Update README and simplify files for first time Fleet users (#38)

- Simplify files - Update default.yml
fleetdm · Jul 2, 2024 · e4b2020 · e4b2020
1 parent 4bc658c
commit e4b2020
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 130 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -37,7 +37,6 @@ jobs:
         env:
           FLEET_URL: ${{ secrets.FLEET_URL }}
           FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
-          FLEET_SSO_METADATA: ${{ secrets.FLEET_SSO_METADATA }}
           FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
           FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
           FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
diff --git a/README.md b/README.md
@@ -1,12 +1,8 @@
 # Fleet GitOps
 
-> #### 🚧 Fleet GitOps is currently in beta.
->
-> In Fleet 4.45, Fleet GitOps was released in beta. The Fleet team is currently [dogfooding](https://en.wikipedia.org/wiki/Eating_your_own_dog_food) and documenting the feature. You can track the progress [here](https://github.com/fleetdm/fleet/issues/17043).
+This is the starter repository for using [Fleet](https://fleetdm.com) with a GitOps workflow.
 
-This folder illustrates the best practice for using Fleet with a GitOps workflow.
-
-How to set up a GitOps workflow to manage Fleet:
+How to set up your GitOps workflow:
 
 1. Clone this repository.
 
@@ -16,19 +12,10 @@ How to set up a GitOps workflow to manage Fleet:
 
 4. Create your own GitHub repository.
 
-5. Add `FLEET_URL` and `FLEET_API_TOKEN` to your GitHub repository secrets.
-
-6. Update the `env` section of your [.github/workflows/workflow.yml](https://github.com/fleetdm/fleet-gitops/blob/main/.github/workflows/workflow.yml) file for all the environment variables that are mentioned in your `default.yml` and `teams/*.yml` YAML files. For the environment variables that map to secrets, add the required secrets to your GitHub repository secrets.
-
-7. Push your cloned and modified code to your repo.
+5. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user).
 
-8. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit, the action will run and update Fleet.
+6. Push your cloned and modified code to your repo.
 
-#### Structure:
+7. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit, the action will run and update Fleet.
 
-- `lib/` - folder for policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder.
-- `default.yml` - file that defines the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team."
-- `teams/` - folder for teams in Fleet. These `*.yml` files define the controls, queries, policies, and agent options for hosts assigned to the specified team.
-- `.github/workflows/workflow.yml` - the GitHub workflow file that applies the latest configuration to Fleet.
-- `.github/gitops-action/action.yml` - the GitHub action that runs `gitops.sh`. This action is used in the GitHub workflow file. It can also be used in other workflows.
-- `gitops.sh` - the bash script that applies the latest configuration to Fleet by executing `fleetctl gitops`. This script is used in the GitHub action file. It can be run standalone during development.
+For all configuration options, go to [GitOps reference](https://fleetdm.com/using-fleet/gitops) in the Fleet documentation.
diff --git a/default.yml b/default.yml
@@ -1,58 +1,16 @@
-# For Fleet Free, this file updates queries, policies, controls, and agent options for all hosts.
+# For Fleet Free, this file updates policies, queries, agent_options, and controls for all hosts.
 
-# For Fleet Premium, the default.yml file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are updated for hosts on "No team."
+# For Fleet Premium, the default.yml file updates policies and queries that run on all hosts ("All teams"). Controls and agent options are updated for hosts on "No team."
 
