sudo conf

2025-02-18 21:41:48 +02:00 · 2025-02-18 21:41:48 +02:00 · fbdcac9b5d
commit fbdcac9b5d
parent ffc1784f52
3 changed files with 85 additions and 0 deletions
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -4,6 +4,7 @@
    ./hardware
    ./misc
    ./networking
+    ./security

    ./remote-modules.nix
  ];
--- a/modules/nixos/security/default.nix
+++ b/modules/nixos/security/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sudo.nix
+  ];
+}
--- a/modules/nixos/security/sudo.nix
+++ b/modules/nixos/security/sudo.nix
@ -0,0 +1,79 @@
+{lib, ...}: let
+  inherit (lib.modules) mkForce mkDefault;
+in {
+  security = {
+    # sudo-rs is still a feature-incomplete sudo fork that can and will mess things up
+    sudo-rs.enable = mkForce false;
+
+    sudo = {
+      enable = true;
+
+      # wheelNeedsPassword = false means wheel group can execute commands without a password
+      # so just disable it, it only hurt security, BUT ... see below what commands can be run without password
+      wheelNeedsPassword = mkDefault false;
+
+      # only allow members of the wheel group to execute sudo
+      execWheelOnly = true;
+
+      # i dont like lectures
+      extraConfig = ''
+        Defaults lecture = never
+        Defaults pwfeedback
+        Defaults env_keep += "EDITOR PATH DISPLAY"
+        Defaults timestamp_timeout = 300
+      '';
+
+      extraRules = [
+        {
+          groups = ["wheel"];
+
+          commands = let
+            currentSystem = "/run/current-system/";
+            storePath = "/nix/store/";
+          in [
+            {
+              # why store and not current system?
+              # this is because we use switch-to-configuration on rebuild
+              command = "${storePath}/*/bin/switch-to-configuration";
+              options = [
+                "SETENV"
+                "NOPASSWD"
+              ];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nix-store";
+              options = [
+                "SETENV"
+                "NOPASSWD"
+              ];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nix-env";
+              options = [
+                "SETENV"
+                "NOPASSWD"
+              ];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nixos-rebuild";
+              options = ["NOPASSWD"];
+            }
+            {
+              # let wheel group collect garbage without password
+              command = "${currentSystem}/sw/bin/nix-collect-garbage";
+              options = [
+                "SETENV"
+                "NOPASSWD"
+              ];
+            }
+            {
+              # let wheel group interact with systemd without password
+              command = "${currentSystem}/sw/bin/systemctl";
+              options = ["NOPASSWD"];
+            }
+          ];
+        }
+      ];
+    };
+  };
+}