# NixOS module for sudo: declares the security.sudo options and, when
# enabled, contributes the sudo package, a setuid entry, a PAM service file
# and the sudoers file to the system configuration.
{pkgs, config, ...}:

###### interface

let

  mkOption = pkgs.lib.mkOption;

  options = {
    security = {
      sudo = {

        enable = mkOption {
          default = true;
          description = "
Whether to enable the sudo command, which
allows non-root users to execute commands as root.
";
        };

        # Verbatim text of the sudoers file.
        #
        # The default grants root and every member of the "wheel" group
        # unrestricted sudo (any host, any target user, any command). The
        # SETENV tag additionally lets the caller choose the environment
        # the command runs with.
        #
        # NOTE(review): the visudo syntax check in the implementation
        # section is currently disabled (NIXOS-66), so a syntax error in
        # this value does NOT fail the build; the text is installed as
        # given. Check changes by hand (visudo -c -f <file>) until the
        # check is re-enabled, since a malformed sudoers file can leave
        # sudo unusable.
        configFile = mkOption {
          default = "
# WARNING: do not edit this file directly or with \"visudo\". Instead,
# edit the source file in /etc/nixos/nixos/etc/sudoers.
# \"root\" is allowed to do anything.
root ALL=(ALL) SETENV: ALL
# Users in the \"wheel\" group can do anything.
%wheel ALL=(ALL) SETENV: ALL
";
          description = "
This string contains the contents of the
sudoers file.
";
        };

      };
    };
  };

in

###### implementation

let

  sudoCfg = config.security.sudo;
  mkIf = pkgs.lib.mkIf;

  # environment.etc entry for sudo's PAM service file.
  pamEntry = {
    source = ./sudo.pam;
    target = "pam.d/sudo";
  };

  # environment.etc entry for the sudoers file, built from
  # security.sudo.configFile.
  sudoersEntry = {
    source = pkgs.runCommand "sudoers"
      { src = pkgs.writeText "sudoers-in" sudoCfg.configFile; }
      # Intended builder: validate the file with visudo before copying it,
      # so that a syntactically invalid sudoers aborts the build.
      # Currently disabled (NIXOS-66); the file is copied unchecked.
      #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
      "cp $src $out";
    target = "sudoers";
    # 0440 (read-only for owner and group, nothing for others) is the mode
    # sudo expects for its sudoers file by default.
    mode = "0440";
  };

in

mkIf sudoCfg.enable {

  require = [
    options
    # config.environment.etc
    # ../etc/default.nix
    # ? # config.environment.extraPackages
    # ? # config.security.extraSetuidPrograms
  ];

  # sudo has to run setuid root to switch users.
  # NOTE(review): presumably this option is what installs the setuid
  # wrapper - confirm against the module that defines it.
  security = { extraSetuidPrograms = [ "sudo" ]; };

  environment = {
    extraPackages = [ pkgs.sudo ];
    etc = [ pamEntry sudoersEntry ];
  };

}