cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #265722 from nbraud/nixos/sudo-rs/btrbk

Browse source
This commit is contained in:
Maciej Krüger 2023-11-26 21:36:20 +01:00 committed by GitHub
commit cdd67575e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
nixos/modules/services/backup/btrbk.nix
View file

@ -47,8 +47,21 @@ let
then [ "${name} ${value}" ]
else concatLists (mapAttrsToList (genSection name) value);
sudoRule = {
users = [ "btrbk" ];
commands = [
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
{ command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
];
};
sudo_doas =
if config.security.sudo.enable then "sudo"
if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo"
else if config.security.doas.enable then "doas"
else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
@ -157,22 +170,10 @@ in
};
config = mkIf (sshEnabled || serviceEnabled) {
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
security.sudo = mkIf (sudo_doas == "sudo") {
extraRules = [
{
users = [ "btrbk" ];
commands = [
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
{ command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
];
}
];
};
security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
security.doas = mkIf (sudo_doas == "doas") {
extraRules = let
doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };