From 90f98cb17a432beaffd7975f631ab31afdfded1b Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:40 +0100
Subject: feat: add libvirt/qemu/swtpm stack for Sii Intune VM

Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance checks without dual-booting Windows.

- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm, virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt management, mirroring the existing networkd polkit rule

Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are unrelated to this change.
---
 etc/polkit-1/rules.d/50-libvirt-wheel.rules | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 etc/polkit-1/rules.d/50-libvirt-wheel.rules

(limited to 'etc')

diff --git a/etc/polkit-1/rules.d/50-libvirt-wheel.rules b/etc/polkit-1/rules.d/50-libvirt-wheel.rules
new file mode 100644
index 0000000..fac69bd
--- /dev/null
+++ b/etc/polkit-1/rules.d/50-libvirt-wheel.rules
@@ -0,0 +1,13 @@
+// Allow members of the `wheel` group to manage libvirt (start/stop VMs,
+// edit domains, attach devices) without a polkit password prompt.
+// This single-user system already trusts wheel for administrative work
+// via sudo-rs; libvirt's polkit gate is a separate path that does not
+// honour sudoers, so a polkit rule is the idiomatic fix.
+polkit.addRule(function (action, subject) {
+ if (
+ action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("wheel")
+ ) {
+ return polkit.Result.YES;
+ }
+});
-- 
cgit v1.3.1
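Review bot: The new rule grants `org.libvirt.unix.manage` to any process of a wheel member regardless of session state, so it also fires for non-local and inactive sessions, whereas polkit's documented rule examples narrow no-prompt grants with `subject.local && subject.active`; the condition in the `if (` on the hunk's seventh line could read `action.id == "org.libvirt.unix.manage" &&` / `subject.isInGroup("wheel") &&` / `subject.local && subject.active`. Unlike the sudo-rs path the header comment compares itself to, this removes the credential check entirely rather than deferring it, and the comment itself notes the action covers editing domains and attaching devices, which is close to host-level privilege; the header comment would be clearer if it stated that the no-prompt grant is intentionally broader than sudo-rs and why that is acceptable on this machine. As a point of style, polkit rules run as plain JavaScript, so `===` would avoid coercion on `action.id`, though the upstream examples do use `==`.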