author | Bernardo Meurer <bernardo@meurer.org> | 2022-03-23 10:33:10 -0700 |
committer | GitHub <noreply@github.com> | 2022-03-23 10:33:10 -0700 |
commit | 25d1efa97e4a5c02769825ac47a371854cee73e0 (patch) | |
tree | 237fbaa38b25da63a284f90f301b5fbc46a3e1ad /nixos/modules | |
parent | 3bcfdb0e15c3a7f1959bd05b04fa8b292b010662 (diff) | |
parent | b1431381d0f43804dc340cd891679345a2fe7a3e (diff) | |
Merge pull request #165386 from zhaofengli/moonraker-2022-03-10
moonraker: unstable-2021-12-05 -> unstable-2022-03-10
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/misc/moonraker.nix | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/moonraker.nix b/nixos/modules/services/misc/moonraker.nix
index ae57aaa6d479..b75227effa04 100644
--- a/nixos/modules/services/misc/moonraker.nix
+++ b/nixos/modules/services/misc/moonraker.nix
@@ -79,6 +79,19 @@ in {
 for supported values.
 '';
 };
+
+ allowSystemControl = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow Moonraker to perform system-level operations.
+
+ Moonraker exposes APIs to perform system-level operations, such as
+ reboot, shutdown, and management of systemd units. See the
+ <link xlink:href="https://moonraker.readthedocs.io/en/latest/web_api/#machine-commands">documentation</link>
+ for details on what clients are able to do.
+ '';
+ };
 };
 };
 
@@ -86,6 +99,13 @@ in {
 warnings = optional (cfg.settings ? update_manager)
 ''Enabling update_manager is not supported on NixOS and will lead to non-removable warnings in some clients.'';
 
+ assertions = [
+ {
+ assertion = cfg.allowSystemControl -> config.security.polkit.enable;
+ message = "services.moonraker.allowSystemControl requires polkit to be enabled (security.polkit.enable).";
+ }
+ ];
+
 users.users = optionalAttrs (cfg.user == "moonraker") {
 moonraker = {
 group = cfg.group;
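Review bot: The description of the new `allowSystemControl` option says what Moonraker's API can do but not what enabling the option changes on the host; the polkit rule added later in this commit grants the service user `org.freedesktop.systemd1.manage-units` for every unit, the login1 power-off/reboot actions and every `org.freedesktop.packagekit.*` action without further authentication. Any client that can reach the Moonraker API inherits that reach, so the option text is where an operator would expect to learn it. I would add a sentence such as `Enabling this installs a polkit rule that lets the Moonraker service user start, stop and restart any systemd unit, power off or reboot the host and use PackageKit without further authentication; keep it disabled unless the Moonraker API is reachable only by trusted clients.` The assertion in the second hunk (polkit must be enabled) is correct as written and needs no change.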
@@ -128,11 +148,31 @@ in {
 exec ${pkg}/bin/moonraker -c ${cfg.configDir}/moonraker-temp.cfg
 '';
 
+ # Needs `ip` command
+ path = [ pkgs.iproute2 ];
+
 serviceConfig = {
 WorkingDirectory = cfg.stateDir;
 Group = cfg.group;
 User = cfg.user;
 };
 };
+
+ security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl ''
+ // nixos/moonraker: Allow Moonraker to perform system-level operations
+ //
+ // This was enabled via services.moonraker.allowSystemControl.
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.freedesktop.systemd1.manage-units" ||
+ action.id == "org.freedesktop.login1.power-off" ||
+ action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.reboot" ||
+ action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+ action.id.startsWith("org.freedesktop.packagekit.")) &&
+ subject.user == "${cfg.user}") {
+ return polkit.Result.YES;
+ }
+ });
+ '';
 };
 }
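Review bot: The polkit rule in the new `security.polkit.extraConfig` block grants `org.freedesktop.systemd1.manage-units` to the Moonraker user for every unit on the host, which is far broader than the restart-Klipper/Moonraker use the option description alludes to, and the `org.freedesktop.packagekit.` prefix match likewise authorizes package installation and removal, not just update checks. systemd passes the unit name as an action detail, so the unit grant can be narrowed with `action.lookup("unit")` against an allow-list; the fence below does that for the manage-units branch via a constructed `allowedUnits` option and leaves the login1 actions as they are. `cfg.user` is also interpolated into JavaScript source unescaped — it is an administrator-chosen value, so the risk is low, but a `"` in it would break the whole rule file rather than fail closed, and the `builtins.toJSON` form used in the fence avoids that for the list. As a point of style, polkit's JavaScript supports strict comparison, so `action.id === ...` and `subject.user === ...` read more clearly than `==`.
```nix
  security.polkit.extraConfig = lib.optionalString cfg.allowSystemControl ''
    // … unchanged: header comment …
    polkit.addRule(function(action, subject) {
      if (subject.user !== "${cfg.user}") {
        return polkit.Result.NOT_HANDLED;
      }
      // constructed example: services.moonraker.allowedUnits would hold the unit names Moonraker may manage
      var allowedUnits = ${builtins.toJSON cfg.allowedUnits};
      if (action.id === "org.freedesktop.systemd1.manage-units" &&
          allowedUnits.indexOf(action.lookup("unit")) !== -1) {
        return polkit.Result.YES;
      }
      // … unchanged: login1 power-off / reboot actions …
    });
  '';
```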