{{- if (ne .host.distro.family "windows") -}} #!/usr/bin/env bash # @file CloudFlare WARP and CloudFlare Argo Tunnels # @brief Installs CloudFlare WARP, ensures proper security certificates are in place, and connects the device to CloudFlare WARP. Also sets up Argo Tunnels. # @description # This script is intended to connect the device to CloudFlare's Zero Trust network with nearly all of its features unlocked. # Homebrew is used to install the `warp-cli` on macOS. On Linux, it can install `warp-cli` on most Debian systems and some RedHat # systems. CloudFlare WARP's [download page](https://pkg.cloudflareclient.com/packages/cloudflare-warp) is somewhat barren. # # ## MDM Configuration # # If CloudFlare WARP successfully installs, it first applies MDM configurations (managed configurations). If you would like CloudFlare # WARP to connect completely headlessly (while losing some "user-posture" settings), then you can populate the following three secrets: # # 1. `CLOUDFLARE_TEAMS_CLIENT_ID` - The ID from a CloudFlare Teams service token. See [this article](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/). # 2. `CLOUDFLARE_TEAMS_CLIENT_SECRET` - The secret from a CloudFlare Teams service token. # 3. `CLOUDFLARE_TEAMS_ORG` - The ID of your Zero Trust organization. This variable must be passed in as an environment variable and is housed in the `home/.chezmoi.yaml.tmpl` file. If you do not want to pass an environment variable, you can change the default value in `home/.chezmoi.yaml.tmpl` on your own fork. # # The two variables above can be passed in using either of the methods described in the [Secrets documentation](https://install.doctor/docs/customization/secrets). # # ## Headless CloudFlare WARP Connection # # Even if you do not provide the two variables mentioned above, the script will still headlessly connect your device to the public CloudFlare WARP # network, where you will get some of the benefits of a VPN for free. Otherwise, if they were passed in, then the script # finishes by connecting to CloudFlare Teams. # # ## Application Certificates # # This script applies the techniques described on the [CloudFlare Zero Trust Install certificate manually page](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) # to configure the following utilities that leverage seperate certificate authorities: # # * Python # * NPM # * Git # * Google Cloud SDK # * AWS CLI # * Google Drive for desktop # # Settings used to configure Firefox are housed inside of the Firefox configuration files stored as seperate configuration files # outside of this script. **Note: The scripts that enable CloudFlare certificates for all these programs are currently commented out # in this script.** # # ## Notes # # According to CloudFlare Teams [documentation on MDM deployment](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/), # on macOS the `com.cloudflare.warp.plist` file gets erased on reboot. Also, according to the documentation, the only way around this is to leverage # an MDM SaaS provider like JumpCloud. # # ## Links # # * [Linux managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_config/warp/private_mdm.xml.tmpl) # * [macOS managed configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/Library/Managed%20Preferences/private_com.cloudflare.warp.plist.tmpl) {{ includeTemplate "universal/profile" }} {{ includeTemplate "universal/logg" }} ### Install CloudFlare WARP (on non-WSL *nix systems) if [[ ! "$(test -d /proc && grep Microsoft /proc/version > /dev/null)" ]]; then if [ -d /System ] && [ -d /Applications ]; then ### Install on macOS if [ ! -d "/Applications/Cloudflare WARP.app" ]; then brew install --cask cloudflare-warp else logg info 'Cloudflare WARP already installed' fi elif [ '{{ .host.distro.id }}' = 'debian' ]; then ### Add CloudFlare WARP desktop app apt-get source if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then logg info 'Adding CloudFlare WARP keyring' curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg logg info 'Adding apt source reference' echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list fi ### Update apt-get and install the CloudFlare WARP CLI sudo apt-get update && sudo apt-get install -y cloudflare-warp elif [ '{{ .host.distro.id }}' = 'ubuntu' ]; then ### Add CloudFlare WARP desktop app apt-get source if [ ! -f /etc/apt/sources.list.d/cloudflare-client.list ]; then logg info 'Adding CloudFlare WARP keyring' curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg logg info 'Adding apt source reference' echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list fi ### Update apt-get and install the CloudFlare WARP CLI sudo apt-get update && sudo apt-get install -y cloudflare-warp elif command -v dnf > /dev/null && command -v rpm > /dev/null; then ### This is made for CentOS 8 and works on Fedora 36 (hopefully 36+ as well) with `nss-tools` as a dependency sudo dnf instal -y nss-tools || NSS_TOOL_EXIT=$? if [ -n "$NSS_TOOL_EXIT" ]; then logg warn 'Unable to install nss-tools which was a requirement on Fedora 36 and assumed to be one on other systems as well.' fi ### According to the download site, this is the only version available for RedHat-based systems sudo rpm -ivh https://pkg.cloudflareclient.com/cloudflare-release-el8.rpm || RPM_EXIT_CODE=$? if [ -n "$RPM_EXIT_CODE" ]; then logg error 'Unable to install CloudFlare WARP using RedHat 8 RPM package' fi fi fi ### Ensure certificate is installed # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem if [ -d /System ] && [ -d /Applications ] && command -v warp-cli > /dev/null; then ### Ensure certificate installed on macOS if [ ! -n "$SSH_CONNECTION" ]; then logg info 'Requesting security authorization for Cloudflare trusted certificate' sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" logg info 'Updating the OpenSSL CA Store to include the Cloudflare certificate' echo | sudo tee -a /etc/ssl/cert.pem < "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > /dev/null echo "" | sudo tee -a /etc/ssl/cert.pem else logg warn 'Session is SSH so adding Cloudflare encryption key to trusted certificates via the security program is being bypassed since it requires Touch ID / Password verification.' fi if [ -d "/usr/local/etc/openssl@3/certs" ]; then # Location on Intel macOS logg info 'Adding Cloudflare certificate to /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem' echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /usr/local/etc/openssl@3/certs/Cloudflare_CA.pem logg info 'Running /usr/local/opt/openssl@3/bin/c_rehash' /usr/local/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful' elif [ -d "/opt/homebrew/etc/openssl@3/certs" ]; then # Location on arm64 macOS logg info 'Adding Cloudflare certificate to /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem' echo | sudo cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> /opt/homebrew/etc/openssl@3/certs/Cloudflare_CA.pem logg info 'Running /opt/homebrew/opt/openssl@3/bin/c_rehash' /opt/homebrew/opt/openssl@3/bin/c_rehash > /dev/null && logg success 'OpenSSL certificate rehash successful' else logg warn 'Unable to add Cloudflare_CA.pem because /usr/local/etc/openssl@3/certs and /opt/homebrew/etc/openssl@3/certs do not exist!' fi elif command -v warp-cli > /dev/null; then # System is Linux if command -v dpkg-reconfigure > /dev/null; then if [ -d /usr/local/share/ca-certificates ]; then logg info 'Copying CloudFlare Teams PEM file to /usr/local/share/ca-certificates/Cloudflare_CA.crt' sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /usr/local/share/ca-certificates/Cloudflare_CA.crt logg info 'dpkg-reconfigure executable detected so using Debian/Ubuntu method of updating system trusted certificates to include CloudFlare Teams certificate' sudo dpkg-reconfigure ca-certificates else logg warn fi elif command -v update-ca-trust > /dev/null; then if [ -d /etc/pki/ca-trust/source/anchors ]; then logg info 'Copying CloudFlare Teams certificates to /etc/pki/ca-trust/source/anchors' sudo cp -f "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.crt" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" /etc/pki/ca-trust/source/anchors logg info 'update-ca-trust executable detected so using CentOS/Fedora method of updating system trusted certificates to include CloudFlare Teams certificate' sudo update-ca-trust else logg warn '/etc/pki/ca-trust/source/anchors does not exist so skipping the system certificate update process' fi fi fi if command -v warp-cli > /dev/null; then ### Application certificate