blob: f7ee4f0068dde17d3028b3fcc1d1e1aec4bfe9b4 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.polkit;
in
{
options = {
security.polkit.enable = mkEnableOption "polkit";
security.polkit.debug = mkEnableOption "debug logs from polkit. This is required in order to see log messages from rule definitions";
security.polkit.extraConfig = mkOption {
type = types.lines;
default = "";
example =
''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
// Make sure to set { security.polkit.debug = true; } in configuration.nix
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
/* Allow any local user to do anything (dangerous!). */
polkit.addRule(function(action, subject) {
if (subject.local) return "yes";
});
'';
description =
''
Any polkit rules to be added to config (in JavaScript ;-). See:
<https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules>
'';
};
security.polkit.adminIdentities = mkOption {
type = types.listOf types.str;
default = [ "unix-group:wheel" ];
example = [ "unix-user:alice" "unix-group:admin" ];
description =
''
Specifies which users are considered “administrators”, for those
actions that require the user to authenticate as an
administrator (i.e. have an `auth_admin`
value). By default, this is all users in the `wheel` group.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];
systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.serviceConfig.ExecStart = [
""
"${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
];
systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.stopIfChanged = false;
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];
# PolKit rules for NixOS.
environment.etc."polkit-1/rules.d/10-nixos.rules".text =
''
polkit.addAdminRule(function(action, subject) {
return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}];
});
${cfg.extraConfig}
''; #TODO: validation on compilation (at least against typos)
services.dbus.packages = [ pkgs.polkit.out ];
security.pam.services.polkit-1 = {};
security.wrappers = {
pkexec =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.bin}/bin/pkexec";
};
polkit-agent-helper-1 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
};
systemd.tmpfiles.rules = [
# Probably no more needed, clean up
"R /var/lib/polkit-1"
"R /var/lib/PolicyKit"
];
users.users.polkituser = {
description = "PolKit daemon";
uid = config.ids.uids.polkituser;
group = "polkituser";
};
users.groups.polkituser = {};
};
}
|