sudo.nix: initial config

2024-08-22 21:41:20 +02:00 · 2024-08-22 21:41:20 +02:00 · 805d897927
commit 805d897927
parent 2862aa7aa9
6 changed files with 31 additions and 19 deletions
--- a/flake.lock
+++ b/flake.lock
@ -786,22 +786,6 @@
        "type": "github"
      }
    },
-    "nixos-hardware": {
-      "locked": {
-        "lastModified": 1724067415,
-        "narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=",
-        "owner": "NixOS",
-        "repo": "nixos-hardware",
-        "rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixos-hardware",
-        "type": "github"
-      }
-    },
    "nixpak": {
      "inputs": {
        "flake-parts": "flake-parts_3",
@ -2624,7 +2608,6 @@
        "hyprland-plugins": "hyprland-plugins",
        "lix-module": "lix-module",
        "neovim-flake": "neovim-flake",
-        "nixos-hardware": "nixos-hardware",
        "nixpak": "nixpak",
        "nixpkgs": "nixpkgs_5",
        "schizofox": "schizofox",
--- a/hosts/vali/hermit/configuration.nix
+++ b/hosts/vali/hermit/configuration.nix
@ -1,6 +1,7 @@
 {
-  pkgs,
  config,
+  lib,
+  pkgs,
  ...
 }: {
  # Time Zone
@ -14,6 +15,7 @@
  programs.dconf.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
  services.thermald.enable = true;
+  services.fstrim.enable = lib.mkDefault true;

  modules = {
    system = {
--- a/modules/other/system.nix
+++ b/modules/other/system.nix
@ -28,7 +28,7 @@ in {

    users.users.${cfg.username} = {
      isNormalUser = true;
-      extraGroups = ["wheel"];
+      extraGroups = ["wheel" "networking"];
    };
  };
 }
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -5,5 +5,6 @@ _: {
    ./hardware
    ./nix/module.nix
    ./os/networking/module.nix
+    ./os/security/module.nix
  ];
 }
--- a/modules/system/os/security/module.nix
+++ b/modules/system/os/security/module.nix
@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./sudo.nix
+  ];
+}
--- a/modules/system/os/security/sudo.nix
+++ b/modules/system/os/security/sudo.nix
@ -0,0 +1,21 @@
+{
+  lib,
+  pkgs,
+}: let
+  inherit (lib) mkForce mkDefault;
+in {
+  security = {
+    sudo-rs.enable = mkForce false;
+    sudo = {
+      enable = true;
+      # We use the default sudo package
+      package = pkgs.sudo;
+
+      # Wheel user should need the password to execute sudo commands
+      wheelNeedsPassword = mkDefault true;
+
+      # BUT, only wheel users should be able to use sudo.
+      execWheelOnly = mkForce true;
+    };
+  };
+}