From ec20ffc9bdad2d467ec0f7e76f1b7f7a92580eff Mon Sep 17 00:00:00 2001
From: Andy Wingo
Date: Tue, 18 Aug 2015 11:57:15 +0200
Subject: [PATCH 5/7] gnu: Add polkit service.
* gnu/services/desktop.scm (polkit-service): New function. (%desktop-services): Add polkit service.
---
 gnu/services/desktop.scm | 51 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 5 deletions(-)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 764954c..500933c 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -24,12 +24,14 @@
 #:use-module (gnu services xorg)
 #:use-module (gnu services networking)
 #:use-module (gnu system shadow)
+ #:use-module (gnu system linux) ; unix-pam-service
 #:use-module (gnu packages glib)
 #:use-module (gnu packages admin)
 #:use-module (gnu packages freedesktop)
 #:use-module (gnu packages gnome)
 #:use-module (gnu packages avahi)
 #:use-module (gnu packages wicd)
+ #:use-module (gnu packages polkit)
 #:use-module (guix monads)
 #:use-module (guix store)
 #:use-module (guix gexp)
@@ -40,6 +42,7 @@
 geoclue-application
 %standard-geoclue-applications
 geoclue-service
+ polkit-service
 elogind-service
 %desktop-services))
@@ -376,6 +379,42 @@ site} for more information."
 ;;;
+;;; Polkit privilege management service.
+;;;
+
+(define* (polkit-service #:key (polkit polkit))
+ "Return a service that runs the @command{polkit} privilege management
+service. By querying the @command{polkit} service, a privileged system
+component can know when it should grant additional capabilities to ordinary
+users. For example, an ordinary user can be granted the capability to suspend
+the system if the user is logged in locally."
+ (with-monad %store-monad
+ (return
+ (service
+ (documentation "Run the polkit privilege management service.")
+ (provision '(polkit-daemon))
+ (requirement '(dbus-system))
+
+ (start #~(make-forkexec-constructor
+ (list (string-append #$polkit "/lib/polkit-1/polkitd"))))
+ (stop #~(make-kill-destructor))
+
+ (user-groups (list (user-group
+ (name "polkitd")
+ (system? #t))))
+ (user-accounts (list (user-account
+ (name "polkitd")
+ (group "polkitd")
+ (system? #t)
+ (comment "Polkit daemon user")
+ (home-directory "/var/empty")
+ (shell
+ "/run/current-system/profile/sbin/nologin"))))
+
+ (pam-services (list (unix-pam-service "polkit-1")))))))
+
+
+;;;
 ;;; Elogind login and seat management service.
 ;;;
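Review bot: The `start` gexp runs `polkitd` through `make-forkexec-constructor` with no user or group given, while the same service declares a dedicated `polkitd` system account, and nothing in the hunk says how the two relate. If the intent is that polkitd starts privileged and switches to that account itself (an assumption; the hunk does not show it), say so above `start`, e.g. `;; polkitd starts as root and is expected to drop to the "polkitd" user on its own.` The docstring could also mention that the service registers a `polkit-1` PAM service via `unix-pam-service`, presumably the stack behind polkit's authentication prompts, so that an administrator auditing PAM can tell where that entry comes from.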
@@ -552,14 +591,16 @@ when they log out."
 (avahi-service)
 (wicd-service)
 (upower-service)
- ;; FIXME: The colord and geoclue services could all be bus-activated
- ;; by default, so they don't run at program startup. However, user
- ;; creation and /var/lib.colord creation happen at service activation
- ;; time, so we currently add them to the set of default services.
+ ;; FIXME: The colord, geoclue, and polkit services could all be
+ ;; bus-activated by default, so they don't run at program startup.
+ ;; However, user creation and /var/lib/colord creation happen at
+ ;; service activation time, so we currently add them to the set of
+ ;; default services.
 (colord-service)
 (geoclue-service)
+ (polkit-service)
 (elogind-service)
- (dbus-service (list avahi wicd upower colord geoclue elogind))
+ (dbus-service (list avahi wicd upower colord geoclue polkit elogind))
 (ntp-service)
--
2.4.3