systemd: allow wheel users to start/stop any service

2024-06-13 01:30:18 +00:00 · 2024-06-13 01:30:18 +00:00 · 3e35210e4b
commit 3e35210e4b
parent 04f4d330a8
1 changed files with 18 additions and 2 deletions
--- a/hosts/common/systemd.nix
+++ b/hosts/common/systemd.nix
@ -7,9 +7,12 @@ let
  haltTimeout = 10;
 in
 {
-  # allow ordinary users to `reboot` or `shutdown`.
-  # source: <https://nixos.wiki/wiki/Polkit>
  security.polkit.extraConfig = ''
+    /* allow ordinary users to:
+     * - reboot
+     * - shutdown
+     * source: <https://nixos.wiki/wiki/Polkit>
+     */
    polkit.addRule(function(action, subject) {
      if (
        subject.isInGroup("users")
@ -24,6 +27,19 @@ in
        return polkit.Result.YES;
      }
    })
+
+    /* allow members of wheel to:
+     * - systemctl daemon-reload
+     * - systemctl stop|start|restart SERVICE
+     */
+    polkit.addRule(function(action, subject) {
+      if (subject.isInGroup("wheel") && (
+        action.id == "org.freedesktop.systemd1.reload-daemon" ||
+        action.id == "org.freedesktop.systemd1.manage-units"
+      )) {
+        return polkit.Result.YES;
+      }
+    })
  '';

  services.journald.extraConfig = ''