parent
39570560f1
commit
93ceef3d93
@ -0,0 +1 @@
|
|||||||
|
build
|
||||||
@ -1,3 +1,28 @@
|
|||||||
# dragonrat-admin-tweaks
|
# Dragonrat Admin Tweaks
|
||||||
|
|
||||||
Tweaks for administration of IT systems
|
Tweaks for administration of IT systems
|
||||||
|
|
||||||
|
## Background
|
||||||
|
|
||||||
|
I needed to be able to set up polkit rules on atomic systems.
|
||||||
|
Mostly, this was so that regular users could apply updates
|
||||||
|
automatically without full admin rights. And basically the only
|
||||||
|
(read "Best") way to install custom files to the read-only
|
||||||
|
portion of OS is to use an RPM file. Thus, this repo is born.
|
||||||
|
|
||||||
|
## Updater Role
|
||||||
|
|
||||||
|
I wanted a way to allow non-tech users to update their system
|
||||||
|
automatically without them needing to intervene. And it needed
|
||||||
|
to be able to happen on laptops that are not always on or even
|
||||||
|
connected to the network. So something like Ansible was overly
|
||||||
|
complicated. These are family laptops, so they can be "brought in"
|
||||||
|
regularly. This feels like a happy middle ground. Updates can
|
||||||
|
be applied regularly (and automatically) through KDE's discover
|
||||||
|
app, which uses PackageKit on the backend. PackageKit uses
|
||||||
|
Polkit for authorization, so it just requires some polkit
|
||||||
|
rules in order to work for updater users.
|
||||||
|
|
||||||
|
The updater role shouldn't require any sudo privileges because
|
||||||
|
it is designed for non-tech users. They shouldn't be using
|
||||||
|
the command line anyway.
|
||||||
|
|||||||
@ -0,0 +1,39 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||||
|
|
||||||
|
SOURCE_FILENAME=$(rpmspec -q --qf "%{name}-%{version}\n" "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
|
||||||
|
|
||||||
|
OUTPUT_FILENAME=$(rpmspec -q "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
|
||||||
|
|
||||||
|
SOURCE_FILE="${HOME}/rpmbuild/SOURCES/${SOURCE_FILENAME}.tar.gz"
|
||||||
|
|
||||||
|
SPEC_FILE="${SCRIPT_DIR}/dragonrat-admin-tweaks.spec"
|
||||||
|
|
||||||
|
INPUT_FILES=(
|
||||||
|
polkit-rules
|
||||||
|
sysusers
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
BUILD_DIR=${SCRIPT_DIR}/build/${SOURCE_FILENAME}
|
||||||
|
|
||||||
|
if [[ -d "$BUILD_DIR" ]]; then
|
||||||
|
rm -r "$BUILD_DIR"
|
||||||
|
fi
|
||||||
|
mkdir -p "$BUILD_DIR"
|
||||||
|
cp -r ${INPUT_FILES[*]} "$BUILD_DIR"
|
||||||
|
|
||||||
|
|
||||||
|
pushd ${SCRIPT_DIR}/build > /dev/null
|
||||||
|
echo "Bundling sources into ${SOURCE_FILE}"
|
||||||
|
tar --create --gzip --verbose --file "$SOURCE_FILE" "$SOURCE_FILENAME"
|
||||||
|
popd > /dev/null
|
||||||
|
|
||||||
|
echo "Building RPM"
|
||||||
|
rpmbuild -ba "$SPEC_FILE"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "$OUTPUT_FILENAME"
|
||||||
|
|
||||||
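Review bot: The script has no `set -euo pipefail`, so if either `rpmspec` query fails, `SOURCE_FILENAME` is empty, `BUILD_DIR` becomes `${SCRIPT_DIR}/build/`, and the `rm -r "$BUILD_DIR"` and later steps run on the wrong paths instead of stopping. The line `cp -r ${INPUT_FILES[*]} "$BUILD_DIR"` is unquoted and resolves `polkit-rules` and `sysusers` against the caller's working directory rather than `SCRIPT_DIR`. Run from elsewhere, the script either fails or packages whatever directories of those names are there, which matters because the resulting RPM installs polkit rules system-wide. I would add `set -euo pipefail` after the shebang and copy with `cp -r -- "${INPUT_FILES[@]/#/${SCRIPT_DIR}/}" "$BUILD_DIR"`. Quoting the path in `pushd "${SCRIPT_DIR}/build"` closes the remaining word-splitting gap.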
@ -0,0 +1,35 @@
|
|||||||
|
Name: dragonrat-admin-tweaks
|
||||||
|
Version: 0.1
|
||||||
|
Release: %autorelease
|
||||||
|
Summary: Tweaks for administration of IT systems
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
License: MIT
|
||||||
|
URL: https://dragonrat.net/
|
||||||
|
Source0: %{name}-%{version}.tar.gz
|
||||||
|
|
||||||
|
Requires: polkit
|
||||||
|
|
||||||
|
%description
|
||||||
|
Tweaks for administration of IT systems. Create new roles using
|
||||||
|
Polkit rules to allow updating without full administrator rightes
|
||||||
|
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup
|
||||||
|
|
||||||
|
|
||||||
|
%install
|
||||||
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_datadir}/polkit-1/rules.d polkit-rules/admin-tweaks-updater.rules
|
||||||
|
install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_libdir}/sysusers.d sysusers/admin-tweaks.conf
|
||||||
|
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{_datadir}/polkit-1/rules.d/admin-tweaks-updater.rules
|
||||||
|
%{_libdir}/sysusers.d/admin-tweaks.conf
|
||||||
|
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Mon May 26 2025 Wes Holland <wes@dragonrat.net>
|
||||||
|
-
|
||||||
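Review bot: The sysusers file is installed and listed under `%{_libdir}/sysusers.d` in `%install` and `%files`, but `%{_libdir}` expands to `/usr/lib64` on 64-bit builds while systemd-sysusers reads `/usr/lib/sysusers.d`. The `updater` group that the polkit rule depends on would therefore likely never be created from this package, and a `BuildArch: noarch` package should not reference `%{_libdir}` in any case. Use `%{_sysusersdir}` in both places, e.g. `install -p -m 644 -D -t $RPM_BUILD_ROOT%{_sysusersdir} sysusers/admin-tweaks.conf`, and add `BuildRequires: systemd-rpm-macros` so the macro is defined. The `%changelog` entry is an empty `-` bullet and the description contains the typo "rightes"; both are worth fixing before the first build is published.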
@ -0,0 +1,22 @@
|
|||||||
|
// Dragonrat admin tweaks updater role
|
||||||
|
//
|
||||||
|
// DO NOT EDIT THIS FILE, it will be overwritten on update.
|
||||||
|
//
|
||||||
|
// Allow users in the updater role to update the system
|
||||||
|
// without being interrupted by a password dialog
|
||||||
|
|
||||||
|
|
||||||
|
polkit.addRule(function(action, subject) { if ( (
|
||||||
|
action.id == "org.freedesktop.Flatpak.app-update" ||
|
||||||
|
action.id == "org.freedesktop.Flatpak.app-install" ||
|
||||||
|
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
|
||||||
|
action.id == "org.freedesktop.Flatpak.runtime-update" ||
|
||||||
|
action.id == "org.freedesktop.Flatpak.runtime-install" ||
|
||||||
|
action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
|
||||||
|
action.id == "org.projectatomic.rpmostree1.rebase") && (
|
||||||
|
subject.isInGroup("wheel") || subject.isInGroup("updater")
|
||||||
|
) && subject.active) {
|
||||||
|
|
||||||
|
return polkit.Result.YES;
|
||||||
|
}
|
||||||
|
});
|
||||||
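Review bot: The rule returns `polkit.Result.YES` for `org.projectatomic.rpmostree1.rebase`, which lets any active member of `updater` switch the host to a different OS image without authentication. That is broader than the README's goal of applying updates "without full admin rights" and is effectively an administrative privilege. If the intent is only to apply updates, match `org.projectatomic.rpmostree1.upgrade` instead and leave `rebase` to `wheel`. The same split is worth considering for the Flatpak `app-install`, `app-uninstall`, `runtime-install` and `runtime-uninstall` actions, which go beyond updating. Requiring `subject.local` alongside `subject.active` would also keep remote sessions off the password-less path, and a short comment above the action list saying why each action is included would make later audits easier.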
@ -0,0 +1 @@
|
|||||||
|
g updater -
|
||||||