| -rw-r--r-- | modules/org.freedesktop.machine1.host-shell.nix | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/modules/org.freedesktop.machine1.host-shell.nix b/modules/org.freedesktop.machine1.host-shell.nix
index 73825a5..1556ccf 100644
--- a/modules/org.freedesktop.machine1.host-shell.nix
+++ b/modules/org.freedesktop.machine1.host-shell.nix
@@ -1,4 +1,4 @@
-{ config, lib, mylib, ... }: {
+{ config, lib, mylib, pkgs, ... }: {
 options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
 default = {};
 type =
@@ -12,17 +12,19 @@
 (name: value: [name] ++ lib.attrNames value) x)));
 };
- config.security.polkit.extraConfig = let
+ config.environment.etc."polkit-1/rules.d/30-hrm-access.rules" = let
 cfg = config.org.freedesktop.machine1.host-shell;
+ in {
 enable = cfg.access != {};
- in lib.optionalString enable /* js */ ''
- polkit.addRule(function () {
- const access = ${builtins.toJSON cfg.access};
- return function(action, subject) {
- if (action.id === "org.freedesktop.machine1.host-shell"
- && (access[subject.user]||{})[action.lookup("user")])
- return polkit.Result.YES;
- }
- }());
- '';
+ source = pkgs.writePolkitRules "30-hrm-access.rules" /* js */ ''
+ polkit.addRule(function () {
+ const access = ${builtins.toJSON cfg.access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.machine1.host-shell"
+ && (access[subject.user]||{})[action.lookup("user")])
+ return polkit.Result.YES;
+ }
+ }());
+ '';
+ };
 }
 |
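Review bot: The access test on the new `&& (access[subject.user]||{})[action.lookup("user")])` line reads through the JavaScript prototype chain, so it is true for any target-user name that is an inherited property of a plain object, not only the names listed in `cfg.access`. With an entry such as `{ alice = { root = true; }; }`, `access.alice["constructor"]`, `["toString"]` or `["hasOwnProperty"]` are truthy functions, and a subject named e.g. `constructor` with no entry at all still reaches `Object["name"]`, so the rule answers YES for a host shell as such a user whenever one exists on the host. Restrict both lookups to own properties, e.g. replace that line with `&& Object.prototype.hasOwnProperty.call(access, subject.user)` and `&& Object.prototype.hasOwnProperty.call(access[subject.user], action.lookup("user"))`; I would avoid `Object.hasOwn` because polkitd's embedded engine (Duktape in recent releases, older mozjs before that) may not provide it. This assumes `action.lookup("user")` is the target user that machined attaches to the host-shell action, which the diff takes for granted but does not show, so it is worth confirming against the systemd version in use. A one-line comment above the rule, `// grants a host shell as the requested user only to subjects explicitly listed in cfg.access`, would make the intended contract explicit.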
