For this section, log in as your administrator account. You’ll need to allow your standard user access to run sudo commands.
First, you’ll want to take note of your account name by viewing the folders listed inside of the /Users/ folder - in this example, the account name is username.
$ ls /Users/
username Shared fedadmin
Then, you’ll add your username to the /etc/sudoers file using visudo:
$ sudo visudo
...
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
username ALL = (ALL) ALL
Press Esc followed by :wq to save and quit visudo.
Download Xcode and accept the license agreement, then install the Xcode command line tools.
sudo xcodebuild -license
xcode-select --install
Download the latest stable Docker for Mac.
Install it by double-clicking the downloaded dmg file and dragging the Docker application file to the Applications folder.
To set up iTerm2 - a macOS terminal replacement with some nifty features - visit the iTerm2 download page to get the latest stable release. Install it by double-clicking the downloaded zip file and dragging the extracted iTerm application file to the Applications folder.
Once installed, run the app and select the menu option iTerm2 > Make iTerm2 Default Term.
Note You may also Make iTerm2 Default Term on your standard user account.
Once you're set up with the lab (CAL) VPN connection, we recommend you set up split-tunneling. Instructions and a generator script are located in the vpn-config-gen repository.
For this section and following sections, log back in as your standard user.
Note If you installed iTerm2 above, run the iTerm2 app and select the menu option iTerm2 > Make iTerm2 Default Term to make it your default too.
NOTE (DEC 2022): The CISA laptop script is out of date but still functional.
To set up a dev environment via the CISA laptop script, execute the following in your terminal:
bash <(curl --silent https://raw.githubusercontent.com/cisagov/laptop/master/laptop)
This will curl the current install files and script. You can specify additional packages to install by creating a Brewfile.local, as described in the Readme for the laptop repo where an example is provided.
Open Terminal and install brew per the instructions from Homebrew. You will probably have to do this with sudo.
/bin/bash -c "$(curl --fail --silent --show-error --location https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
After installing Brew, you'll want to install other useful packages. We recommend installing all the packages specified in the CISA laptop script repository.
For portability between computers and environments, you may want to switch from the usual dotfiles setup to using stow to be able to use a personal repository and then map your dotfiles to that directory. This makes it much easier to sync and set up.
Using a stow-based setup also allows for some nifty features like subdirectories to split out useful files into a more modular approach.
These are automatically installed if you used the automatic package installation script above.
brew install figlet pinentry-mac s3cmd stow
Fork cisagov's .dotfiles repo and clone it as shown below. Then, stow all the packages from .dotfiles into your home directory per the .dotfiles README.
cd ~
git clone git@github.com:<username>/.dotfiles.git
cd ~/.dotfiles
./deploy.sh
You'll want to make some changes, e.g. username/email should be set to your own - you can do this by editing the files in your new ~/.dotfiles folder.
Note You don't need to rerun stow or deploy.sh after this because your files are already symlinked.
- Install your favorite IDE and set up its preferences to your liking
- For Python development, please set up black for opinionated linting so your code formatting will match the rest of the codebase
  - Note: the pre-commit hooks will automatically run black on commit
To allow access to the saved macOS Keychain credential for command line usage, run:
git config --global credential.helper osxkeychain
Generate a key to sign your git commits and add it to your ~/.gitconfig:
gpg --gen-key
Follow the prompts for name and email address, using either your CISA or GWE email address. The output should look like:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key EXAMPLE1234ABCDE marked as ultimately trusted
gpg: revocation certificate stored as '/Users/username/path/to/.gnupg'
public and secret key created and signed.
pub rsa3072 YYYY-MM-DD [SC] [expires: YYYY-MM-DD]
<fingerprint characters>
uid User Name <[email protected]>
sub rsa3072 YYYY-MM-DD [E] [expires: YYYY-MM-DD]
The alphanumeric string from the key generation output line that says gpg: key EXAMPLE1234ABCDE marked as ultimately trusted is used as your signing key.
Now that your new key has been generated, add it to your ~/.gitconfig:
- Fill your name and email, using the same values as above
- Copy the alphanumeric string from the key generation output line that says gpg: key EXAMPLE1234ABCDE marked as ultimately trusted
- Fill the alphanumeric signing key string in the [user] section: signingkey = EXAMPLE1234ABCDE
Next, export the public key via command line and add it to your GitHub account:
gpg --armor --export <your-email-address>
- Copy the output, starting from -----BEGIN PGP PUBLIC KEY BLOCK-----
- Add a new PGP key to your GitHub keys page
- Paste the public key into the dialog and Add GPG key
- Confirm your password to continue (if requested)
Lastly, enable the global configuration option for commit signing:
git config --global commit.gpgsign true
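A check of the settings this section configures, added here as an example (it is not from the cisagov repositories). The function names are hypothetical; key_in_keyring assumes gpg is installed, and head_is_signed assumes you run it inside a repository that has at least one commit.

```shell
#!/usr/bin/env bash
# Added example: audit the commit-signing settings configured above.
# signing_config_problems, key_in_keyring and head_is_signed are
# hypothetical helper names.

# Print one line per missing or wrong global setting; non-zero status if any.
signing_config_problems() {
  local problems=0 key value
  for key in user.name user.email user.signingkey; do
    value=$(git config --global --get "$key" 2>/dev/null || true)
    if [ -z "$value" ]; then
      echo "missing: $key"
      problems=$((problems + 1))
    fi
  done
  # --bool normalises yes/on/1 to "true" and no/off/0 to "false"
  value=$(git config --global --bool --get commit.gpgsign 2>/dev/null || true)
  if [ "$value" != "true" ]; then
    echo "commit.gpgsign is '${value:-unset}', expected 'true'"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Succeed only if gpg holds the secret half of the configured signing key,
# i.e. user.signingkey was not mistyped or copied from another machine.
key_in_keyring() {
  local id
  id=$(git config --global --get user.signingkey) || return 1
  gpg --list-secret-keys "$id" >/dev/null 2>&1
}

# Succeed only if the newest commit in the current repository carries a
# signature that gpg can verify.
head_is_signed() {
  git verify-commit HEAD >/dev/null 2>&1
}
```

Run signing_config_problems first, then key_in_keyring; after your next commit, head_is_signed confirms the whole chain works before you push.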
Reference: GitHub: Generating a new SSH key
Warning Use ed25519 instead of rsa!
ssh-keygen -t ed25519
- Save the generated key in the default location (e.g. ~/.ssh/id_ed25519)
- Use a passphrase you'll remember and/or save in your keychain
- Start the ssh-agent in the background and add your new credential:
eval "$(ssh-agent -s)"
ssh-add -K ~/.ssh/id_ed25519
Reference: GitHub: Adding a new SSH key to your GitHub account
Warning Use ed25519 instead of rsa!
# Copy the contents of the id_ed25519.pub file to your clipboard
$ pbcopy < ~/.ssh/id_ed25519.pub
- Load your GitHub Settings page for adding an SSH key and paste the contents of your clipboard
- Give this device a descriptive name and Add SSH key
- Confirm your password to continue (if requested)
There are some additional setup steps to access the COOL (Cloud-Optimized Operations Lab):
Note These steps are only necessary if you want to manually configure these vs. using the Jamf-pushed configuration.
- Install MIT Kerberos
  - NOTE: If you chose Automatic Installation above, this step was already performed by the laptop script
- Configuring Kerberos for the COOL
- Configuring your browser for the COOL
After you have successfully completed the tasks above, follow these instructions to access Guacamole.
Note You will need to have been given access to one or more COOL environments to be able to access anything with Guacamole.