From 5a7d93217e61caa5a1d885a161368d4507e093e4 Mon Sep 17 00:00:00 2001 From: Myned Date: Mon, 23 Dec 2024 14:45:36 -0500 Subject: [PATCH] security: separate sudo/polkit into modules Signed-off-by: Myned --- options/custom/desktops/niri/default.nix | 3 +- options/custom/programs/default.nix | 2 + options/custom/programs/polkit.nix | 52 ++++++++++++++++++++++++ options/custom/programs/sudo.nix | 40 ++++++++++++++++++ options/custom/settings/default.nix | 1 - options/custom/settings/security.nix | 48 ---------------------- 6 files changed, 96 insertions(+), 50 deletions(-) create mode 100644 options/custom/programs/polkit.nix create mode 100644 options/custom/programs/sudo.nix delete mode 100644 options/custom/settings/security.nix diff --git a/options/custom/desktops/niri/default.nix b/options/custom/desktops/niri/default.nix index a04fb0e..73b0388 100644 --- a/options/custom/desktops/niri/default.nix +++ b/options/custom/desktops/niri/default.nix @@ -10,6 +10,7 @@ with lib; let in { options.custom.desktops.niri = { enable = mkOption {default = false;}; + polkit = mkOption {default = false;}; xwayland = mkOption {default = true;}; }; @@ -34,7 +35,7 @@ in { #!! Disabled bundled KDE polkit agent # https://github.com/sodiboo/niri-flake?tab=readme-ov-file#additional-notes - systemd.user.services.niri-flake-polkit.enable = false; + systemd.user.services.niri-flake-polkit.enable = cfg.polkit; # Enable rootless Xwayland custom.services.xwayland-satellite.enable = cfg.xwayland; diff --git a/options/custom/programs/default.nix b/options/custom/programs/default.nix index d60c33f..3e2bc2b 100644 --- a/options/custom/programs/default.nix +++ b/options/custom/programs/default.nix @@ -17,7 +17,9 @@ with lib; { nh.enable = true; nix-index.enable = true; nushell.enable = true; + polkit.enable = true; ssh.enable = true; + sudo.enable = true; tmux.enable = true; }) 
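Review bot: The comment `#!! Disabled bundled KDE polkit agent` above the changed `systemd.user.services.niri-flake-polkit.enable = cfg.polkit;` line in options/custom/desktops/niri/default.nix is now stale, because the service is no longer unconditionally disabled but follows the new `custom.desktops.niri.polkit` option. Suggest replacing it with `# Bundled KDE polkit agent; off by default so that only one polkit agent registers per session`. If I read the new programs/polkit.nix module correctly, its `agent` option defaults to true, so a host that also sets `niri.polkit = true` would presumably start two agents; a sentence noting that interaction in the option's `description` would help. The new option is also declared without `type`/`description`, e.g. `polkit = mkOption { type = types.bool; default = false; description = "Start the polkit agent bundled by niri-flake"; };`.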
diff --git a/options/custom/programs/polkit.nix b/options/custom/programs/polkit.nix
new file mode 100644
index 0000000..bd1419e
--- /dev/null
+++ b/options/custom/programs/polkit.nix
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ polkit-gnome-authentication-agent-1 = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+
+ cfg = config.custom.programs.polkit;
+in {
+ options.custom.programs.polkit = {
+ enable = mkOption {default = false;};
+ agent = mkOption {default = true;};
+ bypass = mkOption {default = false;};
+ };
+
+ config = mkIf cfg.enable {
+ # https://wiki.nixos.org/wiki/Polkit
+ #?? pkexec echo
+ security.polkit = {
+ enable = true;
+
+ # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ extraConfig = mkIf cfg.bypass ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
+ });
+ '';
+ };
+
+ # https://wiki.nixos.org/wiki/Polkit#Authentication_agents
+ systemd.user.services.polkit-gnome-authentication-agent-1 = mkIf cfg.agent {
+ enable = true;
+ wantedBy = ["graphical-session.target"];
+
+ unitConfig = {
+ Description = "polkit-gnome-authentication-agent-1";
+ After = ["graphical-session.target"];
+ Wants = ["graphical-session.target"];
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = polkit-gnome-authentication-agent-1;
+ Restart = "on-failure";
+ RestartSec = 1;
+ TimeoutStopSec = 10;
+ };
+ };
+ };
+}
diff --git a/options/custom/programs/sudo.nix b/options/custom/programs/sudo.nix
new file mode 100644
index 0000000..10dcfc0
--- /dev/null
+++ b/options/custom/programs/sudo.nix
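Review bot: `bypass = mkOption {default = false;}` is a behaviour change rather than a pure separation: the deleted options/custom/settings/security.nix applied the wheel-bypass rule unconditionally, and options/custom/programs/default.nix in this same commit enables the module without setting `bypass`, so polkit will now prompt wheel users where it previously did not. That is the safer default, but the subject line only says the modules were separated; either state the change in the commit message or set `bypass` explicitly on hosts that relied on the old behaviour. Since the rule returns `polkit.Result.YES` for every action for any member of wheel, a comment above `extraConfig` such as `# Grants every polkit action to group wheel without authentication; keep off unless the host is single-user` would make the cost of flipping the option visible at the point of use. The three options also lack `type`/`description`, e.g. `bypass = mkOption { type = types.bool; default = false; description = "Skip authentication for group wheel on all polkit actions"; };`.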
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.custom.programs.sudo;
+in {
+ options.custom.programs.sudo = {
+ enable = mkOption {default = false;};
+ bypass = mkOption {default = true;};
+ confirm = mkOption {default = true;};
+ };
+
+ config = mkIf cfg.enable {
+ # https://wiki.nixos.org/wiki/Sudo
+ #?? sudo echo
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = !cfg.bypass;
+ };
+
+ environment.shellAliases = mkIf cfg.confirm {
+ # Interactive confirmation prompt
+ sudo = pkgs.writeShellScript "sudo" ''
+ read -p "Execute as root? [Y/n] "
+
+ case "$REPLY" in
+ "" | [Yy])
+ command sudo "$@"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+ '';
+ };
+ };
+}
diff --git a/options/custom/settings/default.nix b/options/custom/settings/default.nix
index abd1bb6..39726d1 100644
--- a/options/custom/settings/default.nix
+++ b/options/custom/settings/default.nix
@@ -11,7 +11,6 @@ with lib; {
 hardware.enable = true;
 networking.enable = true;
 packages.enable = true;
- security.enable = true;
 storage.enable = true;
 users.enable = true;
 })
diff --git a/options/custom/settings/security.nix b/options/custom/settings/security.nix
deleted file mode 100644
index da4c9ef..0000000
--- a/options/custom/settings/security.nix
+++ /dev/null
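Review bot: `bypass = mkOption {default = true;}` makes `wheelNeedsPassword = false` the default for every host that sets `sudo.enable`, which options/custom/programs/default.nix does in this same commit, so passwordless root for group wheel becomes opt-out rather than opt-in; consider `default = false`, or at least a `description` that states the consequence. The `confirm` alias only applies in interactive shells that expand aliases and is not involved when sudo is invoked from scripts, via `command sudo`, or by other tools, so it guards against accidental invocation but is not an authentication control — a comment above the alias like `# Convenience guard for interactive shells only; not a substitute for wheelNeedsPassword` would keep that clear. The script's `read -p` also consumes the first line of stdin, so a pipeline such as `echo x | sudo tee f` loses its input; `read -p "Execute as root? [Y/n] " < /dev/tty` takes the answer from the terminal instead. As in the polkit module, the options carry no `type`/`description`.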
@@ -1,48 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-with lib; let
- cfg = config.custom.settings.security;
-in {
- options.custom.settings.security.enable = mkOption {default = false;};
-
- config = mkIf cfg.enable {
- # Bypass password prompts
- security = {
- sudo = {
- enable = true;
- wheelNeedsPassword = false;
- };
-
- # https://wiki.nixos.org/wiki/Sway#Using_Home_Manager
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
- polkit = {
- enable = true;
- extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
- });
- '';
- };
- };
-
- environment.shellAliases = {
- # Sudo confirmation prompt
- sudo = pkgs.writeShellScript "sudo" ''
- read -p "Execute as root? [Y/n] "
-
- case "$REPLY" in
- "" | [Yy])
- command sudo "$@"
- ;;
- *)
- exit 1
- ;;
- esac
- '';
- };
- };
-}