From 0b79642f7ed979ced00446733c46599b8534f153 Mon Sep 17 00:00:00 2001
From: Ranomier <>
Date: Wed, 4 Jun 2025 22:42:23 +0200
Subject: [PATCH] wip: let olivetin access specific things

---
 modules/game/server/luanti/olivetin.nix | 57 ++++++++++++++++++++++---
 1 file changed, 51 insertions(+), 6 deletions(-)

diff --git a/modules/game/server/luanti/olivetin.nix b/modules/game/server/luanti/olivetin.nix
index a1c989e..e84a9c3 100644
--- a/modules/game/server/luanti/olivetin.nix
+++ b/modules/game/server/luanti/olivetin.nix
@@ -1,19 +1,64 @@
-{ pkgs, ... }: {
+{ pkgs, lib, ... }: let
+  _pull = pkgs.writeShellScript "pull" ''
+    export GIT_SSH_COMMAND='ssh -i /var/lib/minetest/.ssh/id_ed25519_temp -o IdentitiesOnly=yes'
+    git -C /var/lib/minetest/.minetest/games/EinsDreiDreiSieben pull
+  '';
+  pull = _pull.outPath;
+
+  _restart = pkgs.writeShellScript "restart" ''
+    echo "before"
+    systemctl restart minetest-server.service
+    echo "after"
+  '';
+  restart = _restart.outPath;
+
+in {
+  users.users."minetest".linger = true;
   services.olivetin = {
     enable = true;
     settings = {
       actions = [
         {
-          title = "Hello world!";
-          shell = "echo 'Hello World!'";
+          title = "puuuull!";
+          shell = "/run/wrappers/bin/sudo -u minetest - ${pull}";
           popupOnStart = "execution-dialog-stdout-only";
+          icon = "⬇";
+        }
+        {
+          title = "restart";
+          shell = "/run/wrappers/bin/sudo -u minetest - ${restart}";
+          popupOnStart = "execution-dialog-stdout-only";
+          icon = "⬇";
         }
       ];
     };
-    path = with pkgs; [
-      bash
-      git
+    path = [
+      pkgs.git
+      pkgs.openssh
     ];
   };
+  security.sudo-rs.extraRules = [
+    {
+      users = [ "olivetin" ];
+      runAs = "minetest";
+      commands = [
+        {
+          command = pull;
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+    {
+
+      users = [ "olivetin" ];
+      runAs = "root";
+      commands = [
+        {
+          command = restart;
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
 }
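Review bot: The `restart` action runs `sudo -u minetest - ${restart}`, but the only sudo rule that lists `restart` is the `runAs = "root"` one and the `runAs = "minetest"` rule covers only `pull`, so sudo-rs should refuse the call (or try to prompt for a password, which an OliveTin action cannot answer), and the `minetest` user could not `systemctl restart` the unit anyway. Either the action line and the rule must agree, e.g. `shell = "/run/wrappers/bin/sudo -u root -- ${restart}";`, or, to avoid granting root to `olivetin` at all, drop the root rule and authorise the restart for the `minetest` user through a polkit rule instead. In both `shell` lines the lone `-` argument looks like it is meant as the end-of-options marker, which is `--`; I am not certain sudo-rs accepts a bare `-`. The `pull` script's `GIT_SSH_COMMAND` sets no known-hosts handling, so the first non-interactive pull can hang or fail on the host-key check unless `/var/lib/minetest/.ssh/known_hosts` is pre-populated, and the `_temp` key name suggests a placeholder still to be finalised. `lib` is added to the module arguments but is not used in this hunk.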