authortv <tv@krebsco.de>2023-01-18 17:13:30 +0100
committertv <tv@krebsco.de>2023-01-18 17:23:38 +0100
commit5eb821ab1bea5efd2f845115b3dbc31f4f475ca9 (patch)
treea09662ac9e17dcb9416ba7fd7008a33e7d381678
parentab43821bb1b084228146c47eb5f529415e617392 (diff)
tv.systemd.services.*.operators: init
-rw-r--r--tv/3modules/default.nix1
-rw-r--r--tv/3modules/systemd.nix46
2 files changed, 47 insertions, 0 deletions
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index ea3efbcca..c49f1582f 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -10,6 +10,7 @@
./iptables.nix
./lidControl.nix
./org.freedesktop.machine1.host-shell.nix
+ ./systemd.nix
./slock.nix
./x0vncserver.nix
./Xresources.nix
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
new file mode 100644
index 000000000..bbbab0632
--- /dev/null
+++ b/tv/3modules/systemd.nix
@@ -0,0 +1,46 @@
+with import ./lib;
+{ config, ... }: let
+ normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+ options = {
+ tv.systemd.services = mkOption {
+ type = types.attrsOf (types.submodule (self: {
+ options = {
+ operators = mkOption {
+ type = with types; listOf (enum (attrNames normalUsers));
+ default = [];
+ };
+ };
+ }));
+ };
+ };
+ config = {
+ security.polkit.extraConfig = let
+ access =
+ mapAttrs'
+ (name: cfg:
+ nameValuePair "${name}.service"
+ (genAttrs cfg.operators (const true))
+ )
+ config.tv.systemd.services;
+ in optionalString (access != {}) /* js */ ''
+ polkit.addRule(function () {
+ const access = ${lib.toJSON access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.systemd1.manage-units") {
+ const unit = action.lookup("unit");
+ if (
+ (access[unit]||{})[subject.user] ||
+ (
+ unit.includes("@") &&
+ (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ }
+ }
+ }());
+ '';
+ };
+}
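Review bot: The two operator lookups `(access[unit]||{})[subject.user]` and `(access[unit.replace(...)]||{})[subject.user]` use plain property access, so inherited `Object.prototype` members count as grants: a subject whose user name is `constructor`, `toString` or `hasOwnProperty` would get `polkit.Result.YES` for every unit that has at least one operator, because `({tv: true})["constructor"]` is the truthy `Object` function. Such user names are unlikely on this host, but the standard fix is an own-property check via `Object.prototype.hasOwnProperty.call`, which also works on older polkit JS engines. Two smaller points in the same branch: if a `manage-units` request carries no `unit` detail, `action.lookup("unit")` is not a string and `unit.includes("@")` throws, aborting the rule, so a `typeof unit !== "string"` guard is warranted; and the template mapping `/@[^.]+/` stops at the first dot, so an instance name containing a dot (`foo@a.b.service`) never matches its `foo@.service` entry, whereas `unit.replace(/@.*\./, "@.")` strips from the `@` to the last dot. The rewritten inner function, still inside the unchanged `polkit.addRule` wrapper and after the unchanged `const access = …` line, is below.
```javascript
// … unchanged: polkit.addRule(function () { const access = …; …
return function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") return;
  const unit = action.lookup("unit");
  // No unit detail: nothing to match, fall through to other rules / implicit policy.
  if (typeof unit !== "string") return;
  // Own-property checks only: inherited Object.prototype members must never count as a grant.
  const has = function (obj, key) {
    return Object.prototype.hasOwnProperty.call(obj, key);
  };
  const allowed = function (name) {
    return has(access, name) && has(access[name], subject.user);
  };
  // Instance names may contain dots, so strip from "@" up to the last "." to get the template name.
  if (allowed(unit) || (unit.includes("@") && allowed(unit.replace(/@.*\./, "@.")))) {
    return polkit.Result.YES;
  }
};
// … unchanged: }()); and the closing '' of the Nix string …
```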