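# NixOS module for the sudo command.
#
# Declares the security.sudo.* options and, when enabled, generates a
# validated /etc/sudoers, installs sudo as a setuid program and wires its
# PAM service up for ssh-agent authentication.
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.sudo;

  inherit (pkgs) sudo;

in

{

  ###### interface

  options = {

    security.sudo.enable = mkOption {
      type = types.bool;
      default = true;
      description =
        ''
          Whether to enable the <command>sudo</command> command, which
          allows non-root users to execute commands as root.
        '';
    };

    security.sudo.wheelNeedsPassword = mkOption {
      type = types.bool;
      default = true;
      # The original description was inverted relative to the option name
      # and its use below: `true` (the default) means a password IS required.
      description =
        ''
          Whether users of the <code>wheel</code> group must enter their
          password to execute commands as super user.
        '';
    };

    security.sudo.configFile = mkOption {
      type = types.lines;
      # Note: if syntax errors are detected in this file, the NixOS
      # configuration will fail to build (see the visudo check below).
      # NOTE(review): because the type is `lines`, a value set by the user is
      # merged (concatenated) with the default defined in the implementation
      # section rather than replacing it — confirm that this is the intended
      # merge behaviour.
      description =
        ''
          This string contains the contents of the
          <filename>sudoers</filename> file.
        '';
    };

    security.sudo.extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        Extra configuration text appended to <filename>sudoers</filename>.
      '';
    };
  };


  ###### implementation

  config = mkIf cfg.enable {

    security.sudo.configFile =
      ''
        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
        # or ‘security.sudo.extraConfig’ instead.

        # Environment variables to keep for root and %wheel.
        Defaults:root,%wheel env_keep+=TERMINFO_DIRS
        Defaults:root,%wheel env_keep+=TERMINFO

        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
        Defaults env_keep+=SSH_AUTH_SOCK

        # "root" is allowed to do anything.
        root        ALL=(ALL) SETENV: ALL

        # Users in the "wheel" group can do anything.
        %wheel      ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
        ${cfg.extraConfig}
      '';

    # sudo and sudoedit only work when installed setuid root.
    security.setuidPrograms = [ "sudo" "sudoedit" ];

    environment.systemPackages = [ sudo ];

    # Pairs with the SSH_AUTH_SOCK env_keep entry above: lets users
    # authenticate to sudo with a forwarded ssh agent instead of a password.
    security.pam.services.sudo = { sshAgentAuth = true; };

    environment.etc = singleton
      { source =
          pkgs.runCommand "sudoers"
          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
          # Make sure that the sudoers file is syntactically valid; a syntax
          # error anywhere in configFile or extraConfig fails the build here
          # instead of locking users out of sudo at runtime.
          # NOTE(review): an earlier note marked this check as disabled
          # (NIXOS-66), but the command below does invoke `visudo -c` — confirm
          # which state is intended.
          "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
        target = "sudoers";
        # sudoers must not be writable or world-readable; 0440 is the mode
        # sudo expects for this file.
        mode = "0440";
      };

  };

}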