diff options
Diffstat (limited to 'nixos/modules/security/polkit.nix')
-rw-r--r-- | nixos/modules/security/polkit.nix | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix new file mode 100644 index 000000000000..cafa9f82d5e4 --- /dev/null +++ b/nixos/modules/security/polkit.nix @@ -0,0 +1,124 @@ +{ config, pkgs, ... }: + +with pkgs.lib; + +let + + cfg = config.security.polkit; + +in + +{ + + options = { + + security.polkit.enable = mkOption { + type = types.bool; + default = true; + description = "Whether to enable PolKit."; + }; + + security.polkit.permissions = mkOption { + type = types.lines; + default = ""; + example = + '' + [Disallow Users To Suspend] + Identity=unix-group:users + Action=org.freedesktop.upower.* + ResultAny=no + ResultInactive=no + ResultActive=no + + [Allow Anybody To Eject Disks] + Identity=unix-user:* + Action=org.freedesktop.udisks.drive-eject + ResultAny=yes + ResultInactive=yes + ResultActive=yes + + [Allow Alice To Mount Filesystems After Admin Authentication] + Identity=unix-user:alice + Action=org.freedesktop.udisks.filesystem-mount + ResultAny=auth_admin + ResultInactive=auth_admin + ResultActive=auth_admin + ''; + description = + '' + Allows the default permissions of privileged actions to be overridden. + ''; + }; + + security.polkit.adminIdentities = mkOption { + type = types.str; + default = "unix-user:0;unix-group:wheel"; + example = ""; + description = + '' + Specifies which users are considered “administrators”, for those + actions that require the user to authenticate as an + administrator (i.e. have an <literal>auth_admin</literal> + value). By default, this is the <literal>root</literal> + user and all users in the <literal>wheel</literal> group. + ''; + }; + + }; + + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.polkit ]; + + # The polkit daemon reads action files + environment.pathsToLink = [ "/share/polkit-1/actions" ]; + + environment.etc = + [ # No idea what the "null backend" is, but it seems to need this. + { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d"; + target = "polkit-1/nullbackend.conf.d"; + } + + # This file determines what users are considered + # "administrators". + { source = pkgs.writeText "10-nixos.conf" + '' + [Configuration] + AdminIdentities=${cfg.adminIdentities} + ''; + target = "polkit-1/localauthority.conf.d/10-nixos.conf"; + } + + { source = pkgs.writeText "org.nixos.pkla" cfg.permissions; + target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla"; + } + ]; + + services.dbus.packages = [ pkgs.polkit ]; + + security.pam.services.polkit-1 = {}; + + security.setuidPrograms = [ "pkexec" ]; + + security.setuidOwners = singleton + { program = "polkit-agent-helper-1"; + owner = "root"; + group = "root"; + setuid = true; + source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1"; + }; + + system.activationScripts.polkit = + '' + mkdir -p /var/lib/polkit-1/localauthority + chmod 700 /var/lib/polkit-1{/localauthority,} + + # Force polkitd to be restarted so that it reloads its + # configuration. + ${pkgs.procps}/bin/pkill -INT -u root -x polkitd + ''; + + }; + +} |