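{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.polkit;

  # The admin rule generated below is JavaScript, so the identity list must be
  # emitted as valid JS.  JSON is a syntactic subset of JS and toJSON quotes
  # and escapes every entry, whereas wrapping each entry in bare double quotes
  # lets a quote or backslash in an identity string break the rule file.
  adminIdentitiesJS = builtins.toJSON cfg.adminIdentities;

in

{

  options = {

    security.polkit.enable = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to enable PolKit.";
    };

    # Verbatim JavaScript appended to the NixOS rules file.  Rules decide
    # authorization for privileged actions, so anything placed here is
    # effectively trusted policy (the second example grants everything).
    security.polkit.extraConfig = mkOption {
      type = types.lines;
      default = "";
      example =
        ''
          /* Log authorization checks. */
          polkit.addRule(function(action, subject) {
            polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
          });

          /* Allow any local user to do anything (dangerous!). */
          polkit.addRule(function(action, subject) {
            if (subject.local) return "yes";
          });
        '';
      description =
        ''
          Any polkit rules to be added to config (in JavaScript ;-). See:
          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
        '';
    };

    # Identities returned by the generated admin rule.  Entries are polkit
    # identity strings of the form "unix-user:NAME" or "unix-group:NAME".
    security.polkit.adminIdentities = mkOption {
      type = types.listOf types.str;
      default = [ "unix-group:wheel" ];
      example = [ "unix-user:alice" "unix-group:admin" ];
      description =
        ''
          Specifies which users are considered administrators, for those
          actions that require the user to authenticate as an
          administrator (i.e. have an <literal>auth_admin</literal>
          value). By default, this is all users in the <literal>wheel</literal> group.
        '';
    };

  };


  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];

    systemd.packages = [ pkgs.polkit.out ];

    # Restart polkitd whenever the system path changes (it reads action and
    # rule files through the pathsToLink entry below), but do not stop it
    # during activation so authorization checks keep working mid-switch.
    systemd.services.polkit.restartTriggers = [ config.system.path ];
    systemd.services.polkit.stopIfChanged = false;

    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];

    # PolKit rules for NixOS.
    # The admin identities are emitted through toJSON so the generated
    # JavaScript stays well-formed for any identity string.  extraConfig is
    # appended verbatim; a syntax error in it is presumably only reported by
    # polkitd when the file is loaded, not at build time (see TODO below).
    environment.etc."polkit-1/rules.d/10-nixos.rules".text =
      ''
        polkit.addAdminRule(function(action, subject) {
          return ${adminIdentitiesJS};
        });

        ${cfg.extraConfig}
      ''; #TODO: validation on compilation (at least against typos)

    services.dbus.packages = [ pkgs.polkit.out ];

    security.pam.services.polkit-1 = {};

    # Both binaries are installed setuid root.  pkexec in particular is
    # reachable by every local user, so any flaw in it is a direct local
    # privilege escalation; keep pkgs.polkit current.
    security.wrappers = {
      pkexec =
        { setuid = true;
          owner = "root";
          group = "root";
          source = "${pkgs.polkit.bin}/bin/pkexec";
        };
      polkit-agent-helper-1 =
        { setuid = true;
          owner = "root";
          group = "root";
          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
        };
    };

    systemd.tmpfiles.rules = [
      # Probably no more needed, clean up
      "R /var/lib/polkit-1"
      "R /var/lib/PolicyKit"
    ];

    # Unprivileged account for the daemon; presumably referenced by polkit's
    # own unit files, which this module does not define.
    users.users.polkituser = {
      description = "PolKit daemon";
      uid = config.ids.uids.polkituser;
      group = "polkituser";
    };

    users.groups.polkituser = {};
  };

}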