author | lassulus <lassulus@lassul.us> | 2023-01-19 14:11:01 +0100 |
---|---|---|
committer | lassulus <lassulus@lassul.us> | 2023-01-19 14:11:01 +0100 |
commit | b51998cfae7b6fe892f9f0f9a2c0ffcfeeded0ba (patch) | |
tree | ca76ec46d32a99edacfd2d0be19a7f1ef410fe76 /tv/3modules/systemd.nix | |
parent | 347bb9ae00f8f1b6942f94d4c983593052a5c227 (diff) | |
parent | 57abca263fe86259807e5597d1c8f11c3c3acd44 (diff) |
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'tv/3modules/systemd.nix')
-rw-r--r-- | tv/3modules/systemd.nix | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
new file mode 100644
index 000000000..db8a51994
--- /dev/null
+++ b/tv/3modules/systemd.nix
@@ -0,0 +1,47 @@
+with import ./lib;
+{ config, ... }: let
+ normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+ options = {
+ tv.systemd.services = mkOption {
+ type = types.attrsOf (types.submodule (self: {
+ options = {
+ operators = mkOption {
+ type = with types; listOf (enum (attrNames normalUsers));
+ default = [];
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+ config = {
+ security.polkit.extraConfig = let
+ access =
+ mapAttrs'
+ (name: cfg:
+ nameValuePair "${name}.service"
+ (genAttrs cfg.operators (const true))
+ )
+ config.tv.systemd.services;
+ in optionalString (access != {}) /* js */ ''
+ polkit.addRule(function () {
+ const access = ${lib.toJSON access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.systemd1.manage-units") {
+ const unit = action.lookup("unit");
+ if (
+ (access[unit]||{})[subject.user] ||
+ (
+ unit.includes("@") &&
+ (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ }
+ }
+ }());
+ '';
+ };
+}
+} |
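Review bot: The authorization test in the inner `if` of the polkit rule accepts any truthy property, including ones inherited from `Object.prototype`, so `(access[unit]||{})[subject.user]` evaluates truthy for an account whose name matches an inherited key (for example `constructor`), and because of the `||{}` fallback that holds even for units that are not configured at all. The generated table only ever stores the literal `true`, so both lookups can compare against it: `(access[unit]||{})[subject.user] === true` and `(access[unit.replace(/@[^.]+/, "@")]||{})[subject.user] === true`. Whether such an account exists depends on the host, but the rule should not rely on that. Separately, the rule never inspects `action.lookup("verb")`, so operators receive every `manage-units` verb for their units; if that is intended, a comment above `polkit.addRule` such as `// operators may start, stop, restart and reload their units` would record it.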