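# Home Manager flake reference (path#output). A literal `#` in a make
# assignment starts a comment, so it has to be escaped: unescaped, everything
# from the `#` on is dropped and FLAKE silently becomes just `.`.
FLAKE ?= .\#json0
# Newline-separated package lists; `#` comments and blank lines are skipped.
DNF_PKGS_FILE ?= fedora/system-packages.txt
FLATPAK_FILE ?= fedora/flatpaks.txt

# Several recipes use bash process substitution (`<(...)`), which a plain
# /bin/sh is not guaranteed to provide; pin the recipe shell explicitly.
SHELL := bash

# Every target in this file is a phony command with side effects (sudo
# prompts, and `bootstrap` relies on local-sync finishing before hm). Under
# `make -j` prerequisite order is not honoured, so disable parallelism.
.NOTPARALLEL: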
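# Prints the list of user-facing targets. Keep this in sync with the rules
# below: suricata / suricata-update were previously missing from the listing.
.PHONY: help
help:
	@echo "Targets:"
	@echo " make dnf Install Fedora system packages from $(DNF_PKGS_FILE)"
	@echo " make flatpak Install flatpaks from $(FLATPAK_FILE)"
	@echo " make nix Install Nix (if missing)"
	@echo " make hm Apply Home Manager flake ($(FLAKE))"
	@echo " make bootstrap dnf + flatpak + nix + hm"
	@echo " make nvidia Install proprietary NVIDIA driver + suspend setup"
	@echo " make xremap Grant /dev/uinput access for xremap (udev rule + input group)"
	@echo " make suricata Run the suricata setup script"
	@echo " make suricata-update Restart the suricata service"
	@echo " make local-sync Clone or update the private local-config repo + run its setup hook"
	@echo " make audit Report pending security updates (dnf), flatpak updates, nix flake input age"
	@echo " make update Apply routine updates across all channels (dnf, flatpak, flake, hm, uv)"
	@echo " make drift-dnf Show user-installed packages not in $(DNF_PKGS_FILE)"
	@echo " make drift-flatpak Show installed flatpaks not in $(FLATPAK_FILE)"
	@echo ""
	@echo "Recon (system inspection):"
	@echo " make recon Run all recon tools"
	@echo " make recon-processes Processes & services snapshot"
	@echo " make recon-processes-bless Accept current processes state as baseline"
	@echo " make recon-listening Listening sockets / open ports"
	@echo " make recon-listening-bless Accept current listening state as baseline"
	@echo " make recon-outbound Outbound traffic / DNS / connections"
	@echo " make recon-autostart systemd timers, cron, desktop autostart"
	@echo " make recon-autostart-bless Accept current autostart state as baseline"
	@echo " make recon-new NAME=x Scaffold a new recon tool at bin/recon/x/"
	@echo " make recon-timers-install Install + enable recon systemd --user timers"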
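# Installs every package listed in $(DNF_PKGS_FILE) (one per line; `#`
# comments and blank lines ignored). Fails early if the list file is missing
# and does nothing if the list is empty instead of invoking `dnf install`
# with no arguments, which dnf rejects with an error.
.PHONY: dnf
dnf:
	test -f "$(DNF_PKGS_FILE)"
	@echo "Installing DNF packages from $(DNF_PKGS_FILE)…"
	pkgs="$$(grep -vE '^\s*#|^\s*$$' "$(DNF_PKGS_FILE)" | tr '\n' ' ')"; \
	if [ -z "$${pkgs// /}" ]; then echo "No packages listed in $(DNF_PKGS_FILE); nothing to do."; exit 0; fi; \
	sudo dnf install -y $$pkgs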
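# Installs Nix in multi-user (--daemon) mode unless a `nix` binary is already
# on PATH. The installer is fetched and executed directly, so the download is
# hardened: -f turns an HTTP error into a failure instead of feeding an error
# page to sh, --proto '=https' refuses any redirect off HTTPS (-L follows
# redirects), and --tlsv1.2 sets a TLS floor. -sS keeps curl quiet but still
# reports errors.
.PHONY: nix
nix:
	@if command -v nix >/dev/null 2>&1; then \
	  echo "Nix already installed."; \
	else \
	  echo "Installing Nix…"; \
	  sh <(curl -fsSL --proto '=https' --tlsv1.2 https://nixos.org/nix/install) --daemon; \
	fi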
# Builds and activates the Home Manager generation selected by $(FLAKE).
.PHONY: hm
hm:
	@printf '%s\n' "Applying Home Manager flake $(FLAKE)…"
	home-manager switch --flake "$(FLAKE)"
# Full machine bring-up. The prerequisite order is meaningful: system
# packages first, then Nix, then local-sync (home.nix references files under
# local-config) before hm, then the per-service setup scripts.
.PHONY: bootstrap
bootstrap: dnf flatpak nix local-sync hm suricata nvidia xremap recon-timers-install
	@printf '%s\n' "Bootstrap complete."
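# Clones or updates the private local-config repo (sibling of dotfiles) and
# runs its setup hook. Must run before `hm` because home.nix references files
# under local-config. The checkout location and remote are variables so the
# path is spelled once and can be overridden from the command line.
LOCAL_CONFIG_DIR ?= $(HOME)/Documents/workarea/local-config
LOCAL_CONFIG_REPO ?= git@github.com:json0/local-config.git

.PHONY: local-sync
local-sync:
	@echo "Syncing local-config (private)…"
	@if [ -d "$(LOCAL_CONFIG_DIR)/.git" ]; then \
	  git -C "$(LOCAL_CONFIG_DIR)" pull --ff-only; \
	else \
	  git clone "$(LOCAL_CONFIG_REPO)" "$(LOCAL_CONFIG_DIR)"; \
	fi
	@if [ -x "$(LOCAL_CONFIG_DIR)/setup.sh" ]; then \
	  bash "$(LOCAL_CONFIG_DIR)/setup.sh"; \
	fi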
# Delegates to fedora/setup-xremap.sh (udev rule + input group membership).
.PHONY: xremap
xremap:
	@printf '%s\n' "Setting up xremap uinput access"
	bash fedora/setup-xremap.sh
# Delegates to fedora/setup-nvidia.sh (proprietary driver + suspend hooks).
.PHONY: nvidia
nvidia:
	@printf '%s\n' "Setting up NVIDIA proprietary driver + suspend"
	bash fedora/setup-nvidia.sh
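# Reports what's pending across the update channels so you can decide whether
# to apply now or leave for the next routine update. This is a read-only
# report: every section is best-effort so one unreachable channel does not
# hide the others.
# - dnf check-update --security exits 100 when updates are available (not an
#   error), 0 when nothing is pending, and anything else on a real failure.
#   A real failure is reported explicitly rather than swallowed, because a
#   silently skipped section reads as "no pending security updates".
# - flatpak remote-ls --updates lists every pending flatpak update (no severity tagging)
# - nix flake metadata shows how stale each input is so flake.lock churn is visible
# - pip-audit runs against the exported bin/recon requirements; findings are
#   printed but do not fail the target (`|| true`), so read the output.
.PHONY: audit
audit:
	@echo "=== DNF: pending security updates ==="
	@dnf check-update --security || { rc=$$?; [ $$rc -eq 100 ] || echo "!! dnf check-update failed (exit $$rc); security status unknown"; }
	@echo
	@echo "=== Flatpak: pending updates ==="
	@flatpak remote-ls --updates || true
	@echo
	@echo "=== Nix flake input age ==="
	@nix flake metadata --json 2>/dev/null | jq -r '.locks.nodes | to_entries[] | select(.value.locked.lastModified) | "\(.key): \((now - .value.locked.lastModified) / 86400 | floor)d old"' || true
	@echo
	@echo "=== Python (bin/recon): vulnerabilities ==="
	@uvx pip-audit -r <(cd bin/recon && uv export --no-hashes 2>/dev/null) 2>&1 | grep -vE '^(Installed|Downloading|Downloaded| Installed)' || true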
# Routine cadence update across all package channels (dnf, flatpak, nix
# flake, home-manager, uv). Each line runs in its own shell and a failing
# step aborts the target, so a partially applied update is visible rather
# than silently skipped.
# Order matters: flake update must come before `home-manager switch`, otherwise
# you'd apply an old flake.lock. uv tool upgrade is last because the companion
# tools depend on nothing else.
# Run weekly or biweekly. A kernel update may land here — reboot afterwards if so.
.PHONY: update
update:
	@echo "=== DNF: system upgrade ==="
	sudo dnf upgrade --refresh -y
	@echo
	@echo "=== Flatpak: update ==="
	flatpak update -y
	@echo
	@echo "=== Nix flake: update flake.lock ==="
	nix flake update
	@echo
	@echo "=== Home Manager: apply new generation ==="
	home-manager switch --flake "$(FLAKE)"
	@echo
	@echo "=== uv: upgrade tools ==="
	uv tool upgrade --all
	@echo
	@echo "=== uv: refresh bin/recon lockfile ==="
	cd bin/recon && uv lock --upgrade
	@echo
	@echo "Update complete. If the kernel was updated, reboot to apply."
# Lists user-installed dnf packages that are not tracked in $(DNF_PKGS_FILE):
# set difference (comm -23) of the sorted installed set minus the sorted list.
# Needs bash for `<(...)`.
.PHONY: drift-dnf
drift-dnf:
	@printf '%s\n' "DNF drift (installed but not tracked in $(DNF_PKGS_FILE)):"
	comm -23 \
	  <(dnf repoquery --userinstalled | sort) \
	  <(grep -Ev '^\s*#|^\s*$$' "$(DNF_PKGS_FILE)" | sort) || true
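# Installs every `<remote> <app-id>` pair listed in $(FLATPAK_FILE). Each
# line is validated before use: a line with a missing app id or extra fields
# aborts the run rather than handing an empty or wrong argument to flatpak.
# The flatpak call reads from /dev/null so a child process can never consume
# the remaining lines of the list that `read` is iterating over.
.PHONY: flatpak
flatpak:
	test -f "$(FLATPAK_FILE)"
	@echo "Ensuring Flathub remote is configured…"
	sudo flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
	@echo "Installing flatpaks from $(FLATPAK_FILE)…"
	@grep -vE '^\s*#|^\s*$$' "$(FLATPAK_FILE)" | while read -r remote app extra; do \
	  if [ -z "$$app" ] || [ -n "$$extra" ]; then \
	    echo "malformed line in $(FLATPAK_FILE) (expected '<remote> <app-id>'): $$remote $$app $$extra"; exit 1; \
	  fi; \
	  echo " $$remote $$app"; \
	  sudo flatpak install -y --noninteractive "$$remote" "$$app" </dev/null; \
	done
	@echo "Reloading session DBus so new app services are activatable now…"
	@gdbus call --session --dest org.freedesktop.DBus \
	  --object-path /org/freedesktop/DBus \
	  --method org.freedesktop.DBus.ReloadConfig >/dev/null 2>&1 || true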
# Lists installed flatpak apps that are not tracked in $(FLATPAK_FILE).
# Both sides are normalised to "origin app-id" with single spaces so comm
# compares like with like. Needs bash for `<(...)`.
.PHONY: drift-flatpak
drift-flatpak:
	@printf '%s\n' "Flatpak drift (installed but not tracked in $(FLATPAK_FILE)):"
	@comm -23 \
	  <(flatpak list --app --columns=origin,application | tr '\t' ' ' | sort) \
	  <(grep -Ev '^\s*#|^\s*$$' "$(FLATPAK_FILE)" | tr -s ' \t' ' ' | sort) || true
# Delegates to suricata/setup-suricata.sh.
.PHONY: suricata
suricata:
	@printf '%s\n' "Setting up suricata"
	bash suricata/setup-suricata.sh
# Restarts the suricata service. NOTE(review): the message says "rules" but
# only a restart is visible here — presumably the unit refreshes its ruleset
# on start; confirm against the service definition.
.PHONY: suricata-update
suricata-update:
	@printf '%s\n' "Updating suricata rules"
	sudo systemctl restart suricata
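# Names of the recon tools under bin/recon/. `recon` fans out to recon-<tool>
# for each entry, so adding a name here (as `recon-new` tells you to) is what
# wires a new tool into `make recon`. Each tool still needs its own
# recon-<tool> rule below because the entry points differ (python -m for
# most, a shell script for outbound).
RECON_TOOLS := processes listening outbound autostart
RECON_TARGETS := $(addprefix recon-,$(RECON_TOOLS))
RECON_BLESS_TARGETS := recon-processes-bless recon-listening-bless recon-autostart-bless

.PHONY: recon $(RECON_TARGETS) $(RECON_BLESS_TARGETS) recon-new
recon: $(RECON_TARGETS)

# The *-bless variants record the current state as the accepted baseline.
recon-processes:
	@echo "=== recon: processes ==="
	@uv run --directory bin/recon python -m processes.processes
recon-processes-bless:
	@uv run --directory bin/recon python -m processes.processes --bless
recon-listening:
	@echo "=== recon: listening ==="
	@uv run --directory bin/recon python -m listening.listening
recon-listening-bless:
	@uv run --directory bin/recon python -m listening.listening --bless
recon-outbound:
	@echo "=== recon: outbound ==="
	@bin/recon/outbound/outbound.sh
recon-autostart:
	@echo "=== recon: autostart ==="
	@uv run --directory bin/recon python -m autostart.autostart
recon-autostart-bless:
	@uv run --directory bin/recon python -m autostart.autostart --bless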
# Delegates to bin/recon/setup-recon-timers.sh (systemd --user timers).
.PHONY: recon-timers-install
recon-timers-install:
	bash bin/recon/setup-recon-timers.sh
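# Scaffolds bin/recon/<NAME>/<NAME>.sh. NAME is spliced into a directory
# path and into the generated script body, so it is restricted to a plain
# identifier: this keeps `..`/`/` out of the path and quote characters out of
# the script. Refuses to overwrite an existing tool directory.
recon-new:
	@test -n "$(NAME)" || (echo "usage: make recon-new NAME=<tool>"; exit 1)
	@printf '%s\n' '$(NAME)' | grep -qE '^[A-Za-z0-9_-]+$$' || (echo 'NAME must contain only letters, digits, _ or -'; exit 1)
	@test ! -d "bin/recon/$(NAME)" || (echo "bin/recon/$(NAME) already exists"; exit 1)
	mkdir -p "bin/recon/$(NAME)"
	@printf '#!/usr/bin/env bash\nset -euo pipefail\n\n# TODO: describe what this tool answers\n\necho "TODO: implement $(NAME) recon"\n' > "bin/recon/$(NAME)/$(NAME).sh"
	chmod +x "bin/recon/$(NAME)/$(NAME).sh"
	@echo "Created bin/recon/$(NAME)/$(NAME).sh"
	@echo "Add '$(NAME)' to RECON_TOOLS in the Makefile to wire it into 'make recon'."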