nixos/pmount: init module

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -124,6 +124,8 @@
 
 - [Prometheus Storagebox Exporter](https://github.com/fleaz/prometheus-storagebox-exporter), a Prometheus exporter for Hetzner storage boxes.
 
+- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).
+
 - [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
 
 - [paisa](https://github.com/ananthakumaran/paisa), a personal finance tracker and dashboard. Available as [services.paisa](#opt-services.paisa.enable).

nixos/modules/module-list.nix

@@ -288,6 +288,7 @@
   ./programs/partition-manager.nix
   ./programs/pay-respects.nix
   ./programs/plotinus.nix
+  ./programs/pmount.nix
   ./programs/pqos-wrapper.nix
   ./programs/projecteur.nix
   ./programs/proxychains.nix

nixos/modules/programs/pmount.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib.options) mkEnableOption mkPackageOption;
+  inherit (lib.modules) mkIf;
+  inherit (lib.meta) getExe';
+
+  cfg = config.programs.pmount;
+
+  mkSetuidWrapper = package: command: {
+    setuid = true;
+    owner = "root";
+    group = "root";
+    source = getExe' package command;
+  };
+in
+{
+  options.programs.pmount = {
+    enable = mkEnableOption ''
+      pmount, a tool that allows normal users to mount removable devices
+      without requiring root privileges
+    '';
+
+    package = mkPackageOption pkgs "pmount" { };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+
+    security.wrappers = {
+      pmount = mkSetuidWrapper cfg.package "pmount";
+      pumount = mkSetuidWrapper cfg.package "pumount";
+    };
+
+    systemd.tmpfiles.rules = [
+      "d /media - root root - -"
+    ];
+  };
+}