nixpkgs/modules/security/polkit.nix

{ config, pkgs, ... }:

with pkgs.lib;

let
  pkWrapper = pkgs.stdenv.mkDerivation {
    name = "polkit-wrapper";
    helper = "libexec/polkit-1/polkit-agent-helper-1";
    buildInputs = [ pkgs.xorg.lndir ];

    builder = pkgs.writeScript "pkwrap-builder" ''
      source $stdenv/setup

      mkdir -pv $out
      lndir ${pkgs.polkit} $out

      rm $out/$helper
      ln -sv ${config.security.wrapperDir}/polkit-agent-helper-1 $out/$helper
      '';
  };
in

{

  config = {

    environment = {
      systemPackages = [ pkWrapper ];
      pathsToLink = [ "/share/polkit-1" "/etc/polkit-1" ];
      etc = [
        {
          source = "${config.system.path}/etc/polkit-1";
          target = "polkit-1";
        }
      ];
    };

    services.dbus.packages = [ pkWrapper ];

    security = {
      pam.services = [ { name = "polkit-1"; } ];
      setuidPrograms = [ "pkexec" ];

      setuidOwners = [
        {
          program = "polkit-agent-helper-1";
          owner = "root";
          group = "root";
          setuid = true;
          source = pkgs.polkit + "/" + pkWrapper.helper;
        }
      ];
    };

    system.activationScripts.polikit = pkgs.stringsWithDeps.noDepEntry
      ''
        mkdir -p /var/lib/polkit-1/localauthority
        chmod 700 /var/lib/polkit-1{/localauthority,}
      '';
  };

}