From 7c8b8bd3e43a93c3c8e3d2e0ba1839538d37ca2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Thu, 21 Sep 2023 14:58:59 +0200
Subject: [PATCH] nixos/sudo-rs: init adds a new sudo-rs module that contains sudo-rs changes removed from sudo module
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/security/sudo-rs.nix | 18 +++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e17d430e59b6..22724138d5dd 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -311,6 +311,7 @@
 ./security/rngd.nix
 ./security/rtkit.nix
 ./security/sudo.nix
+ ./security/sudo-rs.nix
 ./security/systemd-confinement.nix
 ./security/tpm2.nix
 ./security/wrappers/default.nix
diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix
index 4bdbe9671e6d..83bef3bbf91c 100644
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@@ -6,7 +6,7 @@ let
 inherit (pkgs) sudo sudo-rs;
- cfg = config.security.sudo;
+ cfg = config.security.sudo-rs;
 enableSSHAgentAuth = with config.security;
@@ -37,7 +37,7 @@ in
 ###### interface
- options.security.sudo = {
+ options.security.sudo-rs = {
 defaultOptions = mkOption { type = with types; listOf str;
@@ -53,7 +53,7 @@ in
 enable = mkOption { type = types.bool;
- default = true;
+ default = false;
 description = mdDoc '' Whether to enable the {command}`sudo` command, which allows non-root users to execute commands as root.
@@ -62,8 +62,8 @@ in
 package = mkOption { type = types.package;
- default = pkgs.sudo;
- defaultText = literalExpression "pkgs.sudo";
+ default = pkgs.sudo-rs;
+ defaultText = literalExpression "pkgs.sudo-rs";
 description = mdDoc '' Which package to use for `sudo`. '';
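Review bot: The option descriptions in the -53 and -62 hunks were carried over unchanged from the sudo module, so the `enable` text still talks about enabling the sudo command in general and the `package` text still says it selects the package for sudo. Once both modules are in module-list.nix, the rendered docs for `security.sudo.enable` and `security.sudo-rs.enable` will read the same, which is unhelpful for a setuid-root tool where an admin should know exactly which implementation they are turning on. I would reword them to name the implementation, for example "Whether to enable the sudo-rs implementation of the sudo command, which allows non-root users to execute commands as root." and "Which package to use for sudo-rs.". Both `mkOption` bodies continue past the end of their hunks.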
@@ -208,7 +208,7 @@ in
 ###### implementation
 config = mkIf cfg.enable {
- security.sudo.extraRules =
+ security.sudo-rs.extraRules =
 let defaultRule = { users ? [], groups ? [], opts ? [] }: [ { inherit users groups;
@@ -230,10 +230,10 @@ in
 })) ];
- security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
+ security.sudo-rs.configFile = concatStringsSep "\n" (filter (s: s != "") [
 ''
- # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
- # or ‘security.sudo.extraRules’ instead.
+ # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
+ # or ‘security.sudo-rs.extraRules’ instead.
 '' (optionalString enableSSHAgentAuth '' # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
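Review bot: Nothing visible under `config = mkIf cfg.enable {` in the -208 hunk prevents this module from being enabled together with `security.sudo`, whose `enable` option presumably still defaults to true. The wrapper and sudoers-file definitions are outside the hunk, so this is inferred, but two modules that both provide a setuid `sudo` and a sudoers file would at best fail with an opaque option conflict. At worst it would be unclear which binary and which rule set actually mediate root access. I would add an explicit guard at the top of the config block, e.g. `assertions = [ { assertion = !config.security.sudo.enable; message = "security.sudo and security.sudo-rs cannot both be enabled"; } ];`. The config block continues beyond the end of the hunk.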