nixos/sudo: Refactor option definitions

This commit is contained in:
nicoo 2023-09-07 11:57:20 +00:00
parent 19e1420e13
commit 77ed368b20

View file

@ -30,41 +30,27 @@ in
###### interface
options = {
options.security.sudo = {
security.sudo.enable = mkOption {
enable = mkEnableOption (mdDoc ''
the {command}`sudo` command, which allows non-root users to execute commands as root.
'');
package = mkPackageOption pkgs "sudo" { };
wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description =
lib.mdDoc ''
Whether to enable the {command}`sudo` command, which
allows non-root users to execute commands as root.
'';
};
security.sudo.package = mkOption {
type = types.package;
default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo";
description = lib.mdDoc ''
Which package to use for `sudo`.
'';
};
security.sudo.wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description =
lib.mdDoc ''
description = mdDoc ''
Whether users of the `wheel` group must
provide a password to run commands as super user via {command}`sudo`.
'';
};
security.sudo.execWheelOnly = mkOption {
execWheelOnly = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
description = mdDoc ''
Only allow members of the `wheel` group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of `wheel` from
@ -72,19 +58,18 @@ in
'';
};
security.sudo.configFile = mkOption {
configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
# configuration will fail to build.
description =
lib.mdDoc ''
description = mdDoc ''
This string contains the contents of the
{file}`sudoers` file.
'';
};
security.sudo.extraRules = mkOption {
description = lib.mdDoc ''
extraRules = mkOption {
description = mdDoc ''
Define specific rules to be in the {file}`sudoers` file.
More specific rules should come after more general ones in order to
yield the expected behavior. You can use mkBefore/mkAfter to ensure
@ -114,7 +99,7 @@ in
options = {
users = mkOption {
type = with types; listOf (either str int);
description = lib.mdDoc ''
description = mdDoc ''
The usernames / UIDs this rule should apply for.
'';
default = [];
@ -122,7 +107,7 @@ in
groups = mkOption {
type = with types; listOf (either str int);
description = lib.mdDoc ''
description = mdDoc ''
The groups / GIDs this rule should apply for.
'';
default = [];
@ -131,7 +116,7 @@ in
host = mkOption {
type = types.str;
default = "ALL";
description = lib.mdDoc ''
description = mdDoc ''
For what host this rule should apply.
'';
};
@ -139,7 +124,7 @@ in
runAs = mkOption {
type = with types; str;
default = "ALL:ALL";
description = lib.mdDoc ''
description = mdDoc ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: `"foo"`.
@ -149,7 +134,7 @@ in
};
commands = mkOption {
description = lib.mdDoc ''
description = mdDoc ''
The commands for which the rule should apply.
'';
type = with types; listOf (either str (submodule {
@ -157,7 +142,7 @@ in
options = {
command = mkOption {
type = with types; str;
description = lib.mdDoc ''
description = mdDoc ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with `""` used as the argument,
not allowing arguments to the command at all.
@ -166,7 +151,7 @@ in
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = lib.mdDoc ''
description = mdDoc ''
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
'';
default = [];
@ -179,10 +164,10 @@ in
});
};
security.sudo.extraConfig = mkOption {
extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
description = mdDoc ''
Extra configuration text appended to {file}`sudoers`.
'';
};