modules: improve settings to configure nopasswd commands

This commit is contained in:
Dmitriy Pleshevskiy 2024-09-29 00:15:11 +03:00
parent 390f54b1f5
commit a501f2ea16
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
6 changed files with 43 additions and 10 deletions


@ -36,14 +36,4 @@
local.programs.pass.enable = lib.mkDefault true; local.programs.pass.enable = lib.mkDefault true;
local.programs.browsers.librewolf.enable = lib.mkDefault true; local.programs.browsers.librewolf.enable = lib.mkDefault true;
security.sudo.extraRules = [{
commands = [
{
command = "/run/current-system/sw/bin/nixos-container";
options = [ "NOPASSWD" ];
}
];
groups = [ "wheel" ];
}];
} }


@ -5,6 +5,7 @@
./fonts.nix ./fonts.nix
./keyboard.nix ./keyboard.nix
./nix.nix ./nix.nix
./security.nix
./sound.nix ./sound.nix
./system.nix ./system.nix
./yubikey.nix ./yubikey.nix


@ -0,0 +1,36 @@
{ config, lib, ... }:
let
cfg = config.local.security.sudo;
in
{
options.local.security.sudo = with lib; {
nopasswd = mkOption {
type = types.listOf (types.submodule {
options = {
commands = mkOption {
type = listOf (types.either types.str types.package);
};
groups = mkOption {
type = types.listOf types.str;
default = [ "wheel" ];
};
};
});
default = [ ];
};
};
config = cfg.nopasswd != [ ] {
security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
inherit (rule) groups;
commands = lib.flip map rule.commands (cmd: [
{
command = "${cmd}";
options = [ "NOPASSWD" ];
}
]);
});
};
}
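Review bot: Line 62 `config = cfg.nopasswd != [ ] {` lacks the `lib.mkIf` wrapper, so `[ ] { … }` is parsed as applying a list to an attribute set and the module fails to evaluate as soon as it is imported via line 33; it should read `config = lib.mkIf (cfg.nopasswd != [ ]) {`. Line 51 uses a bare `listOf`, which `with lib;` does not bring into scope (it exposes `lib.*`, not `lib.types.*`), so it should be `types.listOf (types.either types.str types.package)` as line 54 already does. The inner map on lines 65–70 wraps each command in its own one-element list, yielding a list of lists where `security.sudo.extraRules.*.commands` expects a flat list of `{ command; options; }` sets; the rewritten block below drops the extra brackets. Separately, the callers on lines 80, 89 and 98 pass package derivations, and `"${cmd}"` on line 67 expands a derivation to its store path, which is normally a directory rather than the executable sudo matches against, so the NOPASSWD entry may silently never apply; if packages are meant to be accepted, mapping them through `lib.getExe cmd` (or an explicit `${cmd}/bin/<program>`) is presumably what is intended — worth confirming with `sudo -l` on a host where one of these containers is enabled.
```nix
  config = lib.mkIf (cfg.nopasswd != [ ]) {
    security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
      inherit (rule) groups;
      commands = lib.flip map rule.commands (cmd: {
        command = "${cmd}";
        options = [ "NOPASSWD" ];
      });
    });
  };
```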


@ -39,6 +39,8 @@ in
config = lib.mkIf isEnable { config = lib.mkIf isEnable {
environment.systemPackages = hostPackages; environment.systemPackages = hostPackages;
local.security.sudo.nopasswd = [{ commands = hostPackages; }];
local.sound.systemWide = true; local.sound.systemWide = true;
containers.browsers = { containers.browsers = {


@ -27,6 +27,8 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ hostSkype ]; environment.systemPackages = [ hostSkype ];
local.security.sudo.nopasswd = [{ commands = [ hostSkype ]; }];
local.sound.systemWide = true; local.sound.systemWide = true;
containers.skype = { containers.skype = {


@ -27,6 +27,8 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ hostTelegram ]; environment.systemPackages = [ hostTelegram ];
local.security.sudo.nopasswd = [{ commands = [ hostTelegram ]; }];
local.sound.systemWide = true; local.sound.systemWide = true;
containers.telegram = { containers.telegram = {