nixpkgs/system/sudo.nix

{pkgs, config, ...}:

###### interface
let
  inherit (pkgs.lib) mkOption;

  options = {
    security = {
      sudo = {

        enable = mkOption {
          default = true;
          description = "
            Whether to enable the <command>sudo</command> command, which
            allows non-root users to execute commands as root.
          ";
        };

        configFile = mkOption {
          default = "
# WARNING: do not edit this file directly or with \"visudo\".  Instead,
# edit the source file in /etc/nixos/nixos/etc/sudoers.

# \"root\" is allowed to do anything.
root        ALL=(ALL) SETENV: ALL

# Users in the \"wheel\" group can do anything.
%wheel      ALL=(ALL) SETENV: ALL
          ";
          description = "
            This string contains the contents of the
            <filename>sudoers</filename> file.
          ";
          # If syntax errors are detected in this file, the NixOS
          # configuration will fail to build.
        };

      };
    };
  };
in

###### implementation
let
  cfg = config.security.sudo;
  inherit (pkgs.lib) mkIf;
  inherit (pkgs) sudo;
in

mkIf cfg.enable {
  require = [
    options

    # config.environment.etc
    ../etc/default.nix

    # ? # config.environment.extraPackages
    # ? # config.security.extraSetuidPrograms
  ];

  security = {
    extraSetuidPrograms = [
      "sudo"
    ];
  };

  environment = {
    extraPackages = [ sudo ];

    etc = [
      {
        source = ../etc/pam.d/sudo;
        target = "pam.d/sudo";
      }
      {
        source = pkgs.runCommand "sudoers"
          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
          # Make sure that the sudoers file is syntactically valid.
          # (currently disabled - NIXOS-66)
          #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
          "cp $src $out";
        target = "sudoers";
        mode = "0440";
      }
    ];
  };
}