base/polkit: default to username if in group wheel

base/default.nix

@@ -24,6 +24,7 @@
     ./services/logrotate.nix
     ./services/nginx.nix
     ./services/openssh.nix
+    ./services/polkit.nix
     ./services/postfix.nix
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix

base/services/polkit.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+  cfg = config.security.polkit;
+in
+{
+  security.polkit.enable = true;
+
+  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
+    polkit.addAdminRule(function(action, subject) {
+        if(subject.isInGroup("wheel")) {
+            return ["unix-user:"+subject.user];
+        }
+    });
+  '';
+}