Merge pull request #265722 from nbraud/nixos/sudo-rs/btrbk
commit
cdd67575e7
@ -47,8 +47,21 @@ let
|
|||||||
then [ "${name} ${value}" ]
|
then [ "${name} ${value}" ]
|
||||||
else concatLists (mapAttrsToList (genSection name) value);
|
else concatLists (mapAttrsToList (genSection name) value);
|
||||||
|
|
||||||
|
sudoRule = {
|
||||||
|
users = [ "btrbk" ];
|
||||||
|
commands = [
|
||||||
|
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
|
||||||
|
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
|
||||||
|
{ command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
sudo_doas =
|
sudo_doas =
|
||||||
if config.security.sudo.enable then "sudo"
|
if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo"
|
||||||
else if config.security.doas.enable then "doas"
|
else if config.security.doas.enable then "doas"
|
||||||
else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
|
else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
|
||||||
|
|
||||||
@ -157,22 +170,10 @@ in
|
|||||||
};
|
};
|
||||||
config = mkIf (sshEnabled || serviceEnabled) {
|
config = mkIf (sshEnabled || serviceEnabled) {
|
||||||
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
|
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
|
||||||
security.sudo = mkIf (sudo_doas == "sudo") {
|
|
||||||
extraRules = [
|
security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
|
||||||
{
|
security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
|
||||||
users = [ "btrbk" ];
|
|
||||||
commands = [
|
|
||||||
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
|
|
||||||
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
|
|
||||||
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
|
|
||||||
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
|
|
||||||
{ command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
|
|
||||||
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
|
|
||||||
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
security.doas = mkIf (sudo_doas == "doas") {
|
security.doas = mkIf (sudo_doas == "doas") {
|
||||||
extraRules = let
|
extraRules = let
|
||||||
doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
|
doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
|
||||||
|
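Review bot: The shared `sudoRule` in the first hunk lets the `btrbk` user run `btrfs`, `mkdir` and `readlink` with `NOPASSWD` and no argument restriction, and it sets no `runAs`, so the rule falls back to the sudo module's default run-as target (believed to be `ALL:ALL`); this commit now applies the same grant under `security.sudo-rs` as well. Pinning the target with `runAs = "root";` inside `sudoRule` would narrow it for both backends. In the second hunk both `security.sudo.extraRules` and `security.sudo-rs.extraRules` are guarded by `sudo_doas == "sudo"`, which is true when either backend is enabled, so each module also receives the rule while it is disabled; that is presumably inert, but guarding each assignment on its own `enable` option would make the intent explicit. A short comment on `sudoRule` saying that the `/run/current-system/sw/bin` entries exist for the SSH path, and that passwordless `btrfs` as root amounts to broad access to the filesystem's subvolumes, would help whoever audits the generated sudoers file.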