From fbdcac9b5db8c73656dcc8ba90dab17f74acb7fa Mon Sep 17 00:00:00 2001
From: blahai
Date: Tue, 18 Feb 2025 21:41:48 +0200
Subject: [PATCH] sudo conf
---
 modules/nixos/default.nix | 1 +
 modules/nixos/security/default.nix | 5 ++
 modules/nixos/security/sudo.nix | 79 ++++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 modules/nixos/security/default.nix
 create mode 100644 modules/nixos/security/sudo.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index e154aad..0f20541 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -4,6 +4,7 @@
 ./hardware
 ./misc
 ./networking
+ ./security
 ./remote-modules.nix
 ];
diff --git a/modules/nixos/security/default.nix b/modules/nixos/security/default.nix
new file mode 100644
index 0000000..44b7b76
--- /dev/null
+++ b/modules/nixos/security/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./sudo.nix
+ ];
+}
diff --git a/modules/nixos/security/sudo.nix b/modules/nixos/security/sudo.nix
new file mode 100644
index 0000000..d1e2145
--- /dev/null
+++ b/modules/nixos/security/sudo.nix
@@ -0,0 +1,79 @@
+{lib, ...}: let
+ inherit (lib.modules) mkForce mkDefault;
+in {
+ security = {
+ # sudo-rs is still a feature-incomplete sudo fork that can and will mess things up
+ sudo-rs.enable = mkForce false;
+
+ sudo = {
+ enable = true;
+
+ # wheelNeedsPassword = false means wheel group can execute commands without a password
+ # so just disable it, it only hurt security, BUT ... see below what commands can be run without password
+ wheelNeedsPassword = mkDefault false;
+
+ # only allow members of the wheel group to execute sudo
+ execWheelOnly = true;
+
+ # i dont like lectures
+ extraConfig = ''
+ Defaults lecture = never
+ Defaults pwfeedback
+ Defaults env_keep += "EDITOR PATH DISPLAY"
+ Defaults timestamp_timeout = 300
+ '';
+
+ extraRules = [
+ {
+ groups = ["wheel"];
+
+ commands = let
+ currentSystem = "/run/current-system/";
+ storePath = "/nix/store/";
+ in [
+ {
+ # why store and not current system?
+ # this is because we use switch-to-configuration on rebuild
+ command = "${storePath}/*/bin/switch-to-configuration";
+ options = [
+ "SETENV"
+ "NOPASSWD"
+ ];
+ }
+ {
+ command = "${currentSystem}/sw/bin/nix-store";
+ options = [
+ "SETENV"
+ "NOPASSWD"
+ ];
+ }
+ {
+ command = "${currentSystem}/sw/bin/nix-env";
+ options = [
+ "SETENV"
+ "NOPASSWD"
+ ];
+ }
+ {
+ command = "${currentSystem}/sw/bin/nixos-rebuild";
+ options = ["NOPASSWD"];
+ }
+ {
+ # let wheel group collect garbage without password
+ command = "${currentSystem}/sw/bin/nix-collect-garbage";
+ options = [
+ "SETENV"
+ "NOPASSWD"
+ ];
+ }
+ {
+ # let wheel group interact with systemd without password
+ command = "${currentSystem}/sw/bin/systemctl";
+ options = ["NOPASSWD"];
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
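Review bot: `wheelNeedsPassword = mkDefault false;` contradicts the comment directly above it and makes the entire `extraRules` list moot: with that value NixOS emits a `%wheel ... NOPASSWD: ALL` rule, so every command already runs without a password and the per-command NOPASSWD entries never narrow anything. If the intent is what the comment describes (password by default, with the listed exceptions), the line should read `wheelNeedsPassword = mkDefault true;`, and the comment should then state that plainly instead of the current "so just disable it" wording. Separately, `currentSystem` and `storePath` both end in a slash and are then joined with `/sw/bin/...` and `/*/bin/...`, which yields `//` in the generated sudoers paths; presumably sudo's path matching will not treat that as the real path, so the two let bindings should be `currentSystem = "/run/current-system";` and `storePath = "/nix/store";`. Even with both fixes, the `/nix/store/*/bin/switch-to-configuration` glob matches any store path, which any user able to realize a derivation can populate, and `nix-env`, `nix-store` and `systemctl` can each start child processes as root, so the NOPASSWD (and especially SETENV) grants here amount to passwordless root for wheel and the comments should say so rather than present the list as a restriction.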