use doas instead of sudo
This commit is contained in:
parent
0d57369bb6
commit
ec2098fea4
@ -145,6 +145,7 @@
|
|||||||
outputsBuilder = channels: let
|
outputsBuilder = channels: let
|
||||||
pkgs = channels.unstable;
|
pkgs = channels.unstable;
|
||||||
pkgs-zfs = channels.unstable-zfs;
|
pkgs-zfs = channels.unstable-zfs;
|
||||||
|
# FIXME: nixos-rebuild with --flakes flag doesn't work with doas
|
||||||
rebuild = pkgs.writeShellScriptBin "rebuild" ''
|
rebuild = pkgs.writeShellScriptBin "rebuild" ''
|
||||||
if [[ -z $1 ]]; then
|
if [[ -z $1 ]]; then
|
||||||
echo "Usage: $(basename $0) {switch|boot|test}"
|
echo "Usage: $(basename $0) {switch|boot|test}"
|
||||||
@ -152,8 +153,8 @@
|
|||||||
shift
|
shift
|
||||||
nix build .#nixosConfigurations.Flakes-ISO.config.system.build.isoImage "$@"
|
nix build .#nixosConfigurations.Flakes-ISO.config.system.build.isoImage "$@"
|
||||||
else
|
else
|
||||||
arg=$1; shift;
|
# doas nix-shell -p git --run "nixos-rebuild --flake . $@"
|
||||||
sudo nixos-rebuild $arg --flake . "$@"
|
\sudo nixos-rebuild --flake . $@
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
update-vscode = pkgs.writeShellScriptBin "update-vscode" ''
|
update-vscode = pkgs.writeShellScriptBin "update-vscode" ''
|
||||||
|
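Review bot: The new `\sudo nixos-rebuild --flake . $@` line drops the quotes the old `"$@"` had, so any argument containing spaces or glob characters is word-split and globbed before it reaches nixos-rebuild; restore `"$@"` (the commented-out doas line has the same unquoted `$@`). The leading backslash only suppresses alias expansion, which does not happen in a non-interactive writeShellScriptBin script, so it buys nothing and can be removed. Because `arg=$1; shift;` was deleted, the `-z $1` guard above now only checks that some first argument exists and forwards it unvalidated, so the `{switch|boot|test}` usage text no longer reflects what the script enforces. The enclosing `outputsBuilder` let-block begins before the hunk.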
@ -62,7 +62,7 @@ let
|
|||||||
} "${password-store}"
|
} "${password-store}"
|
||||||
fi
|
fi
|
||||||
cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
|
cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
|
||||||
[ ! -z "${allServices}" ] && sudo systemctl restart ${allServices}
|
[ ! -z "${allServices}" ] && doas systemctl restart ${allServices}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
decrypt = name: cfg:
|
decrypt = name: cfg:
|
||||||
@ -79,7 +79,7 @@ let
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
if cat '${encrypted}' | /run/wrappers/bin/sudo -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
|
if cat '${encrypted}' | /run/wrappers/bin/doas -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
|
||||||
mv -f '${decrypted}.tmp' '${decrypted}'
|
mv -f '${decrypted}.tmp' '${decrypted}'
|
||||||
chown '${owner}' '${decrypted}'
|
chown '${owner}' '${decrypted}'
|
||||||
chmod '${permissions}' '${decrypted}'
|
chmod '${permissions}' '${decrypted}'
|
||||||
@ -112,10 +112,12 @@ let
|
|||||||
|
|
||||||
mkServices = name: cfg: [ (decrypt name cfg) (addDependencies name cfg) ];
|
mkServices = name: cfg: [ (decrypt name cfg) (addDependencies name cfg) ];
|
||||||
|
|
||||||
allServices = toString (map (name: "${name}-envsubst.service")
|
allServicesMap = (map (name: "${name}-envsubst.service")
|
||||||
(builtins.attrNames config.secrets-envsubst)
|
(builtins.attrNames config.secrets-envsubst)
|
||||||
++ map (name: "${name}-secrets.service")
|
++ map (name: "${name}-secrets.service")
|
||||||
(builtins.attrNames config.secrets));
|
(builtins.attrNames config.secrets));
|
||||||
|
|
||||||
|
allServices = toString allServicesMap;
|
||||||
in {
|
in {
|
||||||
options.secrets = lib.mkOption {
|
options.secrets = lib.mkOption {
|
||||||
type = attrsOf (submodule secret);
|
type = attrsOf (submodule secret);
|
||||||
@ -140,12 +142,12 @@ in {
|
|||||||
config.systemd.services =
|
config.systemd.services =
|
||||||
mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
|
mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
|
||||||
|
|
||||||
config.security.sudo.extraRules = [{
|
config.security.doas.extraRules = [{
|
||||||
users = [ "alukard" ];
|
users = [ "alukard" ];
|
||||||
commands = [{
|
noPass = true;
|
||||||
command = "/run/current-system/sw/bin/systemctl restart ${allServices}";
|
keepEnv = true;
|
||||||
options = [ "NOPASSWD" ];
|
cmd = "/run/current-system/sw/bin/systemctl ";
|
||||||
}];
|
args = [ "restart" ] ++ allServicesMap;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
config.home-manager.users.alukard = {
|
config.home-manager.users.alukard = {
|
||||||
|
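Review bot: The rule added as `cmd = "/run/current-system/sw/bin/systemctl "` will not be matched by the bare `doas systemctl restart ${allServices}` call earlier in this section, because doas compares `cmd` against argv[0] exactly as typed rather than against the PATH-resolved binary the way sudo did; the call then falls through to whichever other rule matches last, which means a password prompt or a denial inside what used to be a passwordless step. Call the absolute path, `doas /run/current-system/sw/bin/systemctl restart ${allServices}`, and drop the trailing space in `cmd`, which only survives because doas.conf is whitespace-tokenised. Since doas uses the last matching rule, the unrestricted `persist` rule this commit adds for the same user in the profile will override this `noPass` rule whenever module merge order emits it later; pin the order with `lib.mkAfter`/`lib.mkOrder` or scope the general rule. The `/run/wrappers/bin/doas -u ${user}` call in the decrypt service runs as root and presumably relies on the doas module's built-in root rule; a one-line comment saying so would help the next reader.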
23
profiles/nix/doas.patch
Normal file
23
profiles/nix/doas.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
From 012a913fbc861029a0f4b100cfd57d3b505a455f Mon Sep 17 00:00:00 2001
|
||||||
|
From: ForeverNooob <106961997+ForeverNooob@users.noreply.github.com>
|
||||||
|
Date: Sun, 30 Oct 2022 08:13:19 +0000
|
||||||
|
Subject: [PATCH] Add doas support to the installation script.
|
||||||
|
|
||||||
|
Previously the install errored out and told you to manually add `/nix/` and set the perms if you had `doas` installed instead of `sudo`. Well, not any more!
|
||||||
|
---
|
||||||
|
scripts/install-nix-from-closure.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
|
||||||
|
index d4eed2efe80..d8931e97015 100644
|
||||||
|
--- a/scripts/install-nix-from-closure.sh
|
||||||
|
+++ b/scripts/install-nix-from-closure.sh
|
||||||
|
@@ -137,7 +137,7 @@ echo "performing a single-user installation of Nix..." >&2
|
||||||
|
if ! [ -e "$dest" ]; then
|
||||||
|
cmd="mkdir -m 0755 $dest && chown $USER $dest"
|
||||||
|
echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
|
||||||
|
- if ! sudo sh -c "$cmd"; then
|
||||||
|
+ if ! (sudo sh -c "$cmd" || doas sh -c "$cmd") ; then
|
||||||
|
echo "$0: please manually run '$cmd' as root to create $dest" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
@ -68,7 +68,7 @@ with lib; {
|
|||||||
|
|
||||||
nix = inputs.nix.packages.${system}.default.overrideAttrs (oa: {
|
nix = inputs.nix.packages.${system}.default.overrideAttrs (oa: {
|
||||||
doInstallCheck = false;
|
doInstallCheck = false;
|
||||||
patches = [ ./nix/nix.patch ] ++ oa.patches or [ ];
|
patches = [ ./nix/nix.patch ./nix/doas.patch ] ++ oa.patches or [ ];
|
||||||
});
|
});
|
||||||
|
|
||||||
nix-direnv = inputs.nix-direnv.packages.${system}.default.override { pkgs = final; };
|
nix-direnv = inputs.nix-direnv.packages.${system}.default.override { pkgs = final; };
|
||||||
|
@ -10,7 +10,6 @@ with config.deviceSpecific; {
|
|||||||
"audio"
|
"audio"
|
||||||
"cdrom"
|
"cdrom"
|
||||||
"corectrl"
|
"corectrl"
|
||||||
"dbus"
|
|
||||||
"dialout"
|
"dialout"
|
||||||
"disk"
|
"disk"
|
||||||
"docker"
|
"docker"
|
||||||
@ -20,41 +19,69 @@ with config.deviceSpecific; {
|
|||||||
"lp"
|
"lp"
|
||||||
"lxd"
|
"lxd"
|
||||||
"networkmanager"
|
"networkmanager"
|
||||||
"pulse"
|
"podman"
|
||||||
|
"qemu-libvirtd"
|
||||||
"scanner"
|
"scanner"
|
||||||
"smbuser"
|
"smbuser"
|
||||||
"sound"
|
|
||||||
"sudo"
|
|
||||||
"vboxusers"
|
|
||||||
"video"
|
"video"
|
||||||
"wheel"
|
# "wheel" # remove?
|
||||||
];
|
];
|
||||||
description = "AtaraxiaDev";
|
description = "AtaraxiaDev";
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
|
hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.zsh;
|
||||||
};
|
};
|
||||||
|
# Safe, because we using doas
|
||||||
|
users.allowNoPasswordLogin = true;
|
||||||
|
# FIXME
|
||||||
security.sudo = {
|
security.sudo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = lib.concatStrings [''
|
extraRules = [{
|
||||||
alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
|
users = [ "alukard" ];
|
||||||
''
|
commands = [{
|
||||||
(if (isLaptop) then ''
|
command = "/run/current-system/sw/bin/nixos-rebuild";
|
||||||
alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
|
options = [ "SETENV" "NOPASSWD" ];
|
||||||
alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
|
} {
|
||||||
alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
|
command = "/run/current-system/sw/bin/nix";
|
||||||
'' else "")
|
options = [ "SETENV" "NOPASSWD" ];
|
||||||
];
|
} {
|
||||||
|
command = "/run/current-system/sw/bin/nix-shell";
|
||||||
|
options = [ "SETENV" "NOPASSWD" ];
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
# extraConfig = lib.concatStrings [''
|
||||||
|
# alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
|
||||||
|
# ''
|
||||||
|
# (if (isLaptop) then ''
|
||||||
|
# alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
|
||||||
|
# alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
|
||||||
|
# alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
|
||||||
|
# '' else "")
|
||||||
|
# ];
|
||||||
};
|
};
|
||||||
home-manager.users.alukard = {
|
security.doas = {
|
||||||
systemd.user.services.polkit-agent = lib.mkIf (!isServer) {
|
enable = true;
|
||||||
Unit = {
|
extraRules = [{
|
||||||
Description = "Run polkit authentication agent";
|
users = [ "alukard" ];
|
||||||
X-RestartIfChanged = true;
|
keepEnv = true;
|
||||||
};
|
persist = true;
|
||||||
Install.WantedBy = [ "sway-session.target" ];
|
} {
|
||||||
Service = { ExecStart = "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"; };
|
users = [ "alukard" ];
|
||||||
};
|
noPass = true;
|
||||||
|
keepEnv = true;
|
||||||
|
cmd = "/run/current-system/sw/bin/btrfs";
|
||||||
|
args = [ "fi" "usage" "/" ];
|
||||||
|
}] ++ lib.optionals isLaptop [{
|
||||||
|
users = [ "alukard" ];
|
||||||
|
noPass = true;
|
||||||
|
keepEnv = true;
|
||||||
|
cmd = "/run/current-system/sw/bin/tlp";
|
||||||
|
} {
|
||||||
|
users = [ "alukard" ];
|
||||||
|
noPass = true;
|
||||||
|
keepEnv = true;
|
||||||
|
cmd = "/run/current-system/sw/bin/tlp-stat";
|
||||||
|
}];
|
||||||
};
|
};
|
||||||
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
|
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
|
||||||
services.getty.autologinUser = "alukard";
|
services.getty.autologinUser = "alukard";
|
||||||
|
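Review bot: The `security.sudo.extraRules` added here give `alukard` `NOPASSWD` plus `SETENV` on `/run/current-system/sw/bin/nix` and `/run/current-system/sw/bin/nix-shell` with no argument restriction, which is unrestricted passwordless root in practice (`sudo nix-shell -p --run bash`), so this commit widens privilege relative to the narrow btrfs/tlp rules it replaces and the `# FIXME` should state that. Until the `--flake` problem with doas is resolved, keep only the `nixos-rebuild` entry and drop `SETENV`, or at minimum remove the `nix` and `nix-shell` entries. The `noPass` doas rules appear to work only because `wheel` was removed from the group list: as far as I recall the NixOS doas module emits its `:wheel` rule after `extraRules` and doas takes the last match, so `# "wheel" # remove?` should become a comment explaining that it must stay removed. The comment `# Safe, because we using doas` on `users.allowNoPasswordLogin = true;` is misleading: that option only disables the assertion that at least one user can log in, has nothing to do with doas, and with `hashedPassword` still set on the user it looks unnecessary here.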
@ -1,4 +1,4 @@
|
|||||||
{ iconfont, ... }: ''
|
{ iconfont, ... }: ''
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
echo '<span font="${iconfont} Solid"></span>' `(sudo btrfs fi usage / | head -n7 | tail -n1 | awk '{print $3}')`
|
echo '<span font="${iconfont} Solid"></span>' `(doas btrfs fi usage / | head -n7 | tail -n1 | awk '{print $3}')`
|
||||||
''
|
''
|
||||||
|
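Review bot: `doas btrfs fi usage /` will not match the `cmd = "/run/current-system/sw/bin/btrfs"; args = [ "fi" "usage" "/" ];` rule added in the profile, because doas compares `cmd` against argv[0] as typed rather than resolving it through PATH as sudo did; the call then falls through to the remaining rules for this user, and a status-bar script may block on a password prompt or fail outright. Use the absolute path, `echo '<span font="${iconfont} Solid"></span>' `(doas /run/current-system/sw/bin/btrfs fi usage / | head -n7 | tail -n1 | awk '{print $3}')``. Any `tlp`/`tlp-stat` callers that were switched to doas presumably need the same treatment.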
@ -53,6 +53,7 @@
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
shellAliases = {
|
shellAliases = {
|
||||||
|
"_" = "doas";
|
||||||
"clr" = "clear";
|
"clr" = "clear";
|
||||||
"weather" = "curl wttr.in/Volzhskiy";
|
"weather" = "curl wttr.in/Volzhskiy";
|
||||||
"rede" = "systemctl --user start gammastep.service &";
|
"rede" = "systemctl --user start gammastep.service &";
|
||||||
|