From 6c8b85f04ca2f287ad4244bc911726739a1a212a Mon Sep 17 00:00:00 2001 From: Igor Pashev Date: Sat, 25 Mar 2017 11:23:40 +0300 Subject: Add sysops group The wheel group is allowed to do everything by default. We need a separate group to really confine users. For example: $ sudo ls We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for pashev: Sorry, user pashev is not allowed to execute '/run/current-system/sw/bin/ls --color=tty' as root on vbox-manul. --- modules/system/sysops.nix | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'modules') diff --git a/modules/system/sysops.nix b/modules/system/sysops.nix index ccf6d0b..54ff074 100644 --- a/modules/system/sysops.nix +++ b/modules/system/sysops.nix @@ -1,8 +1,7 @@ { config, lib, ...}: let - inherit (lib) concatMapStringsSep concatStringsSep mkOption types; - inherit (types) str listOf; + inherit (lib) concatStringsSep genAttrs mkIf ; bindir = "/run/current-system/sw/bin"; @@ -27,9 +26,17 @@ let in { - config = { + config = mkIf ( [] != config.nixsap.system.users.sysops ) { + nixsap.system.groups = [ "sysops" ]; + + users.users = genAttrs config.nixsap.system.users.sysops ( + name: { + extraGroups = [ "sysops" "systemd-journal" "proc" ]; + } + ); + security.sudo.extraConfig = '' - %wheel ALL=(ALL) NOPASSWD: ${commands} + %sysops ALL=(ALL) NOPASSWD: ${commands} ''; }; } -- cgit v1.2.3