From 1996d32bef8a2d4454e680fb2d559d436e35b275 Mon Sep 17 00:00:00 2001 From: Tim Keller Date: Thu, 18 Jun 2026 21:40:11 -0500 Subject: polkit options fixed up and nopass by default --- archetypes/profiles/desktop/default.nix | 6 +++--- nixos/polkit.nix | 22 ++++++++++------------ users/timmy/default.nix | 5 ++++- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix index eb10c21..6b2348d 100644 --- a/archetypes/profiles/desktop/default.nix +++ b/archetypes/profiles/desktop/default.nix @@ -21,10 +21,10 @@ }; security = { - _polkit = { + polkit = { enable = mkDesktop true; - gnome.enable = mkDesktop true; - allowUserPowerControls = mkDesktop true; + _gnome.enable = mkDesktop true; + _allowUserPowerControls = mkDesktop true; }; }; diff --git a/nixos/polkit.nix b/nixos/polkit.nix index 875b50a..d78130a 100644 --- a/nixos/polkit.nix +++ b/nixos/polkit.nix @@ -1,5 +1,5 @@ { lib, config, pkgs, ... }: let - cfg = config.security._polkit; + cfg = config.security.polkit; # This authentication agent will only autostart in a select few environments (e.g. GNOME, XFCE) by default. # This derivation will allow the polkit_gnome agent to start in any environment so long as it is enabled. 
@@ -12,37 +12,35 @@ # e.g. any environment that is not listed in the stock desktop entry. buildCommand = '' mkdir -p $out/etc/xdg/autostart - cp ${cfg.gnome.package}/etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop + cp ${cfg._gnome.package}/etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop substituteInPlace $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop \ --replace-fail 'OnlyShowIn=' 'NotShowIn=' ''; }; in { - options.security._polkit = { - enable = lib.mkEnableOption "enables polkit"; - gnome = { + options.security.polkit = { + _gnome = { enable = lib.mkEnableOption "enables polkit_gnome authentication agent"; package = lib.mkPackageOption pkgs "polkit_gnome" { }; }; - allowUserPowerControls = lib.mkEnableOption "allow users to control the power state of the machine using poweroff/reboot commands"; - wheelNoPass = lib.mkEnableOption "allow users in wheel group to execute all commands without password"; + _allowUserPowerControls = lib.mkEnableOption "allow users to control the power state of the machine using poweroff/reboot commands"; + _wheelNoPass = lib.mkEnableOption "allow users in wheel group to execute all commands without password"; }; config = lib.mkIf cfg.enable { - security.polkit.enable = lib.mkDefault true; - - environment.systemPackages = lib.mkIf cfg.gnome.enable [ pkgs.polkit_gnome polkit_gnome-autostart ]; + # Gnome + environment.systemPackages = lib.mkIf cfg._gnome.enable [ cfg._gnome.package polkit_gnome-autostart ]; # Optional rules environment.etc = let pkRulesD = "polkit-1/rules.d"; in { "${pkRulesD}/10-reboot-poweroff-users.rules" = { - enable = cfg.allowUserPowerControls; + enable = cfg._allowUserPowerControls; source = ./resources/polkit-1/rules.d/10-reboot-poweroff-users.rules; }; "${pkRulesD}/0-wheel-no-pass.rules" = { - 
enable = cfg.wheelNoPass; + enable = cfg._wheelNoPass; source = ./resources/polkit-1/rules.d/0-wheel-no-pass.rules; }; }; diff --git a/users/timmy/default.nix b/users/timmy/default.nix index cb8eb7b..c38cbb7 100644 --- a/users/timmy/default.nix +++ b/users/timmy/default.nix @@ -55,7 +55,7 @@ in { ]; }; - # Enable sudo and doas + # Enable sudo, doas, polkit nopass security.sudo = { enable = true; wheelNeedsPassword = false; @@ -65,6 +65,9 @@ in { wheelNeedsPassword = false; extraRules = [{ keepEnv = true; }]; }; + security.polkit = { + _wheelNoPass = true; + }; # Configure automatic login with getty services.getty = lib.mkIf cfg.autologin.enable { -- cgit v1.2.3
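Review bot: `_wheelNoPass` still installs its rule as `0-wheel-no-pass.rules`, and polkit reads rules.d files in lexical order with the first rule that returns a result deciding, so that file runs before every other rule on the host — including the sibling `10-reboot-poweroff-users.rules` and anything a service ships — and none of them can narrow what a wheel member is granted once it is on; the option text should say so instead of "execute all commands", e.g. `_wheelNoPass = lib.mkEnableOption "grant wheel members every polkit action without authentication (the rule sorts before all other rules.d files and cannot be overridden by them)";`. The rule's body is not in this diff, so this assumes it returns polkit.Result.YES unconditionally for wheel. Separately, `cfg.enable` now resolves to upstream `security.polkit.enable`, which other NixOS modules may switch on by themselves, so `_wheelNoPass` and `_allowUserPowerControls` can presumably take effect on hosts the desktop profile never targeted; a one-line comment above `config = lib.mkIf cfg.enable {` noting that the gate is upstream's option now would make that explicit. The `config` attrset opened here closes outside the hunk.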
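Review bot: `security.polkit._wheelNoPass = true` only produces a rules file when `security.polkit.enable` is also true (its config in nixos/polkit.nix sits under `lib.mkIf cfg.enable`), and nothing in this user module sets that, so on a host without the desktop profile the line is a silent no-op, while on a desktop host it presumably removes the polkit prompt for every wheel member — stacked on `wheelNeedsPassword = false` for sudo and doas just above and the optional getty autologin just below, which together make any console session root without presenting a credential. Consider pinning the dependency with `assertions = [{ assertion = config.security.polkit._wheelNoPass -> config.security.polkit.enable; message = "security.polkit._wheelNoPass requires security.polkit.enable"; }];`, or at least a comment above the attrset, `# Only effective when security.polkit.enable is set (desktop profile); silently ignored otherwise.` The enclosing module attrset starts and ends outside the hunk.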