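# NixOS module: lets selected normal users manage selected systemd units
# through polkit, without granting them blanket manage-units rights.
#
#   tv.systemd.services.<name>.operators = [ "alice" ];
#
# allows alice to manage <name>.service (and, for template units, the
# instances of <name>.service when <name> ends in "@").
with import ./lib;
{ config, ... }: let
  # Only accounts with isNormalUser set may be named as operators.
  normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
in {
  options = {
    tv.systemd.services = mkOption {
      type = types.attrsOf (types.submodule (self: {
        options = {
          # User names allowed to manage this unit; the enum rejects names
          # that are not declared normal users at evaluation time.
          operators = mkOption {
            type = with types; listOf (enum (attrNames normalUsers));
            default = [];
          };
        };
      }));
      default = {};
    };
  };
  config = {
    security.polkit.extraConfig = let
      # { "<name>.service" = { <operator> = true; ... }; ... }
      access =
        mapAttrs'
          (name: cfg:
            nameValuePair "${name}.service"
              (genAttrs cfg.operators (const true))
          )
          config.tv.systemd.services;
    # No rule is emitted at all when no service declares operators.
    in optionalString (access != {}) /* js */ ''
      polkit.addRule(function () {
        const access = ${lib.toJSON access};

        // Both lookup keys are outside this rule's control: the unit name is
        // supplied with the request and subject.user is whatever account made
        // it. A plain access[unit][user] read would also see inherited
        // members (e.g. "constructor"), so an account whose name matches one
        // would be treated as an operator of every unit. Test own properties
        // only.
        const owns = function (object, key) {
          return Object.prototype.hasOwnProperty.call(object, key);
        };
        const allowed = function (unit, user) {
          return owns(access, unit) && owns(access[unit], user);
        };

        return function (action, subject) {
          if (action.id === "org.freedesktop.systemd1.manage-units") {
            const unit = action.lookup("unit");

            // lookup() yields undefined when the request carries no unit
            // detail; make no decision instead of throwing on it.
            if (typeof unit !== "string") {
              return;
            }

            if (
              allowed(unit, subject.user) ||
              (
                // Template instance: foo@bar.service is authorised through
                // the entry for foo@.service.
                unit.includes("@") &&
                allowed(unit.replace(/@[^.]+/, "@"), subject.user)
              )
            ) {
              return polkit.Result.YES;
            }
          }
          // Falling through returns undefined, i.e. no decision from this
          // rule; it never returns an explicit denial.
        }
      }());
    '';
  };
}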