From 3e35210e4b26b5c18bb4f001d329c80355103f91 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 13 Jun 2024 01:30:18 +0000
Subject: [PATCH] systemd: allow `wheel` users to start/stop any service
---
 hosts/common/systemd.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hosts/common/systemd.nix b/hosts/common/systemd.nix
index 6fa981f1..8b7d6bf0 100644
--- a/hosts/common/systemd.nix
+++ b/hosts/common/systemd.nix
@@ -7,9 +7,12 @@ let
 haltTimeout = 10;
 in
 {
- # allow ordinary users to `reboot` or `shutdown`.
- # source:
 security.polkit.extraConfig = ''
+ /* allow ordinary users to:
+ * - reboot
+ * - shutdown
+ * source:
+ */
 polkit.addRule(function(action, subject) {
 if (
 subject.isInGroup("users")
@@ -24,6 +27,19 @@ in
 return polkit.Result.YES;
 }
 })
+
+ /* allow members of wheel to:
+ * - systemctl daemon-reload
+ * - systemctl stop|start|restart SERVICE
+ */
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel") && (
+ action.id == "org.freedesktop.systemd1.reload-daemon" ||
+ action.id == "org.freedesktop.systemd1.manage-units"
+ )) {
+ return polkit.Result.YES;
+ }
+ })
 '';
 services.journald.extraConfig = ''
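Review bot: The new wheel rule returns `polkit.Result.YES` for `org.freedesktop.systemd1.manage-units` with no restriction on unit or verb, which is broader than the "stop|start|restart SERVICE" its comment describes. As far as I know that action also authorizes killing units and creating transient units, so any process running as a wheel member gets root-equivalent control of the system manager with no password prompt. That includes remote or inactive sessions, since `subject.local` and `subject.active` are not checked. If the goal is convenience rather than removing authentication, `return polkit.Result.AUTH_SELF_KEEP;` keeps a prompt but caches it. Otherwise narrow the match by checking `action.lookup("unit")` and `action.lookup("verb")` against an explicit allowlist, and state the trust assumption about wheel in the comment.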