dunkirk.sh / dots
Kieran's opinionated (and probably slightly dumb) nix config
fork atom

feat: add polkit rule for battleship-arena systemd sandboxing

dunkirk.sh d572c4ef 2b289411

verified
options
unified split
Changed files
+13 -3
flake.lock
modules
nixos
services
battleship-arena.nix
+3 -3
flake.lock 
···

       
44

       
44

       
 

       
        ]


     

       
45

       
45

       
 

       
      },


     

       
46

       
46

       
 

       
      "locked": {


     

       
47

       

       
-

       
        "lastModified": 1764978362,


     

       
48

       

       
-

       
        "narHash": "sha256-iTJDq41XwBTCbs5+eLVU4rFEcujzeXv17MZWW0qwEWQ=",


     

       

       
47

       
+

       
        "lastModified": 1764979146,


     

       

       
48

       
+

       
        "narHash": "sha256-Cs9JvUD5p+Dfd2o3vCNEjSOy/DaBKKqt0mIri6mfWQA=",


     

       
49

       
49

       
 

       
        "owner": "taciturnaxolotl",


     

       
50

       
50

       
 

       
        "repo": "battleship-arena",


     

       
51

       

       
-

       
        "rev": "072949ae291feeafd5d19c598bf7526d909f94b0",


     

       

       
51

       
+

       
        "rev": "e4a5d2409503d77bc31d2a4b3b27211ae837ea06",


     

       
52

       
52

       
 

       
        "type": "github"


     

       
53

       
53

       
 

       
      },


     

       
54

       
54

       
 

       
      "original": {
+10
modules/nixos/services/battleship-arena.nix 
···

       
128

       
128

       
 

       
      '';


     

       
129

       
129

       
 

       
    };


     

       
130

       
130

       
 

       



     

       

       
131

       
+

       
    # Allow battleship-arena user to create transient systemd units for sandboxing


     

       

       
132

       
+

       
    security.polkit.extraConfig = ''


     

       

       
133

       
+

       
      polkit.addRule(function(action, subject) {


     

       

       
134

       
+

       
        if (action.id == "org.freedesktop.systemd1.manage-units" &&


     

       

       
135

       
+

       
            subject.user == "battleship-arena") {


     

       

       
136

       
+

       
          return polkit.Result.YES;


     

       

       
137

       
+

       
        }


     

       

       
138

       
+

       
      });


     

       

       
139

       
+

       
    '';


     

       

       
140

       
+

       



     

       
131

       
141

       
 

       
    networking.firewall.allowedTCPPorts = [ cfg.sshPort ];


     

       
132

       
142

       
 

       
  };


     

       
133

       
143

       
 

       
}