doas: refactor config generation
According to Ted Unangst, since doas evaluates rules in a last-matched manner, it is prudent to have the "permit root to do everything without a password" at the end of the file. Source: https://flak.tedunangst.com/post/doas-mastery
parent c23e8da50f
commit 4177ddcfd6
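The commit message rests on one property of doas: when several rules match a request, the last one in the file wins. The evaluator below is an added example written for this page, not doas or NixOS code. It models only `permit`/`deny`, the option words, a user or `:group` identity, `as <target>` and `cmd <command>`; `args`, `setenv` and persist state are left out, and treating `root` as the default target is an assumption. The two constructed configs reproduce the module's old and new ordering, with a hypothetical `permit root` line (no `nopass`) standing in for something a user might put in `extraConfig`, to show why the root rule has to come last.

```python
"""Toy model of doas(1) rule precedence (added example, not doas/NixOS code).

doas reads doas.conf top to bottom and the LAST rule that matches a request
decides the outcome. This matcher reproduces only that precedence for
permit/deny rules with option words, a user or :group identity, `as <target>`
and `cmd <command>`. args, setenv and persist state are omitted (assumption).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    options: FrozenSet[str]        # e.g. {"nopass", "keepenv"}
    identity: str                  # user name, or ":group"
    target: Optional[str] = None   # `as target`; None matches any target
    cmd: Optional[str] = None      # `cmd path`; None matches any command


def parse_conf(text: str) -> List[Rule]:
    """Parse doas.conf-style rules; comments and blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, tokens = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        options = set()
        while tokens and tokens[0] in OPTION_WORDS:
            options.add(tokens.pop(0))
        if not tokens:
            raise ValueError(f"rule has no identity: {raw!r}")
        identity = tokens.pop(0)
        target = cmd = None
        while tokens:
            keyword = tokens.pop(0)
            if keyword == "as" and tokens:
                target = tokens.pop(0)
            elif keyword == "cmd" and tokens:
                cmd = tokens.pop(0)
            else:
                raise ValueError(f"unsupported syntax in rule: {raw!r}")
        rules.append(Rule(action, frozenset(options), identity, target, cmd))
    return rules


def decide(rules: List[Rule], user: str, groups: Set[str],
           target: str = "root", cmd: Optional[str] = None) -> Tuple[str, FrozenSet[str]]:
    """Return (action, options) of the LAST matching rule; deny if none match."""
    decision: Tuple[str, FrozenSet[str]] = ("deny", frozenset())
    for rule in rules:
        if rule.identity.startswith(":"):
            if rule.identity[1:] not in groups:
                continue
        elif rule.identity != user:
            continue
        if rule.target is not None and rule.target != target:
            continue
        if rule.cmd is not None and rule.cmd != cmd:
            continue
        decision = (rule.action, rule.options)  # a later match overwrites an earlier one
    return decision


# Constructed configs mirroring the module's template. The hypothetical
# `permit root` line stands in for user-supplied extraConfig; it lacks nopass.
NEW_ORDER = """
permit :wheel
deny alice cmd /sbin/reboot
permit bob as backup cmd /usr/bin/rsync
permit root                          # extraConfig
permit nopass keepenv root           # root rule, now emitted last
"""

OLD_ORDER = """
permit nopass keepenv root           # root rule, previously emitted first
permit :wheel
deny alice cmd /sbin/reboot
permit bob as backup cmd /usr/bin/rsync
permit root                          # extraConfig
"""


def root_is_passwordless(conf: str) -> bool:
    """True when the last rule matching root as root carries nopass."""
    action, options = decide(parse_conf(conf), "root", set())
    return action == "permit" and "nopass" in options


if __name__ == "__main__":
    print("new order, root nopass:", root_is_passwordless(NEW_ORDER))
    print("old order, root nopass:", root_is_passwordless(OLD_ORDER))
    rules = parse_conf(NEW_ORDER)
    print("alice reboot:", decide(rules, "alice", {"wheel"}, cmd="/sbin/reboot"))
    print("alice ls:    ", decide(rules, "alice", {"wheel"}, cmd="/bin/ls"))
```

With the root rule first, the later `permit root` line silently strips `nopass` and root is prompted for a password; with the rule last, nothing above it can change root's treatment. The same mechanism is what makes `deny alice cmd /sbin/reboot` effective only because it follows the broader `permit :wheel`.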
@ -75,7 +75,9 @@ in
{file}`/etc/doas.conf` file. More specific rules should
come after more general ones in order to yield the expected behavior.
You can use `mkBefore` and/or `mkAfter` to ensure
this is the case when configuration options are merged.
this is the case when configuration options are merged. Be aware that
this option cannot be used to override the behaviour allowing
passwordless operation for root.
'';
example = literalExpression ''
[
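Review bot: the added caveat in this description says `extraRules` cannot override passwordless root but not why, and it leaves the preceding `mkBefore`/`mkAfter` advice sounding as if `mkAfter` could place a rule after the root permit. State the mechanism so readers can reason about it: `permit nopass keepenv root` is always emitted after every rule from this option and doas uses the last matching rule, so `mkBefore`/`mkAfter` only order these rules relative to each other. Suggested wording: "Be aware that the final `permit nopass keepenv root` rule is placed after these rules, so they cannot override passwordless operation for root; to replace the whole file, set `environment.etc."doas.conf"` instead."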
@ -224,7 +226,9 @@ in
type = with types; lines;
default = "";
description = lib.mdDoc ''
Extra configuration text appended to {file}`doas.conf`.
Extra configuration text appended to {file}`doas.conf`. Be aware that
this option cannot be used to override the behaviour allowing
passwordless operation for root.
'';
};
};
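Review bot: "Extra configuration text appended to {file}`doas.conf`" is no longer accurate for `extraConfig`: the generated file now emits the root permit rule after it, so this text lands before the final rule rather than at the end of the file. Say where it lands and why that matters, e.g. "Extra configuration text inserted before the final `permit nopass keepenv root` rule in {file}`doas.conf`; since doas applies the last matching rule, it cannot override passwordless operation for root." The caveat sentence is also duplicated verbatim from `extraRules`; pointing both options at one explanation would keep them from drifting apart.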
@ -266,14 +270,14 @@ in
# completely replace the contents of this file, use
# `environment.etc."doas.conf"`.
# "root" is allowed to do anything.
|
||||
permit nopass keepenv root
# extraRules
|
||||
${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))}
# extraConfig
|
||||
${cfg.extraConfig}
# "root" is allowed to do anything.
permit nopass keepenv root
'';
preferLocalBuild = true;
}
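Review bot: the relocated `permit nopass keepenv root` rule carries only the comment `# "root" is allowed to do anything.`, which does not record that its position is load-bearing; a future contributor tidying the template could move it back above `# extraRules` and silently let `extraRules`/`extraConfig` override it again. Suggest a comment at the rule itself, e.g. `# Kept last on purpose: doas applies the last matching rule, so nothing above can override this.` It is also worth noting in the module (or the option docs) that a `deny root` supplied through `extraRules` is now ignored without any warning, and that the only way to change root's treatment is the `environment.etc."doas.conf"` route the header comment already mentions.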