doas: refactor config generation

According to Ted Unangst, since doas evaluates rules in a last
matched manner, it is prudent to have the "permit root to do everything
without a password" rule at the end of the file.

Source: https://flak.tedunangst.com/post/doas-mastery
Savyasachee Jha 2023-03-17 16:16:47 +05:30 committed by Cole Helbling
parent c23e8da50f
commit 4177ddcfd6
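To make the last-match behaviour the commit message relies on concrete, here is an added example (not nixpkgs or doas code) that simulates doas rule evaluation over a simplified `doas.conf` subset and compares the old and new layouts of the generated file; `EXTRA`, the `:wheel` rule and the `reboot` deny are constructed sample inputs.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str               # "permit" or "deny"
    options: frozenset        # subset used here: nopass, persist, keepenv
    identity: str             # user name, or ":group"
    target: "str | None"      # "as <user>" restriction; None = any target
    cmd: "str | None"         # "cmd <command>" restriction; None = any command

def parse(conf: str) -> list:
    """Parse the doas.conf subset the NixOS module generates (simplified)."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not tok:
            continue
        action, tok = tok[0], tok[1:]
        opts = set()
        while tok and tok[0] in ("nopass", "persist", "keepenv"):
            opts.add(tok.pop(0))
        identity, target, cmd = tok.pop(0), None, None
        while tok:                            # optional "as <user>" / "cmd <path>"
            key, val = tok.pop(0), tok.pop(0)
            if key == "as":
                target = val
            elif key == "cmd":
                cmd = val
        rules.append(Rule(action, frozenset(opts), identity, target, cmd))
    return rules

def evaluate(rules, user, groups, cmd, target="root"):
    """Decision for `user` running `cmd` as `target`: the LAST matching rule wins."""
    decision = ("deny", frozenset())          # no matching rule at all -> denied
    for r in rules:
        ident_ok = r.identity == user or (r.identity.startswith(":") and r.identity[1:] in groups)
        if ident_ok and r.target in (None, target) and r.cmd in (None, cmd):
            decision = (r.action, r.options)
    return decision

REBOOT = "/run/current-system/sw/bin/reboot"
EXTRA = f"permit persist :wheel\ndeny root cmd {REBOOT}\n"   # constructed extraRules/extraConfig text
ROOT_RULE = "permit nopass keepenv root\n"
OLD_LAYOUT = ROOT_RULE + EXTRA     # before this commit: root rule first, extras after
NEW_LAYOUT = EXTRA + ROOT_RULE     # after this commit: root rule last, so it always wins

def root_may_reboot(conf):
    """'permit' or 'deny' for root running reboot under the given config text."""
    return evaluate(parse(conf), "root", {"root"}, REBOOT)[0]
```

With the old layout the user's `deny root cmd ...` line is the last match and wins; with the new layout the trailing root rule wins, which is exactly what the added option descriptions warn about.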


@ -75,7 +75,9 @@ in
{file}`/etc/doas.conf` file. More specific rules should
come after more general ones in order to yield the expected behavior.
You can use `mkBefore` and/or `mkAfter` to ensure
this is the case when configuration options are merged.
this is the case when configuration options are merged. Be aware that
this option cannot be used to override the behaviour allowing
passwordless operation for root.
'';
example = literalExpression ''
[
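Review bot: the added caveat on `extraRules` says what cannot be done but not why; since the generated file now ends with `permit nopass keepenv root` and doas applies the last matching rule, state that a rule for `root` placed in `extraRules` is silently overridden, and point users who need a different root policy to `environment.etc."doas.conf"`, which the generated file's own header comment already names as the way to replace the file wholesale.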
@ -224,7 +226,9 @@ in
type = with types; lines;
default = "";
description = lib.mdDoc ''
Extra configuration text appended to {file}`doas.conf`.
Extra configuration text appended to {file}`doas.conf`. Be aware that
this option cannot be used to override the behaviour allowing
passwordless operation for root.
'';
};
};
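Review bot: this is a behaviour change for existing systems, not only a documentation note: `extraConfig` used to be the last text in `doas.conf`, so a configuration that ended it with a rule restricting `root` loses that restriction on the next rebuild. It should be called out in the release notes, and the sentence duplicated from the `extraRules` description could be factored into one shared string.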
@ -266,14 +270,14 @@ in
# completely replace the contents of this file, use
# `environment.etc."doas.conf"`.
# "root" is allowed to do anything.
permit nopass keepenv root
# extraRules
${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))}
# extraConfig
${cfg.extraConfig}
# "root" is allowed to do anything.
permit nopass keepenv root
'';
preferLocalBuild = true;
}
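Review bot: the comment above the relocated `permit nopass keepenv root` rule should say that it is deliberately last because doas uses the last matching rule; without that, a later tidy-up could move it back to the top and reintroduce the overridable-root behaviour without anyone noticing. Since any `root` rule in `cfg.extraRules` or `cfg.extraConfig` is now dead, consider emitting a warning when `extraRules` contains a rule whose `users` includes `root`.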