tv.systemd.services.*.operators: init

2023-01-18 17:13:30 +01:00 · 2023-01-18 17:13:30 +01:00 · 5eb821ab1b
parent ab43821bb1
commit 5eb821ab1b
2 changed files with 47 additions and 0 deletions
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@ -10,6 +10,7 @@
    ./iptables.nix
    ./lidControl.nix
    ./org.freedesktop.machine1.host-shell.nix
+    ./systemd.nix
    ./slock.nix
    ./x0vncserver.nix
    ./Xresources.nix
--- a/tv/3modules/systemd.nix
+++ b/tv/3modules/systemd.nix
@ -0,0 +1,46 @@
+with import ./lib;
+{ config, ... }: let
+  normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+  options = {
+    tv.systemd.services = mkOption {
+      type = types.attrsOf (types.submodule (self: {
+        options = {
+          operators = mkOption {
+            type = with types; listOf (enum (attrNames normalUsers));
+            default = [];
+          };
+        };
+      }));
+    };
+  };
+  config = {
+    security.polkit.extraConfig = let
+      access =
+        mapAttrs'
+          (name: cfg:
+            nameValuePair "${name}.service"
+                          (genAttrs cfg.operators (const true))
+          )
+          config.tv.systemd.services;
+    in optionalString (access != {}) /* js */ ''
+      polkit.addRule(function () {
+        const access = ${lib.toJSON access};
+        return function (action, subject) {
+          if (action.id === "org.freedesktop.systemd1.manage-units") {
+            const unit = action.lookup("unit");
+            if (
+              (access[unit]||{})[subject.user] ||
+              (
+                unit.includes("@") &&
+                (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+              )
+            ) {
+              return polkit.Result.YES;
+            }
+          }
+        }
+      }());
+    '';
+  };
+}