From 5eb821ab1bea5efd2f845115b3dbc31f4f475ca9 Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 18 Jan 2023 17:13:30 +0100
Subject: tv.systemd.services.*.operators: init
---
 tv/3modules/systemd.nix | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 tv/3modules/systemd.nix
(limited to 'tv/3modules/systemd.nix')
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
new file mode 100644
index 00000000..bbbab063
--- /dev/null
+++ b/tv/3modules/systemd.nix
@@ -0,0 +1,46 @@
+with import ./lib;
+{ config, ... }: let
+ normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+ options = {
+ tv.systemd.services = mkOption {
+ type = types.attrsOf (types.submodule (self: {
+ options = {
+ operators = mkOption {
+ type = with types; listOf (enum (attrNames normalUsers));
+ default = [];
+ };
+ };
+ }));
+ };
+ };
+ config = {
+ security.polkit.extraConfig = let
+ access =
+ mapAttrs'
+ (name: cfg:
+ nameValuePair "${name}.service"
+ (genAttrs cfg.operators (const true))
+ )
+ config.tv.systemd.services;
+ in optionalString (access != {}) /* js */ ''
+ polkit.addRule(function () {
+ const access = ${lib.toJSON access};
+ return function (action, subject) {
+ if (action.id === "org.freedesktop.systemd1.manage-units") {
+ const unit = action.lookup("unit");
+ if (
+ (access[unit]||{})[subject.user] ||
+ (
+ unit.includes("@") &&
+ (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+ )
+ ) {
+ return polkit.Result.YES;
+ }
+ }
+ }
+ }());
+ '';
+ };
+}
--
cgit v1.2.3
From 9a7e3bf96250d9f9090d4eebac18240f54167a84 Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 18 Jan 2023 20:23:18 +0100
Subject: tv.systemd.services: add default value
---
 tv/3modules/systemd.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'tv/3modules/systemd.nix')
diff --git a/tv/3modules/systemd.nix b/tv/3modules/systemd.nix
index bbbab063..db8a5199 100644
--- a/tv/3modules/systemd.nix
+++ b/tv/3modules/systemd.nix
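Review bot: The two `(access[...]||{})[subject.user]` lookups in the embedded polkit rule walk the prototype chain, so a `subject.user` that happens to equal an `Object.prototype` member name (`constructor`, `toString`, `hasOwnProperty`, …) yields a truthy inherited value and `polkit.Result.YES` for every unit that has at least one operator; both lookups should be own-property tests via `Object.prototype.hasOwnProperty.call`. If `action.lookup("unit")` ever returns undefined for this action id, `unit.includes("@")` throws inside the rule, so a `typeof unit !== "string"` guard before the checks keeps the rule fail-closed instead of erroring out. Also, `unit.replace(/@[^.]+/, "@")` stops at the first dot, so an instance name containing a `.` (say `foo@a.b.service`) never matches its `foo@` entry — safe, but probably surprising for operators of such templates. Finally, an operator is granted every `manage-units` verb (start, stop, kill, …); if that is broader than intended, `action.lookup("verb")` is the detail to narrow on. Rewritten inner function below; the surrounding Nix, the `polkit.addRule` wrapper and the `const access` line are unchanged.
```nix
      // … unchanged: polkit.addRule wrapper and the `const access` line …
      return function (action, subject) {
        if (action.id !== "org.freedesktop.systemd1.manage-units") {
          return;
        }
        const unit = action.lookup("unit");
        // Fail closed when the detail is missing instead of throwing on undefined.
        if (typeof unit !== "string") {
          return;
        }
        // Own-property lookups only: a unit or user named like an
        // Object.prototype member must not resolve to an inherited value.
        const has = function (obj, key) {
          return Object.prototype.hasOwnProperty.call(obj, key);
        };
        const permits = function (key) {
          return has(access, key) && has(access[key], subject.user);
        };
        if (
          permits(unit) ||
          (unit.includes("@") && permits(unit.replace(/@[^.]+/, "@")))
        ) {
          return polkit.Result.YES;
        }
      }
      // … unchanged: closing of the addRule call and the Nix string …
```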
@@ -12,6 +12,7 @@ in {
 };
 };
 }));
+ default = {};
 };
 };
 config = {
--
cgit v1.2.3