authorVladimír Čunát <vcunat@gmail.com>2013-11-09 18:41:42 +0100
committerVladimír Čunát <vcunat@gmail.com>2013-11-09 18:41:42 +0100
commit619a1f561480a300ce28f0f471e73fecda85fd60 (patch)
treec9e3906af08d9dd70e5b400cb70a52f8422b0724 /nixos
parenta131ce533d98eb587d76dd8e2afc6e19568cd7e1 (diff)
parent8d14c7baa6b293b3b48741b203400116ed9882ab (diff)
changes proposed for 13-10 update
One feature change: polkit update 8d14c7ba
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/misc/version.nix2
-rw-r--r--nixos/modules/security/polkit.nix83
-rw-r--r--nixos/modules/services/networking/networkmanager.nix15
4 files changed, 48 insertions, 54 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 73134414138..0b4274b13e6 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -141,7 +141,7 @@
       tape = 25;
       video = 26;
       dialout = 27;
-      polkituser = 28;
+      #polkituser = 28; # currently unused, polkitd doesn't need a group
       utmp = 29;
       davfs2 = 31;
       privoxy = 32;
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index ae9fb5fb2a0..41f75483f95 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -33,7 +33,7 @@ with pkgs.lib;
     system.defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-13.10;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index cafa9f82d5e..940e87e0b02 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -18,35 +18,17 @@ in
       description = "Whether to enable PolKit.";
     };
 
-    security.polkit.permissions = mkOption {
+    security.polkit.extraConfig = mkOption {
       type = types.lines;
       default = "";
       example =
         ''
-          [Disallow Users To Suspend]
-          Identity=unix-group:users
-          Action=org.freedesktop.upower.*
-          ResultAny=no
-          ResultInactive=no
-          ResultActive=no
-
-          [Allow Anybody To Eject Disks]
-          Identity=unix-user:*
-          Action=org.freedesktop.udisks.drive-eject
-          ResultAny=yes
-          ResultInactive=yes
-          ResultActive=yes
-
-          [Allow Alice To Mount Filesystems After Admin Authentication]
-          Identity=unix-user:alice
-          Action=org.freedesktop.udisks.filesystem-mount
-          ResultAny=auth_admin
-          ResultInactive=auth_admin
-          ResultActive=auth_admin
+          TODO
         '';
       description =
         ''
-          Allows the default permissions of privileged actions to be overridden.
+          Any polkit rules to be added to config (in JavaScript ;-). See:
+          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
         '';
     };
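Review bot: The example for security.polkit.extraConfig is the placeholder `TODO` (line 88), so the renamed option ships with no usable example even though its format changed from .pkla stanzas to polkit JavaScript; the rule this same commit adds in networkmanager.nix would serve, e.g. `polkit.addRule(function(action, subject) { if (subject.isInGroup("networkmanager") && subject.active && action.id.indexOf("org.freedesktop.NetworkManager.") == 0) { return polkit.Result.YES; } });`. The description should also say that the text is spliced verbatim into the rules file polkitd evaluates, so it must be complete, valid JavaScript and a syntax error in it disables every rule in that file. Renaming `permissions` to `extraConfig` with no alias means any existing configuration setting `security.polkit.permissions` stops evaluating; a sentence in the description noting that the old .pkla format is no longer accepted would ease the 13.10 upgrade.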
 
@@ -71,29 +53,23 @@ in
 
     environment.systemPackages = [ pkgs.polkit ];
 
-    # The polkit daemon reads action files
-    environment.pathsToLink = [ "/share/polkit-1/actions" ];
-
-    environment.etc =
-      [ # No idea what the "null backend" is, but it seems to need this.
-        { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
-          target = "polkit-1/nullbackend.conf.d";
-        }
-
-        # This file determines what users are considered
-        # "administrators".
-        { source = pkgs.writeText "10-nixos.conf"
-            ''
-              [Configuration]
-              AdminIdentities=${cfg.adminIdentities}
-            '';
-          target = "polkit-1/localauthority.conf.d/10-nixos.conf";
-        }
-
-        { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
-          target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
-        }
-      ];
+    systemd.packages = [ pkgs.polkit ];
+
+    # The polkit daemon reads action/rule files
+    environment.pathsToLink = [ "/share/polkit-1" ];
+
+    # PolKit rules for NixOS
+    environment.etc = [ {
+      source = pkgs.writeText "10-nixos.conf"
+        ''
+          polkit.addAdminRule(function(action, subject) {
+            return ["${cfg.adminIdentities}"];
+          });
+
+          ${cfg.extraConfig}
+        ''; #TODO: validation on compilation (at least against typos)
+      target = "polkit-1/rules.d/10-nixos.conf";
+    } ];
 
     services.dbus.packages = [ pkgs.polkit ];
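Review bot: The rules file is written to `polkit-1/rules.d/10-nixos.conf` (lines 132 and 140), but polkitd only evaluates files in rules.d whose name ends in `.rules`, so as written neither the admin rule nor cfg.extraConfig (including the NetworkManager rule added later in this commit) takes effect; change both occurrences to `10-nixos.rules`. Separately, `${cfg.adminIdentities}` is interpolated unescaped inside a JavaScript string literal on line 135: a quote or backslash in the value breaks the file, and a semicolon-separated list as the old pkla `AdminIdentities=` line allowed would become a single invalid identity string. If adminIdentities stays a single string, its description (outside this hunk) should state that exactly one `unix-user:`/`unix-group:` identity is accepted; otherwise make it a list and generate the array from it. The TODO on line 139 is worth keeping until some syntax check exists, since a bad rules file is otherwise only noticed when polkitd rejects it.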
 
@@ -101,24 +77,31 @@ in
 
     security.setuidPrograms = [ "pkexec" ];
 
-    security.setuidOwners = singleton
+    security.setuidOwners = [
       { program = "polkit-agent-helper-1";
         owner = "root";
         group = "root";
         setuid = true;
-        source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
-      };
+        source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+      }
+    ];
 
     system.activationScripts.polkit =
       ''
-        mkdir -p /var/lib/polkit-1/localauthority
-        chmod 700 /var/lib/polkit-1{/localauthority,}
+        # Probably no more needed, clean up
+        rm -rf /var/lib/{polkit-1,PolicyKit}
 
         # Force polkitd to be restarted so that it reloads its
         # configuration.
         ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
       '';
 
+    users.extraUsers.polkituser = {
+      description = "PolKit daemon";
+      uid = config.ids.uids.polkituser;
+    };
+
   };
 
 }
+
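Review bot: The restart on line 170 (`pkill -INT -u root -x polkitd`, unchanged context) now sits beside a newly added polkituser account (lines 173-176); if the updated polkitd drops privileges to that user after startup, the `-u root` filter no longer matches and the daemon is never asked to reload its rules after a switch, so the filter should be dropped or pointed at polkituser — confirm against the polkit version being packaged. The `rm -rf /var/lib/{polkit-1,PolicyKit}` on line 166 runs unconditionally on every activation while its own comment says only "Probably no more needed"; a destructive cleanup should be verified against the new daemon's state needs before it is made permanent, or at least be left in place only as a one-time migration. The new user sets no group, which is consistent with the ids.nix hunk commenting out the polkituser gid, but `uid = config.ids.uids.polkituser` requires an entry in the uids section that is not in this diff.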
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index ad6f9858aaf..2e8d17d872d 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -21,7 +21,7 @@ let
     level=WARN
   '';
 
-  polkitConf = ''
+  /*
     [network-manager]
     Identity=unix-group:networkmanager
     Action=org.freedesktop.NetworkManager.*
@@ -35,6 +35,17 @@ let
     ResultAny=yes
     ResultInactive=no
     ResultActive=yes
+  */
+  polkitConf = ''
+    polkit.addRule(function(action, subject) {
+      if (
+        subject.isInGroup("networkmanager")
+        && subject.active
+        && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+            || action.id.indexOf("org.freedesktop.ModemManager.")  == 0
+        ))
+          { return polkit.Result.YES; }
+    });
   '';
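Review bot: The previous pkla configuration is kept as a `/* … */` comment (opened on line 191 in the first hunk, closed on line 199) instead of being deleted; it documents nothing the new rule does not and the history is in git, so drop it. The JavaScript rule also narrows what the old stanza granted: the commented section ending with `ResultAny=yes` (line 196) allowed the action in sessions that are neither active nor inactive, whereas the new rule returns YES only when `subject.active`; if that tightening is intended, a one-line comment such as `# only active sessions of the networkmanager group may drive NetworkManager/ModemManager` above polkitConf would record it. Whether this rule is loaded at all depends on the rules file name chosen in polkit.nix in this same commit.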
 
   ipUpScript = writeScript "01nixos-ip-up" ''
@@ -179,7 +190,7 @@ in {
       systemctl restart NetworkManager
     '';
 
-    security.polkit.permissions = polkitConf;
+    security.polkit.extraConfig = polkitConf;
 
     # openvpn plugin has only dbus interface
     services.dbus.packages = cfg.packages ++ [