bb8fc2646e
$ sed -i '/require =/ { :b; s,(import \([^)]*\)),\1,; /];/ { b e }; n; b b; :e }' *.nix svn path=/nixos/branches/modular-nixos/; revision=15660
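{pkgs, config, ...}:

# NixOS module for the sudo command.  The "interface" half declares the
# security.sudo.* options; the "implementation" half, active only when
# security.sudo.enable is true, installs the sudo package as a setuid
# program, provides its PAM stack and generates /etc/sudoers from the
# security.sudo.configFile option.

###### interface
let

  inherit (pkgs.lib) mkOption;

  options = {
    security = {
      sudo = {

        enable = mkOption {
          default = true;
          description = "
            Whether to enable the <command>sudo</command> command, which
            allows non-root users to execute commands as root.
          ";
        };

        configFile = mkOption {
          # The value of this option is copied to /etc/sudoers verbatim
          # (see the runCommand below).  An indented string ('' ... '') is
          # used so that the leading newline and the common indentation of
          # the Nix source are stripped rather than written into the
          # sudoers file, and so that double quotes need no backslash
          # escaping.
          #
          # The SETENV tag on both default rules lets root and members of
          # "wheel" override environment variables for the commands they
          # run; this is a deliberate relaxation of sudo's environment
          # sanitising that should be reviewed when hardening a system.
          default = ''
            # WARNING: do not edit this file directly or with "visudo". Instead,
            # edit the source file in /etc/nixos/nixos/etc/sudoers.

            # "root" is allowed to do anything.
            root ALL=(ALL) SETENV: ALL

            # Users in the "wheel" group can do anything.
            %wheel ALL=(ALL) SETENV: ALL
          '';
          description = "
            This string contains the contents of the
            <filename>sudoers</filename> file.
          ";
          # The visudo syntax check in the implementation is currently
          # disabled (NIXOS-66), so a syntax error in this string is NOT
          # caught when the NixOS configuration is built; it will only
          # surface when sudo is invoked and parses /etc/sudoers.
        };

      };
    };
  };

in

###### implementation
let

  cfg = config.security.sudo;

  inherit (pkgs.lib) mkIf;
  inherit (pkgs) sudo;

in

mkIf cfg.enable {

  require = [
    options

    # config.environment.etc
    ../etc/default.nix

    # ? # config.environment.extraPackages
    # ? # config.security.extraSetuidPrograms
  ];

  security = {
    # sudo only works as a setuid-root binary; registering it here is what
    # makes the privileged wrapper available to non-root users.
    extraSetuidPrograms = [ "sudo" ];
  };

  environment = {
    extraPackages = [ sudo ];

    etc = [
      { # PAM stack consulted by sudo when authenticating a user.
        source = ../etc/pam.d/sudo;
        target = "pam.d/sudo";
      }
      { # /etc/sudoers, generated from the security.sudo.configFile option.
        source = pkgs.runCommand "sudoers"
          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
          # Make sure that the sudoers file is syntactically valid.
          # (currently disabled - NIXOS-66)
          #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
          "cp $src $out";
        target = "sudoers";
        # sudo refuses to run with a sudoers file that is writable by
        # anyone other than its owner; 0440 is the mode visudo itself
        # uses.
        # NOTE(review): the intermediate "sudoers-in" and "sudoers" store
        # paths are readable by every user, like the rest of the Nix
        # store, so this mode does not keep the policy text confidential
        # -- confirm whether that matters for this deployment.
        mode = "0440";
      }
    ];
  };

}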