nixpkgs/modules/security/sudo.nix
Mathijs Kwik b609ff4fcf allow out-of-tree nixos modules
The environment variable "NIXOS_EXTRA_MODULES" is now checked to
contain a path to a file similar to modules/module-list.nix.

This gives the ability to include nixos modules that are not in the
nixos source tree.

This can be useful for modules that are still experimental, or which
aren't useful for other nixos users. Of course, this was already
possible to do this using a forked nixos tree, but with this
functionality, you can just rely on the nixos channel, easing things a
lot.
2012-07-21 17:35:50 +02:00

81 lines
1.9 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{pkgs, config, ...}:
with pkgs.lib;
let
cfg = config.security.sudo;
inherit (pkgs) sudo;
in
{
###### interface
options = {
security.sudo.enable = mkOption {
default = true;
description =
''
Whether to enable the <command>sudo</command> command, which
allows non-root users to execute commands as root.
'';
};
security.sudo.configFile = mkOption {
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
default =
''
# Don't edit this file. Set the NixOS option security.sudo.configFile instead.
# Environment variables to keep for root and %wheel.
Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
Defaults:root,%wheel env_keep+=NIX_PATH
Defaults:root,%wheel env_keep+=NIXOS_EXTRA_MODULES
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
# "root" is allowed to do anything.
root ALL=(ALL) SETENV: ALL
# Users in the "wheel" group can do anything.
%wheel ALL=(ALL) SETENV: ALL
'';
description =
''
This string contains the contents of the
<filename>sudoers</filename> file.
'';
};
};
###### implementation
config = mkIf cfg.enable {
security.setuidPrograms = [ "sudo" ];
environment.systemPackages = [ sudo ];
security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ];
environment.etc = singleton
{ source = pkgs.writeText "sudoers-in" cfg.configFile;
# Make sure that the sudoers file is syntactically valid.
# (currently disabled - NIXOS-66)
#"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
target = "sudoers";
mode = "0440";
};
};
}