authormakefu <github@syntax-fehler.de>2023-01-30 23:43:04 +0100
committermakefu <github@syntax-fehler.de>2023-01-30 23:43:04 +0100
commit369fa6b7eb3f0fa3e1034bcad438eeda017949f8 (patch)
tree22f7891595fba32a7e66b755617e0d49b91993f3 /tv/3modules/systemd.nix
parentdbc3870841223051e4f617b4c06065c168c69c10 (diff)
parentc7417c8bc1b50d466dae493ac3619d9f324f34f8 (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'tv/3modules/systemd.nix')
-rw-r--r--tv/3modules/systemd.nix47
1 files changed, 47 insertions, 0 deletions
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
new file mode 100644
index 00000000..db8a5199
--- /dev/null
+++ b/tv/3modules/systemd.nix
@@ -0,0 +1,47 @@
+with import ./lib;
+{ config, ... }: let
+ normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+ options = {
+ tv.systemd.services = mkOption {
+ type = types.attrsOf (types.submodule (self: {
+ options = {
+ operators = mkOption {
+ type = with types; listOf (enum (attrNames normalUsers));
+ default = [];
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+ config = {
+ security.polkit.extraConfig = let
+ access =
+ mapAttrs'
+ (name: cfg:
+ nameValuePair "${name}.service"
+ (genAttrs cfg.operators (const true))
+ )
+ config.tv.systemd.services;
+ in optionalString (access != {}) /* js */ ''
+ polkit.addRule(function () {
+ const access = ${lib.toJSON access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.systemd1.manage-units") {
+ const unit = action.lookup("unit");
+ if (
+ (access[unit]||{})[subject.user] ||
+ (
+ unit.includes("@") &&
+ (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ }
+ }
+ }());
+ '';
+ };
+}
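Review bot: The lookups `(access[unit]||{})[subject.user]` in the embedded polkit rule go through plain objects, so keys inherited from `Object.prototype` count as grants: for a unit that is not configured at all, the fallback `{}` still yields a truthy value when `subject.user` is an account name such as `constructor` or `toString`, and the rule then returns `polkit.Result.YES`. Test own properties and the stored `true` instead, e.g. `const allowed = (u) => Object.prototype.hasOwnProperty.call(access, u) && access[u][subject.user] === true;`, and make the condition `allowed(unit) || (unit.includes("@") && allowed(unit.replace(/@[^.]+/, "@")))`. `action.lookup("unit")` is also used unchecked, so `unit.includes` would throw if the detail were ever absent; a `typeof unit === "string"` guard makes that path an explicit fall-through. The rule never reads the `verb` detail, so an operator gets every manage-units operation on the unit and, through the `@` fallback, on all instances of a template; if that is intended, a `description` on the `operators` option should say so.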