fix: passwordless sudo only for yule

2023-10-26 14:09:11 +02:00 · 2023-10-26 14:09:11 +02:00 · 615ef9a856
parent 9995e15760
commit 615ef9a856
3 changed files with 18 additions and 11 deletions
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -29,17 +29,6 @@ in {

  # Limit the use of sudo to the group wheel
  security.sudo.execWheelOnly = true;
-  security.sudo.extraRules = [
-    {
-      users = ["${psCfg.user.name}"];
-      commands = [
-        {
-          command = "ALL";
-          options = ["NOPASSWD"];
-        }
-      ];
-    }
-  ];

  # Remove the complete default environment of packages like
  # nano, perl and rsync
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
@ -28,6 +28,11 @@ with lib; {
        type = types.nullOr types.str;
        default = null;
      };
+      passwordlessSudo = mkOption {
+        description = "Whether this user can use sudo without entering a password";
+        type = types.bool;
+        default = false;
+      };
      publicKeys = mkOption {
        description = "User SSH public keys";
        type = types.listOf types.str;
@ -81,5 +86,17 @@ with lib; {
          else [];
      };
    };
+
+    security.sudo.extraRules = mkIf psCfg.user.passwordlessSudo [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
  };
 }
--- a/users/yule/default.nix
+++ b/users/yule/default.nix
@ -15,6 +15,7 @@ in {
        name = "yule";
        description = "b12f";
        password = "$y$j9T$x1nyqcXw/1iYKo3054cdB1$0TOuyE5t5ZV6z9Gzl9zIrmZGADBxupnwcUMTcMtMa73";
+        passwordlessSudo = true;
        fullName = "Benjamin Bädorf";
        email = "hello@benjaminbaedorf.eu";
        gpgKeyId = "4406E80E13CD656C";