Ansible provisioning of macOS and Linux with security in mind
$ curl -s https://raw.githubusercontent.com/adrw/.files/master/get-bootstrap.sh | bash -s && ./bootstrap.sh

Clean install: hold option at boot into the Recovery partition on a USB, erase Macintosh HD, and install the latest macOS from the bootable USB, then run:
$ curl -s https://raw.githubusercontent.com/adrw/.files/master/get-bootstrap.sh | bash -s && ./bootstrap.sh
OR provision with the command below, including any custom arguments, in Terminal:
$ curl -s https://raw.githubusercontent.com/adrw/.files/master/get-bootstrap.sh | bash -s && ./bootstrap.sh <opts>
Run bootstrap.sh -h for the latest manual of options and arguments, which include:
-b Change homebrew prefix / install path
-d Change where .files is installed
-g Detached Git Mode: Stashes all changes in .files directory and resets to origin/master
-i Ansible Inventory
-l Logging Level
-m Run macOS Full Customization Script
-n Run macOS No Animate Customization Script
-o Run macOS Homecall Script
-p Ansible Playbook
-r Run tasks that require Sudo permissions
-s Run secure network and hostname change script
-u Change username that the script is run under
-v Run tasks that include Ansible Vault
Playbooks (change which one is run with the -p {play} flag in the bootstrap.sh script):
mac_core: full mac setup
mac_dev: includes mac_terminal and installs dev related apps
mac_dock: do dock customizations
mac_etchosts: only install /etc/hosts domain blocking
mac_jekyll: minimum requirements to get-started-with-jekyll
mac_second_account: smaller playbook since it assumes most apps have been installed from a primary macOS account
mac_secure: different security tasks to spoof MAC address, add custom blocked hosts, and start Privoxy
mac_terminal: setup custom terminal with themes, aliases, and functions
mac_vault: run ansible tasks that require Ansible Vault decryption

System Integrity Protection
csrutil status
csrutil enable
Replace ansible/roles/ssh-keys/defaults/main.yml: use ansible-vault create to make a new defaults/main.yml with the following declared strings:
ssh_passphrase: generate id_rsa with the given passphrase, which is then required on every id_rsa use
id_rsa: "{ full path }" full path to where you want the id_rsa file generated (usually ~/.ssh/id_rsa). Optional since it is in mac_core.yml by default for use in other roles.
ansible-vault edit ansible/roles/ssh-keys/defaults/main.yml
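As an added example (not part of adrw/.files), a small POSIX sh guard that refuses a ssh-keys defaults/main.yml whose ssh_passphrase is still in plaintext rather than ansible-vault ciphertext, e.g. run from a git pre-commit hook; the vault header it checks is the one ansible-vault really writes, while the hook wiring and file paths are assumptions.

```shell
#!/bin/sh
# Added example for the vaulted ssh-keys defaults file; not part of adrw/.files.
# Refuses files that declare ssh_passphrase in the clear instead of as
# ansible-vault ciphertext. ansible-vault writes a first line of the form
# "$ANSIBLE_VAULT;1.1;AES256" (or 1.2 when a vault id is used); the
# pre-commit wiring and paths below are assumptions for illustration.
set -eu

# 0 if the first line of $1 is an ansible-vault header, 1 otherwise.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# 0 if $1 declares ssh_passphrase as a top-level YAML key (i.e. in plaintext).
has_plaintext_passphrase() {
    grep -q '^[[:space:]]*ssh_passphrase[[:space:]]*:' "$1"
}

# Check every path given. Prints offenders to stderr and returns 1 if any
# unencrypted file carries the passphrase, 0 otherwise.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            continue
        fi
        if has_plaintext_passphrase "$f"; then
            echo "refusing $f: ssh_passphrase is in plaintext; run: ansible-vault encrypt $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical wiring from a git pre-commit hook (assumed checkout layout):
#   check_vault_files ansible/roles/ssh-keys/defaults/main.yml || exit 1
```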
pbcopy < ~/.ssh/id_rsa.pub -> GitHub.com/settings/keys

Privoxy not working? Check that proxy 127.0.0.1:8118 was added to the HTTP and HTTPS sections in Airport and Ethernet.

Remove admin privileges from a user? Use chmod_admin {username}, found in .adrw-functions, which safely implements the steps below.
admin account and adding privileges back to another user.
Find the GeneratedUID of the account with $ dscl . -read /Users/<username> GeneratedUID
$ sudo dscl . -delete /Groups/admin GroupMembers <GeneratedUID>
Hide a user? Use mv_user, found in .adrw-functions, which safely implements the steps below.
$ sudo dscl . create /Users/hiddenuser IsHidden 1
$ sudo mv /Users/hiddenuser /var/hiddenuser
$ sudo dscl . -create /Users/hiddenuser NFSHomeDirectory /var/hiddenuser
$ sudo dscl . -delete "/SharePoints/Hidden User's Public Folder"
Syncthing (https://127.0.0.1:8384/): copy the syncthing.plist file to ~/Library/LaunchAgents, then run launchctl load ~/Library/LaunchAgents/syncthing.plist.
Too many files errors in applications? Copy ansible/roles/macos/files/limit.maxfiles.plist to /Library/LaunchDaemons/, then:
sudo launchctl load -w /Library/LaunchDaemons/limit.maxfiles.plist
launchctl limit maxfiles
Spoof MAC address: see ansible/roles/spoof-mac.

Antigen and Antibody zsh plugin manager. Well worth switching to after feeling the lag of oh-my-zsh too often.
Dark-Solarized theme, oh-my-zsh, zsh-autosuggestions and Powerlevel9k
dockutil
/etc/hosts file. Find in ansible/roles/etchosts.
AutoDMG image