
@mlrobinson
Last active March 9, 2016 22:35
Bootstrap script for my testing...
#!/usr/bin/env bash
# Bootstrap script: checks the host, installs the Xcode Command Line Tools,
# Homebrew and Ansible, clones or updates the configuration repository named
# below, sources its lockdown.sh, checks FileVault and finally runs bin/ensup.
# Abort on the first unhandled command failure.
set -e
### User Config Variables Start ###
# Repository that is cloned and whose lockdown.sh and bin/ensup are later run
# by this script, so whoever can push to it controls what runs on this host.
# NOTE(review): the "[email protected]" text looks like what the hosting
# page's e-mail obfuscation left of the user@host part of the URL; restore the
# real value from the original gist before using this script.
REMOTE_REPO="https://[email protected]/mlrobinson/infra-macbook-configuration.git"
# Exported for use in ensup and other scripts for finding our repo's home
export ANSIBLE_CONFIG_DIR="$HOME/.ansible.d"
### User Config Variables End ###
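# Keep sudo timestamp updated while Strap is running.
# This branch is the keepalive half of the script: the main run re-invokes
# this same file through sudo with --sudo-wait, and the loop below then
# refreshes /var/db/sudo/$SUDO_USER once per second until it is killed.
if [ "$1" = "--sudo-wait" ]; then
  # sudo sets SUDO_USER. Without it the path below would collapse to
  # /var/db/sudo/ itself, so refuse to run instead of touching that directory.
  : "${SUDO_USER:?--sudo-wait must be started through sudo}"
  while true; do
    mkdir -p "/var/db/sudo/$SUDO_USER"
    touch "/var/db/sudo/$SUDO_USER"
    sleep 1
  done
  # Not reached: the loop only ends when the process is killed.
  exit 0
fi
# --debug turns on command tracing further down.
[ "$1" = "--debug" ] && STRAP_DEBUG="1"
# Stays empty until the last line of the script; cleanup() reports a failure
# whenever it is still empty at exit.
STRAP_SUCCESS=""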
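#######################################
# EXIT handler: stop the sudo keepalive, remove the Command Line Tools
# placeholder, drop the cached sudo credentials and report a failed run.
# Globals:   STRAP_SUDO_WAIT_PID, CLT_PLACEHOLDER, STRAP_SUCCESS, STRAP_STEP,
#            STRAP_DEBUG (all read)
# Outputs:   failure messages on stderr when STRAP_SUCCESS is empty
#######################################
cleanup() {
  # Best effort from here on: a failing cleanup step must not stop the rest.
  set +e
  if [ -n "$STRAP_SUDO_WAIT_PID" ]; then
    sudo kill "$STRAP_SUDO_WAIT_PID"
  fi
  if [ -n "$CLT_PLACEHOLDER" ]; then
    # The placeholder is created with `sudo touch`, so it is normally owned by
    # root and a plain rm by the invoking user cannot delete it. Remove it
    # while sudo credentials are still cached; -n makes sudo fail instead of
    # prompting, and the plain rm is the fallback.
    sudo -n rm -f -- "$CLT_PLACEHOLDER" 2>/dev/null || rm -f -- "$CLT_PLACEHOLDER"
  fi
  # Invalidate the cached sudo credentials last, so nothing started after this
  # script can reuse them.
  sudo -k
  if [ -z "$STRAP_SUCCESS" ]; then
    if [ -n "$STRAP_STEP" ]; then
      echo "!!! $STRAP_STEP FAILED" >&2
    else
      echo "!!! FAILED" >&2
    fi
    if [ -z "$STRAP_DEBUG" ]; then
      echo "!!! Run '$0 --debug' for debugging output." >&2
    fi
  fi
}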
# Run cleanup on every exit path, successful or not.
trap cleanup EXIT
# Quiet mode is the default; --debug swaps it for command tracing.
if [ -z "$STRAP_DEBUG" ]; then
  STRAP_QUIET_FLAG="-q"
  # Q is expanded unquoted in grep/git calls so that it vanishes in debug mode.
  Q="$STRAP_QUIET_FLAG"
else
  set -x
fi
# The run counts as interactive when stdin is a terminal.
STDIN_FILE_DESCRIPTOR="0"
if [ -t "$STDIN_FILE_DESCRIPTOR" ]; then
  STRAP_INTERACTIVE="1"
fi
# Absolute path of this script, used later to re-run it under sudo.
STRAP_FULL_PATH="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
# Print "!!! <message>" on stderr and exit with status 1. STRAP_STEP is
# cleared first so that cleanup() does not also name a failed step.
abort() {
  STRAP_STEP=""
  printf '%s\n' "!!! $*" >&2
  exit 1
}
# Record the message as the current step and print it as "--> <message>"
# followed by a newline.
log() {
  STRAP_STEP="$*"
  printf '%s\n' "--> $*"
}
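# Record the message as the current step and print it as "--> <message> "
# without a trailing newline, so that a following logk ends the line.
# The message is passed as an argument to a fixed format string: used as the
# format itself, any '%' or backslash in it would be interpreted by printf.
logn() {
  STRAP_STEP="$*"
  printf -- '--> %s ' "$*"
}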
# Mark the current step as finished: clear STRAP_STEP and print "OK".
logk() {
  STRAP_STEP=""
  printf 'OK\n'
}
# Preflight checks: supported OS release, not running as root, and the user
# is in the admin group. $Q is left unquoted on purpose so that it disappears
# when it is empty (debug mode).
if ! sw_vers -productVersion | grep $Q -E "^10.(9|10|11)"; then
  abort "Run Strap on Mac OS X 10.9/10/11."
fi
if [ "$USER" = "root" ]; then
  abort "Run Strap as yourself, not root."
fi
if ! groups | grep $Q admin; then
  abort "Add $USER to the admin group."
fi
# Initialise sudo now to save prompting later.
log "Enter your password (for sudo access):"
# Drop any cached credentials first so the password prompt really happens.
sudo -k
sudo /usr/bin/true
# The script runs under `set -e`, so this bare test stops the run when the
# script path cannot be resolved to a regular file.
[ -f "$STRAP_FULL_PATH" ]
# Start the keepalive as root in the background. While it runs, later sudo
# calls are meant to succeed without a prompt, and that includes sudo calls
# made by files this script sources or executes afterwards.
sudo bash "$STRAP_FULL_PATH" --sudo-wait &
STRAP_SUDO_WAIT_PID="$!"
# Stops the run (set -e) if the keepalive process is already gone.
ps -p "$STRAP_SUDO_WAIT_PID" &>/dev/null
logk
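# Install the Xcode Command Line Tools if Xcode isn't installed.
# "Installed" here means xcode-select reports a developer directory that
# contains usr/bin/git.
DEVELOPER_DIR=$("xcode-select" -print-path 2>/dev/null || true)
if [ -z "$DEVELOPER_DIR" ] || ! [ -f "$DEVELOPER_DIR/usr/bin/git" ]; then
  log "Installing the Xcode Command Line Tools:"
  # NOTE(review): presumably softwareupdate keys on this exact path, which is
  # why a fixed name in /tmp is used instead of mktemp - confirm.
  CLT_PLACEHOLDER="/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress"
  # `sudo touch` follows symlinks, and this name in /tmp is predictable.
  # Refuse to go on if something has already planted a link here. The check is
  # not race-free, but it stops the simple case.
  if [ -L "$CLT_PLACEHOLDER" ]; then
    abort "$CLT_PLACEHOLDER is a symlink; remove it and re-run."
  fi
  sudo touch "$CLT_PLACEHOLDER"
  # First starred entry in the update list that sits next to a
  # "Command Line Developer/Tools" line, with leading blanks stripped.
  CLT_PACKAGE=$(softwareupdate -l | \
    grep -B 1 -E "Command Line (Developer|Tools)" | \
    awk -F"*" '/^ +\*/ {print $2}' | sed 's/^ *//' | head -n1)
  # Without a match the install below would be asked for an empty package
  # name; fail with a clear message instead.
  if [ -z "$CLT_PACKAGE" ]; then
    sudo rm -f "$CLT_PLACEHOLDER"
    abort "No Command Line Tools package was offered by softwareupdate."
  fi
  sudo softwareupdate -i "$CLT_PACKAGE"
  sudo rm -f "$CLT_PLACEHOLDER"
  logk
fi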
# Check if the Xcode license is agreed to and agree if not.
# The check is whether running clang through xcrun prints the word "license".
# Interactive runs open the license prompt through sudo; non-interactive runs
# abort with the command to run by hand.
xcode_license() {
  # Nothing to do unless clang's output mentions the license.
  /usr/bin/xcrun clang 2>&1 | grep $Q license || return 0
  if [ -z "$STRAP_INTERACTIVE" ]; then
    abort "Run 'sudo xcodebuild -license' to agree to the Xcode license."
  fi
  logn "Asking for Xcode license confirmation:"
  sudo xcodebuild -license
  logk
}
xcode_license
# Install Homebrew
# Only runs when `which brew` does not resolve to an executable.
if [[ ! -x $(which brew) ]]; then
  # Setup Homebrew directories and permissions.
  logn "Installing Homebrew:"
  HOMEBREW_PREFIX="/usr/local"
  HOMEBREW_CACHE="/Library/Caches/Homebrew"
  for dir in "$HOMEBREW_PREFIX" "$HOMEBREW_CACHE"; do
    if [ ! -d "$dir" ]; then
      sudo mkdir -p "$dir"
    fi
    # Security note: this hands all of /usr/local to the invoking user. Since
    # /usr/local/bin is put at the front of PATH below, any process running as
    # that user can afterwards place programs there without sudo.
    sudo chown -R "$USER:admin" "$dir"
  done
  # Download Homebrew.
  # GIT_DIR/GIT_WORK_TREE make the git commands below operate on the prefix
  # without changing directory; both are unset again once the checkout is done.
  GIT_DIR="$HOMEBREW_PREFIX/.git"
  GIT_WORK_TREE="$HOMEBREW_PREFIX"
  export GIT_DIR GIT_WORK_TREE
  git init $Q
  # NOTE(review): the repository URL and the tap names further down are the
  # ones this script was written against; check that they still resolve.
  git config remote.origin.url "https://github.com/Homebrew/homebrew"
  git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"
  # Fetch only when origin/master is not known yet. The checkout is whatever
  # the tip of master is at that moment; no commit is pinned or verified.
  if ! git rev-parse --verify --quiet origin/master >/dev/null; then
    git fetch $Q origin master:refs/remotes/origin/master --no-tags --depth=1
    git reset $Q --hard origin/master
  fi
  # Gives the owning group write access to every top-level entry of the prefix.
  sudo chmod g+rwx "$HOMEBREW_PREFIX"/* "$HOMEBREW_PREFIX"/.??*
  unset GIT_DIR GIT_WORK_TREE
  logk
  # Update Homebrew.
  PATH="$HOMEBREW_PREFIX/bin:$PATH"
  export PATH
  log "Updating Homebrew:"
  brew update
  logk
  # Install Homebrew Bundle, Cask, Services and Versions tap.
  log "Installing Homebrew taps and extensions:"
  # The Brewfile is passed on stdin; its lines and the terminator stay at
  # column 0 because they are here-document content.
  brew bundle --file=- <<EOF
tap 'caskroom/cask'
tap 'homebrew/services'
tap 'homebrew/versions'
EOF
  logk
fi
# Install Ansible
# Skipped when `which ansible` already resolves to an executable.
[[ -x $(which ansible) ]] || {
  log "Install Ansible"
  brew install ansible
  logk
}
# Check and install any remaining software updates.
logn "Checking for software updates:"
if ! softwareupdate -l 2>&1 | grep $Q "No new software available."; then
  echo
  log "Installing software updates:"
  if [ -n "$STRAP_CI" ]; then
    # CI runs (STRAP_CI set) never install system updates.
    echo "Skipping software updates for CI"
  else
    sudo softwareupdate --install --all
    # Check the Xcode license again after the updates.
    xcode_license
  fi
fi
# Both outcomes end the step with OK.
logk
# Modify the PATH
PATH="/usr/local/bin:$PATH"
export PATH
# Clone down the Ansible repo, or update it
# Security note: both paths take whatever the remote branch currently holds.
# No commit is pinned and no signature is checked, yet files from this
# checkout are sourced and executed further down. Pinning a reviewed commit,
# or verifying a signed tag before use, would close that gap.
if [[ -d $ANSIBLE_CONFIG_DIR ]]; then
  log "Update Local Repo"
  git -C "$ANSIBLE_CONFIG_DIR" pull
else
  log "Clone Full Repo"
  git clone -b split_bootstrap "$REMOTE_REPO" "$ANSIBLE_CONFIG_DIR"
fi
logk
# Apply Security Settings
# lockdown.sh comes from the repository checkout and is read into THIS shell:
# it sees every variable and function defined here and runs while the sudo
# keepalive started earlier is still active. Review that file, or check the
# checkout against a known-good commit, before trusting a run.
logn "Configuring security settings:"
. "$ANSIBLE_CONFIG_DIR/lockdown.sh"
logk
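# Check and enable full-disk encryption.
# FileVault already on (or pending for the next restart) counts as done. CI
# runs skip the step, interactive runs enable it, and anything else aborts
# with the command to run by hand.
logn "Checking full-disk encryption status:"
if fdesetup status | grep $Q -E "FileVault is (On|Off, but will be enabled after the next restart)."; then
  logk
elif [ -n "$STRAP_CI" ]; then
  echo
  logn "Skipping full-disk encryption for CI"
elif [ -n "$STRAP_INTERACTIVE" ]; then
  echo
  logn "Enabling full-disk encryption on next reboot:"
  STRAP_FDE_KEY_FILE="$HOME/Desktop/FileVault Recovery Key.txt"
  # The recovery key unlocks the disk, so the file that receives it must not
  # be readable by other accounts: create it under a restrictive umask and
  # tighten the mode afterwards in case the file already existed.
  STRAP_OLD_UMASK="$(umask)"
  umask 077
  # tee also shows the output on the terminal so the user can note the key.
  # If this script's output is being captured, the key ends up in that
  # capture too.
  sudo fdesetup enable -user "$USER" \
    | tee "$STRAP_FDE_KEY_FILE"
  # The pipeline's status is tee's; read fdesetup's own status so that a
  # failed enable is not reported as OK.
  STRAP_FDE_STATUS="${PIPESTATUS[0]}"
  umask "$STRAP_OLD_UMASK"
  chmod 600 "$STRAP_FDE_KEY_FILE"
  [ "$STRAP_FDE_STATUS" -eq 0 ] || abort "fdesetup enable failed (exit status $STRAP_FDE_STATUS)."
  # The key file sits on the disk it protects. Move it to separate, safe
  # storage and delete this copy once that is done.
  logk
else
  echo
  abort "Run 'sudo fdesetup enable -user \"$USER\"' to enable full-disk encryption."
fi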
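# Provision the box
# ensup comes from the repository checkout. The path is quoted so that a home
# directory containing spaces or glob characters still resolves to one word.
"$ANSIBLE_CONFIG_DIR/bin/ensup" all
# Mark the run as successful
# cleanup() prints its failure banner unless this is set.
STRAP_SUCCESS="1"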