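#!/usr/bin/env bash
# @file macOS Security Settings
# @brief Prompts user for various security prompts as early as possible (to make headless automation more manageable)
# @description
# This script performs various tasks on macOS that have required manual security prompts so that the
# user can run the installation process as headlessly as possible. This script only runs when the `HEADLESS_INSTALL` variable
# is set, the shell is not an SSH session (the prompts need a local GUI session), and the host looks like
# macOS (`/System` and `/Applications` exist). The various tasks include:
#
# 1. Download `Cloudflare_CA.crt` from developers.cloudflare.com and add it to the `System.keychain` as an
#    admin-trusted root for CloudFlare Zero Trust / WARP
# 2. Configure system VNC service to allow connections via the `USER` with the `VNC_PASSWORD`
#
# Security notes:
# - Step 1 installs a root CA that is trusted for every user on the machine. The only integrity check on
#   the download is the TLS connection to developers.cloudflare.com, so the SHA-256 of the downloaded file
#   is logged to make the action auditable. TODO(review): compare it against a pinned, out-of-band
#   confirmed value (<EXPECTED_SHA256_PLACEHOLDER>) before importing.
# - Step 2 resolves the VNC password at chezmoi render time, so the rendered script contains it in
#   plaintext and it is visible in `ps` while kickstart runs. When neither the chezmoi secret nor
#   `VNC_PASSWORD` is available the well-known default `vncpass` is used; this is logged explicitly.
#   `-vnclegacy yes` additionally enables legacy VNC password authentication for non-Apple VNC clients.

{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}

if [ -n "$HEADLESS_INSTALL" ] && [ -z "$SSH_CONNECTION" ] && [ -d /System ] && [ -d /Applications ]; then
  ### Ensure certificate is installed
  # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt
  # Source: https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
  ### Ensure certificate installed on macOS
  logg info '**macOS Manual Security Permission** Requesting security authorization for Cloudflare trusted certificate'
  CRT_TMP="$(mktemp)"
  # Remove the temp file on every exit path, not only after a successful import
  trap 'rm -f -- "$CRT_TMP"' EXIT
  # --fail (-f): an HTTP error body must never end up in the file that is about to be trusted as a root CA;
  # -s: also refuse an empty download.
  if curl -fsSL https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.crt -o "$CRT_TMP" \
    && [ -s "$CRT_TMP" ]; then
    # Record exactly which file is being trusted so the import can be audited against a known value
    logg info "Cloudflare_CA.crt SHA-256: $(shasum -a 256 -- "$CRT_TMP" | cut -d ' ' -f 1)"
    # -d: admin (system-wide) trust settings; -r trustRoot: trust the certificate as a root CA
    if sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$CRT_TMP"; then
      logg success 'Successfully imported Cloudflare_CA.crt into System.keychain'
    else
      printf '%s\n' 'Failed to import Cloudflare_CA.crt into System.keychain' >&2
    fi
  else
    printf '%s\n' 'Failed to download Cloudflare_CA.crt; skipping trusted certificate import' >&2
  fi
  rm -f -- "$CRT_TMP"

  ### Ensure VNC / Screen Sharing is enabled
  # Source: https://apple.stackexchange.com/questions/30238/how-to-enable-os-x-screen-sharing-vnc-through-ssh
  # To disable, run: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
  # Only enable when computer is not a corporate / work computer
  logg info '**macOS Manual Security Permission** Enabling VNC using the VNC_PASSWORD variable which is vncpass when nothing is specified'
  # Resolved when chezmoi renders this template: the decrypted secret when both the age key and the
  # encrypted template exist, otherwise the VNC_PASSWORD environment variable, otherwise 'vncpass'.
  VNC_PW="{{- if and (stat (joinPath .host.home ".config" "age" "chezmoi.txt")) (stat (joinPath .chezmoi.sourceDir ".chezmoitemplates" "secrets" "VNC_PASSWORD")) }}{{ includeTemplate "secrets/VNC_PASSWORD" | decrypt | trim }}{{ else }}{{ default "vncpass" (env "VNC_PASSWORD") }}{{ end }}"
  if [ "$VNC_PW" = 'vncpass' ]; then
    # A publicly documented default on a network-reachable service deserves an explicit log line
    logg info 'No VNC_PASSWORD configured: Screen Sharing will be enabled with the default password vncpass'
  fi
  # -allowAccessFor -specifiedUsers ... -users "$USER": only the current user may connect;
  # -privs -all: that user receives all Remote Management privileges.
  if sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -allowAccessFor -specifiedUsers -clientopts -setreqperm -reqperm yes -setvnclegacy -vnclegacy yes -setvncpw -vncpw "$VNC_PW" -restart -agent -privs -all -users "$USER"; then
    logg success 'Finished running the macOS Remote Management kickstart executable'
  else
    printf '%s\n' 'The macOS Remote Management kickstart executable exited with an error' >&2
  fi
  unset VNC_PW
fi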