mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-02-23 12:34:15 +00:00
nixos/sudo: Refactor option definitions
This commit is contained in:
nicoo
parent
19e1420e13
commit
77ed368b20
@ -30,41 +30,27 @@ in
|
|||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
|
|
||||||
options = {
|
options.security.sudo = {
|
||||||
|
|
||||||
security.sudo.enable = mkOption {
|
enable = mkEnableOption (mdDoc ''
|
||||||
|
the {command}`sudo` command, which allows non-root users to execute commands as root.
|
||||||
|
'');
|
||||||
|
|
||||||
|
package = mkPackageOption pkgs "sudo" { };
|
||||||
|
|
||||||
|
wheelNeedsPassword = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description =
|
description = mdDoc ''
|
||||||
lib.mdDoc ''
|
Whether users of the `wheel` group must
|
||||||
Whether to enable the {command}`sudo` command, which
|
provide a password to run commands as super user via {command}`sudo`.
|
||||||
allows non-root users to execute commands as root.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
security.sudo.package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.sudo;
|
|
||||||
defaultText = literalExpression "pkgs.sudo";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Which package to use for `sudo`.
|
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description =
|
|
||||||
lib.mdDoc ''
|
|
||||||
Whether users of the `wheel` group must
|
|
||||||
provide a password to run commands as super user via {command}`sudo`.
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.execWheelOnly = mkOption {
|
execWheelOnly = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Only allow members of the `wheel` group to execute sudo by
|
Only allow members of the `wheel` group to execute sudo by
|
||||||
setting the executable's permissions accordingly.
|
setting the executable's permissions accordingly.
|
||||||
This prevents users that are not members of `wheel` from
|
This prevents users that are not members of `wheel` from
|
||||||
@ -72,19 +58,18 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.configFile = mkOption {
|
configFile = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
# Note: if syntax errors are detected in this file, the NixOS
|
# Note: if syntax errors are detected in this file, the NixOS
|
||||||
# configuration will fail to build.
|
# configuration will fail to build.
|
||||||
description =
|
description = mdDoc ''
|
||||||
lib.mdDoc ''
|
This string contains the contents of the
|
||||||
This string contains the contents of the
|
{file}`sudoers` file.
|
||||||
{file}`sudoers` file.
|
'';
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.extraRules = mkOption {
|
extraRules = mkOption {
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Define specific rules to be in the {file}`sudoers` file.
|
Define specific rules to be in the {file}`sudoers` file.
|
||||||
More specific rules should come after more general ones in order to
|
More specific rules should come after more general ones in order to
|
||||||
yield the expected behavior. You can use mkBefore/mkAfter to ensure
|
yield the expected behavior. You can use mkBefore/mkAfter to ensure
|
||||||
@ -114,7 +99,7 @@ in
|
|||||||
options = {
|
options = {
|
||||||
users = mkOption {
|
users = mkOption {
|
||||||
type = with types; listOf (either str int);
|
type = with types; listOf (either str int);
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
The usernames / UIDs this rule should apply for.
|
The usernames / UIDs this rule should apply for.
|
||||||
'';
|
'';
|
||||||
default = [];
|
default = [];
|
||||||
@ -122,7 +107,7 @@ in
|
|||||||
|
|
||||||
groups = mkOption {
|
groups = mkOption {
|
||||||
type = with types; listOf (either str int);
|
type = with types; listOf (either str int);
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
The groups / GIDs this rule should apply for.
|
The groups / GIDs this rule should apply for.
|
||||||
'';
|
'';
|
||||||
default = [];
|
default = [];
|
||||||
@ -131,7 +116,7 @@ in
|
|||||||
host = mkOption {
|
host = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "ALL";
|
default = "ALL";
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
For what host this rule should apply.
|
For what host this rule should apply.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -139,7 +124,7 @@ in
|
|||||||
runAs = mkOption {
|
runAs = mkOption {
|
||||||
type = with types; str;
|
type = with types; str;
|
||||||
default = "ALL:ALL";
|
default = "ALL:ALL";
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Under which user/group the specified command is allowed to run.
|
Under which user/group the specified command is allowed to run.
|
||||||
|
|
||||||
A user can be specified using just the username: `"foo"`.
|
A user can be specified using just the username: `"foo"`.
|
||||||
@ -149,7 +134,7 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
commands = mkOption {
|
commands = mkOption {
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
The commands for which the rule should apply.
|
The commands for which the rule should apply.
|
||||||
'';
|
'';
|
||||||
type = with types; listOf (either str (submodule {
|
type = with types; listOf (either str (submodule {
|
||||||
@ -157,7 +142,7 @@ in
|
|||||||
options = {
|
options = {
|
||||||
command = mkOption {
|
command = mkOption {
|
||||||
type = with types; str;
|
type = with types; str;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
A command being either just a path to a binary to allow any arguments,
|
A command being either just a path to a binary to allow any arguments,
|
||||||
the full command with arguments pre-set or with `""` used as the argument,
|
the full command with arguments pre-set or with `""` used as the argument,
|
||||||
not allowing arguments to the command at all.
|
not allowing arguments to the command at all.
|
||||||
@ -166,7 +151,7 @@ in
|
|||||||
|
|
||||||
options = mkOption {
|
options = mkOption {
|
||||||
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
|
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
|
Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
|
||||||
'';
|
'';
|
||||||
default = [];
|
default = [];
|
||||||
@ -179,10 +164,10 @@ in
|
|||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
security.sudo.extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Extra configuration text appended to {file}`sudoers`.
|
Extra configuration text appended to {file}`sudoers`.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user