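# NixOS module: declarative polkit grants for the
# org.freedesktop.machine1.host-shell action.
{ config, lib, mylib, pkgs, ... }: {
  # access.<subject>.<target> = true makes the generated polkit rule answer
  # YES when <subject> (polkit's subject.user) requests a host shell whose
  # "user" detail is <target>. Anything not listed is left to other rules.
  options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
    default = {};
    type =
      lib.types.addCheck
        (lib.types.attrsOf (lib.types.attrsOf lib.types.bool))
        # Every outer key and every inner key must pass the project's
        # username check, because these names are embedded in the generated
        # JavaScript rule below.
        # NOTE(review): confirm mylib.types.username.check rejects names such
        # as `__proto__`; as a key of a JS object literal that sets the
        # prototype instead of adding an entry.
        (x:
          lib.all
            mylib.types.username.check
            (lib.concatLists
              (lib.mapAttrsToList
                (name: value: [name] ++ lib.attrNames value)
                x)));
  };

  config.environment.etc."polkit-1/rules.d/30-hrm-access.rules" = let
    cfg = config.org.freedesktop.machine1.host-shell;
  in {
    # Install the rule file only when at least one grant is configured.
    enable = cfg.access != {};
    source = pkgs.writePolkitRules "30-hrm-access.rules" /* js */ ''
      polkit.addRule(function () {
        const access = ${builtins.toJSON cfg.access};
        // Own-property lookups only: a plain access[x] also resolves names
        // inherited from Object.prototype (for example "constructor"), and
        // those truthy values would be read as a grant nobody configured.
        const owns = function (obj, key) {
          return Object.prototype.hasOwnProperty.call(obj, key);
        };
        return function (action, subject) {
          if (action.id !== "org.freedesktop.machine1.host-shell") {
            return;
          }
          if (!owns(access, subject.user)) {
            return;
          }
          const targets = access[subject.user];
          const target = action.lookup("user");
          // Grant only on an explicit true; returning nothing leaves the
          // decision to the remaining polkit rules.
          if (owns(targets, target) && targets[target] === true) {
            return polkit.Result.YES;
          }
        };
      }());
    '';
  };
}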