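{ config, lib, ...}:
let
  inherit (lib) concatStringsSep genAttrs mkIf ;
  bindir = "/run/current-system/sw/bin";

  # Commands members of `sysops` may run as root without a password.
  #
  # Each entry is a sudoers command spec.  A trailing `*` matches the *whole*
  # rest of the command line, spaces included, so `foo *` grants every option
  # `foo` accepts, and `iptables -L*` also matches `-L --modprobe=/tmp/x`.
  # Keep that in mind before adding an entry.
  #
  # Entries in this list keep sudo's default EXEC behaviour, either because
  # the tool has no option that runs a program, or because it must spawn
  # helpers to work at all (ipsec is a wrapper script; newer mtr execs
  # mtr-packet; systemctl start/stop may spawn the tty password agent --
  # NOTE(review): these exec needs are from upstream knowledge, confirm on
  # a host before moving any of them to `noExecCommands`).
  plainCommands = [
    "${bindir}/du *"
    "${bindir}/iftop"
    "${bindir}/iotop"
    "${bindir}/ipsec *"
    "${bindir}/lsof *"
    "${bindir}/mtr *"
    "${bindir}/nix-collect-garbage *"
    "${bindir}/traceroute *"
  ] ++ map (c: "${bindir}/systemctl ${c} *")
    [ "kill" "reload" "restart" "start" "stop" ];

  # Commands whose documented options run an arbitrary program as root, which
  # with NOPASSWD turns each of them into a root shell for any sysop:
  #   tcpdump -z <cmd>               runs <cmd> after every capture rotation
  #   iptables -L --modprobe=<prog>  runs <prog> (matched by the `-L*` spec)
  #   nmap --script <file.nse>       NSE Lua can spawn processes
  #   journalctl / systemctl status  spawn $PAGER; `less` offers `!sh`
  # The NOEXEC tag makes sudo preload sudo_noexec.so so the command cannot
  # execve() anything (works for dynamically linked binaries; check
  # `sudo -V` lists noexec support on the target sudo build).
  # NOTE(review): under NOEXEC the pager spawn fails, so expect journalctl
  # and `systemctl status` to need `--no-pager` or a non-tty stdout.
  noExecCommands = [
    "${bindir}/ip6tables -L*"
    "${bindir}/iptables -L*"
    "${bindir}/journalctl *"
    "${bindir}/nmap *"
    "${bindir}/systemctl status *"
    "${bindir}/tcpdump *"
  ];

  # sudoers tags apply to every following command in the list until
  # overridden, so the plain (EXEC) entries must precede the NOEXEC ones.
  # Each NOEXEC entry is still tagged explicitly to keep the rule readable
  # in the generated sudoers.
  commands = concatStringsSep ", " (
    plainCommands ++ map (c: "NOEXEC: ${c}") noExecCommands
  );
in {
  # Only activate when at least one sysop is declared, so hosts without
  # sysops get neither the group nor the sudo rule.
  config = mkIf ( [] != config.nixsap.system.users.sysops ) {
    nixsap.system.groups = [ "sysops" ];
    # systemd-journal: read the journal without sudo.  proc: presumably the
    # gid named by /proc's hidepid mount option, so sysops can see other
    # users' processes -- verify against the host's /proc mount.
    users.users = genAttrs config.nixsap.system.users.sysops (
      name: {
        extraGroups = [ "sysops" "systemd-journal" "proc" ];
      }
    );
    # One rule for the whole group; NOPASSWD is inherited by every command
    # in `commands`, the NOEXEC tag only by those explicitly tagged above.
    security.sudo.extraConfig = ''
      %sysops ALL=(ALL) NOPASSWD: ${commands}
    '';
  };
}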