Unstable polkit in stable environment caching issues

I’ve been trying to get polkit version 127 working on my system so that run0 can cache authorization but am thus far unsuccessful. With my current best attempt, pkcheck --version returns 127 and /etc/polkit-1/rules.d/10-nixos.rules is as expected, but run0 still asks for re-authorization every time it is run.

I’ve tried to get things working via overlays, but have only gotten confusing errors for my troubles.

config excerpts
# pins.nix
{ config, pkgs, lib, uPkgs, ... }:

let
  sources = import ./npins;
in {
  nix.channel.enable = false;
  nix.nixPath = lib.mapAttrsToList (k: v: "${k}=${v}") sources;

  # unstable repository
  _module.args.uPkgs = import <nixos-unstable> {
    config = config.nixpkgs.config;
  };

  nixpkgs.overlays = [
    (final: prev: {
      # overlay attempt 1
      # kdePackages.polkit-qt-1 = prev.kdePackages.polkit-qt-1.override {polkit = uPkgs.polkit; };
      # overlay attempt 2
      # polkit = uPkgs.polkit;
    })
  ];

}
# configuration.nix
{ config, pkgs, lib, uPkgs, ... }:

{
  imports = [
...
    ./pins.nix
  ];

...

  security.polkit = {
    enable = true;
    package = uPkgs.polkit;
    extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (
          action.id == "org.freedesktop.systemd1.manage-units" &&
          (
            subject.isInGroup("wheel") ||
            subject.isInGroup("users")
          )
        ) {
          return polkit.Result.AUTH_ADMIN_KEEP;
        }
      });
    '';
  };

  services.displayManager.sddm.enable = true;
  services.desktopManager.plasma6.enable = true;

...
overlay attempt 1 error
error:
       … while calling the 'head' builtin
         at /nix/store/1k8m24kpk74wcbs2x4nxbd9dnc9lvd6j-source/lib/attrsets.nix:1696:13:
         1695|           if length values == 1 || pred here (elemAt values 1) (head values) then
         1696|             head values
             |             ^
         1697|           else

       … while evaluating the attribute 'value'
         at /nix/store/1k8m24kpk74wcbs2x4nxbd9dnc9lvd6j-source/lib/modules.nix:1118:7:
         1117|     // {
         1118|       value = addErrorContext "while evaluating the option `${showOption loc}':" value;
             |       ^
         1119|       inherit (res.defsFinal') highestPrio;

       … while evaluating the option `system.build.toplevel':

       … while evaluating definitions from `/nix/store/1k8m24kpk74wcbs2x4nxbd9dnc9lvd6j-source/nixos/modules/system/activation/top-level.nix':

       … while evaluating the option `xdg.portal.extraPortals':

       … while evaluating definitions from `/nix/store/1k8m24kpk74wcbs2x4nxbd9dnc9lvd6j-source/nixos/modules/services/desktop-managers/plasma6.nix':

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: attribute 'kwallet' missing
       at /nix/store/1k8m24kpk74wcbs2x4nxbd9dnc9lvd6j-source/nixos/modules/services/desktop-managers/plasma6.nix:289:7:
          288|     xdg.portal.extraPortals = [
          289|       kdePackages.kwallet
             |       ^
          290|       kdePackages.xdg-desktop-portal-kde
Command 'nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel --dry-run' returned non-zero exit status 1.

Attempt 2 didn’t error on dry-run, but required rebuilding 274 derivations, which seems excessive. After trying it regardless and waiting out the process of them getting rebuilt, it ultimately ended in an error which I unfortunately neglected to save. If the error is needed, I can go through that tedious build again, but ideally I would only be building the things required for run0 to work with polkit 127 if it comes to that.
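One way to separate "the rule is not loaded" from "the rule does not match the action" is to evaluate the rule offline. The harness below is an added example, not part of the thread or of polkit itself: it mimics how polkitd runs rules in order and takes the first non-null polkit.Result, with a null result meaning the action's implicit authorization (and any later rules) apply. The action id and group names are the ones from the extraConfig above; the user names are constructed.

```javascript
// Stand-in for the global `polkit` object that polkitd provides to rules files.
// The Result values follow polkit's own string constants; evaluation order
// (first rule returning a non-null value wins) follows the polkit(8) manual.
const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Returns the first non-null result, or null if no rule handled the action
  // (polkitd would then fall back to the action's implicit authorization).
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return null;
  },
};

// Minimal mocks of the Action and Subject objects handed to rules.
const makeAction = (id) => ({ id, lookup: () => undefined });
const makeSubject = (user, groups) => ({
  user,
  isInGroup: (g) => groups.includes(g),
  isInNetGroup: () => false,
});

// The rule from the thread's extraConfig, registered exactly as written there.
polkit.addRule(function (action, subject) {
  if (
    action.id == "org.freedesktop.systemd1.manage-units" &&
    (subject.isInGroup("wheel") || subject.isInGroup("users"))
  ) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
});

// Convenience wrapper: what would the rules file decide for this request?
function decide(actionId, user, groups) {
  return polkit.evaluate(makeAction(actionId), makeSubject(user, groups));
}
```

A null from decide() for the action that run0 actually requests would point at the rule's matching logic rather than at the rules directory not being read; the constructed Subject only implements the two lookups the rule uses.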

That’s not surprising. Pretty much everything depends on polkit; changing its version with an overlay will cause a cascading rebuild of pretty much everything.

I don’t know how tightly coupled applications are to the polkit API, so this may result in a nonfunctional system, but if you don’t want to apply the version change to everything then simply don’t use an overlay:

{ uPkgs, ... }: {
  security.polkit.package = uPkgs.polkit;
}

Systemd appears to pick up polkit at runtime, so that should be all you need.

In general, avoid overlays; they’re a footgun if you don’t understand what you’re doing - as you’ve seen - and usually unnecessary. Their constant use is a holdover from old docs, from when modules didn’t generally have .package options.


All that said, if you wait 2-3 weeks, NixOS 26.05 will just fix this for you.

2 Likes

That was my first attempt. I have that in my configuration.nix as package = uPkgs.polkit; inside security.polkit =. It does appear to work for changing the version, since pkexec --version returns pkexec version 127, but either something isn’t connecting or my extraConfig rules have an error, since caching is still not working.

Edit:
After doing some more testing, I think the issue may be that polkit is straight up not seeing the rules in /etc/polkit-1/rules.d/10-nixos.rules. On version 126, the default rules should allow changing the timezone and managing networking. However, attempting those in System Settings errors and prompts for the root password, respectively.

It’s possible you also need to update systemd to make use of that cache, but these services are so core to NixOS that I probably would just wait for the release.

After poking around some more, trying to see if I can persuade anything into working, I have to admit that waiting isn’t so bad. Thinking about it, rather than re-entering my password every time with run0, I can instead use run0 -u to have a shell with my wheel account, and then use sudo for further privilege escalation. It’s at least better security-wise than having a root shell open for nix config editing out of frustration.

Another alternative to this is to move the /etc/nixos directory into your home directory, and change the location of configuration.nix like so:

nixos-rebuild boot -I "nixos-config=$HOME/my-nixos-config/configuration.nix"

This lets you use your user’s editor to edit configuration.nix, too, which is likely much more ergonomic. If you’re paranoid about keeping that file editable in your home directory, I suggest keeping it in git and glancing at the git status before deploying to make sure no random process is subbing in changes without you noticing.

1 Like

Sorry for not responding sooner. Thanks for the tip. I’ve now implemented it on my system.