security: separate sudo/polkit into modules
Signed-off-by: Myned <dev@bjork.tech>
parent
4386de1eba
commit
5a7d93217e
6 changed files with 96 additions and 50 deletions
|
@ -10,6 +10,7 @@ with lib; let
|
|||
in {
|
||||
options.custom.desktops.niri = {
|
||||
enable = mkOption {default = false;};
|
||||
polkit = mkOption {default = false;};
|
||||
xwayland = mkOption {default = true;};
|
||||
};
|
||||
|
||||
|
@ -34,7 +35,7 @@ in {
|
|||
|
||||
#!! Disabled bundled KDE polkit agent
|
||||
# https://github.com/sodiboo/niri-flake?tab=readme-ov-file#additional-notes
|
||||
systemd.user.services.niri-flake-polkit.enable = false;
|
||||
systemd.user.services.niri-flake-polkit.enable = cfg.polkit;
|
||||
|
||||
# Enable rootless Xwayland
|
||||
custom.services.xwayland-satellite.enable = cfg.xwayland;
|
||||
|
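Review bot: The comment `#!! Disabled bundled KDE polkit agent` above `systemd.user.services.niri-flake-polkit.enable = cfg.polkit;` is now stale — the unit is no longer disabled unconditionally, it follows the new `polkit` option, which defaults to `false`. Suggest `#!! Bundled KDE polkit agent, off unless custom.desktops.niri.polkit is set (custom.programs.polkit provides the GNOME agent)` so the next reader sees that the option flips it. If `custom.desktops.niri.polkit` and `custom.programs.polkit.agent` (default `true` in the new module) are both enabled in the same session, two agents would try to register; a short note on the option, or an assertion, would prevent that from being configured by accident. The enclosing `config` attribute set starts before the first hunk.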
|
|
@ -17,7 +17,9 @@ with lib; {
|
|||
nh.enable = true;
|
||||
nix-index.enable = true;
|
||||
nushell.enable = true;
|
||||
polkit.enable = true;
|
||||
ssh.enable = true;
|
||||
sudo.enable = true;
|
||||
tmux.enable = true;
|
||||
})
|
||||
|
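Review bot: `sudo.enable = true;` here silently inherits the new module's `bypass = true` default, so wheel gets passwordless sudo in this profile without that being visible at the call site, while `polkit.enable = true;` inherits `bypass = false` — meaning the wheel `polkit.Result.YES` rule that the deleted `settings/security.nix` applied is no longer active for this profile. If dropping the polkit bypass is intended that is fine, but it reads like an unintended behaviour change of a "separate into modules" commit; otherwise set it explicitly, e.g. `polkit = { enable = true; bypass = true; };`. For symmetry, `sudo = { enable = true; bypass = true; };` would spell out both privilege-bypass decisions where they take effect. The enclosing attribute set starts before the hunk.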
||||
|
|
52
options/custom/programs/polkit.nix
Normal file
52
options/custom/programs/polkit.nix
Normal file
|
@ -0,0 +1,52 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
polkit-gnome-authentication-agent-1 = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
|
||||
|
||||
cfg = config.custom.programs.polkit;
|
||||
in {
|
||||
options.custom.programs.polkit = {
|
||||
enable = mkOption {default = false;};
|
||||
agent = mkOption {default = true;};
|
||||
bypass = mkOption {default = false;};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# https://wiki.nixos.org/wiki/Polkit
|
||||
#?? pkexec echo
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
|
||||
# https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
|
||||
extraConfig = mkIf cfg.bypass ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
|
||||
});
|
||||
'';
|
||||
};
|
||||
|
||||
# https://wiki.nixos.org/wiki/Polkit#Authentication_agents
|
||||
systemd.user.services.polkit-gnome-authentication-agent-1 = mkIf cfg.agent {
|
||||
enable = true;
|
||||
wantedBy = ["graphical-session.target"];
|
||||
|
||||
unitConfig = {
|
||||
Description = "polkit-gnome-authentication-agent-1";
|
||||
After = ["graphical-session.target"];
|
||||
Wants = ["graphical-session.target"];
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = polkit-gnome-authentication-agent-1;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
TimeoutStopSec = 10;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
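Review bot: The `bypass` rule in `extraConfig` returns `polkit.Result.YES` for every action as soon as the subject is in `wheel`, with no check that the subject belongs to a local, active session, so any process running as a wheel user — one reached over SSH, a cron job, a compromised service account in that group — would get every polkit action without authentication. Restricting it to `if (subject.isInGroup("wheel") && subject.local && subject.active) { return polkit.Result.YES; }` keeps the convenience for the desktop session while narrowing the blanket grant. The three options are also declared as untyped `mkOption {default = ...;}` with no description; `bypass = mkOption { type = types.bool; default = false; description = "Grant every polkit action to wheel without a prompt (reduces authorization to group membership)."; };` would document the risk and let the module system reject non-boolean values.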
|
40
options/custom/programs/sudo.nix
Normal file
40
options/custom/programs/sudo.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.custom.programs.sudo;
|
||||
in {
|
||||
options.custom.programs.sudo = {
|
||||
enable = mkOption {default = false;};
|
||||
bypass = mkOption {default = true;};
|
||||
confirm = mkOption {default = true;};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# https://wiki.nixos.org/wiki/Sudo
|
||||
#?? sudo echo
|
||||
security.sudo = {
|
||||
enable = true;
|
||||
wheelNeedsPassword = !cfg.bypass;
|
||||
};
|
||||
|
||||
environment.shellAliases = mkIf cfg.confirm {
|
||||
# Interactive confirmation prompt
|
||||
sudo = pkgs.writeShellScript "sudo" ''
|
||||
read -p "Execute as root? [Y/n] "
|
||||
|
||||
case "$REPLY" in
|
||||
"" | [Yy])
|
||||
command sudo "$@"
|
||||
;;
|
||||
*)
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
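Review bot: `read -p "Execute as root? [Y/n] "` in the `confirm` wrapper takes its answer from stdin, so in a pipeline such as `echo x | sudo tee /etc/foo` the first line of the piped data becomes `$REPLY` and the command either aborts with exit 1 or runs with that line already consumed; reading from the terminal instead, `read -p "Execute as root? [Y/n] " </dev/tty`, keeps the prompt working in pipelines (the alias only applies in interactive shells, so a tty is expected). Separately, `bypass` defaults to `true`, so merely setting `custom.programs.sudo.enable = true` yields `wheelNeedsPassword = false`, while the sibling `custom.programs.polkit.bypass` defaults to `false`; `default = false` would make the passwordless grant opt-in and the two modules consistent. The comment `# Interactive confirmation prompt` could also state that this is a convenience, not a control — `command sudo`, scripts and non-interactive shells skip it entirely.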
|
|
@ -11,7 +11,6 @@ with lib; {
|
|||
hardware.enable = true;
|
||||
networking.enable = true;
|
||||
packages.enable = true;
|
||||
security.enable = true;
|
||||
storage.enable = true;
|
||||
users.enable = true;
|
||||
})
|
||||
|
|
|
@ -1,48 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.custom.settings.security;
|
||||
in {
|
||||
options.custom.settings.security.enable = mkOption {default = false;};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Bypass password prompts
|
||||
security = {
|
||||
sudo = {
|
||||
enable = true;
|
||||
wheelNeedsPassword = false;
|
||||
};
|
||||
|
||||
# https://wiki.nixos.org/wiki/Sway#Using_Home_Manager
|
||||
# https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
|
||||
polkit = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("wheel")) { return polkit.Result.YES; }
|
||||
});
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
environment.shellAliases = {
|
||||
# Sudo confirmation prompt
|
||||
sudo = pkgs.writeShellScript "sudo" ''
|
||||
read -p "Execute as root? [Y/n] "
|
||||
|
||||
case "$REPLY" in
|
||||
"" | [Yy])
|
||||
command sudo "$@"
|
||||
;;
|
||||
*)
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|