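{lib, ...}: let
  inherit (lib) mkDefault mkForce;
in {
  # nyx module
  #
  # sudo policy for the `wheel` group.
  #
  # Threat-model note: every NOPASSWD command listed in `extraRules` below is
  # root-equivalent (switch-to-configuration / nixos-rebuild activate an
  # arbitrary system closure, nix-env / nix-store write root-owned profiles and
  # store paths, systemctl can link and start arbitrary units).  The allow-list
  # is therefore a convenience for a group that is already trusted with root,
  # NOT a confinement boundary, and must not be copied to a less-trusted group.
  security = {
    # keep the classic sudo; we don't want the rust sudo fork
    sudo-rs.enable = mkForce false;

    sudo = {
      enable = true;

      # `false` expands to `%wheel ALL=(ALL:ALL) NOPASSWD: ALL`, which makes
      # every NOPASSWD rule in `extraRules` redundant and gives wheel
      # password-less root for *all* commands.  `true` keeps the password
      # prompt for everything except the explicit NOPASSWD rules below.
      # mkDefault so an individual host can still opt into fully
      # password-less wheel if it really wants that.
      wheelNeedsPassword = mkDefault true;

      # only members of wheel may even execute the sudo binary
      execWheelOnly = mkForce true;

      extraConfig =
        /*
        shell
        */
        ''
          # disable the first-use sudo lecture
          Defaults lecture = never
          # show asterisks while the password is typed
          Defaults pwfeedback
          # variables passed through to the root environment.  PATH is kept so
          # the nix/nixos tools resolve the same way as for the invoking user;
          # EDITOR/DISPLAY are kept for `sudoedit` / `systemctl edit` and X11
          # tools.  Remember that a user-controlled EDITOR runs as root.
          Defaults env_keep += "EDITOR PATH DISPLAY"
          # timestamp_timeout is in MINUTES (sudoers(5)).  The previous value
          # of 300 cached credentials for five hours although the comment
          # claimed "300s"; 5 minutes matches that intent and sudo's default.
          Defaults timestamp_timeout = 5
        '';

      extraRules = [
        {
          # allow the wheel group to run the NixOS deployment tooling without
          # a password; see the threat-model note at the top of this module
          groups = ["wheel"];
          commands = let
            # no trailing slashes: a trailing slash here plus the leading slash
            # in the interpolations below produced "/nix/store//..." and
            # "/run/current-system//..." patterns, which are not the canonical
            # paths sudo compares the invoked command against
            currentSystem = "/run/current-system";
            storePath = "/nix/store";
            sw = "${currentSystem}/sw/bin";
          in [
            {
              # NOTE(review): this glob matches *any* store path that ships a
              # bin/switch-to-configuration, and any nix-daemon client can add
              # such a path to the store.  It is acceptable only because wheel
              # is already root-trusted (see module header).
              command = "${storePath}/*/bin/switch-to-configuration";
              options = ["SETENV" "NOPASSWD"];
            }
            {
              command = "${sw}/nix-store";
              options = ["SETENV" "NOPASSWD"];
            }
            {
              command = "${sw}/nix-env";
              options = ["SETENV" "NOPASSWD"];
            }
            {
              command = "${sw}/nixos-rebuild";
              options = ["NOPASSWD"];
            }
            {
              # let the wheel group collect garbage without a password
              command = "${sw}/nix-collect-garbage";
              options = ["SETENV" "NOPASSWD"];
            }
            {
              # let the wheel group interact with systemd without a password
              command = "${sw}/systemctl";
              options = ["NOPASSWD"];
            }
          ];
        }
      ];
    };
  };
}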