authorTim Keller <tjk@tjkeller.xyz>2025-09-16 23:20:04 -0500
committerTim Keller <tjk@tjkeller.xyz>2025-09-16 23:20:04 -0500
commite1b6de4b027f3eaeb9addcf65bb8af6e13463524 (patch)
treeb149ae277370af4b5f59857e71f8f9a5ca0b093d
parentb65bdee6c95ae9a17f932775b41662aa5e65e9b6 (diff)
polkit rules for reboot and wheel nopass
-rw-r--r--archetypes/profiles/desktop/default.nix1
-rw-r--r--nixos/polkit.nix22
-rw-r--r--nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules5
-rw-r--r--nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules13
4 files changed, 34 insertions, 7 deletions
diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix
index 8156953..0e68b84 100644
--- a/archetypes/profiles/desktop/default.nix
+++ b/archetypes/profiles/desktop/default.nix
@@ -22,6 +22,7 @@
_polkit = {
enable = mkDesktop true;
gnome.enable = mkDesktop true;
+ allowUserPowerControls = mkDesktop true;
};
};
diff --git a/nixos/polkit.nix b/nixos/polkit.nix
index d2ed5dc..875b50a 100644
--- a/nixos/polkit.nix
+++ b/nixos/polkit.nix
@@ -24,6 +24,8 @@ in {
enable = lib.mkEnableOption "enables polkit_gnome authentication agent";
package = lib.mkPackageOption pkgs "polkit_gnome" { };
};
+ allowUserPowerControls = lib.mkEnableOption "allow users to control the power state of the machine using poweroff/reboot commands";
+ wheelNoPass = lib.mkEnableOption "allow users in wheel group to execute all commands without password";
};
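Review bot: The description of `wheelNoPass` on the second added line says "execute all commands without password", which reads like a sudo rule, but the option installs a polkit rule, so it governs polkit-mediated actions (mounting, power management, systemd unit control, etc.), not shell commands. Since this is the text users see in the generated option documentation, it should state the actual scope and that no authentication prompt will be shown at all: `wheelNoPass = lib.mkEnableOption "allow users in the wheel group to perform any polkit action without authentication";`. It may also be worth stating in the description that this is intentionally off by default and not enabled by the desktop profile, which the first hunk of this commit only does for `allowUserPowerControls`.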
config = lib.mkIf cfg.enable {
@@ -31,12 +33,18 @@ in {
environment.systemPackages = lib.mkIf cfg.gnome.enable [ pkgs.polkit_gnome polkit_gnome-autostart ];
- #security.polkit.extraConfig = ''
- # polkit.addRule(function(action, subject) {
- # if (subject.isInGroup("wheel")) {
- # return polkit.Result.YES;
- # }
- # });
- #'';
+ # Optional rules
+ environment.etc = let
+ pkRulesD = "polkit-1/rules.d";
+ in {
+ "${pkRulesD}/10-reboot-poweroff-users.rules" = {
+ enable = cfg.allowUserPowerControls;
+ source = ./resources/polkit-1/rules.d/10-reboot-poweroff-users.rules;
+ };
+ "${pkRulesD}/0-wheel-no-pass.rules" = {
+ enable = cfg.wheelNoPass;
+ source = ./resources/polkit-1/rules.d/0-wheel-no-pass.rules;
+ };
+ };
};
}
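Review bot: The `# Optional rules` comment above the `environment.etc` block does not explain why the two files carry the `0-` and `10-` prefixes, and that ordering is load-bearing: polkit evaluates `rules.d` files in lexical order and stops at the first rule function that returns a result, so `0-wheel-no-pass.rules` is deliberately placed ahead of every other rule file. A comment such as `# Rules are evaluated in lexical filename order and the first rule that returns a result wins; the numeric prefixes fix that order.` would keep a later maintainer from renaming the files or adding a `5-...` file without realising the effect. The previous commented-out `extraConfig` block is replaced by files placed directly under `/etc/polkit-1/rules.d`; I have not confirmed from this hunk whether the NixOS polkit module populates that directory in a way that coexists with these entries, so that is worth a one-line comment or a quick check on a rebuilt system.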
diff --git a/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules b/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules
new file mode 100644
index 0000000..93abf0d
--- /dev/null
+++ b/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules
@@ -0,0 +1,5 @@
+polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ return polkit.Result.YES;
+ }
+});
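Review bot: The rule returns `polkit.Result.YES` for every action without looking at `action.id`, and it also does not check `subject.local` or `subject.active`, so a wheel member reaching the machine through a remote or inactive session (for example over SSH) is granted every polkit action with no prompt. Even for an opt-in "no password" rule it is reasonable to limit it to the console: `if (subject.isInGroup("wheel") && subject.local && subject.active) {`. Because the file sorts before all other rules files, this rule pre-empts any later rule that would have required authentication for a specific action, so a one-line header comment stating that it grants all actions unconditionally to wheel would help whoever audits the resulting `/etc/polkit-1/rules.d` later.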
diff --git a/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules b/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules
new file mode 100644
index 0000000..6b1cffb
--- /dev/null
+++ b/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules
@@ -0,0 +1,13 @@
+polkit.addRule(function (action, subject) {
+ if (
+ subject.isInGroup("users") &&
+ [
+ "org.freedesktop.login1.reboot",
+ "org.freedesktop.login1.reboot-multiple-sessions",
+ "org.freedesktop.login1.power-off",
+ "org.freedesktop.login1.power-off-multiple-sessions",
+ ].indexOf(action.id) !== -1
+ ) {
+ return polkit.Result.YES;
+ }
+});
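Review bot: The condition checks only `subject.isInGroup("users")` and the action id, so any account in the `users` group can reboot or power off from a non-local or inactive session, and the two `*-multiple-sessions` ids additionally allow doing so while other users are logged in. Restricting the grant to the physically present, active session is the usual shape for this rule: `subject.isInGroup("users") && subject.local && subject.active &&` in place of the first operand, leaving the action list as is. The `indexOf(action.id) !== -1` form is fine here rather than `includes`, since the polkit rules interpreter is not guaranteed to support ES2016 array methods; a short comment saying so would stop a future cleanup from "modernising" it.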