sudo.nix: initial config

2024-08-22 21:41:20 +02:00 · 2024-08-22 21:41:20 +02:00 · 805d897927
commit 805d897927
parent 2862aa7aa9
6 changed files with 31 additions and 19 deletions
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -5,5 +5,6 @@ _: {
    ./hardware
    ./nix/module.nix
    ./os/networking/module.nix
+    ./os/security/module.nix
  ];
 }
--- a/modules/system/os/security/module.nix
+++ b/modules/system/os/security/module.nix
@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./sudo.nix
+  ];
+}
--- a/modules/system/os/security/sudo.nix
+++ b/modules/system/os/security/sudo.nix
@ -0,0 +1,21 @@
+{
+  lib,
+  pkgs,
+}: let
+  inherit (lib) mkForce mkDefault;
+in {
+  security = {
+    sudo-rs.enable = mkForce false;
+    sudo = {
+      enable = true;
+      # We use the default sudo package
+      package = pkgs.sudo;
+
+      # Wheel user should need the password to execute sudo commands
+      wheelNeedsPassword = mkDefault true;
+
+      # BUT, only wheel users should be able to use sudo.
+      execWheelOnly = mkForce true;
+    };
+  };
+}