From c0cd145ef2b010caf0b2a12f9fa12b7b87fe9dfb Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Sat, 13 Sep 2025 13:46:54 -0500
Subject: polkit and polkit_gnome support
---
 archetypes/collections/desktop/utilities.nix | 1 +
 archetypes/profiles/desktop/default.nix | 5 ++++
 nixos/default.nix | 1 +
 nixos/doas.nix | 6 ++--
 nixos/polkit.nix | 42 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 nixos/polkit.nix
diff --git a/archetypes/collections/desktop/utilities.nix b/archetypes/collections/desktop/utilities.nix
index 43d4973..51fed51 100644
--- a/archetypes/collections/desktop/utilities.nix
+++ b/archetypes/collections/desktop/utilities.nix
@@ -8,6 +8,7 @@ in {
 config = lib.mkIf cfg.enable {
 environment.systemPackages = with pkgs; [
 arandr
+ dex # Execute .desktop files
 dmenu
 libnotify
 lowbat
diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix
index dd2121e..188d205 100644
--- a/archetypes/profiles/desktop/default.nix
+++ b/archetypes/profiles/desktop/default.nix
@@ -19,6 +19,10 @@
 security = {
 _doas.enable = mkDesktop true;
+ _polkit = {
+ enable = mkDesktop true;
+ gnome.enable = mkDesktop true;
+ };
 };
 programs = {
@@ -77,6 +81,7 @@
 services = {
 _redshift.enable = true;
+ #polkit-gnome.enable = mkDesktop true; # Doesn't work on X
 };
 home._repos = {
diff --git a/nixos/default.nix b/nixos/default.nix
index 4a027e0..5074c06 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -16,6 +16,7 @@
 ./net-iface-labels.nix
 ./nix.nix
 ./pipewire.nix
+ ./polkit.nix
 ./powerkeys.nix
 ./printing.nix
 ./secrets.nix
diff --git a/nixos/doas.nix b/nixos/doas.nix
index aeed170..e1fa994 100644
--- a/nixos/doas.nix
+++ b/nixos/doas.nix
@@ -9,9 +9,9 @@ in {
 security.doas = {
 enable = true;
 wheelNeedsPassword = false;
- extraRules = [
- { keepEnv = true; }
- ];
+ extraRules = [{
+ keepEnv = true;
+ }];
 };
 };
 }
diff --git a/nixos/polkit.nix b/nixos/polkit.nix
new file mode 100644
index 0000000..d2ed5dc
--- /dev/null
+++ b/nixos/polkit.nix
@@ -0,0 +1,42 @@
+{ lib, config, pkgs, ... }: let
+ cfg = config.security._polkit;
+
+ # This authentication agent will only autostart in a select few environments (e.g. GNOME, XFCE) by default.
+ # This derivation will allow the polkit_gnome agent to start in any environment so long as it is enabled.
+ polkit_gnome-autostart = pkgs.stdenv.mkDerivation {
+ name = "polkit_gnome-autostart";
+ priority = 5;
+
+ # Copy the autostart desktop entry and replace OnlyShowIn with NotShowIn to invert the selection.
+ # The default one will still select the same environments, but this new one will select the inverse,
+ # e.g. any environment that is not listed in the stock desktop entry.
+ buildCommand = ''
+ mkdir -p $out/etc/xdg/autostart
+ cp ${cfg.gnome.package}/etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop
+ substituteInPlace $out/etc/xdg/autostart/polkit-gnome-authentication-agent-1-de-agnostic.desktop \
+ --replace-fail 'OnlyShowIn=' 'NotShowIn='
+ '';
+ };
+in {
+ options.security._polkit = {
+ enable = lib.mkEnableOption "enables polkit";
+ gnome = {
+ enable = lib.mkEnableOption "enables polkit_gnome authentication agent";
+ package = lib.mkPackageOption pkgs "polkit_gnome" { };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.polkit.enable = lib.mkDefault true;
+
+ environment.systemPackages = lib.mkIf cfg.gnome.enable [ pkgs.polkit_gnome polkit_gnome-autostart ];
+
+ #security.polkit.extraConfig = ''
+ # polkit.addRule(function(action, subject) {
+ # if (subject.isInGroup("wheel")) {
+ # return polkit.Result.YES;
+ # }
+ # });
+ #'';
+ };
+}
--
cgit v1.2.3
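Review bot: `environment.systemPackages` installs `pkgs.polkit_gnome` while the autostart derivation copies its desktop entry from `cfg.gnome.package`, so overriding `security._polkit.gnome.package` would leave the profile referencing two different agent builds; the list should read `[ cfg.gnome.package polkit_gnome-autostart ]`. `priority = 5;` in the `mkDerivation` call is a plain derivation attribute rather than `meta.priority`, so it probably has no effect on profile collisions, and because the copied entry is written under a distinct file name it can likely be dropped. The commented-out `polkit.addRule` block would return `polkit.Result.YES` for every action requested by a `wheel` member, which removes the authentication prompt this agent exists to show. If that rule is ever enabled it should match on specific `action.id` values, and otherwise it is better deleted than kept as a ready-to-uncomment default.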