{pkgs, config, ...}:

###### interface

let
  lib = pkgs.lib;

  options = {
    security.sudo = {

      # Master switch for the module; the sudo package, its PAM config,
      # the generated sudoers file and the setuid wrapper all hang off it.
      enable = lib.mkOption {
        default = true;
        description = "
          Whether to enable the sudo command, which allows non-root
          users to execute commands as root.
        ";
      };

      # Verbatim contents of /etc/sudoers.  The default grants root and
      # every member of "wheel" unrestricted access.  Note the SETENV tag:
      # it lets those users carry their own environment into the elevated
      # command (sudo -E / VAR=value), so sudo's usual environment
      # sanitisation does not apply to them -- deliberate here, but a
      # point to reconsider when tightening this policy.
      configFile = lib.mkOption {
        default = "
          # WARNING: do not edit this file directly or with \"visudo\". Instead,
          # edit the source file in /etc/nixos/nixos/etc/sudoers.

          # \"root\" is allowed to do anything.
          root ALL=(ALL) SETENV: ALL

          # Users in the \"wheel\" group can do anything.
          %wheel ALL=(ALL) SETENV: ALL
        ";
        description = "
          This string contains the contents of the sudoers file.
        ";
        # The build-time visudo syntax check is currently disabled (see
        # NIXOS-66 in the implementation below), so a syntax error in this
        # string is NOT caught at build time: sudo itself will reject the
        # malformed file at run time instead.  Check changes carefully,
        # since an unparseable sudoers disables sudo for everyone.
      };

    };
  };

in

###### implementation

let
  sudoCfg = config.security.sudo;

  # Stage the user-supplied sudoers text into the store.  The visudo
  # check would go here (it is disabled - NIXOS-66); for now the input
  # is only copied through unchanged.
  #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
  sudoersFile = pkgs.runCommand "sudoers"
    { src = pkgs.writeText "sudoers-in" sudoCfg.configFile; }
    "cp $src $out";

in

lib.mkIf sudoCfg.enable {

  require = [
    options
    # config.environment.etc
    ../etc/default.nix
    # ?
    # config.environment.extraPackages
    # ?
    # config.security.extraSetuidPrograms
  ];

  environment = {
    extraPackages = [ pkgs.sudo ];

    etc = [
      { source = ../etc/pam.d/sudo;
        target = "pam.d/sudo";
      }
      { source = sudoersFile;
        target = "sudoers";
        # sudo expects its policy file to be root-owned and not writable
        # by anyone else; 0440 is the conventional mode it accepts.
        mode = "0440";
      }
    ];
  };

  # sudo must run setuid root to be able to switch users at all; this
  # registers it with the setuid wrapper mechanism.
  security.extraSetuidPrograms = [ "sudo" ];

}