diff options
Diffstat (limited to 'nixpkgs/nixos/modules/security/polkit.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/polkit.nix | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/security/polkit.nix b/nixpkgs/nixos/modules/security/polkit.nix new file mode 100644 index 000000000000..7f1de81d5b70 --- /dev/null +++ b/nixpkgs/nixos/modules/security/polkit.nix @@ -0,0 +1,105 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.security.polkit; + +in + +{ + + options = { + + security.polkit.enable = mkOption { + type = types.bool; + default = true; + description = "Whether to enable PolKit."; + }; + + security.polkit.extraConfig = mkOption { + type = types.lines; + default = ""; + example = + '' + /* Log authorization checks. */ + polkit.addRule(function(action, subject) { + polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); + }); + + /* Allow any local user to do anything (dangerous!). */ + polkit.addRule(function(action, subject) { + if (subject.local) return "yes"; + }); + ''; + description = + '' + Any polkit rules to be added to config (in JavaScript ;-). See: + http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules + ''; + }; + + security.polkit.adminIdentities = mkOption { + type = types.listOf types.str; + default = [ "unix-user:0" "unix-group:wheel" ]; + example = [ "unix-user:alice" "unix-group:admin" ]; + description = + '' + Specifies which users are considered “administrators”, for those + actions that require the user to authenticate as an + administrator (i.e. have an <literal>auth_admin</literal> + value). By default, this is the <literal>root</literal> + user and all users in the <literal>wheel</literal> group. + ''; + }; + + }; + + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ]; + + systemd.packages = [ pkgs.polkit.out ]; + + systemd.services.polkit.restartTriggers = [ config.system.path ]; + systemd.services.polkit.stopIfChanged = false; + + # The polkit daemon reads action/rule files + environment.pathsToLink = [ "/share/polkit-1" ]; + + # PolKit rules for NixOS. + environment.etc."polkit-1/rules.d/10-nixos.rules".text = + '' + polkit.addAdminRule(function(action, subject) { + return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}]; + }); + + ${cfg.extraConfig} + ''; #TODO: validation on compilation (at least against typos) + + services.dbus.packages = [ pkgs.polkit.out ]; + + security.pam.services.polkit-1 = {}; + + security.wrappers = { + pkexec.source = "${pkgs.polkit.bin}/bin/pkexec"; + "polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; + }; + + systemd.tmpfiles.rules = [ + # Probably no more needed, clean up + "R /var/lib/polkit-1" + "R /var/lib/PolicyKit" + ]; + + users.users.polkituser = { + description = "PolKit daemon"; + uid = config.ids.uids.polkituser; + }; + + }; + +} + |