Polkit configuration being ignored

I’m on unstable. I am trying to allow my USB redirection to work in either gnome-boxes or virt-manager. I’m getting an error in virt-manager: “Error setting USB device node ACL: Error setting facl: Operation not permitted”.

Relevant sections of my config are below:

  security.polkit.enable = true;
  security.polkit.debug = true;
  security.polkit.adminIdentities = [
    "unix-user:mbd777"
    "unix-group:wheel"
  ];

Looking through the journal I see this:

journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:SYSLOG_IDENTIFIER=polkitd
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:MESSAGE=Started polkitd version 123
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:_COMM=polkitd
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:_EXE=/nix/store/zrvqzsn2q0101i395igwcxqk9413r0dh-polkit-123/lib/polkit-1/polkitd
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:_CMDLINE=/nix/store/zrvqzsn2q0101i395igwcxqk9413r0dh-polkit-123/lib/polkit-1/polkitd --no-debug
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:_SYSTEMD_CGROUP=/system.slice/polkit.service
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:_SYSTEMD_UNIT=polkit.service
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:MESSAGE=Loading rules from directory /etc/polkit-1/rules.d
journal/016d08adc1ef428a818ec406be3687f1/system@98b86729580b4b2b869275d5df0de02f-00000000000b3d69-000615ee5328ca1a.journal:MESSAGE=Loading rules from directory /run/current-system/sw/share/polkit-1/rules.d

It’s still showing --no-debug being called despite me enabling debug. And the settings I’ve added don’t show in any of the rules in either:
/etc/polkit-1/rules.d
/run/current-system/sw/share/polkit-1/rules.d

I’ve even added a dummy rule to try to allow anything from a local user:

  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (subject.local) return "yes";
    });
  '';

The rebuild reports no errors but I’m not seeing any changes to polkit (other than enabling it).

Am I missing something?

Ignoring the manual polkit config stuff, because … well, idk:

I think this might be your golden ticket:

    virtualisation.spiceUSBRedirection.enable = true;

I appreciate the fix. That definitely did it. Weird that the polkit rules weren’t being deployed but your fix got me to my end goal. Thanks for the help.
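
The dummy rule in the first post answers "yes" to every polkit action for any local subject. As an added example (not code from the thread or from NixOS), the following runs that rule and a narrower one through a small stand-in for polkitd's rule evaluation under Node.js; the stand-in engine, the sample subjects, the action id `org.spice-space.lowlevelusbaccess` and the group `wheel` are assumptions chosen for illustration.

```javascript
// Stand-in for polkitd's rule evaluation (constructed for this example):
// rules run in order and the first non-null return value decides.
function makeEngine() {
  const rules = [];
  const polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    addRule: (fn) => rules.push(fn),
  };
  const check = (action, subject) => {
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result !== null && result !== undefined) return result;
    }
    return "implicit-default"; // placeholder: the action's own defaults apply
  };
  return { polkit, check };
}

// The dummy rule from the thread: no action check at all.
function installBroadRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (subject.local) return "yes";
  });
}

// Narrower rule. Action id and group are assumptions, not from the thread.
const USB_ACTION = "org.spice-space.lowlevelusbaccess";
function installScopedRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id === USB_ACTION && subject.local && subject.active &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  });
}

// Constructed subject with the properties the rules read.
function subject(groups, local = true, active = true) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

function decide(install, actionId, subj) {
  const { polkit, check } = makeEngine();
  install(polkit);
  return check({ id: actionId }, subj);
}

console.log(decide(installBroadRule, "org.freedesktop.systemd1.manage-units", subject([])));
console.log(decide(installScopedRule, "org.freedesktop.systemd1.manage-units", subject(["wheel"])));
```

The first call prints `yes` for an unrelated action, while the scoped rule leaves that action to its defaults.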