
security: separate sudo/polkit into modules

Signed-off-by: Myned <dev@bjork.tech>
This commit is contained in:
Myned 2024-12-23 14:45:36 -05:00
parent 4386de1eba
commit 5a7d93217e
Signed by: Myned
GPG key ID: C7224454F7881A34
6 changed files with 96 additions and 50 deletions


@ -10,6 +10,7 @@ with lib; let
in {
options.custom.desktops.niri = {
enable = mkOption {default = false;};
polkit = mkOption {default = false;};
xwayland = mkOption {default = true;};
};
@ -34,7 +35,7 @@ in {
#!! Disabled bundled KDE polkit agent
# https://github.com/sodiboo/niri-flake?tab=readme-ov-file#additional-notes
systemd.user.services.niri-flake-polkit.enable = false;
systemd.user.services.niri-flake-polkit.enable = cfg.polkit;
# Enable rootless Xwayland
custom.services.xwayland-satellite.enable = cfg.xwayland;
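Review bot: The `#!! Disabled bundled KDE polkit agent` comment above the changed line is now stale, since the unit follows `cfg.polkit` instead of being forced off; `#!! Bundled KDE polkit agent, off unless custom.desktops.niri.polkit is set` would describe the new behaviour. The default stays false, so existing hosts are unaffected. A host that sets this option while also using the agent from `custom.programs.polkit` would presumably end up with two authentication agents registered in the same graphical session, which is worth a note on the `polkit` option so the two are not enabled together by accident. The enclosing `config` attrset starts outside the hunk.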


@ -17,7 +17,9 @@ with lib; {
nh.enable = true;
nix-index.enable = true;
nushell.enable = true;
polkit.enable = true;
ssh.enable = true;
sudo.enable = true;
tmux.enable = true;
})
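Review bot: `sudo.enable = true;` on its own relies on the sudo module's `bypass` default of `true`, so this profile turns `wheelNeedsPassword` off without saying so, while the parallel `polkit.enable = true;` keeps polkit's password prompt because that module defaults `bypass` to false. Writing the relaxation at the call site, `sudo = { enable = true; bypass = true; };`, keeps the privilege decision visible where it is made rather than two files away, and makes the two modules read consistently. The enclosing attrset opens outside the hunk.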


@ -0,0 +1,52 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
polkit-gnome-authentication-agent-1 = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
cfg = config.custom.programs.polkit;
in {
options.custom.programs.polkit = {
enable = mkOption {default = false;};
agent = mkOption {default = true;};
bypass = mkOption {default = false;};
};
config = mkIf cfg.enable {
# https://wiki.nixos.org/wiki/Polkit
#?? pkexec echo
security.polkit = {
enable = true;
# https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
extraConfig = mkIf cfg.bypass ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
});
'';
};
# https://wiki.nixos.org/wiki/Polkit#Authentication_agents
systemd.user.services.polkit-gnome-authentication-agent-1 = mkIf cfg.agent {
enable = true;
wantedBy = ["graphical-session.target"];
unitConfig = {
Description = "polkit-gnome-authentication-agent-1";
After = ["graphical-session.target"];
Wants = ["graphical-session.target"];
};
serviceConfig = {
Type = "simple";
ExecStart = polkit-gnome-authentication-agent-1;
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
}
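Review bot: The `bypass` rule in `extraConfig` returns `polkit.Result.YES` for every action id with no filter on `action`, so `bypass = true` grants wheel members every polkit-mediated action without authentication, and neither the option nor the rule says so. Suggest `# Grants wheel every polkit action without authentication (no action filter); prefer a per-action rule if only specific actions need it` above `extraConfig`. Keeping the default at `false`, unlike the removed unconditional rule, is the right call. The options also carry no `type`; `mkOption {type = types.bool; default = false;}` would reject non-boolean values at evaluation time instead of letting them reach `mkIf`.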


@ -0,0 +1,40 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.custom.programs.sudo;
in {
options.custom.programs.sudo = {
enable = mkOption {default = false;};
bypass = mkOption {default = true;};
confirm = mkOption {default = true;};
};
config = mkIf cfg.enable {
# https://wiki.nixos.org/wiki/Sudo
#?? sudo echo
security.sudo = {
enable = true;
wheelNeedsPassword = !cfg.bypass;
};
environment.shellAliases = mkIf cfg.confirm {
# Interactive confirmation prompt
sudo = pkgs.writeShellScript "sudo" ''
read -p "Execute as root? [Y/n] "
case "$REPLY" in
"" | [Yy])
command sudo "$@"
;;
*)
exit 1
;;
esac
'';
};
};
}
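Review bot: The confirmation script reads the reply from stdin rather than the terminal, so in a pipeline such as `some-cmd | sudo tee file` the first line of data is consumed as the answer, and when stdin is at EOF `REPLY` is empty and the `"" | [Yy])` arm runs `sudo` anyway, so the prompt is silently skipped in exactly the non-interactive cases where it matters. `read -p "Execute as root? [Y/n] " </dev/tty || exit 1` reads from the controlling terminal and refuses when there is none. Separately, `bypass` defaulting to `true` means `enable = true` alone sets `wheelNeedsPassword = false`; an opt-in default, `bypass = mkOption {default = false;};`, with profiles that want the relaxation setting it explicitly, would match the polkit module's default and make the split from the removed unconditional `wheelNeedsPassword = false` a real tightening. Since `environment.shellAliases` only affects interactive shells, a comment noting that the prompt is a convenience and not an access control would also help.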


@ -11,7 +11,6 @@ with lib; {
hardware.enable = true;
networking.enable = true;
packages.enable = true;
security.enable = true;
storage.enable = true;
users.enable = true;
})


@ -1,48 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.custom.settings.security;
in {
options.custom.settings.security.enable = mkOption {default = false;};
config = mkIf cfg.enable {
# Bypass password prompts
security = {
sudo = {
enable = true;
wheelNeedsPassword = false;
};
# https://wiki.nixos.org/wiki/Sway#Using_Home_Manager
# https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
polkit = {
enable = true;
extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
});
'';
};
};
environment.shellAliases = {
# Sudo confirmation prompt
sudo = pkgs.writeShellScript "sudo" ''
read -p "Execute as root? [Y/n] "
case "$REPLY" in
"" | [Yy])
command sudo "$@"
;;
*)
exit 1
;;
esac
'';
};
};
}