authorpiegames <git@piegames.de>2022-03-05 14:48:35 +0100
committerGitHub <noreply@github.com>2022-03-05 14:48:35 +0100
commitcd7e516b266b96519b378c1751cd105401755232 (patch)
tree13856bd38fb1a61bdb56a0d16a5a8b01b7b30d42
parent36812feb85dc046a42d0818e0885767f267dc726 (diff)
parent8a95d9fede1dd191228af37b8a75d706b88fa481 (diff)
Merge pull request #156858: nixos/polkit: don't enable by default
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml8
-rw-r--r--nixos/doc/manual/release-notes/rl-2205.section.md2
-rw-r--r--nixos/modules/programs/sway.nix1
-rw-r--r--nixos/modules/security/polkit.nix6
-rw-r--r--nixos/modules/services/desktops/flatpak.nix2
-rw-r--r--nixos/modules/services/hardware/udisks2.nix2
-rw-r--r--nixos/modules/services/networking/networkmanager.nix1
-rw-r--r--nixos/modules/services/wayland/cage.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix2
-rw-r--r--nixos/modules/services/x11/xserver.nix3
-rw-r--r--nixos/tests/tinywl.nix1
11 files changed, 22 insertions, 8 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 2bcfc86b432..2d8279725ff 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1185,6 +1185,14 @@
           <literal>tmux</literal>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The polkit service, available at
+          <literal>security.polkit.enable</literal>, is now disabled by
+          default. It will automatically be enabled through services and
+          desktop environments as needed.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 650ace8d9d2..51d7f009606 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -380,4 +380,6 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`.
 
+- The polkit service, available at `security.polkit.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/programs/sway.nix b/nixos/modules/programs/sway.nix
index bb9904d1956..01b04728134 100644
--- a/nixos/modules/programs/sway.nix
+++ b/nixos/modules/programs/sway.nix
@@ -134,6 +134,7 @@ in {
         '';
       };
     };
+    security.polkit.enable = true;
     security.pam.services.swaylock = {};
     hardware.opengl.enable = mkDefault true;
     fonts.enableDefaultFonts = mkDefault true;
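Review bot: The added `security.polkit.enable = true;` in the sway hunk is a plain-priority definition, while the neighbouring lines set `hardware.opengl.enable` and `fonts.enableDefaultFonts` with `mkDefault true`. With a plain `true`, a hardened configuration that sets `security.polkit.enable = false` should hit a conflicting-definitions error at evaluation and has to use `lib.mkForce` to opt out. If sway only benefits from polkit rather than requiring it, `security.polkit.enable = mkDefault true;` would match the surrounding style; if it is a hard requirement, a one-line comment such as `# <reason sway needs polkit>` would help anyone auditing why the daemon is active on a host. The same applies to the flatpak, udisks2, cage and lightdm hunks; in all of them the enclosing config block continues outside the hunk.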
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index d9c58152f1f..1ba149745c6 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -12,11 +12,7 @@ in
 
   options = {
 
-    security.polkit.enable = mkOption {
-      type = types.bool;
-      default = true;
-      description = "Whether to enable PolKit.";
-    };
+    security.polkit.enable = mkEnableOption "polkit";
 
     security.polkit.extraConfig = mkOption {
       type = types.lines;
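Review bot: Replacing the explicit option with `mkEnableOption "polkit"` flips the default to false with no compatibility gate. A configuration that relied on the old default and uses none of the six modules patched in this commit therefore loses polkit on upgrade without any evaluation-time signal, since the X11 assertion is removed in the same commit. The tinywl test needing an explicit enable suggests that hand-started compositors may be one such case. The generated description is also reduced to "Whether to enable polkit."; I would keep a `mkOption` with `default = false` and a description saying that modules which need polkit enable it themselves and that other setups must set it explicitly. The options block continues outside the hunk.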
diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix
index 7da92cc9f26..5fecc64b4f7 100644
--- a/nixos/modules/services/desktops/flatpak.nix
+++ b/nixos/modules/services/desktops/flatpak.nix
@@ -30,6 +30,8 @@ in {
 
     environment.systemPackages = [ pkgs.flatpak ];
 
+    security.polkit.enable = true;
+
     services.dbus.packages = [ pkgs.flatpak ];
 
     systemd.packages = [ pkgs.flatpak ];
diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix
index e898f326058..6be23f39754 100644
--- a/nixos/modules/services/hardware/udisks2.nix
+++ b/nixos/modules/services/hardware/udisks2.nix
@@ -32,6 +32,8 @@ with lib;
 
     environment.systemPackages = [ pkgs.udisks2 ];
 
+    security.polkit.enable = true;
+
     services.dbus.packages = [ pkgs.udisks2 ];
 
     systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ];
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index a9801036b00..7a9d9e5428a 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -556,6 +556,7 @@ in {
 
     boot.kernelModules = [ "ctr" ];
 
+    security.polkit.enable = true;
     security.polkit.extraConfig = polkitConf;
 
     services.dbus.packages = cfg.packages
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index d2bbc4fc057..a32b81a916f 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -81,6 +81,8 @@ in {
       };
     };
 
+    security.polkit.enable = true;
+
     security.pam.services.cage.text = ''
       auth    required pam_unix.so nullok
       account required pam_unix.so
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 84b75c83aea..27dfed3cc14 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -267,6 +267,8 @@ in
     # Enable the accounts daemon to find lightdm's dbus interface
     environment.systemPackages = [ lightdm ];
 
+    security.polkit.enable = true;
+
     security.pam.services.lightdm.text = ''
         auth      substack      login
         account   include       login
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index ec6d86d59bd..0c50d82b23b 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -620,9 +620,6 @@ in
       in optional (driver != null) ({ inherit name; modules = []; driverName = name; display = true; } // driver));
 
     assertions = [
-      { assertion = config.security.polkit.enable;
-        message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
-      }
       (let primaryHeads = filter (x: x.primary) cfg.xrandrHeads; in {
         assertion = length primaryHeads < 2;
         message = "Only one head is allowed to be primary in "
diff --git a/nixos/tests/tinywl.nix b/nixos/tests/tinywl.nix
index b286cab7794..8fb87b53330 100644
--- a/nixos/tests/tinywl.nix
+++ b/nixos/tests/tinywl.nix
@@ -10,6 +10,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
       # Automatically login on tty1 as a normal user:
       imports = [ ./common/user-account.nix ];
       services.getty.autologinUser = "alice";
+      security.polkit.enable = true;
 
       environment = {
         systemPackages = with pkgs; [ tinywl foot wayland-utils ];