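# NixOS module for the polkit authorization service.
#
# Declares the `security.polkit.*` options and, when enabled, wires up the
# polkitd systemd unit, the setuid helpers, the D-Bus/PAM registrations and
# the NixOS-generated admin rule file.
{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.security.polkit;

in

{

  options = {

    security.polkit.enable = lib.mkEnableOption "polkit";

    security.polkit.package = lib.mkPackageOption pkgs "polkit" { };

    # Controls whether polkitd is started with `--no-debug` (see ExecStart below).
    security.polkit.debug = lib.mkEnableOption "debug logs from polkit. This is required in order to see log messages from rule definitions";

    # Free-form JavaScript appended verbatim to the generated rules file.
    security.polkit.extraConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      example = ''
        /* Log authorization checks. */
        polkit.addRule(function(action, subject) {
          // Make sure to set { security.polkit.debug = true; } in configuration.nix
          polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
        });

        /* Allow any local user to do anything (dangerous!). */
        polkit.addRule(function(action, subject) {
          if (subject.local) return "yes";
        });
      '';
      description = ''
        Any polkit rules to be added to config (in JavaScript ;-). See:
        <https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules>
      '';
    };

    # Identities returned by the generated addAdminRule; each entry becomes one
    # JavaScript string literal in the rules file.
    security.polkit.adminIdentities = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "unix-group:wheel" ];
      example = [
        "unix-user:alice"
        "unix-group:admin"
      ];
      description = ''
        Specifies which users are considered administrators, for those
        actions that require the user to authenticate as an
        administrator (i.e. have an `auth_admin`
        value). By default, this is all users in the `wheel` group.
      '';
    };

  };

  config = lib.mkIf cfg.enable {

    environment.systemPackages = [
      cfg.package.bin
      cfg.package.out
    ];

    systemd.packages = [ cfg.package.out ];

    # The leading empty entry clears the ExecStart inherited from the packaged
    # unit so that the flag-carrying command line below is the only one used.
    systemd.services.polkit.serviceConfig.ExecStart = [
      ""
      "${cfg.package.out}/lib/polkit-1/polkitd ${lib.optionalString (!cfg.debug) "--no-debug"}"
    ];

    systemd.services.polkit.restartTriggers = [ config.system.path ];
    systemd.services.polkit.stopIfChanged = false;

    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];

    # PolKit rules for NixOS.
    # The identity list is rendered with builtins.toJSON so that every entry is
    # a correctly quoted and escaped JavaScript string literal; interpolating
    # the raw option values would let a stray `"` or `\` in an identity break
    # (or alter the meaning of) the generated rule file.
    environment.etc."polkit-1/rules.d/10-nixos.rules".text = ''
      polkit.addAdminRule(function(action, subject) {
        return ${builtins.toJSON cfg.adminIdentities};
      });

      ${cfg.extraConfig}
    ''; # TODO: validation on compilation (at least against typos)

    services.dbus.packages = [ cfg.package.out ];

    security.pam.services.polkit-1 = { };

    # Both helpers must run setuid root; they are exposed through the
    # security.wrappers mechanism rather than the unprivileged store paths.
    security.wrappers = {
      pkexec = {
        setuid = true;
        owner = "root";
        group = "root";
        source = "${cfg.package.bin}/bin/pkexec";
      };
      polkit-agent-helper-1 = {
        setuid = true;
        owner = "root";
        group = "root";
        source = "${cfg.package.out}/lib/polkit-1/polkit-agent-helper-1";
      };
    };

    systemd.tmpfiles.rules = [
      # Probably no more needed, clean up
      "R /var/lib/polkit-1"
      "R /var/lib/PolicyKit"
    ];

    users.users.polkituser = {
      description = "PolKit daemon";
      uid = config.ids.uids.polkituser;
      group = "polkituser";
    };

    users.groups.polkituser = { };
  };

}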