Add updater role and script to build RPM file

.gitignore

@@ -0,0 +1 @@
+build

README.md

@@ -1,3 +1,28 @@
-# dragonrat-admin-tweaks
+# Dragonrat Admin Tweaks
 
-Tweaks for administration of IT systems
+Tweaks for administration of IT systems
+
+## Background
+
+I needed to be able to set up polkit rules on atomic systems.
+Mostly, this was so that regular users could apply updates 
+automatically without full admin rights. And basically the only 
+(read "Best") way to install custom files to the read-only 
+portion of OS is to use an RPM file. Thus, this repo is born.
+
+## Updater Role
+
+I wanted a way to allow non-tech users to update their system 
+automatically without them needing to intervene. And it needed 
+to be able to happen on laptops that are not always on or even
+connected to the network. So something like Ansible was overly 
+complicated. These are family laptops, so they can be "brought in"
+regularly. This feels like a happy middle ground. Updates can 
+be applied regularly (and automatically) through KDE's discover
+app, which uses PackageKit on the backend. PackageKit uses 
+Polkit for authorization, so it just requires some polkit
+rules in order to work for updater users. 
+
+The updater role shouldn't require any sudo privileges because
+it is designed for non-tech users. They shouldn't be using
+the command line anyway. 

build.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+SOURCE_FILENAME=$(rpmspec -q --qf "%{name}-%{version}\n" "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
+
+OUTPUT_FILENAME=$(rpmspec -q "$SCRIPT_DIR/dragonrat-admin-tweaks.spec")
+
+SOURCE_FILE="${HOME}/rpmbuild/SOURCES/${SOURCE_FILENAME}.tar.gz"
+
+SPEC_FILE="${SCRIPT_DIR}/dragonrat-admin-tweaks.spec"
+
+INPUT_FILES=(
+	polkit-rules
+	sysusers
+)
+
+
+BUILD_DIR=${SCRIPT_DIR}/build/${SOURCE_FILENAME}
+
+if [[ -d "$BUILD_DIR" ]]; then
+	rm -r "$BUILD_DIR"
+fi
+mkdir -p "$BUILD_DIR"
+cp -r ${INPUT_FILES[*]} "$BUILD_DIR"
+
+
+pushd ${SCRIPT_DIR}/build > /dev/null
+echo "Bundling sources into ${SOURCE_FILE}"
+tar --create --gzip --verbose --file "$SOURCE_FILE" "$SOURCE_FILENAME"
+popd > /dev/null
+
+echo "Building RPM"
+rpmbuild -ba "$SPEC_FILE"
+
+echo ""
+echo "$OUTPUT_FILENAME"
+

dragonrat-admin-tweaks.spec

@@ -0,0 +1,35 @@
+Name:           dragonrat-admin-tweaks
+Version:        0.1
+Release:        %autorelease
+Summary:        Tweaks for administration of IT systems
+BuildArch:      noarch
+
+License:        MIT
+URL:            https://dragonrat.net/
+Source0:        %{name}-%{version}.tar.gz
+
+Requires:       polkit
+
+%description
+Tweaks for administration of IT systems. Create new roles using 
+Polkit rules to allow updating without full administrator rightes
+
+
+%prep
+%setup
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_datadir}/polkit-1/rules.d polkit-rules/admin-tweaks-updater.rules 
+install -p -m 644 -D -t $RPM_BUILD_ROOT/%{_libdir}/sysusers.d sysusers/admin-tweaks.conf 
+
+
+%files
+%{_datadir}/polkit-1/rules.d/admin-tweaks-updater.rules
+%{_libdir}/sysusers.d/admin-tweaks.conf
+
+
+%changelog
+* Mon May 26 2025 Wes Holland <wes@dragonrat.net>
+- 

polkit-rules/admin-tweaks-updater.rules

@@ -0,0 +1,22 @@
+// Dragonrat admin tweaks updater role
+//
+// DO NOT EDIT THIS FILE, it will be overwritten on update.
+//
+// Allow users in the updater role to update the system
+// without being interrupted by a password dialog
+
+
+polkit.addRule(function(action, subject) { if ( ( 
+	action.id == "org.freedesktop.Flatpak.app-update" || 
+	action.id == "org.freedesktop.Flatpak.app-install" || 
+	action.id == "org.freedesktop.Flatpak.app-uninstall" || 
+	action.id == "org.freedesktop.Flatpak.runtime-update" || 
+	action.id == "org.freedesktop.Flatpak.runtime-install" || 
+	action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
+	action.id == "org.projectatomic.rpmostree1.rebase") && (
+		subject.isInGroup("wheel") || subject.isInGroup("updater")
+	) && subject.active) {
+
+        return polkit.Result.YES;
+    }
+});

sysusers/admin-tweaks.conf

@@ -0,0 +1 @@
+g updater -