Merge remote-tracking branch 'ni/master'

1 files changed, 28 insertions, 0 deletions

diff --git a/tv/3modules/org.freedesktop.machine1.host-shell.nix b/tv/3modules/org.freedesktop.machine1.host-shell.nix
new file mode 100644
index 000000000..e1a5323d6
--- /dev/null
+++ b/tv/3modules/org.freedesktop.machine1.host-shell.nix
@@ -0,0 +1,28 @@
+{ config, ... }: let lib = import ../../lib; in {
+  options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
+    default = {};
+    type =
+      lib.types.addCheck
+        (lib.types.attrsOf (lib.types.attrsOf lib.types.bool))
+        (x:
+          lib.all
+            lib.types.username.check
+            (lib.concatLists
+              (lib.mapAttrsToList
+                (name: value: [name] ++ lib.attrNames value)
+                x)));
+  };
+  config.security.polkit.extraConfig = let
+    cfg = config.org.freedesktop.machine1.host-shell;
+    enable = cfg.access != {};
+  in lib.optionalString enable /* js */ ''
+    polkit.addRule(function () {
+      var access = ${lib.toJSON cfg.access};
+      return function(action, subject) {
+        if (action.id === "org.freedesktop.machine1.host-shell"
+            && (access[subject.user]||{})[action.lookup("user")])
+          return polkit.Result.YES;
+      }
+    }());
+  '';
+}