depot/third_party/nixpkgs/nixos/modules/security/please.nix

123 lines
3.1 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.please;
ini = pkgs.formats.ini { };
in
{
options.security.please = {
enable = mkEnableOption (mdDoc ''
please, a Sudo clone which allows a users to execute a command or edit a
file as another user
'');
package = mkOption {
type = types.package;
default = pkgs.please;
defaultText = literalExpression "pkgs.please";
description = mdDoc ''
Which package to use for {command}`please`.
'';
};
wheelNeedsPassword = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Whether users of the `wheel` group must provide a password to run
commands or edit files with {command}`please` and
{command}`pleaseedit` respectively.
'';
};
settings = mkOption {
type = ini.type;
default = { };
example = {
jim_run_any_as_root = {
name = "jim";
type = "run";
target = "root";
rule = ".*";
require_pass = false;
};
jim_edit_etc_hosts_as_root = {
name = "jim";
type = "edit";
target = "root";
rule = "/etc/hosts";
editmode = 644;
require_pass = true;
};
};
description = mdDoc ''
Please configuration. Refer to
<https://github.com/edneville/please/blob/master/please.ini.md> for
details.
'';
};
};
config = mkIf cfg.enable {
security.wrappers =
let
owner = "root";
group = "root";
setuid = true;
in
{
please = {
source = "${cfg.package}/bin/please";
inherit owner group setuid;
};
pleaseedit = {
source = "${cfg.package}/bin/pleaseedit";
inherit owner group setuid;
};
};
security.please.settings = rec {
# The "wheel" group is allowed to do anything by default but this can be
# overridden.
wheel_run_as_any = {
type = "run";
group = true;
name = "wheel";
target = ".*";
rule = ".*";
require_pass = cfg.wheelNeedsPassword;
};
wheel_edit_as_any = wheel_run_as_any // { type = "edit"; };
wheel_list_as_any = wheel_run_as_any // { type = "list"; };
};
environment = {
systemPackages = [ cfg.package ];
etc."please.ini".source = ini.generate "please.ini"
(cfg.settings // (rec {
# The "root" user is allowed to do anything by default and this cannot
# be overridden.
root_run_as_any = {
type = "run";
name = "root";
target = ".*";
rule = ".*";
require_pass = false;
};
root_edit_as_any = root_run_as_any // { type = "edit"; };
root_list_as_any = root_run_as_any // { type = "list"; };
}));
};
security.pam.services.please = {
sshAgentAuth = true;
usshAuth = true;
};
meta.maintainers = with maintainers; [ azahi ];
};
}