author | piegames <git@piegames.de> | 2022-03-05 14:48:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-05 14:48:35 +0100 |
commit | cd7e516b266b96519b378c1751cd105401755232 (patch) | |
tree | 13856bd38fb1a61bdb56a0d16a5a8b01b7b30d42 | |
parent | 36812feb85dc046a42d0818e0885767f267dc726 (diff) | |
parent | 8a95d9fede1dd191228af37b8a75d706b88fa481 (diff) | |
Merge pull request #156858: nixos/polkit: don't enable by default
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 8 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/programs/sway.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/polkit.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/desktops/flatpak.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/hardware/udisks2.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/wayland/cage.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/lightdm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/xserver.nix | 3 | ||||
-rw-r--r-- | nixos/tests/tinywl.nix | 1 |
11 files changed, 22 insertions, 8 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 2bcfc86b432..2d8279725ff 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1185,6 +1185,14 @@ <literal>tmux</literal>. </para> </listitem> + <listitem> + <para> + The polkit service, available at + <literal>security.polkit.enable</literal>, is now disabled by + default. It will automatically be enabled through services and + desktop environments as needed. + </para> + </listitem> </itemizedlist> </section> </section>
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 650ace8d9d2..51d7f009606 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -380,4 +380,6 @@ In addition to numerous new and upgraded packages, this release has the followin - `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`. +- The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. + <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix
index bb9904d1956..01b04728134 100644
--- a/nixos/modules/programs/sway.nix
+++ b/nixos/modules/programs/sway.nix
@@ -134,6 +134,7 @@ in { ''; }; }; + security.polkit.enable = true; security.pam.services.swaylock = {}; hardware.opengl.enable = mkDefault true; fonts.enableDefaultFonts = mkDefault true;
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index d9c58152f1f..1ba149745c6 100644
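Review bot: In nixos/modules/programs/sway.nix the new `security.polkit.enable = true;` is a plain assignment, while the two option lines that follow it in the same hunk use `mkDefault true`. A plain definition means a user who sets `security.polkit.enable = false` to keep the authorization daemon off gets a conflicting-definition error at evaluation and has to reach for `mkForce`. If sway only benefits from polkit rather than requiring it, `security.polkit.enable = mkDefault true;` would match the neighbouring lines and keep the opt-out; if it is a hard requirement, a one-line comment saying what breaks without it would make that explicit. The flatpak, udisks2, networkmanager and lightdm hunks use the same plain assignment. The enclosing config block starts and ends outside the hunk.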
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -12,11 +12,7 @@ in options = { - security.polkit.enable = mkOption { - type = types.bool; - default = true; - description = "Whether to enable PolKit."; - }; + security.polkit.enable = mkEnableOption "polkit"; security.polkit.extraConfig = mkOption { type = types.lines;
diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix
index 7da92cc9f26..5fecc64b4f7 100644
--- a/nixos/modules/services/desktops/flatpak.nix
+++ b/nixos/modules/services/desktops/flatpak.nix
@@ -30,6 +30,8 @@ in { environment.systemPackages = [ pkgs.flatpak ]; + security.polkit.enable = true; + services.dbus.packages = [ pkgs.flatpak ]; systemd.packages = [ pkgs.flatpak ];
diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix
index e898f326058..6be23f39754 100644
--- a/nixos/modules/services/hardware/udisks2.nix
+++ b/nixos/modules/services/hardware/udisks2.nix
@@ -32,6 +32,8 @@ with lib; environment.systemPackages = [ pkgs.udisks2 ]; + security.polkit.enable = true; + services.dbus.packages = [ pkgs.udisks2 ]; systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ];
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index a9801036b00..7a9d9e5428a 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -556,6 +556,7 @@ in { boot.kernelModules = [ "ctr" ]; + security.polkit.enable = true; security.polkit.extraConfig = polkitConf; services.dbus.packages = cfg.packages
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index d2bbc4fc057..a32b81a916f 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
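Review bot: With `security.polkit.enable = mkEnableOption "polkit";` in nixos/modules/security/polkit.nix the default becomes false, so a configuration that sets `security.polkit.extraConfig` (declared right below in this hunk) without enabling the service presumably has its rules dropped without any message; the module's config section is outside the hunk, so this is inferred. A warning placed outside the enable guard would surface that, for example `warnings = optional (!config.security.polkit.enable && config.security.polkit.extraConfig != "") "security.polkit.extraConfig is set but security.polkit.enable is false";`, with the emptiness test adjusted to the option's actual default. The xserver.nix hunk on this page also deletes the assertion that X11 needs polkit, so an X setup that does not go through one of the patched modules now evaluates cleanly and would only show a problem at runtime. The generated description is now just "Whether to enable polkit."; a sentence noting that dependent modules turn it on would tell administrators why it may be active although they never set it.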
@@ -81,6 +81,8 @@ in { }; }; + security.polkit.enable = true; + security.pam.services.cage.text = '' auth required pam_unix.so nullok account required pam_unix.so
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 84b75c83aea..27dfed3cc14 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -267,6 +267,8 @@ in # Enable the accounts daemon to find lightdm's dbus interface environment.systemPackages = [ lightdm ]; + security.polkit.enable = true; + security.pam.services.lightdm.text = '' auth substack login account include login
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index ec6d86d59bd..0c50d82b23b 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -620,9 +620,6 @@ in in optional (driver != null) ({ inherit name; modules = []; driverName = name; display = true; } // driver)); assertions = [ - { assertion = config.security.polkit.enable; - message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’)."; - } (let primaryHeads = filter (x: x.primary) cfg.xrandrHeads; in { assertion = length primaryHeads < 2; message = "Only one head is allowed to be primary in "
diff --git a/nixos/tests/tinywl.nix b/nixos/tests/tinywl.nix
index b286cab7794..8fb87b53330 100644
--- a/nixos/tests/tinywl.nix
+++ b/nixos/tests/tinywl.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: # Automatically login on tty1 as a normal user: imports = [ ./common/user-account.nix ]; services.getty.autologinUser = "alice"; + security.polkit.enable = true; environment = { systemPackages = with pkgs; [ tinywl foot wayland-utils ]; |
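Review bot: The cage.nix hunk adds `security.polkit.enable = true;` with no comment saying which part of the session talks to polkit, and the tinywl.nix test hunk has the same gap. cage is a kiosk compositor, so an operator auditing a locked-down single-application setup will want to know why an authorization daemon is pulled in and whether it can be switched off. I would add a short comment above the line in cage.nix naming the consumer, and one in the test saying what fails without the option, since users with similar minimal compositor configurations now have to set it themselves. Both enclosing blocks continue outside their hunks.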