEZMOI-INTRO.md"
+ fi
+
+ # @description Prompt for the software group if the `SOFTWARE_GROUP` variable is not defined
+ if command -v gum > /dev/null; then
+ if [ -z "$SOFTWARE_GROUP" ]; then
+ logg prompt 'Select the software group you would like to install. If your environment is a macOS, Windows, or environment with the DISPLAY environment variable then desktop software will be installed too. The software groups are in the '"${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml"' file.'
+ SOFTWARE_GROUP="$(gum choose "Basic" "Standard" "Full")"
+ export SOFTWARE_GROUP
+ fi
+ else
+ logg error 'Woops! Gum needs to be installed for the guided installation. Try running brew install gum' && exit 1
+ fi
+
+ # @description Run `chezmoi init` when the Chezmoi configuration is missing
+ logg info 'Running `chezmoi init` since the '"${XDG_CONFIG_HOME:-$HOME/.config}/chezmoi/chezmoi.yaml"' is not present'
+ chezmoi init
+fi
+
+# @description Run `chezmoi apply` and enable verbose mode if the `DEBUG_MODE` environment variable is set to true
+logg info 'Running `chezmoi apply`'
+if [ "$DEBUG_MODE" = 'true' ]; then
+ DEBUG_MODIFIER="-vvvvv"
+fi
+
+# @description Save the log of the provision process to `${XDG_DATA_HOME:-$HOME/.local/share}/install.doctor.$(date +%s).log` and add the Chezmoi
+# `--force` flag if the `HEADLESS_INSTALL` variable is set to true.
+if [ "$HEADLESS_INSTALL" = 'true' ]; then
+ if command -v unbuffer > /dev/null; then
+ unbuffer -p chezmoi apply $DEBUG_MODIFIER -k --force 2>&1 | tee "${XDG_DATA_HOME:-$HOME/.local/share}/install.doctor.$(date +%s).log"
+ else
+ chezmoi apply $DEBUG_MODIFIER -k --force 2>&1 | tee "${XDG_DATA_HOME:-$HOME/.local/share}/install.doctor.$(date +%s).log"
+ fi
+else
+ if command -v unbuffer > /dev/null; then
+ unbuffer -p chezmoi apply $DEBUG_MODIFIER -k 2>&1 | tee "${XDG_DATA_HOME:-$HOME/.local/share}/install.doctor.$(date +%s).log"
+ else
+ chezmoi apply $DEBUG_MODIFIER -k 2>&1 | tee "${XDG_DATA_HOME:-$HOME/.local/share}/install.doctor.$(date +%s).log"
+ fi
+fi
+
+# @description Ensure gsed is available on macOS (for modifying `/etc/sudoers` to remove passwordless sudo)
+if [ -n "$REMOVE_TMP_SUDOERS" ] && [ -d /Applications ] && [ -d /System ]; then
+ if ! command -v gsed > /dev/null; then
+ if command -v brew > /dev/null; then
+ brew install gsed
+ else
+ logg warn 'Homebrew is not available and passwordless sudo might still be enabled in /etc/sudoers. Modify the file manually if you wish to disable passwordless sudo.'
+ fi
+ fi
+fi
+
+# @description Ensure temporary passwordless sudo privileges are removed from `/etc/sudoers`
+if command -v gsed > /dev/null; then
+ sudo gsed -i '/# TEMPORARY FOR INSTALL DOCTOR/d' /etc/sudoers || logg warn 'Failed to remove passwordless sudo from the /etc/sudoers file'
+else
+ sudo sed -i '/# TEMPORARY FOR INSTALL DOCTOR/d' /etc/sudoers || logg warn 'Failed to remove passwordless sudo from the /etc/sudoers file'
+fi
+
+# @description Render the `docs/POST-INSTALL.md` file to the terminal at the end of the provisioning process
+logg success 'Provisioning complete!'
+if command -v glow > /dev/null && [ -f "${XDG_DATA_HOME:-$HOME/.local/share}/chezmoi/docs/POST-INSTALL.md" ]; then
+ glow "$HOME/.local/share/chezmoi/docs/POST-INSTALL.md"
+fi