From 3a0ea9c33895484aeadf3cb2c1815f4e2097fb38 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sat, 17 Jan 2026 03:59:55 +0900
Subject: [PATCH] base/polkit: default to username if in group `wheel`
---
 base/default.nix | 1 +
 base/services/polkit.nix | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 base/services/polkit.nix
diff --git a/base/default.nix b/base/default.nix
index 3975c38..53dbee1 100644
--- a/base/default.nix
+++ b/base/default.nix
@@ -24,6 +24,7 @@
 ./services/logrotate.nix
 ./services/nginx.nix
 ./services/openssh.nix
+ ./services/polkit.nix
 ./services/postfix.nix
 ./services/prometheus-node-exporter.nix
 ./services/prometheus-systemd-exporter.nix
diff --git a/base/services/polkit.nix b/base/services/polkit.nix
new file mode 100644
index 0000000..cd95516
--- /dev/null
+++ b/base/services/polkit.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+ cfg = config.security.polkit;
+in
+{
+ security.polkit.enable = true;
+
+ environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
+ polkit.addAdminRule(function(action, subject) {
+ if(subject.isInGroup("wheel")) {
+ return ["unix-user:"+subject.user];
+ }
+ });
+ '';
+}
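Review bot: The file name `9-nixos-overrides.rules` in base/services/polkit.nix most likely sorts after the stock NixOS rule file, not before it, because polkitd orders rule files lexically by basename and `10-…` therefore precedes `9-…`. The nixpkgs polkit module (not visible on this page) writes an unconditional `addAdminRule` for `security.polkit.adminIdentities` to `10-nixos.rules`, and polkit uses the first admin rule that returns a value, so the wheel override would never be reached. A zero-padded name such as `environment.etc."polkit-1/rules.d/09-nixos-overrides.rules".text` gives the intended order; confirm on a host by checking which identity the authentication prompt asks for. It is also worth a comment above the rule, for example `# wheel members authenticate as themselves (sudo-like); all other subjects fall through to adminIdentities`, since the missing return for non-wheel subjects is deliberate and easy to misread.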