diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..378eac2 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +build diff --git a/README.md b/README.md index 0f54427..68794a2 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,28 @@ -# dragonrat-admin-tweaks +# Dragonrat Admin Tweaks -Tweaks for administration of IT systems \ No newline at end of file +Tweaks for administration of IT systems + +## Background + +I needed to be able to set up polkit rules on atomic systems. +Mostly, this was so that regular users could apply updates +automatically without full admin rights. And basically the only +(read "Best") way to install custom files to the read-only +portion of OS is to use an RPM file. Thus, this repo is born. + +## Updater Role + +I wanted a way to allow non-tech users to update their system +automatically without them needing to intervene. And it needed +to be able to happen on laptops that are not always on or even +connected to the network. So something like Ansible was overly +complicated. These are family laptops, so they can be "brought in" +regularly. This feels like a happy middle ground. Updates can +be applied regularly (and automatically) through KDE's discover +app, which uses PackageKit on the backend. PackageKit uses +Polkit for authorization, so it just requires some polkit +rules in order to work for updater users. + +The updater role shouldn't require any sudo privileges because +it is designed for non-tech users. They shouldn't be using +the command line anyway. diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..fa44555 --- /dev/null +++ b/build.sh 
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+SOURCE_FILENAME=$(rpmspec -q --qf "%{name}-%{version}\n" "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
+
+OUTPUT_FILENAME=$(rpmspec -q "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
+
+SOURCE_FILE="${HOME}/rpmbuild/SOURCES/${SOURCE_FILENAME}.tar.gz"
+
+SPEC_FILE="${SCRIPT_DIR}/dragonrat-admin-tweaks.spec"
+
+INPUT_FILES=(
+ polkit-rules
+ sysusers
+)
+
+
+BUILD_DIR=${SCRIPT_DIR}/build/${SOURCE_FILENAME}
+
+if [[ -d "$BUILD_DIR" ]]; then
+ rm -r "$BUILD_DIR"
+fi
+mkdir -p "$BUILD_DIR"
+cp -r ${INPUT_FILES[*]} "$BUILD_DIR"
+
+
+pushd ${SCRIPT_DIR}/build > /dev/null
+echo "Bundling sources into ${SOURCE_FILE}"
+tar --create --gzip --verbose --file "$SOURCE_FILE" "$SOURCE_FILENAME"
+popd > /dev/null
+
+echo "Building RPM"
+rpmbuild -ba "$SPEC_FILE"
+
+echo ""
+echo "$OUTPUT_FILENAME"
+
diff --git a/dragonrat-admin-tweaks.spec b/dragonrat-admin-tweaks.spec
new file mode 100644
index 0000000..9351891
--- /dev/null
+++ b/dragonrat-admin-tweaks.spec
@@ -0,0 +1,35 @@
+Name: dragonrat-admin-tweaks
+Version: 0.1
+Release: %autorelease
+Summary: Tweaks for administration of IT systems
+BuildArch: noarch
+
+License: MIT
+URL: https://dragonrat.net/
+Source0: %{name}-%{version}.tar.gz
+
+Requires: polkit
+
+%description
+Tweaks for administration of IT systems. Create new roles using
+Polkit rules to allow updating without full administrator rightes
+
+
+%prep
+%setup
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_datadir}/polkit-1/rules.d polkit-rules/admin-tweaks-updater.rules
+install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_libdir}/sysusers.d sysusers/admin-tweaks.conf
+
+
+%files
+%{_datadir}/polkit-1/rules.d/admin-tweaks-updater.rules
+%{_libdir}/sysusers.d/admin-tweaks.conf
+
+
+%changelog
+* Mon May 26 2025 Wes Holland
+- 
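Review bot: build.sh runs without `set -euo pipefail`, so if either `rpmspec` call fails `SOURCE_FILENAME` is empty, `BUILD_DIR` collapses to `${SCRIPT_DIR}/build/`, and the script carries on into `rm -r`, `tar` and `rpmbuild` with the wrong paths. The copy step is also unquoted and relative to the caller's working directory (`cp -r ${INPUT_FILES[*]} "$BUILD_DIR"`), so it only works when the script is invoked from the repository root and breaks on paths containing spaces. I would add `set -euo pipefail` after the shebang, copy with `cp -r "${INPUT_FILES[@]/#/$SCRIPT_DIR/}" "$BUILD_DIR"`, and quote `pushd "${SCRIPT_DIR}/build"`. Because this script produces the package that ships a polkit allow-rule, it should stop at the first failed step rather than build from a partial tree.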
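Review bot: In dragonrat-admin-tweaks.spec the sysusers fragment is installed under `%{_libdir}/sysusers.d`, which on a 64-bit Fedora-family build host expands to `/usr/lib64/sysusers.d`, whereas systemd-sysusers reads `/usr/lib/sysusers.d`. If so, the `updater` group would never be created and the polkit rule's `updater` branch would silently match nobody. Use the systemd macro instead: `install -p -m 644 -D -t $RPM_BUILD_ROOT%{_sysusersdir} sysusers/admin-tweaks.conf` in `%install` and `%{_sysusersdir}/admin-tweaks.conf` in `%files`, with `BuildRequires: systemd-rpm-macros` so the macro is defined. The `%changelog` entry is also empty (`- `) and the description has the typo "rightes".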
diff --git a/polkit-rules/admin-tweaks-updater.rules b/polkit-rules/admin-tweaks-updater.rules
new file mode 100644
index 0000000..819e97a
--- /dev/null
+++ b/polkit-rules/admin-tweaks-updater.rules
@@ -0,0 +1,22 @@
+// Dragonrat admin tweaks updater role
+//
+// DO NOT EDIT THIS FILE, it will be overwritten on update.
+//
+// Allow users in the updater role to update the system
+// without being interrupted by a password dialog
+
+
+polkit.addRule(function(action, subject) { if ( (
+ action.id == "org.freedesktop.Flatpak.app-update" ||
+ action.id == "org.freedesktop.Flatpak.app-install" ||
+ action.id == "org.freedesktop.Flatpak.app-uninstall" ||
+ action.id == "org.freedesktop.Flatpak.runtime-update" ||
+ action.id == "org.freedesktop.Flatpak.runtime-install" ||
+ action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
+ action.id == "org.projectatomic.rpmostree1.rebase") && (
+ subject.isInGroup("wheel") || subject.isInGroup("updater")
+ ) && subject.active) {
+
+ return polkit.Result.YES;
+ }
+});
diff --git a/sysusers/admin-tweaks.conf b/sysusers/admin-tweaks.conf
new file mode 100644
index 0000000..f401668
--- /dev/null
+++ b/sysusers/admin-tweaks.conf
@@ -0,0 +1 @@
+g updater -
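Review bot: The action list in admin-tweaks-updater.rules grants `org.projectatomic.rpmostree1.rebase`, which lets any member of `updater` move the host onto a different OS image with no password prompt; that is considerably wider than the "update the system" role the header comment describes. If the intent is only to pull updates on the current ref, `action.id == "org.projectatomic.rpmostree1.upgrade"` is the narrower action, and the Flatpak `*-install` and `*-uninstall` entries deserve the same check against the stated role. The subject test also accepts any active session; closing it with `) && subject.active && subject.local) {` would restrict the password-less path to sessions on a local seat. A short comment above the list saying why each action is granted would make later audits of this allow-rule easier.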