author | Zhaofeng Li <hello@zhaofeng.li> | 2022-03-22 15:35:38 -0700 |
committer | Zhaofeng Li <hello@zhaofeng.li> | 2022-03-22 15:35:38 -0700 |
commit | 0527ccaca79691e9f8782ec049597e5a7004ae49 (patch) | |
tree | 107f0263aedb3a902704f61db25369ec277f76d7 /nixos/modules | |
parent | 787aaea68e25e64e61e76bb75a8075be8919afbe (diff) | |
nixos/moonraker: Grant polkit permissions for system-level operations
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/misc/moonraker.nix | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix index 195aedb5f861..b75227effa04 100644 --- a/nixos/modules/services/misc/moonraker.nix +++ b/nixos/modules/services/misc/moonraker.nix @@ -79,6 +79,19 @@ in { for supported values. ''; }; + + allowSystemControl = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow Moonraker to perform system-level operations. + + Moonraker exposes APIs to perform system-level operations, such as + reboot, shutdown, and management of systemd units. See the + <link xlink:href="https://moonraker.readthedocs.io/en/latest/web_api/#machine-commands">documentation</link> + for details on what clients are able to do. + ''; + }; }; }; @@ -86,6 +99,13 @@ in { warnings = optional (cfg.settings ? update_manager) ''Enabling update_manager is not supported on NixOS and will lead to non-removable warnings in some clients.''; + assertions = [ + { + assertion = cfg.allowSystemControl -> config.security.polkit.enable; + message = "services.moonraker.allowSystemControl requires polkit to be enabled (security.polkit.enable)."; + } + ]; + users.users = optionalAttrs (cfg.user == "moonraker") { moonraker = { group = cfg.group; 
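Review bot: The description added for `allowSystemControl` in the first hunk points at the upstream API docs but never states the trust consequence for the administrator reading it: the polkit rule this commit installs keys only on the service user, so every client that can reach Moonraker's HTTP/websocket API inherits reboot, shutdown and systemd unit control on the host. I would add a sentence after the existing paragraph along the lines of `Enabling this gives every client that can reach the Moonraker API the ability to reboot or shut down the host and to start, stop and restart systemd units as a whole, not only Klipper-related ones; enable it only if API access is restricted to trusted clients.` The `mkOption` block is complete within the hunk; the enclosing `options` attrset starts outside it.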
@@ -137,5 +157,22 @@ in {
 User = cfg.user;
 };
 };
+
+ security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl ''
+ // nixos/moonraker: Allow Moonraker to perform system-level operations
+ //
+ // This was enabled via services.moonraker.allowSystemControl.
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.freedesktop.systemd1.manage-units" ||
+ action.id == "org.freedesktop.login1.power-off" ||
+ action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.reboot" ||
+ action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+ action.id.startsWith("org.freedesktop.packagekit.")) &&
+ subject.user == "${cfg.user}") {
+ return polkit.Result.YES;
+ }
+ });
+ '';
 };
 } |
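Review bot: The `org.freedesktop.systemd1.manage-units` grant in the new polkit rule is not scoped to any unit, so the `${cfg.user}` account (and therefore anyone driving Moonraker's API) can start, stop and restart every unit on the host, including sshd or the firewall, which is far broader than the Klipper-side services Moonraker is meant to control. systemd passes the target unit name to polkit as the `unit` detail (and the operation as `verb`), so the first disjunct can be narrowed without touching the rest, e.g. `action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "klipper.service" ||`, with the allowed set ideally exposed as a module option rather than hard-coded. The `action.id.startsWith("org.freedesktop.packagekit.")` prefix likewise grants every PackageKit action, including package install and removal, should PackageKit ever be enabled on the host; listing the specific actions Moonraker needs would be safer. As a smaller robustness point, `"${cfg.user}"` is spliced into the JavaScript unescaped; `${builtins.toJSON cfg.user}` yields a correctly quoted literal for any value the option accepts. The enclosing `config = mkIf cfg.enable { ... }` attrset starts outside this hunk; only its closing lines are visible here.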