sudo conf
This commit is contained in:
parent
ffc1784f52
commit
fbdcac9b5d
SSH key fingerprint:
SHA256:ZfCryi+V64yG+vC1ZIIsqgvBCmA31tTi7RJ6M8CvpRc
3 changed files with 85 additions and 0 deletions
|
|
@ -4,6 +4,7 @@
|
||||||
./hardware
|
./hardware
|
||||||
./misc
|
./misc
|
||||||
./networking
|
./networking
|
||||||
|
./security
|
||||||
|
|
||||||
./remote-modules.nix
|
./remote-modules.nix
|
||||||
];
|
];
|
||||||
|
|
|
||||||
5
modules/nixos/security/default.nix
Normal file
5
modules/nixos/security/default.nix
Normal file
|
|
@ -0,0 +1,5 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./sudo.nix
|
||||||
|
];
|
||||||
|
}
|
||||||
79
modules/nixos/security/sudo.nix
Normal file
79
modules/nixos/security/sudo.nix
Normal file
|
|
@ -0,0 +1,79 @@
|
||||||
|
{lib, ...}: let
|
||||||
|
inherit (lib.modules) mkForce mkDefault;
|
||||||
|
in {
|
||||||
|
security = {
|
||||||
|
# sudo-rs is still a feature-incomplete sudo fork that can and will mess things up
|
||||||
|
sudo-rs.enable = mkForce false;
|
||||||
|
|
||||||
|
sudo = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# wheelNeedsPassword = false means wheel group can execute commands without a password
|
||||||
|
# so just disable it, it only hurt security, BUT ... see below what commands can be run without password
|
||||||
|
wheelNeedsPassword = mkDefault false;
|
||||||
|
|
||||||
|
# only allow members of the wheel group to execute sudo
|
||||||
|
execWheelOnly = true;
|
||||||
|
|
||||||
|
# i dont like lectures
|
||||||
|
extraConfig = ''
|
||||||
|
Defaults lecture = never
|
||||||
|
Defaults pwfeedback
|
||||||
|
Defaults env_keep += "EDITOR PATH DISPLAY"
|
||||||
|
Defaults timestamp_timeout = 300
|
||||||
|
'';
|
||||||
|
|
||||||
|
extraRules = [
|
||||||
|
{
|
||||||
|
groups = ["wheel"];
|
||||||
|
|
||||||
|
commands = let
|
||||||
|
currentSystem = "/run/current-system/";
|
||||||
|
storePath = "/nix/store/";
|
||||||
|
in [
|
||||||
|
{
|
||||||
|
# why store and not current system?
|
||||||
|
# this is because we use switch-to-configuration on rebuild
|
||||||
|
command = "${storePath}/*/bin/switch-to-configuration";
|
||||||
|
options = [
|
||||||
|
"SETENV"
|
||||||
|
"NOPASSWD"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
command = "${currentSystem}/sw/bin/nix-store";
|
||||||
|
options = [
|
||||||
|
"SETENV"
|
||||||
|
"NOPASSWD"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
command = "${currentSystem}/sw/bin/nix-env";
|
||||||
|
options = [
|
||||||
|
"SETENV"
|
||||||
|
"NOPASSWD"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
command = "${currentSystem}/sw/bin/nixos-rebuild";
|
||||||
|
options = ["NOPASSWD"];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
# let wheel group collect garbage without password
|
||||||
|
command = "${currentSystem}/sw/bin/nix-collect-garbage";
|
||||||
|
options = [
|
||||||
|
"SETENV"
|
||||||
|
"NOPASSWD"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
# let wheel group interact with systemd without password
|
||||||
|
command = "${currentSystem}/sw/bin/systemctl";
|
||||||
|
options = ["NOPASSWD"];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
Loading…
Add table
Reference in a new issue