authorTim Keller <tjk@tjkeller.xyz>2025-09-13 13:46:54 -0500
committerTim Keller <tjk@tjkeller.xyz>2025-09-13 13:46:54 -0500
commitc0cd145ef2b010caf0b2a12f9fa12b7b87fe9dfb (patch)
treeb65a7ff1492e4b7451f9473279963dab6cbac10c
parent28c35d1416991ff377a2cf458102abd65ce64d3f (diff)
polkit and polkit_gnome support
-rw-r--r--archetypes/collections/desktop/utilities.nix1
-rw-r--r--archetypes/profiles/desktop/default.nix5
-rw-r--r--nixos/default.nix1
-rw-r--r--nixos/doas.nix6
-rw-r--r--nixos/polkit.nix42
5 files changed, 52 insertions, 3 deletions
diff --git a/archetypes/collections/desktop/utilities.nix b/archetypes/collections/desktop/utilities.nix
index 43d4973..51fed51 100644
--- a/archetypes/collections/desktop/utilities.nix
+++ b/archetypes/collections/desktop/utilities.nix
@@ -8,6 +8,7 @@ in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
arandr
+ dex # Execute .desktop files
dmenu
libnotify
lowbat
diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix
index dd2121e..188d205 100644
--- a/archetypes/profiles/desktop/default.nix
+++ b/archetypes/profiles/desktop/default.nix
@@ -19,6 +19,10 @@
security = {
_doas.enable = mkDesktop true;
+ _polkit = {
+ enable = mkDesktop true;
+ gnome.enable = mkDesktop true;
+ };
};
programs = {
@@ -77,6 +81,7 @@
services = {
_redshift.enable = true;
+ #polkit-gnome.enable = mkDesktop true; # Doesn't work on X
};
home._repos = {
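Review bot: The commented-out `#polkit-gnome.enable = mkDesktop true; # Doesn't work on X` under `services` adds a dead setting with no pointer to what is used in its place. The agent is now switched on through `security._polkit.gnome.enable` in the first hunk of this file, so either drop the line or make the comment say so, e.g. `# services polkit-gnome doesn't work on X; agent is enabled via security._polkit.gnome instead`. The `services` block continues outside the hunk.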
diff --git a/nixos/default.nix b/nixos/default.nix
index 4a027e0..5074c06 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -16,6 +16,7 @@
./net-iface-labels.nix
./nix.nix
./pipewire.nix
+ ./polkit.nix
./powerkeys.nix
./printing.nix
./secrets.nix
diff --git a/nixos/doas.nix b/nixos/doas.nix
index aeed170..e1fa994 100644
--- a/nixos/doas.nix
+++ b/nixos/doas.nix
@@ -9,9 +9,9 @@ in {
security.doas = {
enable = true;
wheelNeedsPassword = false;
- extraRules = [
- { keepEnv = true; }
- ];
+ extraRules = [{
+ keepEnv = true;
+ }];
};
};
}
diff --git a/nixos/polkit.nix b/nixos/polkit.nix
new file mode 100644
index 0000000..d2ed5dc
--- /dev/null
+++ b/nixos/polkit.nix
@@ -0,0 +1,42 @@
+{ lib, config, pkgs, ... }: let
+ cfg = config.security._polkit;
+
+ # This authentication agent will only autostart in a select few environments (e.g. GNOME, XFCE) by default.
+ # This derivation will allow the polkit_gnome agent to start in any environment so long as it is enabled.
+ polkit_gnome-autostart = pkgs.stdenv.mkDerivation {
+ name = "polkit_gnome-autostart";
+ priority = 5;
+
+ # Copy the autostart desktop entry and replace OnlyShowIn with NotShowIn to invert the selection.
+ # The default one will still select the same environments, but this new one will select the inverse,
+ # e.g. any environment that is not listed in the stock desktop entry.
+ buildCommand = ''
+ mkdir -p $out/etc/xdg/autostart
+ cp ${cfg.gnome.package}/etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop
+ substituteInPlace $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop \
+ --replace-fail 'OnlyShowIn=' 'NotShowIn='
+ '';
+ };
+in {
+ options.security._polkit = {
+ enable = lib.mkEnableOption "enables polkit";
+ gnome = {
+ enable = lib.mkEnableOption "enables polkit_gnome authentication agent";
+ package = lib.mkPackageOption pkgs "polkit_gnome" { };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.polkit.enable = lib.mkDefault true;
+
+ environment.systemPackages = lib.mkIf cfg.gnome.enable [ pkgs.polkit_gnome polkit_gnome-autostart ];
+
+ #security.polkit.extraConfig = ''
+ # polkit.addRule(function(action, subject) {
+ # if (subject.isInGroup("wheel")) {
+ # return polkit.Result.YES;
+ # }
+ # });
+ #'';
+ };
+}
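Review bot: The `environment.systemPackages` line installs `pkgs.polkit_gnome` while the autostart derivation copies its desktop entry from `cfg.gnome.package`, so overriding `security._polkit.gnome.package` leaves the two out of step: the de-agnostic entry comes from the override, the stock entry and binaries from the default package. Use the option value in both places: `environment.systemPackages = lib.mkIf cfg.gnome.enable [ cfg.gnome.package polkit_gnome-autostart ];`. The commented-out `security.polkit.extraConfig` rule would return `polkit.Result.YES` to every member of `wheel` for every action, bypassing the authentication agent this file sets up; if it stays as a reference, label it as such or narrow it by `action.id` so that uncommenting it does not silently grant blanket authorization. `priority = 5;` passed directly to `mkDerivation` is, as far as I can tell, not what sets the package priority (that is `meta.priority`), and the renamed `-de-agnostic.desktop` file avoids a path collision anyway.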