summaryrefslogtreecommitdiffstats
path: root/tv/3modules/systemd.nix
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2023-01-19 14:11:01 +0100
committerlassulus <lassulus@lassul.us>2023-01-19 14:11:01 +0100
commitb51998cfae7b6fe892f9f0f9a2c0ffcfeeded0ba (patch)
treeca76ec46d32a99edacfd2d0be19a7f1ef410fe76 /tv/3modules/systemd.nix
parent347bb9ae00f8f1b6942f94d4c983593052a5c227 (diff)
parent57abca263fe86259807e5597d1c8f11c3c3acd44 (diff)
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'tv/3modules/systemd.nix')
-rw-r--r--tv/3modules/systemd.nix47
1 files changed, 47 insertions, 0 deletions
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
new file mode 100644
index 000000000..db8a51994
--- /dev/null
+++ b/tv/3modules/systemd.nix
@@ -0,0 +1,47 @@
+with import ./lib;
+{ config, ... }: let
+ normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+ options = {
+ tv.systemd.services = mkOption {
+ type = types.attrsOf (types.submodule (self: {
+ options = {
+ operators = mkOption {
+ type = with types; listOf (enum (attrNames normalUsers));
+ default = [];
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+ config = {
+ security.polkit.extraConfig = let
+ access =
+ mapAttrs'
+ (name: cfg:
+ nameValuePair "${name}.service"
+ (genAttrs cfg.operators (const true))
+ )
+ config.tv.systemd.services;
+ in optionalString (access != {}) /* js */ ''
+ polkit.addRule(function () {
+ const access = ${lib.toJSON access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.systemd1.manage-units") {
+ const unit = action.lookup("unit");
+ if (
+ (access[unit]||{})[subject.user] ||
+ (
+ unit.includes("@") &&
+ (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ }
+ }
+ }());
+ '';
+ };
+}