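{ config, lib, pkgs, ... }:

# NixOS module for sudo: declares the security.sudo.* options and, when
# enabled, generates and validates /etc/sudoers, installs the setuid
# wrappers, and wires the sudo PAM service.

with lib;

let

  cfg = config.security.sudo;

  inherit (pkgs) sudo;

in

{

  ###### interface

  options = {

    security.sudo.enable = mkOption {
      type = types.bool;
      default = true;
      description =
        ''
          Whether to enable the <command>sudo</command> command, which
          allows non-root users to execute commands as root.
        '';
    };

    # The original description of this option was inverted (it described the
    # behaviour of the *false* value); the text below matches what the
    # generated sudoers rule actually does.
    security.sudo.wheelNeedsPassword = mkOption {
      type = types.bool;
      default = true;
      description =
        ''
          Whether users of the <code>wheel</code> group must enter their
          password to execute commands as super user. When set to
          <literal>false</literal>, the <code>wheel</code> rule in
          <filename>sudoers</filename> is tagged <literal>NOPASSWD</literal>,
          so any member of <code>wheel</code> can become root without
          authenticating.
        '';
    };

    # No default here: the module fills this option in below (under config).
    # NOTE(review): because the type is types.lines, a value set elsewhere is
    # presumably merged (concatenated) with the text generated below rather
    # than replacing it; use mkForce to replace it wholesale — confirm against
    # the lib.types.lines merge semantics of the nixpkgs version in use.
    security.sudo.configFile = mkOption {
      type = types.lines;
      # Note: if syntax errors are detected in this file, the NixOS
      # configuration will fail to build (see the visudo check below).
      description =
        ''
          This string contains the contents of the
          <filename>sudoers</filename> file.
        '';
    };

    security.sudo.extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        Extra configuration text appended to <filename>sudoers</filename>.
      '';
    };
  };


  ###### implementation

  config = mkIf cfg.enable {

    # The generated sudoers text.
    #
    # NOTE(review): `Defaults env_keep+=SSH_AUTH_SOCK` preserves the invoking
    # user's agent socket in the environment of *every* command run through
    # sudo, not only during the PAM check — so anything executed as root can
    # use that user's agent keys. Keep that in mind when granting sudo access.
    security.sudo.configFile =
      ''
        # Don't edit this file. Set the NixOS options security.sudo.configFile
        # or security.sudo.extraConfig instead.

        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
        Defaults env_keep+=SSH_AUTH_SOCK

        # "root" is allowed to do anything.
        root ALL=(ALL:ALL) SETENV: ALL

        # Users in the "wheel" group can do anything.
        %wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
        ${cfg.extraConfig}
      '';

    # sudo and sudoedit need the setuid-root bit, which files in the Nix
    # store cannot carry; security.wrappers installs setuid copies of these
    # binaries outside the store.
    security.wrappers = {
      sudo.source = "${sudo.out}/bin/sudo";
      sudoedit.source = "${sudo.out}/bin/sudoedit";
    };

    environment.systemPackages = [ sudo ];

    # Allow authenticating to sudo via an SSH agent (pam_ssh_agent_auth).
    security.pam.services.sudo = { sshAgentAuth = true; };

    # Install the generated sudoers as /etc/sudoers. The file is run through
    # `visudo -c` at build time, so a syntax error fails the NixOS build
    # instead of being discovered only when sudo rejects the file at runtime.
    environment.etc = singleton
      { source =
          pkgs.runCommand "sudoers"
          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
          # Make sure that the sudoers file is syntactically valid.
          "${sudo}/sbin/visudo -f $src -c && cp $src $out";
        target = "sudoers";
        # Read-only for root (and root's group), not writable by anyone: the
        # conventional permissions sudo expects for its sudoers file.
        mode = "0440";
      };

  };

}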