tv.systemd.services.*.operators: init

tv/3modules/default.nix

@@ -10,6 +10,7 @@
     ./iptables.nix
     ./lidControl.nix
     ./org.freedesktop.machine1.host-shell.nix
+    ./systemd.nix
     ./slock.nix
     ./x0vncserver.nix
     ./Xresources.nix

tv/3modules/systemd.nix

@@ -0,0 +1,46 @@
+with import ./lib;
+{ config, ... }: let
+  normalUsers = filterAttrs (_: getAttr "isNormalUser") config.users.users;
+in {
+  options = {
+    tv.systemd.services = mkOption {
+      type = types.attrsOf (types.submodule (self: {
+        options = {
+          operators = mkOption {
+            type = with types; listOf (enum (attrNames normalUsers));
+            default = [];
+          };
+        };
+      }));
+    };
+  };
+  config = {
+    security.polkit.extraConfig = let
+      access =
+        mapAttrs'
+          (name: cfg:
+            nameValuePair "${name}.service"
+                          (genAttrs cfg.operators (const true))
+          )
+          config.tv.systemd.services;
+    in optionalString (access != {}) /* js */ ''
+      polkit.addRule(function () {
+        const access = ${lib.toJSON access};
+        return function (action, subject) {
+          if (action.id === "org.freedesktop.systemd1.manage-units") {
+            const unit = action.lookup("unit");
+            if (
+              (access[unit]||{})[subject.user] ||
+              (
+                unit.includes("@") &&
+                (access[unit.replace(/@[^.]+/, "@")]||{})[subject.user]
+              )
+            ) {
+              return polkit.Result.YES;
+            }
+          }
+        }
+      }());
+    '';
+  };
+}