-controls: # Controls added to "No team"
-  macos_settings:
-    custom_settings:
-      - path: ./lib/macos-password.mobileconfig
-      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
-  windows_enabled_and_configured: true
-  windows_settings:
-    custom_settings:
-      - path: ./lib/windows-screenlock.xml
-  scripts:
-    - path: ./lib/collect-fleetd-logs.sh
-queries:
-  - path: ./lib/collect-fleetd-update-channels.queries.yml
 policies:
+queries:
 agent_options:
   path: ./lib/agent-options.yml
+controls:
 org_settings:
   server_settings:
-    debug_host_ids:
-      - 1
-      - 3
-    enable_analytics: true
-    live_query_disabled: false
-    query_reports_disabled: false
-    scripts_disabled: false
-    server_url: https://dogfood.fleetdm.com
+    server_url: $FLEET_URL
   org_info:
-    contact_url: https://fleetdm.com/company/contact
-    org_logo_url: ""
-    org_logo_url_light_background: ""
-    org_name: Fleet Device Management
-  smtp_settings:
-  sso_settings:
-    enable_jit_provisioning: false
-    enable_jit_role_sync: false
-    enable_sso: true
-    enable_sso_idp_login: false
-    idp_name: Google Workspace
-    entity_id: dogfood.fleetdm.com
-    metadata: $FLEET_SSO_METADATA
-  integrations:
-  mdm:
-    apple_bm_default_team:
-  webhook_settings:
-    vulnerabilities_webhook:
-      enable_vulnerabilities_webhook: true
-      destination_url: https://example.tines.com/webhook
-  fleet_desktop: # Applies to Fleet Premium only
-    transparency_url: https://fleetdm.com/transparency
-  host_expiry_settings: # Applies to all teams
-    host_expiry_enabled: false
-  features: # Features added to all teams
-  secrets: # These secrets are used to enroll hosts to the "All teams" team
+    org_name: Fleet
+  secrets:
     - secret: "$FLEET_GLOBAL_ENROLL_SECRET"
diff --git a/teams/workstations-canary.yml b/teams/workstations-canary.yml
@@ -1,46 +1,23 @@
-# Only available in Fleet Premium. 
+# Teams are available in Fleet Premium. 
 
-#This file updates controls, queries, policies, and agent options for assigned to the "Workstations (canary)" team.
+# This file updates controls, queries, policies, and agent options for assigned to the "Workstations (canary)" team.
 
-# To create and update another team, create another file in the teams/ directory and copy and paste the contents from this file.
+# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
 
 name: Workstations (canary)
-controls:
-  enable_disk_encryption: true
-  macos_updates:
-    deadline: "2023-08-11"
-    minimum_version: "13.5"
-  windows_updates:
-    deadline_days: 5
-    grace_period_days: 2
-  macos_settings:
-    custom_settings:
-      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
-      - path: ../lib/macos-password.mobileconfig
-  windows_settings:
-    custom_settings:
-      - path: ../lib/windows-screenlock.xml
-  macos_setup:
-    # bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg (Example URL)
-    # enable_end_user_authentication: true
-    macos_setup_assistant: ../lib/automatic-enrollment.dep.json
-  scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
-queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
-  - name: Collect fleetd update channels
-    description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
-    query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
-    interval: 300
-    observer_can_run: true
-    automations_enabled: false
 policies:
   - path: ../lib/macos-device-health.policies.yml
   - path: ../lib/windows-device-health.policies.yml
+  - path: ../lib/linux-device-health.policies.yml
+queries:
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
+controls:
+  scripts:
+    - path: ../lib/remove-zoom-artifacts.script.sh
+    - path: ../lib/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"
diff --git a/teams/workstations.yml b/teams/workstations.yml
@@ -1,40 +1,23 @@
 # Only available in Fleet Premium. 
 
-#This file updates controls, queries, policies, and agent options for assigned to the "Workstations" team.
+# This file updates policies, queries, agent options, and controls for assigned to the "Workstations" team.
 
-# To create and update another team, create another file in the teams/ directory and copy and paste the contents from this file.
+# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
 
 name: Workstations
-controls:
-  enable_disk_encryption: true
-  macos_updates:
-    deadline: "2023-08-11"
-    minimum_version: "13.5"
-  windows_updates:
-    deadline_days: 5
-    grace_period_days: 2
-  macos_settings:
-    custom_settings:
-      # - path: ../lib/macos-os-updates.ddm.json (DDM coming soon)
-      - path: ../lib/macos-password.mobileconfig
-  windows_settings:
-    custom_settings:
-    - path: ../lib/windows-screenlock.xml
-  macos_setup:
-      # bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg (example URL)
-      # enable_end_user_authentication: true
-      macos_setup_assistant: ../lib/automatic-enrollment.dep.json
-  scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
-queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
 policies:
   - path: ../lib/macos-device-health.policies.yml
   - path: ../lib/windows-device-health.policies.yml
+  - path: ../lib/linux-device-health.policies.yml
+queries:
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
+controls:
+  scripts:
+    - path: ../lib/remove-zoom-artifacts.script.sh
+    - path: ../lib/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"