nichts/modules/system/os/security/sudo.nix

{
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkForce mkDefault;
in {
  security = {
    sudo-rs.enable = mkForce false;
    sudo = {
      enable = true;
      # We use the default sudo package, but with insults if we
      # fail to provide the correct password
      package = pkgs.sudo.override {withInsults = true;};

      # Wheel user should need the password to execute sudo commands
      wheelNeedsPassword = mkDefault true;

      # BUT, only wheel users should be able to use sudo.
      execWheelOnly = mkForce true;
    };
  };
}
sudo.nix: initial config 2024-08-22 21:41:20 +02:00			`{`
			`lib,`
			`pkgs,`
sudo.nix: added override withInsults 2024-08-22 21:46:18 +02:00			`...`
sudo.nix: initial config 2024-08-22 21:41:20 +02:00			`}: let`
flake: inherit explicitly from parts of lib Instead of doing `inherit (lib) <something>``, all inherits now use `inherit (lib.<subsystem>) <something>`, which is much nicer. 2025-04-09 15:31:18 +02:00			`inherit (lib.modules) mkForce mkDefault;`
sudo.nix: initial config 2024-08-22 21:41:20 +02:00			`in {`
			`security = {`
			`sudo-rs.enable = mkForce false;`
			`sudo = {`
			`enable = true;`
sudo.nix: added override withInsults 2024-08-22 21:46:18 +02:00			`# We use the default sudo package, but with insults if we`
			`# fail to provide the correct password`
			`package = pkgs.sudo.override {withInsults = true;};`
sudo.nix: initial config 2024-08-22 21:41:20 +02:00
			`# Wheel user should need the password to execute sudo commands`
			`wheelNeedsPassword = mkDefault true;`

			`# BUT, only wheel users should be able to use sudo.`
			`execWheelOnly = mkForce true;`
			`};`
			`};`
			`}`