···
1
+
{ config, lib, pkgs, ... }:
5
+
cfg = config.security.doas;
9
+
mkUsrString = user: toString user;
11
+
mkGrpString = group: ":${toString group}";
13
+
mkOpts = rule: concatStringsSep " " [
14
+
(optionalString rule.noPass "nopass")
15
+
(optionalString rule.persist "persist")
16
+
(optionalString rule.keepEnv "keepenv")
17
+
"setenv { SSH_AUTH_SOCK ${concatStringsSep " " rule.setEnv} }"
21
+
if (isNull rule.args) then ""
22
+
else if (length rule.args == 0) then "args"
23
+
else "args ${concatStringsSep " " rule.args}";
29
+
as = optionalString (!isNull rule.runAs) "as ${rule.runAs}";
31
+
cmd = optionalString (!isNull rule.cmd) "cmd ${rule.cmd}";
35
+
optionals (length cfg.extraRules > 0) [
37
+
optionalString (length rule.users > 0)
38
+
(map (usr: "permit ${opts} ${mkUsrString usr} ${as} ${cmd} ${args}") rule.users)
41
+
optionalString (length rule.groups > 0)
42
+
(map (grp: "permit ${opts} ${mkGrpString grp} ${as} ${cmd} ${args}") rule.groups)
50
+
options.security.doas = {
53
+
type = with types; bool;
56
+
Whether to enable the <command>doas</command> command, which allows
57
+
non-root users to execute commands as root.
61
+
wheelNeedsPassword = mkOption {
62
+
type = with types; bool;
65
+
Whether users of the <code>wheel</code> group must provide a password to
66
+
run commands as super user via <command>doas</command>.
70
+
extraRules = mkOption {
73
+
Define specific rules to be set in the
74
+
<filename>/etc/doas.conf</filename> file. More specific rules should
75
+
come after more general ones in order to yield the expected behavior.
76
+
You can use <code>mkBefore</code> and/or <code>mkAfter</code> to ensure
77
+
this is the case when configuration options are merged.
79
+
example = literalExample ''
81
+
# Allow execution of any command by any user in group doas, requiring
82
+
# a password and keeping any previously-defined environment variables.
83
+
{ groups = [ "doas" ]; noPass = false; keepEnv = true; }
85
+
# Allow execution of "/home/root/secret.sh" by user `backup` OR user
86
+
# `database` OR any member of the group with GID `1006`, without a
88
+
{ users = [ "backup" "database" ]; groups = [ 1006 ];
89
+
cmd = "/home/root/secret.sh"; noPass = true; }
91
+
# Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user
92
+
# `foo` with argument `hello-doas`.
93
+
{ groups = [ "bar" ]; runAs = "foo";
94
+
cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; }
96
+
# Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user
97
+
# `foo` with no arguments.
98
+
{ groups = [ "bar" ]; runAs = "foo";
99
+
cmd = "/home/baz/cmd2.sh"; args = [ ]; }
101
+
# Allow user `abusers` to execute "nano" and unset the value of
102
+
# SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the
103
+
# value of BETA from the current environment.
104
+
{ users = [ "abusers" ]; cmd = "nano";
105
+
setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; }
108
+
type = with types; listOf (
112
+
noPass = mkOption {
113
+
type = with types; bool;
116
+
If <code>true</code>, the user is not required to enter a
121
+
persist = mkOption {
122
+
type = with types; bool;
125
+
If <code>true</code>, do not ask for a password again for some
126
+
time after the user successfully authenticates.
130
+
keepEnv = mkOption {
131
+
type = with types; bool;
134
+
If <code>true</code>, environment variables other than those
136
+
<citerefentry><refentrytitle>doas</refentrytitle><manvolnum>1</manvolnum></citerefentry>
137
+
are kept when creating the environment for the new process.
141
+
setEnv = mkOption {
142
+
type = with types; listOf str;
145
+
Keep or set the specified variables. Variables may also be
146
+
removed with a leading '-' or set using
147
+
<code>variable=value</code>. If the first character of
148
+
<code>value</code> is a '$', the value to be set is taken from
149
+
the existing environment variable of the indicated name. This
150
+
option is processed after the default environment has been
153
+
NOTE: All rules have <code>setenv { SSH_AUTH_SOCK }</code> by
154
+
default. To prevent <code>SSH_AUTH_SOCK</code> from being
155
+
inherited, add <code>"-SSH_AUTH_SOCK"</code> anywhere in this
161
+
type = with types; listOf (either str int);
163
+
description = "The usernames / UIDs this rule should apply for.";
166
+
groups = mkOption {
167
+
type = with types; listOf (either str int);
169
+
description = "The groups / GIDs this rule should apply for.";
173
+
type = with types; nullOr str;
176
+
Which user or group the specified command is allowed to run as.
177
+
When set to <code>null</code> (the default), all users are
180
+
A user can be specified using just the username:
181
+
<code>"foo"</code>. It is also possible to only allow running as
182
+
a specific group with <code>":bar"</code>.
187
+
type = with types; nullOr str;
190
+
The command the user is allowed to run. When set to
191
+
<code>null</code> (the default), all commands are allowed.
193
+
NOTE: It is best practice to specify absolute paths. If a
194
+
relative path is specified, only a restricted PATH will be
200
+
type = with types; nullOr (listOf str);
203
+
Arguments that must be provided to the command. When set to
204
+
<code>[]</code>, the command must be run without any arguments.
212
+
extraConfig = mkOption {
213
+
type = with types; lines;
216
+
Extra configuration text appended to <filename>doas.conf</filename>.
222
+
###### implementation
224
+
config = mkIf cfg.enable {
226
+
security.doas.extraRules = [
228
+
groups = [ "wheel" ];
229
+
noPass = !cfg.wheelNeedsPassword;
233
+
security.wrappers = {
234
+
doas.source = "${doas}/bin/doas";
237
+
environment.systemPackages = [
241
+
security.pam.services.doas = {
242
+
allowNullPassword = true;
243
+
sshAgentAuth = true;
246
+
environment.etc."doas.conf" = {
247
+
source = pkgs.runCommand "doas-conf"
249
+
src = pkgs.writeText "doas-conf-in" ''
250
+
# To modify this file, set the NixOS options
251
+
# `security.doas.extraRules` or `security.doas.extraConfig`. To
252
+
# completely replace the contents of this file, use
253
+
# `environment.etc."doas.conf"`.
255
+
# "root" is allowed to do anything.
256
+
permit nopass keepenv root
259
+
${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))}
264
+
preferLocalBuild = true;
266
+
# Make sure that the doas.conf file is syntactically valid.
267
+
"${pkgs.buildPackages.doas}/bin/doas -C $src && cp $src $out";
273
+
meta.maintainers = with maintainers; [ cole-h ];
pyrox.dev
helbling.dev