nixos/soteria: init module (#355924)

NixOS · Nov 15, 2024 · b90d2b4 · b90d2b4
2 parents dbf5ee0 + 3259761
commit b90d2b4
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 0 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -103,6 +103,8 @@
 
 - [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable).
 
+- [Soteria](https://github.com/ImVaskel/soteria), a polkit authentication agent to handle elevated prompts for any desktop environment. Normally this should only be used on DEs or WMs that do not provide a graphical polkit frontend on their own. Available as [`security.soteria`](#opt-security.soteria.enable).
+
 - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable).
 
 - [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable).

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -362,6 +362,7 @@
   ./security/polkit.nix
   ./security/rngd.nix
   ./security/rtkit.nix
+  ./security/soteria.nix
   ./security/sudo.nix
   ./security/sudo-rs.nix
   ./security/systemd-confinement.nix

diff --git a/nixos/modules/security/soteria.nix b/nixos/modules/security/soteria.nix
@@ -0,0 +1,50 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+
+let
+  cfg = config.security.soteria;
+in
+{
+  options.security.soteria = {
+    enable = lib.mkEnableOption null // {
+      description = ''
+        Whether to enable Soteria, a Polkit authentication agent
+        for any desktop environment.
+
+        ::: {.note}
+        You should only enable this if you are on a Desktop Environment that
+        does not provide a graphical polkit authentication agent, or you are on
+        a standalone window manager or Wayland compositor.
+        :::
+      '';
+    };
+    package = lib.mkPackageOption pkgs "soteria" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.polkit.enable = true;
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.user.services.polkit-soteria = {
+      description = "Soteria, Polkit authentication agent for any desktop environment";
+
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+
+      script = lib.getExe cfg.package;
+      serviceConfig = {
+        Type = "simple";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ johnrtitor ];
+}