nixos/sudo: Handle root's default rule through extraRules

This makes things more uniform; moreover, users can now inject rules before this.
2025-07-13 21:50:33 +03:00 · 2023-09-07 12:46:04 +00:00 · 2023-09-07 12:46:04 +00:00 · 93011e31bd
commit 93011e31bd
parent 097115485a
1 changed files with 31 additions and 24 deletions
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -182,12 +182,26 @@ in
        message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
    ];

-    # We `mkOrder 600` so that the default rule shows up first, but there is
-    # still enough room for a user to `mkBefore` it.
-    security.sudo.extraRules = mkOrder 600 [
-      { groups = [ "wheel" ];
-        commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
-      }
+    security.sudo.extraRules =
+      let
+        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
+          inherit users groups;
+          commands = [ {
+            command = "ALL";
+            options = opts ++ [ "SETENV" ];
+	  } ];
+        } ];
+      in mkMerge [
+        # This is ordered before users' `mkBefore` rules,
+        # so as not to introduce unexpected changes.
+        (mkOrder 400 (defaultRule { users = [ "root" ]; }))
+
+        # This is ordered to show before (most) other rules, but
+        # late-enough for a user to `mkBefore` it.
+        (mkOrder 600 (defaultRule {
+          groups = [ "wheel" ];
+          opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
+        }))
      ];

    security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
@ -195,13 +209,7 @@ in
        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
        # or ‘security.sudo.extraRules’ instead.
      ''
-      ''
-        # "root" is allowed to do anything.
-        root        ALL=(ALL:ALL) SETENV: ALL
-      ''
-      (optionalString (cfg.extraRules != []) ''
-        # extraRules
-        ${concatStringsSep "\n" (
+      (concatStringsSep "\n" (
        lists.flatten (
          map (
            rule: optionals (length rule.commands != 0) [
@ -210,8 +218,7 @@ in
            ]
          ) cfg.extraRules
        )
-        )}
-      '')
+      ) + "\n")
      (optionalString (cfg.extraConfig != "") ''
        # extraConfig
        ${cfg.extraConfig}