flake-nixinator/system/modules/polkit/default.nix

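{
  config,
  nixosConfig,
  lib,
  mylib,
  pkgs,
  ...
}:
# Polkit module: enables polkit and, when `modules.polkit.enable` is set,
# installs one rule that lets a single user manage the systemd units listed in
# `cfg.allowed-system-services` (plus the always-allowed list below).
with lib;
with mylib.modules; let
  cfg = config.modules.polkit;
in {
  options.modules.polkit = import ./options.nix {inherit lib mylib;};
  config = mkIf cfg.enable {
    security.polkit.enable = true;
    # TODO: Don't hardcode subject.user == "christoph"
    security.polkit.extraConfig = let
      # Units that are manageable regardless of cfg.allowed-system-services.
      # These are unit names (not predicates); they are mapped to predicates
      # below together with the configured list.
      always-services = [];
      services = cfg.allowed-system-services ++ always-services;
      # Emit the unit name as a JSON string literal so that a name containing
      # a quote or backslash cannot break out of the generated JavaScript
      # string and alter the rule.
      mkServicePredicate = service: "action.lookup(\"unit\") == ${builtins.toJSON service}";
      # An empty service list must still produce a valid, always-false
      # expression: joining zero predicates would leave `&& ( )` in the rule,
      # a syntax error that would keep polkit from loading this rule file.
      predicates =
        if services == []
        then "false"
        else lib.concatStringsSep " ||\n" (builtins.map mkServicePredicate services);
    in ''
      polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.systemd1.manage-units" && subject.user == "christoph" && (
          ${predicates}
        )) {
          return polkit.Result.YES;
        }
      });
    '';
  };
}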