
megabyte-labs / install.doctor


A glorious combination of application / theme settings and a performant cross-platform, desktop-oriented software suite.

Home Page: https://megabyte.space

License: Other

Ruby 1.22% Shell 91.95% JavaScript 2.66% Dockerfile 0.01% Vim Script 2.60% PowerShell 0.61% Python 0.85% Nu 0.01% Xonsh 0.01% AppleScript 0.09%
common configurations files gitlab-ci mblabs megabytelabs miscellaneous npm other package

install.doctor's Introduction

Install Doctor, The Desktop Provisioning System

Maintained by Megabyte Labs





Overview

Want to try out a new desktop jam-packed with a whole suite of GitHub's most-starred projects? Install Doctor is a combination of application settings, theme files, and a performant yet flexible software installer written with ZX. It is easily customizable, with optional prompts that ask you for API keys if you want to completely automate everything. The installer supports almost any operating system; just check out the software.yml file. It uses Chezmoi to apply file changes in an interactive way. It is not your typical Chezmoi project - it is built around the philosophy that you should be able to bash all your computers to bits with a hammer and then resurrect them the next day ✝️️ by storing stateful data to an encrypted S3 bucket and automating desktop configuration as much as possible.

Install Doctor is a cross-platform development environment provisioning system. The project began as an ongoing Ansible project named Gas Station but transitioned to a dotfile-ish approach for easier adoption and less overhead. It is intended for:

  1. Power users that want to maximize their long-term efficiency by incorporating the most-starred applications / projects / CLIs on GitHub into their stack.
  2. Users that distro hop but want to retain their favorite tools regardless of whether they are using macOS, Windows, or Linux
  3. People that want to reformat their computers on a, perhaps, daily basis while retaining stateful elements of their file system by leveraging S3 buckets
  4. Enthusiasts that want to deploy as many cool, useful tools as possible without having to spend much time configuring their file system
  5. Perfectionists that love software that behaves as it should, looks gorgeous (desktop preview screenshots below), and performs tasks quickly on any platform
  6. CLI ninjas that want to bring their set of tools wherever they go

Quick Start

To provision your workstation, you can run the following which will install some basic dependencies (e.g. Chezmoi) and provide interactive prompts where you can personalize your configuration:

bash <(curl -sSL https://install.doctor/start)

If you fork this repository and would like to use your fork as the source, you can still use the command shown above by setting the START_REPO environment variable. If it is located on GitHub, you can do this by running:

START_REPO=my-gh-user/my-fork-name bash <(curl -sSL https://install.doctor/start)

Alternatively, if you want to host your project on GitLab or another git provider, then just specify the git remote's URL:

[email protected]:megabyte-labs/install.doctor.git bash <(curl -sSL https://install.doctor/start)

Quick Start Notes

  • The quick start script is tested on the latest versions of Archlinux, CentOS, Debian, Fedora, macOS, and Ubuntu
  • The quick start script is the preferred method of using this project to provision your system
  • The script can be configured to be completely headless by specifying environment variables which are detailed below
  • Windows support is on the roadmap.
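
An added example, not part of the Install Doctor repository: instead of piping the download straight into bash, this script saves the quick start script to disk, compares it with a SHA-256 digest recorded after reading it, and runs it only on a match. The function names and the review / run subcommands are assumptions; the URL and START_REPO are the ones shown above.

```shell
#!/bin/sh
# Added example: pin the quick start script to a digest you have reviewed.
# Function names and the review/run subcommands are hypothetical.
# The URL and START_REPO are the ones shown in the Quick Start section.

START_URL="https://install.doctor/start"

# Print the SHA-256 of file $1 with whichever tool the platform ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when file $1 hashes to $2, 1 on mismatch, 2 when the file is
# missing or empty (a failed or truncated download).
verify_pin() {
  [ -s "$1" ] || return 2
  actual=$(sha256_of "$1") || return 2
  [ "$actual" = "$2" ] || return 1
}

# Download the script to file $1 over HTTPS only, failing on HTTP errors.
fetch_start() {
  curl --proto '=https' --tlsv1.2 -fsSL "$START_URL" -o "$1"
}

# First use: save a copy to read, and print the digest to pin.
review_start() {
  fetch_start "$1" || return 1
  echo "saved to $1, read it, then pin: $(sha256_of "$1")"
}

# Later runs: download again and execute only if the digest still matches.
# START_REPO, when exported by the caller, is inherited by the script.
run_pinned_start() {
  tmp=$(mktemp) || return 1
  if fetch_start "$tmp" && verify_pin "$tmp" "$1"; then
    bash "$tmp"
    rc=$?
  else
    echo "start script is missing or differs from the pinned digest; review it again" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

case "${1:-}" in
  review) review_start "${2:-install-doctor-start.sh}" ;;
  run)    run_pinned_start "$2" ;;
esac
```

The pin covers only the bootstrap script; everything it installs afterwards comes from the repository named by START_REPO.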

Chezmoi-Based

This project leverages Chezmoi to provide:

  1. File diffs that show how files are being changed
  2. Easy-to-use encryption that lets you store private data publicly on GitHub
  3. A basic set of prompts that accept and integrate API credentials for services like CloudFlare, GitHub, GitLab, and Slack so that your development environment is augmented by free cloud services

Security Focused

This software was built in an adversarial environment. This led towards a focus on security, which is why we employ technologies like Firejail, Portmaster, Little Snitch, and Qubes. Whenever possible, Flatpaks are used as the preferred application type. This also led to an emphasis on performance. When your workstation is possibly compromised or you have a good habit of reformatting your workstation on a regular basis, it makes sense to use a provisioning system that can restore the workstation to a similar state more quickly.

Cross-Platform

This project has been developed with support for Archlinux, CentOS, Fedora, macOS, Ubuntu, and Windows. Almost all the testing has been done on x86_64 systems but the system is flexible enough to be adapted for other systems such as ARM or FreeBSD. A lot of effort has also gone into supporting Qubes which, when fully provisioned, is basically a combination of all the operating systems we have developed this project for.

Custom Software Provisioning System

The project also incorporates a custom ZX script that allows you to choose which package managers you would like to manage your software. It attempts to be as asynchronous as possible without opening the door to errors. The script leverages the software.yml file in the root of this repository to figure out which package manager to use. By default, the installer will choose the most secure option (e.g. Flatpaks are preferred for Linux applications). The installer is more performant and less error-prone than our Ansible variant. It also makes it a lot easier to add software to your stack in such a way that you can keep the software regardless of what operating system you are using by storing everything in the aforementioned software.yml file.

Beautiful Anywhere

Windows and macOS do a great job of making things look good from a UI perspective out of the box. Linux on the other hand requires some finessing especially when you follow our philosophy of taking many different operating systems and deploying similar software on them. A sizable amount of effort went into customizing the popular Sweet theme and adapting it to our liking. Bells and whistles like a customized GRUB2 and Plymouth theme are included.

Qubes Support

Qubes support is on its way.

Gas Station

This project began as something to supplement our provisioning system that uses Ansible. The system is called Gas Station. It includes hundreds of Ansible roles. If you look at the software.yml file, you will notice that some of the Ansible roles that Gas Station provides are inside of it. By default, this project will try to install software / dependencies using other, lighter methods before resorting to using Ansible. This is because of the software installer order that is defined at the top of the software.yml file. Gas Station is also still used to house some of the variables / data that this project uses.

Chezmoi

This project uses Chezmoi to orchestrate the provisioning. After calling the quick start script shown above, the quick start script will ensure some dependencies are installed (including Chezmoi) and then initiate Chezmoi. In order to customize this project, you should head over to the Chezmoi documentation to get a better understanding of why some of the files in this repository start with dot_, run_, etc.

Resetting Chezmoi

This script is designed to run only the code that is necessary to improve performance. This is accomplished by using .chezmoiscripts, Chezmoi's onchange_ identifier, and a custom installer written in ZX that is powered by the software definitions in software.yml.

If there is an error during the provision process or you make changes that are not being run during the provision process then you might want to clear Chezmoi's cache and configuration. This can be done on macOS/Linux by running:

rm -rf ~/.config/chezmoi && rm -rf ~/.cache/chezmoi

Contributing

Contributions, issues, and feature requests are welcome! Feel free to check the issues page. If you would like to contribute, please take a look at the contributing guide.

Sponsorship

Dear Awesome Person,

I create open source projects out of love. Although I have a job, shelter, and as much fast food as I can handle, it would still be pretty cool to be appreciated by the community for something I have spent a lot of time and money on. Please consider sponsoring me! Who knows? Maybe I will be able to quit my job and publish open source full time.

Sincerely,

Brian Zalewski

Open Collective sponsors GitHub sponsors Patreon

Affiliates

Below you will find a list of services we leverage that offer special incentives for signing up for their services through our special links:

MailChimp DigitalOcean Referral Badge

License

Copyright © 2020-2021 Megabyte LLC. This project is MIT licensed.

install.doctor's People

Contributors

enggnr, professormanhattan, thedcoder, ycjuliana

install.doctor's Issues

Automatically setup `secretive`

💡 Feature/Idea

On macOS, we can improve SSH security by adding our keys to the Secure Enclave. Detect the presence of secretive and if it is installed then move all the keys in the ~/.ssh folder to the Secure Enclave. Add this script to home/.chezmoiscripts/universal and be sure to make sure that the macOS device is Secure Enclave compatible.

👍 Can you contribute?

No response

Add support for Qubes

💡 Feature/Idea

The Qubes role in Gas Station along with the Qubes initialization script in the Gas Station project basically handled 50% of the setup of Qubes. This task is quite big and will involve porting over the pre-existing logic, finishing the provisioning process, and adding Qubes bells and whistles.

👍 Can you contribute?

No response

Add support for Windows

💡 Feature/Idea

Windows support is likely going to be challenging because all of our scripts are in bash format. Ideally, I'm looking for a way that we can still run bash scripts on Windows. I'm open to using WSL but we would still need access to PowerShell and stuff like Chocolatey. We can probably accomplish this with either WSL or Cygwin. What are your thoughts?

To bring support to Windows, after figuring out how to add Bash / other UNIX command line tools to Windows, we have to test / update the ZX installer (under home/dot_local/bin/install-program) and also debug all the scripts under home/.chezmoiscripts to make them work with Windows.

Be sure to read the docs: https://install.doctor/docs

👍 Can you contribute?

No response

Programmatically Connect to Tailscale via Tailscale.app on macOS

💡 Feature/Idea

There is a script in home/.chezmoiscripts/universal/ that attempts to connect to the Tailscale network. This ticket involves ensuring that tailscale up runs on all systems automatically. I'm unsure if this needs to be run as a separate process on Linux. I'm pretty sure it should already be working on Linux - if you can get it working on Ubuntu it should work on all the other Linux systems.

However, for macOS (and possibly Windows) there is a Tailscale GUI client that is also installed (you can see the cask in the software.yml file). The script should automatically setup the Tailscale GUI client on macOS using the ephemeral AUTH_KEY that works on Linux. I believe we'll have to edit System Settings to give all permissions to Tailscale GUI app as well.

While you are looking into this, look into how we can headlessly give permissions to a set of apps on macOS. For instance, Brave Browser might need screen access (for screen sharing) and Tailscale will require a network addon access.

👍 Can you contribute?

No response

Firefox script does not enable plugins

💡 Feature/Idea

The Firefox script found in home/.chezmoiscripts/universal is successfully installing plugins but it does not enable the plugins. Resolving this issue can be done by adding logic to the script that enables the plugins.

There is a commented out section in the script where a method is used to enable the scripts but that is not sufficient since when plugins are unpacked using that method a security warning is shown in Firefox.

If worse comes to worst, we can accomplish this by running a browser automation script. This should be avoided though because it will be difficult to maintain.

👍 Can you contribute?

No response

`github-runner` addition

💡 Feature/Idea

Add github-runner instructions to software.yml and include script in .chezmoiscripts/universal that automatically adds the runner to the ID specified in .chezmoi.yml.tmpl

👍 Can you contribute?

No response

PSFzf Integration with PowerShell

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

Currently, the PSFzf integration for the powershell profile stored in ~/.config/powershell/profile.ps1 is erroring when importing the PSFzf module because it can't find the install source.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Implement envchain

💡 Feature/Idea

Right now environment variables (API keys etc.) are being stored in home/dot_config/shell/private_private.sh.tmpl. This is not exactly secure. We can improve security by implementing envchain (https://github.com/sorah/envchain).

Write a script in home/.chezmoiscripts/universal/*.sh.tmpl that scans the private_private.sh.tmpl file and imports all the variables into envchain and then deletes the profile_profile.sh.tmpl file. In environments where this is not possible with the system keyring, skip the envchain and leave the profile_profile.sh.tmpl file in place.

Be sure to make the logic idempotent.

👍 Can you contribute?

No response
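
One way to implement the import described in the envchain issue above, as an added example that is not the project's script. The names ENVCHAIN_BIN, ENVCHAIN_NAMESPACE and the function names are hypothetical, the default path assumes Chezmoi renders private_private.sh.tmpl to ~/.config/shell/private.sh, and it assumes `envchain --set` reads the value from standard input when that is not a terminal.

```shell
#!/bin/sh
# Added example, not the project's script. Hypothetical names: ENVCHAIN_BIN,
# ENVCHAIN_NAMESPACE, parse_exports, count_exports, migrate_to_envchain.
# Assumption: `envchain --set NAMESPACE NAME` reads the value from standard
# input when standard input is not a terminal.

ENVCHAIN_BIN="${ENVCHAIN_BIN:-envchain}"
ENVCHAIN_NAMESPACE="${ENVCHAIN_NAMESPACE:-install-doctor}"

# Print "NAME<TAB>VALUE" for each `export NAME=literal` line of file $1.
# The file is read as text and never sourced, so nothing in it executes.
# Values that would need shell expansion or word splitting are not printed.
parse_exports() {
  awk '
    /^[ \t]*export[ \t]+[A-Za-z_][A-Za-z0-9_]*=/ {
      line = $0
      sub(/^[ \t]*export[ \t]+/, "", line)
      eq = index(line, "=")
      name = substr(line, 1, eq - 1)
      value = substr(line, eq + 1)
      sub(/[ \t]+$/, "", value)
      quote = ""
      first = substr(value, 1, 1)
      if (length(value) >= 2 && first == substr(value, length(value), 1) &&
          (first == "\"" || first == "\047")) {
        quote = first
        value = substr(value, 2, length(value) - 2)
      }
      if (value == "") next
      if (quote != "" && index(value, quote) > 0) next
      if (quote == "" && value ~ "[ \t\"\047#;&|<>()]") next
      if (quote != "\047" && value ~ /[$`\\]/) next
      printf "%s\t%s\n", name, value
    }' "$1"
}

# Count every export line in file $1, importable or not.
count_exports() {
  awk '/^[ \t]*export[ \t]+[A-Za-z_][A-Za-z0-9_]*=/ { n++ } END { print n + 0 }' "$1"
}

# Store the variables of file $1 in envchain. The file is deleted only when
# every export line was stored, so a missing keyring or a value that needs
# the shell leaves it in place. Re-running is safe: storing the same value
# again changes nothing, and a file that is already gone is a no-op.
migrate_to_envchain() {
  file=$1
  [ -f "$file" ] || return 0
  if ! command -v "$ENVCHAIN_BIN" >/dev/null 2>&1; then
    echo "envchain not found, leaving $file in place" >&2
    return 0
  fi
  total=$(count_exports "$file")
  tab=$(printf '\t')
  # Values travel over a pipe, never through argv or a temporary file.
  stored=$(parse_exports "$file" | {
    n=0
    while IFS="$tab" read -r name value; do
      printf '%s\n' "$value" |
        "$ENVCHAIN_BIN" --set "$ENVCHAIN_NAMESPACE" "$name" >/dev/null 2>&1 || break
      n=$((n + 1))
    done
    echo "$n"
  })
  if [ "$total" -gt 0 ] && [ "$stored" -eq "$total" ]; then
    rm -f "$file"
  else
    echo "stored $stored of $total variables, leaving $file in place" >&2
  fi
}

if [ "${1:-}" = "--migrate" ]; then
  migrate_to_envchain "${2:-$HOME/.config/shell/private.sh}"
fi
```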

$HOST Variable in Chezmoi Prompt

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

The home/.chezmoi.yml.tmpl file has a few questions like "What is your full name?" and "Is this a restricted environment?". The question that asks for the Hostname ID is currently outputting $HOST in the question default answer. It should instead register the actual value of $HOST.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

`dotnet` CLI not working

❔ What are you experiencing an issue with?

Latest Release

❔ Version

N/A

🐞 Description

The dotnet CLI gets installed and then a few plugins are installed which are listed at the bottom of the software.yml file. The plugins appear to install but once they are installed and you try to invoke them, they all report an error that looks like this:

❯ git-credential-manager configure
You must install or update .NET to run this application.

App: /Users/bzalewski/.config/dotnet/.dotnet/tools/git-credential-manager
Architecture: x64
Framework: 'Microsoft.NETCore.App', version '7.0.8' (x64)
.NET location: /usr/local/Cellar/dotnet/7.0.100/libexec

The following frameworks were found:
  7.0.0 at [/usr/local/Cellar/dotnet/7.0.100/libexec/shared/Microsoft.NETCore.App]

Learn about framework resolution:
https://aka.ms/dotnet/app-launch-failed

To install missing framework, download:
https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.8&arch=x64&rid=osx.13-x64

We need to figure out how to make the dotnet CLI install tools that can be invoked with the system's .NET version.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Add device with `elastic-agent`

💡 Feature/Idea

We need logic that auto-joins the ELK stack with elastic-agent. Write a script in home/.chezmoiscripts/universal that checks for the presence of the elastic-agent as well as properly stored secrets (see documentation) and then auto-joins the cluster for log reporting - be sure to go through the documentation and implement any useful features like integrating syslog with ELK. There may be Ansible role logic we can recycle here.

👍 Can you contribute?

No response

Antivirus role needs to be ported from Gas Station

💡 Feature/Idea

The installation logic is already ported over and I began configuring clamav (details in the other ticket). Is the current logic enough to port the Gas Station logic over? It starts the service on all three Linux platforms:

  clamav:
    _bin: clamav-config
    _desc: '[ClamAV](https://www.clamav.net/) is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.'
    _docs: https://docs.clamav.net/
    _github: https://github.com/Cisco-Talos/clamav
    _home: https://www.clamav.net/
    _name: ClamAV
    _post: freshclam
    _service:apt: clamav-freshclam
    _service:dnf: clamd-freshclam
    _service:pacman: clamav-freshclam
    _type: cli
    apt:
      - clamav
      - clamdscan
    brew: clamav
    dnf:
      - clamav
      - clamav-update
    pacman: clamav

However, I'm not sure how we can add the cron on macOS. The cron updater for freshclam should be added to macOS as well, if possible.

Then, for rkhunter, the configuration is:

  rkhunter:
    _bin: rkhunter
    _desc: rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits
    _docs: null
    _github: null
    _home: https://rkhunter.sourceforge.net/
    _name: rkhunter
    _post: rkhunter --propupd && rkhunter --update
    _service:pacman: cronie
    _type: cli
    apt: rkhunter
    brew: rkhunter
    dnf: rkhunter
    pacman:
      - cronie
      - rkhunter
      - s-nail

I'm not exactly sure how it works. What is cronie being enabled for? How does it know to work with rkhunter to automatically get updated?

Anyway, the configurations should be stored in home/dot_config/rkhunter/* and then they can be applied in the _post install hook in software.yml or be separated out into another script (might make more sense unless there is very little post install code).

Finally, both clamav and rkhunter should run on crons daily at 4AM and send email reports if they find anything. The email address can be found in the home/.chezmoi.yaml.tmpl and is available through template bindings with {{ .user.email }}.

Perhaps it will make most sense to send the emails to the user account (or wherever they normally go) and then configure that account to forward the emails out to the internet email address. I think you might be able to do this with a ~/.forward file containing the email in the root user's home directory.

Configure outgoing SMTP to use a dummy GMail account that we can set in .chezmoi.yaml.tmpl.

👍 Can you contribute?

No response

Implement `sync-ssh-keys`

💡 Feature/Idea

Add logic that will implement sync-ssh-keys. See: https://github.com/shoenig/ssh-key-sync. Be sure to test whether or not this works on macOS and how we can implement it on Windows as well. The system service should look up the GH username from $HOME/.config/chezmoi/chezmoi.yaml

👍 Can you contribute?

No response

Implement `gitomatic`

💡 Feature/Idea

Write a script in home/.chezmoiscripts/universal that checks for the presence of gitomatic and then sets up services that run gitomatic (https://github.com/muesli/gitomatic) on a set of YML defined repo locations. You can store the repo locations in ~/.config/gitomatic/config.yml. The repositories stored in the config should get their services populated.

Explore whether or not it's possible to run a script whenever there is a change to one of the defined git repositories. If the feature is not natively available with gitomatic we might need a work around.

👍 Can you contribute?

No response

`.zcompdump` showing up in `$HOME` directory

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

.zcompdump is showing up in the home directory on macOS but should be stored in the ZSH cache folder. See: ohmyzsh/ohmyzsh#7332

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Implement Privaxy

💡 Feature/Idea

Privaxy is a program that efficiently blocks ads across everything on the system that uses HTTP. Instead of running as a browser extension, it runs as a standalone menubar program which makes it more efficient than traditional blockers.

Add a script in home/.chezmoiscripts/universal that installs its CA certificate automatically (add to keychain on macOS and add to folder in Linux) and then configure the device to proxy HTTP traffic through 8100. The docs are here: https://github.com/Barre/privaxy. Also include logic that makes Privaxy open on boot.

👍 Can you contribute?

No response

macOS System Settings

💡 Feature/Idea

Hey, we need to figure out a way of automating the process of setting up macOS system settings. Normally, this requires us to use the TouchID each time.

Ideally, we should only have to verify once. If possible, we should verify with just the root password but I haven't been able to figure this out.

One item I'm looking to automate is the ability to dismiss all the notifications but this requires iTerm to have accessibility access so, I suppose to start we'll have to figure out a way of applying system permissions to all our apps using a single verification.

👍 Can you contribute?

No response

Explore ways we can leverage AI to improve our workflows

💡 Feature/Idea

We're getting to the point where we should be considering the fact that AI will be better at writing our code for us eventually. Please begin researching how we can leverage AI tools to write code for us, improve our code, and anything else that might help on overhead / time spent on this project.

This is just a reminder to keep up-to-date on the latest AI tools that people are rolling out.

To close this issue, write a blog article and / or documentation on 3-5 different tools we can leverage to improve our workflows and commit against the megabyte-labs/install.doctor-site repository in the blog section.

👍 Can you contribute?

No response

`mail` / `ssmtp` configuration with SendGrid

💡 Feature/Idea

I have a handful of domains on SendGrid that I would like to be able to send emails from using the command line. There's the ssmtp command and mail command. See https://www.atlantic.net/vps-hosting/how-to-use-ssmtp-to-send-an-email-from-linux-terminal/. There's also sendmail. Either one would be fine but I would like to be able to specify the "from" e-mail address. We need a solution that accepts one SendGrid API key that allows you to specify the E-MAIL FROM attribute on the e-mail (with a default specified in the configuration). So:

cat ~/.bashrc | mail -s "Test Subject" [email protected]

Should e-mail to [email protected] using the default email address.

And:

cat ~/.bashrc | mail --from "[email protected]" -s "Test Subject" [email protected]

Should do the same thing with the e-mail address changed.

This link might be helpful too: https://github.com/KuJoe/Sendmail-to-SSMTP/blob/master/setup.sh

If worse comes to worst, we'll just have to create a Postfix config and use postfix. This might be the preferred method since postfix is a standard component that many people are already comfortable using.

Auto-enable Chrome extensions

💡 Feature/Idea

The home/.chezmoiscripts/universal/*chrome.tmpl script is successfully installing extensions but, just like the Firefox script, is currently not auto-enabling the extensions. This feature should be added.

The extensions also have settings managed by Chrome that restrict the extension to "Only run on click" or "Only run with certain websites". If there is a way of storing these configurations as code in this repo, that would be ideal.

👍 Can you contribute?

No response

Write logic that pre-installs Android SDKs

💡 Feature/Idea

Add script in home/.chezmoiscripts/universal that detects the presence of the Android SDK tools and then installs a configurable list of SDKs that are listed in home/.chezmoidata.yaml

👍 Can you contribute?

No response

Add support for Archlinux

💡 Feature/Idea

Support for Archlinux needs to be added. Linux support in general is complete but a few things need to be updated in order to bring Archlinux support.

The ZX installer script needs to be updated / tested. The file is here: https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_local/bin/executable_install-program. The installation instructions for pacman are already in place but they have not been tested yet and likely need some tuning.

I'm not sure if Archlinux comes with GNOME or KDE but if it does not then we should install either GNOME or KDE as part of the installation routine.

👍 Can you contribute?

No response

Join to Wazuh Server

💡 Feature/Idea

Create a script in home/.chezmoiscripts/universal that checks if wazuh is installed and then applies the system configuration and joins the Wazuh group. There may be an Ansible role's logic we can recycle for this.

👍 Can you contribute?

No response

NVIM showing error on open

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

nvim on macOS opens with the following error:

Error detected while processing /Users/bzalewski/.config/nvim/init.lua:
E5113: Error while calling lua chunk: /Users/bzalewski/.config/nvim/lua/custom/init.lua:2: unexpected symbol near ':'
stack traceback:
        [C]: in function 'dofile'
        /Users/bzalewski/.config/nvim/init.lua:6: in main chunk

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Set up multiple Chrome profiles

💡 Feature/Idea

The Firefox scripts in home/.chezmoiscripts/universal/*firefox.tmpl set up multiple browser profiles with different characteristics. The Chrome scripts under the same location in *chrome.tmpl should do the same thing. Add logic that does the following (just like the Firefox firefox.tmpl does -- in fact you might be able to base most of the code off of what the Firefox logic does):

  1. Headlessly launch Chrome / Brave / Edge to generate the initial default profile
  2. Don't modify it at all
  3. Rsync it to all the profiles listed at the top of the *firefox.tmpl with the exception of a profile that will be cloned from git and a profile that will be cloned from an encrypted .tar.gz somewhere in the cloud (I will be integrating CloudFlare R2 to handle this more seamlessly)
  4. The default profile that loads should be based on the public git profile + with plugins installed

That's it --- just replicate the logic from the *firefox.tmpl file.

👍 Can you contribute?

No response

Create Useful set of Netdata Alert Definitions

💡 Feature/Idea

This issue basically involves taking a deep dive into the Netdata documentation and implementing all the nice-to-haves low-hanging fruit that the documentation details.

We are already including Netdata into most of our templates. Netdata is a pretty sweet way of browsing through system metrics but in order for it to be truly useful, we need to implement a set of alert configurations. The alerts should include the alerts detailed on this page: https://learn.netdata.cloud/docs/alerts-and-notifications/configure-alerts

You can also use this GH repo as a reference: https://github.com/lKhanl/netstat-my-alerts

While you're tackling this issue, also be mindful of how we can extend Netdata to better suit our purposes. For example, it would be cool if we could track the number of system / homebrew packages with reported security alerts and then alert the user whenever there is a new security message for one of the installed packages. Granted, there might be a better way of handling this but we should explore leveraging Netdata to provide this feature since we are already integrating it. You should go through https://learn.netdata.cloud/docs/data-collection/monitor-anything/ and integrate all their examples that coincide with the tools that Install Doctor is providing.

The following alert notification integrations should be included:

  1. https://learn.netdata.cloud/docs/alerts-and-notifications/notifications/agent-alert-notifications/syslog
  2. https://learn.netdata.cloud/docs/alerts-and-notifications/notifications/agent-alert-notifications/email
  3. https://learn.netdata.cloud/docs/alerts-and-notifications/notifications/agent-alert-notifications/slack

👍 Can you contribute?

No response

GitHub Co-Pilot Integration

💡 Feature/Idea

Hey, I added the VIM plugin for GitHub co-pilot but we should also add the plugin for Visual Studio. Here are the instructions: https://docs.github.com/en/copilot/getting-started-with-github-copilot?tool=visualstudio

TODO:

  1. Add the Visual Studio plugin to the visual-studio: section in the software.yml
  2. Populate the cmd: field with the appropriate command that will install VS plugins
  3. Determine whether or not it is possible to automate the login of GH CoPilot for VIM / Visual Studio
  4. Create new plugin sections at the bottom of software.yml for any JetBrains-like IDEs we support and add the Copilot plugin: https://docs.github.com/en/copilot/getting-started-with-github-copilot?tool=jetbrains

MDM Deployment / Automated Config of CloudFlare WARP

💡 Feature/Idea

It might make things smoother if we can leverage managed deployments so that machines can automatically join CF Teams via WARP. Here are the details:

Also, here is the service we would be using for macOS / Windows support: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jumpcloud/

We should deploy like this so that the end-user does not have to login each time. We have to provide the CF Teams client ID and secret in a mdm file on macOS for instance. This needs to be done for Linux / Windows as well.

Create new user / group on macOS and assign user to group

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Current

🐞 Description

Currently, it looks like the installer logic is successfully creating a system user and group with the following commands:

❯ sudo dscl . -create /Users/rclone
❯ sudo dscl . -create /Groups/rclone
❯ sudo dscl . -append /Groups/rclone GroupMembership rclone
❯ id -Gn rclone
id: ‘rclone’: no such user: Invalid argument
❯ dscacheutil -q group -a name rclone
❯ echo $?
0

However, the logic needs to be fixed so that the rclone user is added to the rclone system group. Then, there should be logic that adds the $USER to the rclone group as well.

If you know how to do this, you can just post it right here and I will implement it. Thanks.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Port over logic from IntelliJ Role (Gas Station)

💡 Feature/Idea

We integrated IntelliJ into the installer for this project but we're missing some of the features that the IntelliJ role provided. Auto-accepting the license, installing plugins, theme.

The license should be added as a _post install hook in the software.yml. The plugins should be added to the bottom of the .chezmoidata.yaml file and follow the format the other plugins are using where you specify the command in the .chezmoidata.yaml file at the bottom, and the themes can be downloaded directly to their target destination by leveraging the .chezmoiexternal file in the home/ directory.

👍 Can you contribute?

No response

Integrate `nebula`

💡 Feature/Idea

Nebula is a free and open-source alternative to Tailscale that we can use for connecting all our devices into a mesh VPN network. This will allow all our devices to share a LAN-like network regardless of where they are hosted.

Create a script that runs when nebula is installed that joins the devices to a specific network defined in home/.chezmoidata.yaml with credentials saved as encrypted secrets. For testing, you can run the lighthouse locally.

👍 Can you contribute?

No response

Automated generation of firewall rules with ChatGPT

💡 Feature/Idea

Write a script that, when run, converts all of the firewall profiles stored in home/dot_config/firewall/etc/ to firewall profiles for darwin stored at home/dot_config/firewall/darwin/ --- there's a README.md in the darwin folder.

We want to be able to maintain a single set of firewall profiles and then just have ChatGPT convert the profiles that are digestible by ufw and macOS (for incoming connections).

This is not high priority but I figured it would be interesting to see ChatGPT working in practice. The gpt-engineer package might be helpful for this or the assistant-cli --- both of which are in the software.yml file.

👍 Can you contribute?

No response

Script documentation

💡 Feature/Idea

All of the scripts in the home/.chezmoiscripts/ folder need a detailed description added to the top of the file. I added an example description to the home/.chezmoiscripts/universal/run_onchange_after_40-firefox.tmpl script. It looks like this:

# @file run_onchange_after_40-firefox.tmpl
# @brief This script configures system-wide settings, sets up Firefox Profile Switcher, creates various profiles from different sources, and installs a configurable list of Firefox Add-Ons.
# @description
#     The Firefox setup script performs a handful of tasks that automate the setup of Firefox as well as
#     useful utilities that will benefit Firefox power-users. The script also performs the same logic on
#     [LibreWolf](https://librewolf.net/) installations. The features that are included are:
#
#     * Installs and sets up [Firefox Profile Switcher](https://github.com/null-dev/firefox-profile-switcher)
#     * Sets up system-wide enterprise settings (with configurations found in `~/.local/share/firefox`)
#     * Sets up a handful of default profiles to use with the Firefox Profile Switcher
#     * Automatically installs the plugins defined in the firefoxAddOns key of [`home/.chezmoidata.yaml`](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoidata.yaml) to the Standard and Private profiles
#     * Configures the default profile to clone its settings from the profile stored in firefoxPublicProfile of `home/.chezmoidata.yaml`
#     * Optionally, if the Chezmoi encryption key is present, then the default profile will be set to the contents of an encrypted `.tar.gz` that must be stored in the cloud somewhere (with the firefoxPrivateProfile key in `home/.chezmoidata.yaml` defining the URL of the encrypted `.tar.gz`)
#
#     ## Profiles
#
#     The script sets up numerous profiles for user flexibility. They can be switched by using the Firefox Profile Switcher
#     that this script sets up. The map of the profiles is generated by using the template file stored in `~/.local/share/firefox/profiles.ini`.
#     The following details the features of each profile:
#
#     | Name             | Description                                                                                 |
#     |------------------|---------------------------------------------------------------------------------------------|
#     | Factory          | Default browser settings (system-wide configurations still apply)                           |
#     | default-release  | Same as Factory (unmodified and generated by headlessly opening Firefox / LibreWolf)        |
#     | Git (Public)     | Pre-configured profile with address stored in `firefoxPublicProfile`                        |
#     | Standard         | Cloned from the profile above with `firefoxAddOns` also installed                           |
#     | Miscellaneous    | Cloned from the Factory profile (with the user.js found in `~/.config/firefox` applied)     |
#     | Development      | Same as Miscellaneous                                                                       |
#     | Automation       | Same as Miscellaneous                                                                       |
#     | Private          | Populated from an encrypted profile stored in the cloud (also installs `firefoxAddOns`)     |
#
#     ## Notes
#
#     * The Firefox Profile Switcher is only compatible with Firefox and not LibreWolf
#     * This script is only designed to properly provision profiles on a fresh installation (so it does not mess around with pre-existing / already configured profiles)
#
#     ## Links
#
#     * [Script on GitHub](https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_40-firefox.tmpl)
#     * [System-wide configurations](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/share/firefox) as well as the location of the `profile.ini` and some other configurations
#     * [User-specific configurations](https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/firefox/user.js) added to all profiles except Factory

Running the file through shdoc (https://github.com/reconquest/shdoc) gives us a nice markdown file. By implementing documentation like this, we can include documentation in the code as well as in the documentation portal.

Be sure to check out the shdoc documentation to get an idea of how else we can incorporate its functionality. For instance, I added all the documentation to the top but it could be improved a little bit by adding the nitty gritty details as @sections inside the code.

This needs to be done for all the scripts. It will also be a good way of getting comfortable with all the scripts (and possibly finding issues with them).

NOTE: The example I made is for a rather lengthy script. The other scripts will be shorter and their documentation should be shorter as well.

👍 Can you contribute?

No response

Automate "Managed" Preference

💡 Feature/Idea

In the home/.chezmoi.yaml.tmpl file, one of the questions that is prompted asks if the computer is a "Managed" computer or a WORK_ENVIRONMENT. We can automate this question on macOS by running the following:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Firewall settings cannot be modified from command line on managed Mac computers.

If the response of the command contains the string, then the WORK_ENVIRONMENT should be set to true without prompting the user.

👍 Can you contribute?

No response

Running `freshclam` after installing errors due to missing config

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Current

🐞 Description

After installing clamav on macOS with Homebrew, the package definition is configured to run freshclam after installing. This command leads to the following error:

❯ freshclam
ERROR: Please edit the example config file /usr/local/etc/clamav/freshclam.conf
ERROR: Can't open/parse the config file /usr/local/etc/clamav/freshclam.conf

We should house this config in ~/.config/clamav/freshclam.conf and then copy it over to the /usr/local/etc/clamav/ location before running freshclam. We should craft the config that we store in our dotfiles with optimal settings as well.

Here's the config:

##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##


# Comment or remove the line below.
Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: no
#LogTime yes

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# This option allows you to save the process identifier of the daemon
# This file will be owned by root, as long as freshclam was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /var/run/freshclam.pid

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav

# Use DNS to verify virus database version. FreshClam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net

# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
#   http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb

# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
#   http://     HTTP Proxy. Default when no scheme or proxy type is specified.
#   https://    HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
#   socks4://   SOCKS4 Proxy.
#   socks4a://  SOCKS4a Proxy. Proxy resolves URL hostname.
#   socks5://   SOCKS5 Proxy.
#   socks5h://  SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# As of ClamAV 0.103.3, this setting may not be used when updating from the
# clamav.net CDN and can only be used when updating from a private mirror.
# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
#HTTPUserAgent SomeUserAgentIdString

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /usr/local/etc/clamav/clamd.conf

# Run command after successful database update.
# Use EXIT_1 to return 1 after successful database update.
# Default: disabled
#OnUpdateExecute command

# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command

# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60

# Timeout in seconds when reading from database server. 0 means no timeout.
# Default: 60
#ReceiveTimeout 300

# With this option enabled, freshclam will attempt to load new databases into
# memory to make sure they are properly handled by libclamav before replacing
# the old ones.
# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
# are actively running ClamD or ClamScan during the update, then you may need
# to set `TestDatabases no`.
# Default: yes
#TestDatabases no

# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no

# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2

# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2

You can store that in ~/.config/clamav/ (be sure to remove the Example part it talks about). Also, spend a little time figuring out if there is anything we can do to optimize the configuration.

Finally, ensure that the config ends up in the right place on different systems (i.e. the /usr/local/etc/clamav/freshclam.conf location might be different on a Linux system, for instance).

The script that moves the clamav config should be added to the software.yml file alongside the clamav definition under the appropriate _post hook.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

`gitlab-runner` auto-join

💡 Feature/Idea

Create a new script in home/.chezmoiscripts/universal that checks if gitlab-runner is installed and then auto-joins the GitLab runners so it is available for CI/CD purposes. Store secrets in the appropriate place (see documentation for details). Any non-secret IDs like the cluster ID can be stored in home/.chezmoi.yaml.tmpl

👍 Can you contribute?

No response

Populate Chassis Type in `.chezmoi.yaml.tmpl`

💡 Feature/Idea

In home/.chezmoi.yaml.tmpl there is a section that determines whether the environment is a desktop or laptop (or other like WSL).

The following line needs to be completed to set the variable equal to either laptop or desktop based on the system properties:

{{-     $chassisType = "todo-get-from-hostnamectl" }}

👍 Can you contribute?

No response

Add CloudFlare certificates to applications that don't use the system store

💡 Feature/Idea

There is a list of programs that don't use the system-installed certificates that CloudFlare WARP installs here: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/

Please go through the list and add the logic that the documentation lays out in terms of adding the CloudFlare certificate to the application-specific certificate stores. Include the logic in the home/.chezmoiscripts/*warp*.tmpl shell script.

If you come across any other applications that are using private certificate stores, please post them here.

👍 Can you contribute?

No response

KasmVNC Integration

💡 Feature/Idea

KasmVNC provides enhanced VNC features when coupled alongside Kasm Workspaces which is what the project is currently evolving towards. See: https://kasmweb.com/

We are currently installing TigerVNC which is configured in the /workspaces/install.doctor/home/.chezmoiscripts/universal/run_onchange_after_16-vnc.sh.tmpl file.

KasmVNC has no easy way of getting installed I believe. We could hardcode each of the .deb and .rpm files and add them to software.yml. So that's the first thing that needs to be done.

Next, when both TigerVNC and KasmVNC are installed, we need to ensure that the vncserver and all the other related programs like vncconfig point to KasmVNC. I started adding logic to the run_onchange_ file for KasmVNC which should give you a better idea on how to detect when they are installed.

Testing: Next, we need to ensure that we can connect to KasmVNC with a regular VNC client. It should work just like TigerVNC and then upgrade to the extra Kasm-related features if available (which should happen automatically).

Finally, we need to ensure the systemd files in the dot_config/vnc/etc folder are compatible with both KasmVNC and TigerVNC.

Basically, it would be awesome if we could replace TigerVNC with KasmVNC but that's not possible yet because KasmVNC only supports a limited number of Linux machines.

👍 Can you contribute?

No response

Add script installation for KubeSphere

💡 Feature/Idea

Include a script under home/.chezmoiscripts/universal/ that installs KubeSphere on as many distros as possible. This might be possible if we leverage the minikube install target: https://kubesphere.io/docs/v3.3/installing-on-linux/on-premises/installing-kubesphere-on-minikube/. The goal is to be able to combine Kubernetes clusters across multiple computers and clouds with KubeSphere.

I tried doing this myself on Fedora 36 in Parallels but was getting this error: error: Current user is parallels. Please use root!

I installed KubeKey using brew install kubekey. I assume it's because of the firewall because when I run kk as root I get this error:

01:44:47 EST [GreetingsModule] Greetings
01:44:47 EST failed: [fedora]
error: Pipeline[CreateClusterPipeline] execute failed: Module[GreetingsModule] exec failed: 
failed: [fedora] failed to connect to 10.211.55.21: could not establish connection to 10.211.55.21:22: dial tcp 10.211.55.21:22: connect: connection refused

We will no longer be using ufw - instead we'll be using firewalld which is compatible with Cockpit. Ideally, the configurations should be created in Cockpit and then stored in the git.

👍 Can you contribute?

No response

Profile Backups / Application Settings Backups

💡 Feature/Idea

Many applications include the use of user profiles. Browsers save all the settings, history, passwords, etc. into these profile folders. However, applications other than browsers save settings to these backup profiles.

Using Restic / Rclone, we can back up private profiles to S3 using Restic for encryption. The logic to do this is already in place here: https://github.com/megabyte-labs/install.doctor/blob/master/home/dot_config/task/Taskfile.yml

For the browser profile examples provided in the Taskfile.yml, I only added profile backups for the locations on macOS. We need to add additional tasks to each backup definition that saves the profiles for each possible location on Linux and Windows.

Please add the details for all the possible locations of the browser profiles to the Taskfile.yml and add it to the initial PR.

After the browser profiles are taken care of, we should also identify the profile settings folders for additional apps. If you are on macOS, for instance, run the Install Doctor provisioning script and select the "Full Installation". After it is installed, open up all the various /Applications/*.app applications, modify some settings, and use your best judgement to determine whether we can back up the settings similar to the way we are backing up the browser settings.

👍 Can you contribute?

No response

Add logic that implements `etcd`

💡 Feature/Idea

Add logic that joins each device provisioned with etcd. This should be similar to the glusterfs logic. It should check if etcd is installed and then auto-join to the cluster.

etcd will be used to have a shared key-value database and trigger scripts off of changes to the state.

👍 Can you contribute?

No response

Create `firejail` profiles

💡 Feature/Idea

We need to come up with a generic approach to applying Firejail profiles to all the software we install. We should come up with a base profile that incorporates the minimum necessary permissions for most apps to run. Then, for instance in the case of apps that need access to the ~/.ssh folder, we can add that permission for that exact app.

We can manage this by defining a new attribute in the software.yml file that is called _firejail. For an app that only needs access to the SSH keys, we would define the permissions as:

ssh-vault:
  _firejail:
    - ssh

Write a script that scans for every executable in the PATH and then adds a new entry to the PATH with the same executable name that calls the original with the addition of a Firejail profile.

The main idea behind this is to get enough done so that we can begin testing it as we are developing the system.

The goal is to add a layer of security, not necessarily create the perfect permissions for everything right at the start.

👍 Can you contribute?

No response
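One way to build the PATH wrappers this issue asks for, as an added example that is not Install Doctor's own code. The shim directory and the "per-app profile, else base.profile" lookup are assumptions; how `_firejail` entries from software.yml are rendered into those profile files is left out.

```shell
#!/bin/sh
# Added example, not Install Doctor code. The shim directory and the
# "<name>.profile, else base.profile" lookup are assumptions for this sketch.

# shell_quote STRING: single-quote STRING so it survives inside the shim
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_shim SHIM_DIR NAME TARGET PROFILE
# The shim calls the real binary by absolute path, so it cannot call itself
# once SHIM_DIR is placed first in PATH.
write_shim() {
  ws_out=$1/$2
  {
    printf '#!/bin/sh\n'
    printf 'exec firejail --profile=%s -- %s "$@"\n' \
      "$(shell_quote "$4")" "$(shell_quote "$3")"
  } > "$ws_out"
  chmod 0755 "$ws_out"
}

# generate_firejail_shims SEARCH_PATH SHIM_DIR PROFILE_DIR
# Prints the number of shims written. Runs in a subshell so IFS and the
# working variables never leak into the caller.
generate_firejail_shims() (
  fj_path=$1 fj_shims=$2 fj_profiles=$3 fj_count=0
  mkdir -p "$fj_shims" || exit 1

  # Split SEARCH_PATH on ':' only, without glob-expanding its entries.
  IFS=:; set -f
  set -- $fj_path
  set +f; unset IFS

  for fj_dir in "$@"; do
    # Empty and relative PATH entries depend on the current directory; skip them.
    case $fj_dir in /*) ;; *) continue ;; esac
    [ "$fj_dir" = "$fj_shims" ] && continue
    for fj_target in "$fj_dir"/*; do
      [ -f "$fj_target" ] && [ -x "$fj_target" ] || continue
      fj_name=${fj_target##*/}
      [ "$fj_name" = firejail ] && continue      # never sandbox the sandbox
      [ -e "$fj_shims/$fj_name" ] && continue    # earlier PATH entry wins
      fj_profile=$fj_profiles/$fj_name.profile
      [ -f "$fj_profile" ] || fj_profile=$fj_profiles/base.profile
      write_shim "$fj_shims" "$fj_name" "$fj_target" "$fj_profile"
      fj_count=$((fj_count + 1))
    done
  done
  printf '%s\n' "$fj_count"
)

# Stand-alone use: sh firejail-shims.sh --apply
if [ "${1:-}" = --apply ]; then
  generate_firejail_shims "$PATH" "$HOME/.local/share/firejail-shims" \
    "$HOME/.config/firejail"
fi
```

The shims only take effect once the shim directory is prepended to PATH. Existing shims are left alone on a re-run, so delete the directory to regenerate after changing profiles.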

Add Go plugins and other plugins to Netdata

💡 Feature/Idea

Add logic to the run_onchange_after_57-netdata.sh.tmpl script that incorporates the following projects:

Also, I really liked that you included the vulnerability scan for Debian. Is it possible to bring this feature to the other operating systems?

Also, what kind of other security-related scans can we include? Ideally, there should be a cron that scans the entire OS and reports vulnerabilities --- IDK if Netdata is the best for that so we might want to consider other alternatives as well.

👍 Can you contribute?

No response

Script Creating a File Called `1` in the $HOME Directory

❔ What are you experiencing an issue with?

Latest Release

❔ Version

N/A

🐞 Description

Somewhere in the provisioning process there's an issue with a script that is causing a file named 1 to appear in the $HOME directory. We should find out where this is coming from in case there's a feature that isn't working.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Add logic for adding targets to glusterfs

💡 Feature/Idea

Add a script to home/.chezmoiscripts/universal that adds nodes to the GlusterFS pool. There may be Ansible logic we can recycle for this one.

👍 Can you contribute?

No response

Research `sftpgo` / basic implementation of `sftpgo`

💡 Feature/Idea

sftpgo (https://github.com/drakkan/sftpgo) seems like it would be an improvement to regular SFTP offered by SSH clients. Please do some research on how / why / if sftpgo could be a good inclusion into our devices. I'm imagining it as being a way we can mount various data sources into the user's home directory with a single config file.

I'd like to be able to mount various servers with regular SFTP, S3 buckets, and possibly other sources like Google Drive from a single config. I also think we should replace the OpenSSH subsystem for FTP with this program since it seems to support a lot of extra features that might be beneficial down the road (like file system change event pub-sub models).

For now, to close this issue - create a basic configuration based on the default configuration and store it in $HOME/.config/sftpgo/config.yml and make OpenSSH use it as its backend for SFTP.

👍 Can you contribute?

No response

`.viminfo` showing up in `$HOME` directory

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

On macOS, the .viminfo is showing up in the user's home directory. This should be stored in the vim cache folder or wherever makes the most sense. Main point is to keep the $HOME directory clear of spammy dotfiles.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Samba configuration on macOS

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Current

🐞 Description

The Samba setup role in home/.chezmoiscripts/universal/*samba*.tmpl needs to be fixed on macOS. Not sure if we can use the system or we have to rely on a Homebrew library but the feature goal is to automatically set up Samba shares on macOS too. However, I do not believe the configuration can be applied to the /etc/samba/config referenced in the script (that only works for Linux) so we need to come up with an alternative for enabling Samba on macOS and applying all the logic outlined in the default Samba config we are applying on Linux machines.

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response

Add user logic not working on macOS

❔ What are you experiencing an issue with?

Latest Release

❔ Version

Latest

🐞 Description

On macOS, the ZX installer script (home/dot_local/bin/install-program) includes logic to add users / groups to macOS when packages in the software.yml have _groups defined. Anything defined in _groups should be added as a user and a group, and then the current user should also get that group added.

The ZX script needs to be updated with commands that actually make a system user / group. Here's what I tried fiddling with on the command line (which did not work and is what the script is currently using):

❯ sudo chown privoxy:privoxy config
chown: invalid user: ‘privoxy:privoxy’
❯ sudo chown privoxy config
chown: invalid user: ‘privoxy’
❯ sudo dscl . -create /Users/privoxy
❯ sudo dscl . -create /Groups/privoxy
❯ sudo dscl . -append /Groups/privoxy GroupMembership privoxy
❯ sudo chown privoxy config
chown: invalid user: ‘privoxy’
❯ sudo chown privoxy:privoxy config
chown: invalid user: ‘privoxy:privoxy’
❯ sudo sysadminctl -addUser privoxy
2023-03-27 02:17:35.914 sysadminctl[15945:6207548] User named 'privoxy' already exists.
❯ sudo chown privoxy config
chown: invalid user: ‘privoxy’

⏺️ Steps To Reproduce

No response

📒 Relevant Log Output

No response

💡 Possible Solution

No response
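A sketch for this issue and the earlier "Create new user / group on macOS" one, added here and not taken from the project: it assigns the UniqueID and PrimaryGroupID attributes that the bare `dscl . -create` calls in both transcripts never set, then adds both the service user and the login user to the group. The 300-499 ID range, the `/usr/bin/false` shell, the `/var/empty` home and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not Install Doctor code. The 300-499 ID range, the
# /usr/bin/false shell and the /var/empty home are assumptions chosen for a
# non-login service account; the same number is used for the UID and the GID.

# valid_name NAME: allow only characters that are safe to splice into a command
valid_name() {
  case $1 in
    '' | [!A-Za-z0-9_]* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# next_free_id MIN MAX: lowest ID in MIN..MAX that does not appear in the
# "name id" lines on stdin (the format `dscl . -list /Users UniqueID` prints).
next_free_id() {
  awk -v min="$1" -v max="$2" '
    NF { used[$NF] = 1 }
    END {
      for (i = min; i <= max; i++) if (!(i in used)) { print i; exit 0 }
      exit 1
    }'
}

# plan_service_account NAME ID LOGIN_USER: print the commands, one per line,
# without running anything (works as a dry run on any OS).
plan_service_account() {
  sa_name=$1 sa_id=$2 sa_login=$3
  valid_name "$sa_name" && valid_name "$sa_login" || return 1
  case $sa_id in '' | *[!0-9]*) return 1 ;; esac
  cat <<EOF
dscl . -create /Groups/$sa_name
dscl . -create /Groups/$sa_name PrimaryGroupID $sa_id
dscl . -create /Users/$sa_name
dscl . -create /Users/$sa_name UniqueID $sa_id
dscl . -create /Users/$sa_name PrimaryGroupID $sa_id
dscl . -create /Users/$sa_name UserShell /usr/bin/false
dscl . -create /Users/$sa_name NFSHomeDirectory /var/empty
dscl . -create /Users/$sa_name Password '*'
dscl . -create /Users/$sa_name IsHidden 1
dseditgroup -o edit -a $sa_name -t user $sa_name
dseditgroup -o edit -a $sa_login -t user $sa_name
EOF
}

# apply_service_account NAME [LOGIN_USER]: macOS only, needs sudo.
apply_service_account() {
  sa_name=$1 sa_login=${2:-$USER}
  valid_name "$sa_name" || return 1
  # Reuse the ID if the record already carries one, so re-runs are stable.
  sa_id=$(dscl . -read "/Users/$sa_name" UniqueID 2>/dev/null |
    awk '/^UniqueID:/ { print $2 }')
  if [ -z "$sa_id" ]; then
    # The ID must be unused as both a UID and a GID.
    sa_id=$({ dscl . -list /Users UniqueID
              dscl . -list /Groups PrimaryGroupID; } |
      next_free_id 300 499) || return 1
  fi
  plan_service_account "$sa_name" "$sa_id" "$sa_login" | sudo sh -e
  id -Gn "$sa_name"   # same check the issue used; should now list the group
}

# Stand-alone use:
#   sh macos-account.sh --plan  rclone 303 alice   (dry run)
#   sh macos-account.sh --apply rclone             (macOS, uses sudo)
case ${1:-} in
  --plan)  plan_service_account "${2:-}" "${3:-}" "${4:-$USER}" ;;
  --apply) apply_service_account "${2:-}" "${3:-$USER}" ;;
esac
```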
