diff --git a/default.nix b/default.nix
index 66c7508..c5bf6e5 100644
--- a/default.nix
+++ b/default.nix
@@ -35,6 +35,7 @@ let
     ./modules/nix/nixpkgs.nix
     ./modules/environment
     ./modules/launchd
+    ./modules/security
     ./modules/services/activate-system.nix
     ./modules/services/khd.nix
     ./modules/services/kwm.nix
diff --git a/modules/security/default.nix b/modules/security/default.nix
new file mode 100644
index 0000000..01c74c3
--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.security;
+
+  runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
+
+  allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
+  revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
+
+in
+
+{
+  options = {
+    security.accessibilityPrograms = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      description = "List of nix programs that are allowed control through the accessibility APIs.";
+    };
+  };
+
+  config = {
+
+    system.activationScripts.accessibility.text = ''
+      # Set up programs that require accessibility permissions
+      echo "setting up accessibility programs..." >&2
+
+      ${revokeAccess cfg.accessibilityPrograms}
+      ${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
+    '';
+
+  };
+}
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 0f14e91..47e0ed4 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -55,6 +55,7 @@ in
       ${cfg.activationScripts.nix-daemon.text}
       ${cfg.activationScripts.nix.text}
+      ${cfg.activationScripts.accessibility.text}
       ${cfg.activationScripts.etc.text}
       ${cfg.activationScripts.launchd.text}
       ${cfg.activationScripts.time.text}
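Review bot: `revokeAccess` in the new modules/security/default.nix deletes every TCC row whose client is under /nix/store/ without restricting the service, so grants a user gave a store-installed program for any other TCC service are dropped too, and with the option's default `[]` the clause becomes `client NOT IN ()`, which SQLite accepts and evaluates as true, removing all such rows; scope the DELETE to the service the INSERT writes, `DELETE FROM access WHERE service = 'kTCCServiceAccessibility' AND client LIKE '/nix/store/%' AND client NOT IN (...)`. Because activation-scripts.nix now interpolates `accessibility.text` unconditionally, this runs on every activation of every configuration, and the sqlite3 exit status is never checked, so a read-only or protected TCC.db fails silently unless the surrounding script (outside these hunks) traps errors. The INSERT relies on positional VALUES for seven columns, which ties it to one revision of the TCC.db schema; naming the columns would make a mismatch fail loudly instead of writing the wrong fields. Each path is interpolated into both the double-quoted shell argument and the SQL string literal without escaping; store paths have a restricted character set, but `types.path` does not enforce that, so either escape the value or narrow the option to store paths.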