common/polkit: apply chroot

2025-11-05 09:19:02 +09:00
parent 31c4434627
commit 4d516b7bab
2 changed files with 21 additions and 0 deletions
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -31,6 +31,7 @@ in {
    ./services/openssh.nix
    ./services/pcscd.nix
    ./services/pipewire.nix
+    ./services/polkit.nix
    ./services/printing.nix
    ./services/resolved.nix
    ./services/smartd.nix
--- a/hosts/common/services/polkit.nix
+++ b/hosts/common/services/polkit.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+let
+  cfg = config.security.polkit;
+in
+{
+  systemd.services.polkit.serviceConfig = lib.mkIf cfg.enable {
+    RuntimeDirectory = [
+      "polkit-1"
+      "polkit-1/root-mnt"
+    ];
+    RootDirectory = "/run/polkit-1/root-mnt";
+    BindPaths = [ "/run/dbus/system_bus_socket" ];
+    BindReadOnlyPaths = [
+      builtins.storeDir
+      "/etc"
+      "/run/systemd"
+      "/run/current-system/sw/share/polkit-1"
+    ];
+  };
+}