From a1aca8a0d3080ceea139d44f96850dd1c97293a5 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Mon, 15 Jan 2024 15:52:38 +0300
Subject: [PATCH] Upgrade sudo config

---
 modules/sudo.nix | 54 ++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 50 insertions(+), 4 deletions(-)

diff --git a/modules/sudo.nix b/modules/sudo.nix
index a1abbd5..f63aaf6 100644
--- a/modules/sudo.nix
+++ b/modules/sudo.nix
@@ -1,10 +1,56 @@
-{ ulib, ... }: with ulib;
+{ lib, ulib, ... }: with ulib; merge
 
-systemConfiguration {
+(desktopSystemConfiguration {
+  security.sudo.wheelNeedsPassword = false;
+})
+
+(systemConfiguration {
   security.sudo = enabled {
     extraConfig = ''
-      Defaults timestamp_timeout=${if ulib.isDesktop then "-1" else "0"}
+      Defaults lecture = never
+      Defaults pwfeedback
+      Defaults env_keep += "DISPLAY EDITOR PATH"
+      ${lib.optionalString ulib.isServer ''
+        Defaults timestamp_timeout = 0
+      ''}
     '';
     execWheelOnly = true;
+
+    extraRules = [{
+      groups = [ "wheel" ];
+      commands = let
+        system = "/run/current-system";
+        store = "/nix/store";
+      in [
+        {
+          command = "${store}/*/bin/switch-to-configuration";
+          options = [ "SETENV" "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/nix system";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/nix-collect-garbage";
+          options = [ "SETENV" "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/nix-env";
+          options = [ "SETENV" "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/nix-store";
+          options = [ "SETENV" "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/nixos-rebuild";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "${system}/sw/bin/systemctl";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }];
   };
-}
+})
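Review bot: The `extraRules` list lives in the unconditional `systemConfiguration` part, so its `NOPASSWD` entries apply to servers as well and undo what `Defaults timestamp_timeout = 0` under `lib.optionalString ulib.isServer` is trying to enforce, while on desktops they are redundant because `wheelNeedsPassword = false` already covers the wheel group. Several entries also amount to unrestricted passwordless root rather than a narrow allowance: `${store}/*/bin/switch-to-configuration` matches any store path (and ordinary users can realise paths into `/nix/store`, so a wheel member is not limited to the system's own generation), `nix-env` and `nix-store` run as root with `SETENV`, and `systemctl` honours `EDITOR`, which the new `env_keep` line now preserves across sudo. The simplest containment is to make the list desktop-only, `extraRules = lib.optionals (!ulib.isServer) [{`, or to drop `NOPASSWD` from the store-wildcard and nix-tool rules on servers and keep it only for commands that genuinely need to run unattended. A comment above the list stating which workflow each rule exists for (for example that `nixos-rebuild switch` invokes the store-path `switch-to-configuration` through sudo) would make the intended scope reviewable later.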