configuration # Application-specific certificate authority modification is currently commented out because # it is merely for traffic inspection and `npm install` fails when configured to use the CloudFlare # certificate and the WARP client is not running. ### Git if command -v git > /dev/null; then logg info "Configuring git to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem"" git config --global http.sslcainfo "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" fi ### NPM if command -v npm > /dev/null; then logg info "Configuring npm to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem"" npm config set cafile "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" fi ### Python if command -v python3 > /dev/null; then ### Ensure Certifi package is available globally if ! pip3 list certifi | grep certifi > /dev/null; then if command -v brew > /dev/null; then logg info 'Ensuring Python certifi is installed via Homebrew' brew install python-certifi else logg info 'Ensuring certifi is installed globally for Python 3' pip3 install certifibrew link --overwrite python-certifi fi fi ### Copy CloudFlare PEM file to Python 3 location logg info "Configuring python3 / python to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem"" echo | cat - "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" >> $(python3 -m certifi) fi ### Google Cloud SDK if command -v gcloud > /dev/null; then logg info "Configuring gcloud to use "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" and "$HOME/.local/etc/ssl/gcloud/ca.pem"" mkdir -p "$HOME/.local/etc/ssl/gcloud" cat "$HOME/.local/etc/ssl/curl/cacert.pem" "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" > "$HOME/.local/etc/ssl/gcloud/ca.pem" gcloud config set core/custom_ca_certs_file "$HOME/.local/etc/ssl/gcloud/ca.pem" fi ### Google Drive for desktop (macOS) if [ -d "/Applications/Google Drive.app" ]; then if [ -d "/Applications/Google Drive.app/Contents/Resources" ]; then logg info "Combining Google Drive roots.pem with CloudFlare certificate" mkdir -p "$HOME/.local/etc/ssl/google-drive" cat "$HOME/.local/etc/ssl/cloudflare/Cloudflare_CA.pem" "/Applications/Google Drive.app/Contents/Resources/roots.pem" >> "$HOME/.local/etc/ssl/google-drive/roots.pem" sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootsCertsFile -string "$HOME/.local/etc/ssl/google-drive/roots.pem" else logg warn 'Google Drive.app installed but roots.pem is not available yet' fi fi ### Ensure MDM settings are applied (deletes after reboot on macOS) ### TODO: Ensure `.plist` can be added to `~/Library/Managed Preferences` and not just `/Library/Managed Preferences` # Source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/ # Source for JumpCloud: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/CloudflareWARP.mobileconfig if [ -d /System ] && [ -d /Applications ]; then sudo cp -f "$HOME/Library/Managed Preferences/com.cloudflare.warp.plist" '/Library/Managed Preferences/com.cloudflare.warp.plist' sudo plutil -convert binary1 '/Library/Managed Preferences/com.cloudflare.warp.plist' ### Enable CloudFlare WARP credentials auto-populate (since file is deleted when not managed with MDM) if [ -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" ] && [ ! -f "/Library/LaunchDaemons/com.cloudflare.warp.plist" ]; then sudo mkdir -p /Library/LaunchDaemons sudo cp -f "$HOME/Library/LaunchDaemons/com.cloudflare.warp.plist" '/Library/LaunchDaemons/com.cloudflare.warp.plist' sudo launchctl load "/Library/LaunchDaemons/com.cloudflare.warp.plist" fi elif [ -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" ]; then sudo mkdir -p /var/lib/cloudflare-warp sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/warp/mdm.xml" /var/lib/cloudflare-warp/mdm.xml fi ### Register CloudFlare WARP if warp-cli --accept-tos status | grep 'Registration missing' > /dev/null; then logg info 'Registering CloudFlare WARP' warp-cli --accept-tos register else logg info 'Either there is a misconfiguration or the device is already registered with CloudFlare WARP' fi ### Connect CloudFlare WARP if warp-cli --accept-tos status | grep 'Disconnected' > /dev/null; then logg info 'Connecting to CloudFlare WARP' warp-cli --accept-tos connect > /dev/null && logg success 'Connected to CloudFlare