mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-13 21:50:33 +03:00
nixos/sudo: Handle root's default rule through extraRules
This makes things more uniform; moreover, users can now inject rules before this.
This commit is contained in:
nicoo
parent
097115485a
commit
93011e31bd
1 changed files with 31 additions and 24 deletions
|
|
@ -182,36 +182,43 @@ in
|
||||||
message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
|
message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# We `mkOrder 600` so that the default rule shows up first, but there is
|
security.sudo.extraRules =
|
||||||
# still enough room for a user to `mkBefore` it.
|
let
|
||||||
security.sudo.extraRules = mkOrder 600 [
|
defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
|
||||||
{ groups = [ "wheel" ];
|
inherit users groups;
|
||||||
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
|
commands = [ {
|
||||||
}
|
command = "ALL";
|
||||||
];
|
options = opts ++ [ "SETENV" ];
|
||||||
|
} ];
|
||||||
|
} ];
|
||||||
|
in mkMerge [
|
||||||
|
# This is ordered before users' `mkBefore` rules,
|
||||||
|
# so as not to introduce unexpected changes.
|
||||||
|
(mkOrder 400 (defaultRule { users = [ "root" ]; }))
|
||||||
|
|
||||||
|
# This is ordered to show before (most) other rules, but
|
||||||
|
# late-enough for a user to `mkBefore` it.
|
||||||
|
(mkOrder 600 (defaultRule {
|
||||||
|
groups = [ "wheel" ];
|
||||||
|
opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
|
||||||
|
}))
|
||||||
|
];
|
||||||
|
|
||||||
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
|
security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
|
||||||
''
|
''
|
||||||
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
|
||||||
# or ‘security.sudo.extraRules’ instead.
|
# or ‘security.sudo.extraRules’ instead.
|
||||||
''
|
''
|
||||||
''
|
(concatStringsSep "\n" (
|
||||||
# "root" is allowed to do anything.
|
lists.flatten (
|
||||||
root ALL=(ALL:ALL) SETENV: ALL
|
map (
|
||||||
''
|
rule: optionals (length rule.commands != 0) [
|
||||||
(optionalString (cfg.extraRules != []) ''
|
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
||||||
# extraRules
|
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
||||||
${concatStringsSep "\n" (
|
]
|
||||||
lists.flatten (
|
) cfg.extraRules
|
||||||
map (
|
)
|
||||||
rule: optionals (length rule.commands != 0) [
|
) + "\n")
|
||||||
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
|
|
||||||
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
|
|
||||||
]
|
|
||||||
) cfg.extraRules
|
|
||||||
)
|
|
||||||
)}
|
|
||||||
'')
|
|
||||||
(optionalString (cfg.extraConfig != "") ''
|
(optionalString (cfg.extraConfig != "") ''
|
||||||
# extraConfig
|
# extraConfig
|
||||||
${cfg.extraConfig}
|
${cfg.extraConfig}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue