nixos/openrazer: Add a users option

2021-07-22 16:04:57 +03:00 · 2021-07-22 16:04:57 +03:00 · 465c9269dd
commit 465c9269dd
parent 42c6771744
3 changed files with 18 additions and 6 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@ -656,8 +656,11 @@
          no longer need be granted the entire set of
          <literal>plugdev</literal> group permissions, which can
          include permissions other than those required by
-          <literal>openrazer</literal>. This can be desirable from a
-          security point of view.
+          <literal>openrazer</literal>. This is desirable from a
+          security point of view. The setting
+          <link xlink:href="options.html#opt-services.hardware.openrazer.users"><literal>harware.openrazer.users</literal></link>
+          can be used to add users to the <literal>openrazer</literal>
+          group.
        </para>
      </listitem>
    </itemizedlist>
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@ -164,7 +164,7 @@ pt-services.clipcat.enable).

 - `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.

- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This can be desirable from a security point of view.
+- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This is desirable from a security point of view. The setting [`harware.openrazer.users`](options.html#opt-services.hardware.openrazer.users) can be used to add users to the `openrazer` group.

 ## Other Notable Changes {#sec-release-21.11-notable-changes}

--- a/nixos/modules/hardware/openrazer.nix
+++ b/nixos/modules/hardware/openrazer.nix
@ -51,8 +51,6 @@ in
    hardware.openrazer = {
      enable = mkEnableOption ''
        OpenRazer drivers and userspace daemon.
-        Any users that wish to make use of the daemon need to be
-        members of the "openrazer" group.
      '';

      verboseLogging = mkOption {
@ -96,6 +94,15 @@ in
          generate a heatmap.
        '';
      };
+
+      users = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = ''
+          Usernames to be added to the "openrazer" group, so that they
+          can start and interact with the OpenRazer userspace daemon.
+        '';
+      };
    };
  };

@ -113,7 +120,9 @@ in
    # A user must be a member of the openrazer group in order to start
    # the openrazer-daemon. Therefore we make sure that the group
    # exists.
-    users.groups.openrazer = {};
+    users.groups.openrazer = {
+      members = cfg.users;
+    };

    systemd.user.services.openrazer-daemon = {
      description = "Daemon to manage razer devices in userspace";