nixpkgs/nixos/modules/security/polkit.nix
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00

112 lines
2.9 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.polkit;
in
{
options = {
security.polkit.enable = mkOption {
type = types.bool;
default = true;
description = "Whether to enable PolKit.";
};
security.polkit.extraConfig = mkOption {
type = types.lines;
default = "";
example =
''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
/* Allow any local user to do anything (dangerous!). */
polkit.addRule(function(action, subject) {
if (subject.local) return "yes";
});
'';
description =
''
Any polkit rules to be added to config (in JavaScript ;-). See:
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
'';
};
security.polkit.adminIdentities = mkOption {
type = types.listOf types.str;
default = [ "unix-user:0" "unix-group:wheel" ];
example = [ "unix-user:alice" "unix-group:admin" ];
description =
''
Specifies which users are considered administrators, for those
actions that require the user to authenticate as an
administrator (i.e. have an <literal>auth_admin</literal>
value). By default, this is the <literal>root</literal>
user and all users in the <literal>wheel</literal> group.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.polkit ];
systemd.packages = [ pkgs.polkit ];
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];
# PolKit rules for NixOS.
environment.etc."polkit-1/rules.d/10-nixos.rules".text =
''
polkit.addAdminRule(function(action, subject) {
return [${concatStringsSep ", " (map (i: "\"${i}\"") cfg.adminIdentities)}];
});
${cfg.extraConfig}
''; #TODO: validation on compilation (at least against typos)
services.dbus.packages = [ pkgs.polkit ];
security.pam.services.polkit-1 = {};
security.setuidPrograms = [ "pkexec" ];
security.setuidOwners = [
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
}
];
system.activationScripts.polkit =
''
# Probably no more needed, clean up
rm -rf /var/lib/{polkit-1,PolicyKit}
# Force polkitd to be restarted so that it reloads its
# configuration.
${pkgs.procps}/bin/pkill -INT -u root -x polkitd
'';
users.extraUsers.polkituser = {
description = "PolKit daemon";
uid = config.ids.uids.polkituser;
};
};
}