WARP' else logg info 'Either there is a misconfiguration or the device is already connected with CloudFlare WARP' fi else logg warn 'warp-cli was not installed so CloudFlare WARP cannot be joined' fi {{- $registrationToken := "" }} {{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "cloudflared" .host.hostname)) -}} {{- $registrationToken = (includeTemplate (print "cloudflared/" .host.hostname) | decrypt) -}} {{- end }} ### Set up CloudFlare tunnels if command -v cloudflared > /dev/null && [ -d "$HOME/.local/etc/cloudflared" ]; then # Show warning message about ~/.cloudflared already existing if [ -d "$HOME/.cloudflared" ]; then logg warn '~/.cloudflared is already in the home directory - to ensure proper deployment, remove previous tunnel configuration folders' fi # Copy over configuration files logg info 'Copying over configuration files from ~/.local/etc/cloudflared to /usr/local/etc/cloudflared' sudo cp -f "$HOME/.local/etc/cloudflared/cert.pem" /usr/local/etc/cloudflared/cert.pem sudo cp -f "$HOME/.local/etc/cloudflared/config.yml" /usr/local/etc/cloudflared/config.yml # Register tunnel (if not already registered) if sudo cloudflared tunnel list | grep "host-{{ .host.hostname }}" > /dev/null; then logg info 'CloudFlare tunnel is already registered' else logg info 'Creating a CloudFlare tunnel to this host' sudo cloudflared tunnel create "host-{{ .host.hostname }}" fi TUNNEL_ID="$(sudo cloudflared tunnel list | grep 'host-{{ .host.hostname }}' | sed 's/ .*//')" logg info "Tunnel ID: $TUNNEL_ID" if [ -f "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" ]; then logg info 'Symlinking tunnel configuration to /usr/local/etc/cloudflared/credentials.json' rm -f /usr/local/etc/cloudflared/credentials.json sudo ln -s "/usr/local/etc/cloudflared/${TUNNEL_ID}.json" /usr/local/etc/cloudflared/credentials.json else logg info 'Handling case where the tunnel registration is not present in /usr/local/etc/cloudflared' {{ if eq $registrationToken "" -}} logg warn 'Registration token is unavailable - you might have to delete the pre-existing tunnel or set up secrets properly' {{- else -}} logg info 'Registration token retrieved from encrypted blob stored at home/.chezmoitemplates/cloudflared/{{ .host.hostname }}' {{ if eq (substr 0 1 $registrationToken) "{" -}} logg info 'Registration token stored in credential file form' echo -n '{{ $registrationToken }}' | sudo tee /usr/local/etc/cloudflared/credentials.json > /dev/null {{ else }} logg info 'Registration token is in token form - it will be used in conjunction with sudo cloudflared service install' {{- end }} {{- end }} fi # Set up service if [ -d /Applications ] && [ -d /System ]; then # System is macOS if [ -f /Library/LaunchDaemons/com.cloudflare.cloudflared.plist ]; then logg info 'cloudflared service is already installed' else logg info 'Running sudo cloudflared service install' sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }} fi logg info 'Ensuring cloudflared service is installed' sudo launchctl start com.cloudflare.cloudflared elif [ -f /etc/os-release ]; then # System is Linux logg info 'Copying over configuration files from ~/.local/etc/cloudflared to /usr/local/etc/cloudflared' sudo cp -rf "$HOME/.local/etc/cloudflared" /usr/local/etc/cloudflared if systemctl --all --type service | grep -q "cloudflared" > /dev/null; then logg info 'cloudflared service is already available as a service' else logg info 'Running sudo cloudflared service install' sudo cloudflared service install{{ if and (ne $registrationToken "") (eq (substr 0 1 $registrationToken) "{") -}} {{ $registrationToken }}{{ end }} fi logg info 'Ensuring cloudflared service is started' sudo systemctl start cloudflared logg info 'Enabling cloudflared as a boot systemctl service' sudo systemctl enable cloudflared else # System is Windows cloudflared service install mkdir C:\Windows\System32\config\systemprofile\.cloudflared # Copy same cert.pem as being used above # copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared\cert.pem # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/as-a-service/windows/ fi else logg info 'cloudflared was not installed so CloudFlare Tunnels cannot be enabled. (Or the ~/.local/etc/cloudflared folder is not present)' fi {{ end -}}