From 5e1a5c38e7ac0e38302435cec47145f804554748 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 3 Dec 2016 01:00:36 +0100
Subject: Allow gitolite to control infinoted
---
 ymir.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/ymir.nix b/ymir.nix
index e8837dcd..83fa823f 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -611,11 +611,30 @@ in rec {
 users.extraGroups."mladmin" = {
 members = [ "gkleen" ];
 };
+
+ users.extraGroups."infinoted" = {
+ members = [ "infinoted gitolite" ];
+ };
 
 security.sudo.extraConfig = ''
 %mladmin ALL=(mlmmj) NOPASSWD: ALL
+ %infinoted ALL=(infinoted) NOPASSWD: ALL
 ''; security.polkit = {
+ enable = true;
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ( action.id == "org.freedesktop.systemd1.manage-units"
+ && action.lookup("unit") == "infinoted.service"
+ && subject.isInGroup("infinoted")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
 security.setuidPrograms = [ "newgrp" ];
 
 security.acme = {
-- 
cgit v1.2.3
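Review bot: `members = [ "infinoted gitolite" ];` in the new `users.extraGroups."infinoted"` block is a one-element list holding a single string, so the group gets a nonexistent member named "infinoted gitolite" and neither infinoted nor gitolite actually joins it; the two names need to be separate list elements, `members = [ "infinoted" "gitolite" ];`. Once that is fixed, `%infinoted ALL=(infinoted) NOPASSWD: ALL` gives every member of the group unrestricted passwordless command execution as the infinoted user, which is broader than the commit's stated goal of letting gitolite control the service, so either drop the sudo line (the polkit rule already covers unit management) or narrow it to the specific commands the gitolite hook needs. The polkit rule could similarly be tightened by also checking `action.lookup("verb")` so only the intended operation (e.g. restart) is permitted rather than any manage-units call on infinoted.service; systemd appears to pass that detail alongside "unit", worth confirming against the polkit log before relying on it. The enclosing `rec { ... }` attribute set starts and ends outside the hunk.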