From f8d750f864aef25ae54293bbfde10dc3183c9e6b Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 18 Jul 2025 15:04:21 +0200
Subject: org.freedesktop.machine1.host-shell: use writePolkitRules
---
 modules/org.freedesktop.machine1.host-shell.nix | 26 +++++++++++++-------------
 1 file changed, 14 insertions(+), 12 deletions(-)
(limited to 'modules/org.freedesktop.machine1.host-shell.nix')
diff --git a/modules/org.freedesktop.machine1.host-shell.nix b/modules/org.freedesktop.machine1.host-shell.nix
index 73825a5..1556ccf 100644
--- a/modules/org.freedesktop.machine1.host-shell.nix
+++ b/modules/org.freedesktop.machine1.host-shell.nix
@@ -1,4 +1,4 @@
-{ config, lib, mylib, ... }: {
+{ config, lib, mylib, pkgs, ... }: {
 options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
 default = {};
 type =
@@ -12,17 +12,19 @@
 (name: value: [name] ++ lib.attrNames value) x)));
 };
- config.security.polkit.extraConfig = let
+ config.environment.etc."polkit-1/rules.d/30-hrm-access.rules" = let
 cfg = config.org.freedesktop.machine1.host-shell;
+ in {
 enable = cfg.access != {};
- in lib.optionalString enable /* js */ ''
- polkit.addRule(function () {
- const access = ${builtins.toJSON cfg.access};
- return function(action, subject) {
- if (action.id === "org.freedesktop.machine1.host-shell"
- && (access[subject.user]||{})[action.lookup("user")])
- return polkit.Result.YES;
- }
- }());
- '';
+ source = pkgs.writePolkitRules "30-hrm-access.rules" /* js */ ''
+ polkit.addRule(function () {
+ const access = ${builtins.toJSON cfg.access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.machine1.host-shell"
+ && (access[subject.user]||{})[action.lookup("user")])
+ return polkit.Result.YES;
+ }
+ }());
+ '';
+ };
 }
--
cgit v1.2.3
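Review bot: The authorization test `(access[subject.user]||{})[action.lookup("user")]` in the added rule body resolves inherited properties as well as configured ones, because `access` is an ordinary object literal emitted by `builtins.toJSON`. A caller or target name that happens to match a built-in object member would therefore be read as a truthy grant and return `polkit.Result.YES`. Limit both lookups to own properties before testing the value, for example `var targets = Object.prototype.hasOwnProperty.call(access, subject.user) ? access[subject.user] : {};` followed by `Object.prototype.hasOwnProperty.call(targets, action.lookup("user")) && targets[action.lookup("user")]`. The expression is carried over unchanged from the removed `extraConfig` version. The option's type check is only partly visible in this hunk, so whether Nix-side validation already rules out such names cannot be confirmed from here.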