-rw-r--r--tv/3modules/default.nix1
-rw-r--r--tv/3modules/org.freedesktop.machine1.host-shell.nix28
2 files changed, 29 insertions, 0 deletions
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index 9f2f8e606..b6b4faa51 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -8,6 +8,7 @@
./hw.nix
./im.nix
./iptables.nix
+ ./org.freedesktop.machine1.host-shell.nix
./slock.nix
./x0vncserver.nix
./Xresources.nix
diff --git a/tv/3modules/org.freedesktop.machine1.host-shell.nix b/tv/3modules/org.freedesktop.machine1.host-shell.nix
new file mode 100644
index 000000000..e1a5323d6
--- /dev/null
+++ b/tv/3modules/org.freedesktop.machine1.host-shell.nix
@@ -0,0 +1,28 @@
+{ config, ... }: let lib = import ../../lib; in {
+ options.org.freedesktop.machine1.host-shell.access = lib.mkOption {
+ default = {};
+ type =
+ lib.types.addCheck
+ (lib.types.attrsOf (lib.types.attrsOf lib.types.bool))
+ (x:
+ lib.all
+ lib.types.username.check
+ (lib.concatLists
+ (lib.mapAttrsToList
+ (name: value: [name] ++ lib.attrNames value)
+ x)));
+ };
+ config.security.polkit.extraConfig = let
+ cfg = config.org.freedesktop.machine1.host-shell;
+ enable = cfg.access != {};
+ in lib.optionalString enable /* js */ ''
+ polkit.addRule(function () {
+ var access = ${lib.toJSON cfg.access};
+ return function(action, subject) {
+ if (action.id === "org.freedesktop.machine1.host-shell"
+ && (access[subject.user]||{})[action.lookup("user")])
+ return polkit.Result.YES;
+ }
+ }());
+ '';
+}
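Review bot: The lookup `(access[subject.user]||{})[action.lookup("user")]` in the rule body follows the prototype chain and accepts any truthy value, not only a configured `true`. For a caller that has any entry in `access`, a requested target name such as `constructor` resolves to an inherited function, so the rule would return `polkit.Result.YES` for a pair that was never configured, provided an account of that name exists on the host. Because YES grants the action without authentication, the check should be restricted to own properties whose value is exactly `true`, as in the excerpt below. The option also lacks a `description`; one sentence saying that `access.<caller>.<target> = true` lets `<caller>` open a host shell as `<target>` without authentication would make the trust decision explicit.

```nix
      var access = ${lib.toJSON cfg.access};
      var has = Object.prototype.hasOwnProperty;
      return function(action, subject) {
        var target = action.lookup("user");
        if (action.id === "org.freedesktop.machine1.host-shell"
            && has.call(access, subject.user)
            && has.call(access[subject.user], target)
            && access[subject.user][target] === true)
          // … unchanged: return polkit.Result.YES and the closing lines …
```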