services: use doas if enabled

- Remove sudo from recurring-donations path because it's not used by
  the service

- Use doas instead of sudo in secure-node.nix
nixbitcoin
2021-01-30 23:08:43 +01:00
parent ce2b445777
commit 2ca92a34a5
7 changed files with 31 additions and 12 deletions


@@ -22,7 +22,7 @@ in {
default = [];
description = "Extra groups.";
};
sudoUsers = mkOption {
allowRunAsUsers = mkOption {
type = with types; listOf str;
default = [];
description = "Users as which the operator is allowed to run commands.";
@@ -38,10 +38,14 @@ in {
] ++ cfg.groups;
};
security.sudo.extraConfig = mkIf (cfg.sudoUsers != []) (let
users = builtins.concatStringsSep "," cfg.sudoUsers;
in ''
${cfg.name} ALL=(${users}) NOPASSWD: ALL
'');
security = mkIf (cfg.allowRunAsUsers != []) {
# Use doas instead of sudo if enabled
doas.extraConfig = mkIf config.security.doas.enable ''
${lib.concatMapStrings (user: "permit nopass ${cfg.name} as ${user}\n") cfg.allowRunAsUsers}
'';
sudo.extraConfig = mkIf (!config.security.doas.enable) ''
${cfg.name} ALL=(${builtins.concatStringsSep "," cfg.allowRunAsUsers}) NOPASSWD: ALL
'';
};
};
}
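Review bot: Each entry of `cfg.allowRunAsUsers` is interpolated verbatim into the doas rule (`permit nopass ${cfg.name} as ${user}`) and into the sudoers line, while the option type remains `listOf str`, so an entry containing whitespace or a newline would alter the generated rule instead of being rejected at evaluation time. Constraining the element type, for example `type = with types; listOf (strMatching "[a-z_][a-z0-9_-]*");` (adjust the pattern to the account names this module must accept), would make a malformed name fail early. Both branches grant passwordless execution of any command as the listed users, which the option text does not state; consider `description = "Users as which the operator may run any command without a password.";`. The option set and the config block both continue outside the hunks shown here.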