blahai/nyx
1
0
Fork 0
mirror of https://github.com/blahai/nyx.git synced 2025-02-23 16:25:10 +00:00
Code Issues Projects Releases Packages Wiki Activity
nyx/modules/nixos/security/sudo.nix

80 lines
2.3 KiB
Nix
Raw Normal View History

Security: sudo config
2025-01-27 16:08:10 +02:00
{lib, ...}: let
inherit (lib.modules) mkForce mkDefault;
in {
security = {
# sudo-rs is still a feature-incomplete sudo fork that can and will mess things up
sudo-rs.enable = mkForce false;
sudo = {
enable = true;
# wheelNeedsPassword = false means wheel group can execute commands without a password
# so just disable it, it only hurt security, BUT ... see below what commands can be run without password
wheelNeedsPassword = mkDefault false;
# only allow members of the wheel group to execute sudo
execWheelOnly = true;
# i dont like lectures
extraConfig = ''
Defaults lecture = never
Defaults pwfeedback
Defaults env_keep += "EDITOR PATH DISPLAY"
Defaults timestamp_timeout = 300
'';
extraRules = [
{
groups = ["wheel"];
commands = let
currentSystem = "/run/current-system/";
storePath = "/nix/store/";
in [
{
# why store and not current system?
# this is because we use switch-to-configuration on rebuild
command = "${storePath}/*/bin/switch-to-configuration";
options = [
"SETENV"
"NOPASSWD"
];
}
{
command = "${currentSystem}/sw/bin/nix-store";
options = [
"SETENV"
"NOPASSWD"
];
}
{
command = "${currentSystem}/sw/bin/nix-env";
options = [
"SETENV"
"NOPASSWD"
];
}
{
command = "${currentSystem}/sw/bin/nixos-rebuild";
options = ["NOPASSWD"];
}
{
# let wheel group collect garbage without password
command = "${currentSystem}/sw/bin/nix-collect-garbage";
options = [
"SETENV"
"NOPASSWD"
];
}
{
# let wheel group interact with systemd without password
command = "${currentSystem}/sw/bin/systemctl";
options = ["NOPASSWD"];
}
];
}
];
};
};
}
Reference in a new issue Copy permalink