From 408406c2ff06f30c52106dc2a6b93ab6ca691d1e Mon Sep 17 00:00:00 2001
From: Victor Engmark
Date: Tue, 4 Jun 2024 20:04:49 +1200
Subject: [PATCH] nixos/ydotool: Make group configurable
Allows users to refer to `config.programs.ydotool.group` rather than hard-coding "ydotool". Allows users to override the group name for whatever reason. This closes #317013.
Co-authored-by: Cosima Neidahl
---
 nixos/modules/programs/ydotool.nix | 15 ++++++++---
 nixos/tests/ydotool.nix | 43 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/programs/ydotool.nix b/nixos/modules/programs/ydotool.nix
index 2abf3ec96e09..643a5d369f3f 100644
--- a/nixos/modules/programs/ydotool.nix
+++ b/nixos/modules/programs/ydotool.nix
@@ -14,22 +14,29 @@ in options.programs.ydotool = { enable = lib.mkEnableOption '' - ydotoold system service and install ydotool. - Add yourself to the 'ydotool' group to be able to use it. + ydotoold system service and {command}`ydotool` for members of + {option}`programs.ydotool.group`. ''; + group = lib.mkOption { + type = lib.types.str; + default = "ydotool"; + description = '' + Group which users must be in to use {command}`ydotool`. + ''; + }; }; config = let runtimeDirectory = "ydotoold"; in lib.mkIf cfg.enable { - users.groups.ydotool = { }; + users.groups."${config.programs.ydotool.group}" = { }; systemd.services.ydotoold = { description = "ydotoold - backend for ydotool"; wantedBy = [ "multi-user.target" ]; partOf = [ "multi-user.target" ]; serviceConfig = { - Group = "ydotool"; + Group = config.programs.ydotool.group; RuntimeDirectory = runtimeDirectory; RuntimeDirectoryMode = "0750"; ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=${config.environment.variables.YDOTOOL_SOCKET} --socket-perm=0660";
diff --git a/nixos/tests/ydotool.nix b/nixos/tests/ydotool.nix
index b7ee7aced2b7..45e3d27adeb4 100644
--- a/nixos/tests/ydotool.nix
+++ b/nixos/tests/ydotool.nix
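Review bot: The new `group` option in nixos/modules/programs/ydotool.nix is described only as "Group which users must be in to use ydotool", which understates what membership grants. The unit gives that group access to the ydotoold socket (`--socket-perm=0660`, `RuntimeDirectoryMode = "0750"`), and ydotool synthesises keyboard and pointer input, so a member can presumably type into whichever session currently has focus. Now that the name is configurable, pointing it at a broad existing group such as `users` silently widens that access, so I would add a sentence to the description such as `Members can inject input events into any session on this machine; keep this group dedicated and small.` and tighten the type to `lib.types.nonEmptyStr`. Separately, `config.programs.ydotool.group` in `users.groups` and `Group =` could be written `cfg.group`, assuming `cfg` is bound to `config.programs.ydotool` above the hunk as `cfg.enable` suggests. The `serviceConfig` block continues past the end of the hunk.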
@@ -138,4 +138,47 @@ in
 quantenzitrone
 ];
 };
+
+ customGroup =
+ let
+ name = "customGroup";
+ nodeName = "${name}Node";
+ insideGroupUsername = "ydotool-user";
+ outsideGroupUsername = "other-user";
+ groupName = "custom-group";
+ in
+ makeTest {
+ inherit name;
+
+ nodes."${nodeName}" = {
+ programs.ydotool = {
+ enable = true;
+ group = groupName;
+ };
+
+ users.users = {
+ "${insideGroupUsername}" = {
+ isNormalUser = true;
+ extraGroups = [ groupName ];
+ };
+ "${outsideGroupUsername}".isNormalUser = true;
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ # Wait for service to start
+ ${nodeName}.wait_for_unit("multi-user.target")
+ ${nodeName}.wait_for_unit("ydotoold.service")
+
+ # Verify that user with the configured group can use the service
+ ${nodeName}.succeed("sudo --login --user=${insideGroupUsername} ydotool type 'Hello, World!'")
+
+ # Verify that user without the configured group can't use the service
+ ${nodeName}.fail("sudo --login --user=${outsideGroupUsername} ydotool type 'Hello, World!'")
+ '';
+
+ meta.maintainers = with lib.maintainers; [ l0b0 ];
+ };
 }
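Review bot: The negative check `${nodeName}.fail("sudo --login --user=${outsideGroupUsername} ydotool type 'Hello, World!'")` passes on any non-zero exit. It would therefore also pass if sudo, the login shell or the socket path were broken for that user, not only when group ownership denies access. To pin the mechanism, also assert on the node that the ydotoold socket is owned by `custom-group` with mode 0660. Adding `${nodeName}.fail("getent group ydotool")` would show that the previously hard-coded group is no longer created when `group` is overridden. The positive check likewise proves only the exit status, not that input was delivered, which is probably acceptable for a headless VM test.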