wip: let olivetin access specific things

modules/game/server/luanti/olivetin.nix

@@ -1,19 +1,64 @@
-{ pkgs, ... }: {
+{ pkgs, lib, ... }: let
+  _pull = pkgs.writeShellScript "pull" ''
+    export GIT_SSH_COMMAND='ssh -i /var/lib/minetest/.ssh/id_ed25519_temp -o IdentitiesOnly=yes'
+    git -C /var/lib/minetest/.minetest/games/EinsDreiDreiSieben pull
+  '';
+  pull = _pull.outPath;
+
+  _restart = pkgs.writeShellScript "restart" ''
+    echo "before"
+    systemctl restart minetest-server.service
+    echo "after"
+  '';
+  restart = _restart.outPath;
+
+in {
+  users.users."minetest".linger = true;
   services.olivetin = {
     enable = true;
     settings = {
       actions = [
         {
-          title = "Hello world!";
+          title = "puuuull!";
-          shell = "echo 'Hello World!'";
+          shell = "/run/wrappers/bin/sudo -u minetest - ${pull}";
           popupOnStart = "execution-dialog-stdout-only";
+          icon = "⬇";
+        }
+        {
+          title = "restart";
+          shell = "/run/wrappers/bin/sudo -u minetest - ${restart}";
+          popupOnStart = "execution-dialog-stdout-only";
+          icon = "⬇";
         }
       ];
     };
 
-    path = with pkgs; [
+    path = [
-      bash
+      pkgs.git
-      git
+      pkgs.openssh
     ];
   };
+  security.sudo-rs.extraRules = [
+    {
+      users = [ "olivetin" ];
+      runAs = "minetest";
+      commands = [
+        {
+          command = pull;
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+    {
+
+      users = [ "olivetin" ];
+      runAs = "root";
+      commands = [
+        {
+          command = restart;
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
 }