System: Rename system/modules to system/systemmodules

2026-01-18 15:34:46 +01:00
parent d12b247368
commit 25ae0f4b85
27 changed files with 0 additions and 0 deletions
--- a/system/systemmodules/polkit/default.nix
+++ b/system/systemmodules/polkit/default.nix
@ -0,0 +1,79 @@
+{
+  config,
+  lib,
+  mylib,
+  username,
+  ...
+}:
+with lib;
+with mylib.modules; let
+  cfg = config.modules.polkit;
+in {
+  options.modules.polkit = import ./options.nix {inherit lib mylib;};
+
+  config = mkIf cfg.enable {
+    security.polkit.enable = true;
+
+    # NOTE: Polkit stuff:
+    #       - subject.active: The subject is part of the currently active session
+    #       - subject.local: The subject is spawned from a local seat/session
+    #       - subject.user == ${username}: Only unlock stuff for the user defined by this config
+    security.polkit.extraConfig = let
+      # Services that should always get a rule
+      always-services = [];
+
+      mkServicePredicate = service: "action.lookup(\"unit\") == \"${service}\"";
+      servicePredicates =
+        (cfg.allowedSystemServices ++ always-services)
+        |> builtins.map mkServicePredicate
+        |> builtins.concatStringsSep " ||\n";
+
+      # Actions that should always be allowed
+      always-actions = [];
+
+      mkActionPredicate = action: "action.id == \"${action}\"";
+      actionPredicates =
+        (cfg.allowedActions ++ always-actions)
+        |> builtins.map mkActionPredicate
+        |> builtins.concatStringsSep " ||\n";
+    in
+      lib.concatStrings [
+        ''
+          // NixOS PolKit Rules Start
+        ''
+
+        # Only add this ruleset if (len servicePredicates) > 0
+        (lib.optionalString (builtins.lessThan 0 (builtins.length cfg.allowedSystemServices)) ''
+          polkit.addRule(function(action, subject) {
+            if (
+              action.id == "org.freedesktop.systemd1.manage-units" &&
+              subject.user == "${username}" &&
+              subject.local &&
+              subject.active &&
+              (${servicePredicates})
+            ) {
+              return polkit.Result.YES;
+            }
+          });
+        '')
+
+        # Only add this ruleset if (len actionPredicates) > 0
+        (lib.optionalString (builtins.lessThan 0 (builtins.length cfg.allowedActions)) ''
+          polkit.addRule(function(action, subject) {
+            if (
+              subject.user == "${username}" &&
+              subject.local &&
+              subject.active &&
+              (${actionPredicates})
+            ) {
+              return polkit.Result.YES;
+            }
+          });
+        '')
+
+        ''
+          // NixOS PolKit Rules End
+        ''
+      ];
+  };
+}
--- a/system/systemmodules/polkit/options.nix
+++ b/system/systemmodules/polkit/options.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  mylib,
+  ...
+}:
+with lib;
+with mylib.modules; {
+  enable = mkEnableOption "Polkit";
+
+  allowedActions = mkOption {
+    type = types.listOf types.str;
+    description = "Actions that should be manageable by a User without Root Password";
+    example = ''
+      [
+        "org.freedesktop.NetworkManager.settings.modify.system"
+      ]
+    '';
+    default = [];
+  };
+
+  allowedSystemServices = mkOption {
+    type = types.listOf types.str;
+    description = "System Services that should be manageable by a User without Root Password";
+    example = ''
+      [
+        "jellyfin"
+        "stablediffusion"
+      ]
+    '';
+    default = [];
+  };
+}