ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: inputs/ --> {sys,home}/

Browse source
This commit is contained in:
ooks-io 2024-05-26 14:57:35 +12:00
parent 8f22a24963
commit f77c627980
225 changed files with 77 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

60
sys/modules/base/security/sudo.nix Normal file
View file

@ -0,0 +1,60 @@
{ lib, ... }:
let
inherit (lib) mkDefault mkForce;
in
{
# nyx module
security = {
sudo-rs.enable = mkForce false; # we don't want the rust sudo fork
sudo = {
enable = true;
wheelNeedsPassword = mkDefault false; # only use false here if the extraRules below are enabled
execWheelOnly = mkForce true; # only allow wheel to execute sudo
extraConfig = /* shell */ ''
Defaults lecture = never # disable sudo lecture
Defaults pwfeedback # password feedback
Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
'';
extraRules = [
{
# allow wheel group to run nixos-rebuild without password
groups = ["wheel"];
commands = let
currentSystem = "/run/current-system/";
storePath = "/nix/store/";
in [
{
command = "${storePath}/*/bin/switch-to-configuration";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nix-store";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nix-env";
options = ["SETENV" "NOPASSWD"];
}
{
command = "${currentSystem}/sw/bin/nixos-rebuild";
options = ["NOPASSWD"];
}
{
# let wheel group collect garbage without password
command = "${currentSystem}/sw/bin/nix-collect-garbage";
options = ["SETENV" "NOPASSWD"];
}
{
# let wheel group interact with systemd without password
command = "${currentSystem}/sw/bin/systemctl";
options = ["NOPASSWD"];
}
];
}
];
};
};
}