From 2f90d7f0d094565cf35f398fc650cbb6f0e7136b Mon Sep 17 00:00:00 2001
From: imxyy_soope_
Date: Sat, 6 Jun 2026 21:07:01 +0800
Subject: [PATCH] doas -> sudo

---
 modules/cli/shell/fish.nix |  2 +-
 modules/cli/shell/zsh.nix  |  2 +-
 modules/core/user.nix      | 58 ++------------------------------------
 3 files changed, 5 insertions(+), 57 deletions(-)

diff --git a/modules/cli/shell/fish.nix b/modules/cli/shell/fish.nix
index 5569f9f..fa414c2 100644
--- a/modules/cli/shell/fish.nix
+++ b/modules/cli/shell/fish.nix
@@ -32,7 +32,7 @@ in
     shellAliases = {
       la = "lsd -lah";
       ls = "lsd";
-      svim = "doasedit";
+      svim = "sudoedit";
       nf = "fastfetch";
     };
     interactiveShellInit = lib.mkBefore ''
diff --git a/modules/cli/shell/zsh.nix b/modules/cli/shell/zsh.nix
index e515411..3eff5ce 100644
--- a/modules/cli/shell/zsh.nix
+++ b/modules/cli/shell/zsh.nix
@@ -51,7 +51,7 @@ in
     };
     shellAliases = {
       ls = "lsd";
-      svim = "doasedit";
+      svim = "sudoedit";
       nf = "fastfetch";
     };
   };
diff --git a/modules/core/user.nix b/modules/core/user.nix
index fe0e289..5d531e9 100644
--- a/modules/core/user.nix
+++ b/modules/core/user.nix
@@ -39,67 +39,15 @@ in
   };
   users.users.root.hashedPasswordFile = lib.mkDefault config.sops.secrets.imxyy-nix-hashed-password.path;
-  security.sudo.enable = false;
-  security.doas = {
+  security.sudo = {
     enable = true;
     extraRules = [
       {
-        users = [ username ];
-        noPass = hostname == "imxyy-nix";
-        keepEnv = true;
+        users = [ "imxyy" ];
+        commands = [ "ALL" ] ++ (lib.optionals (hostname == "imxyy-nix") [ "NOPASSWD" ]);
       }
     ];
   };
-  environment.shellAliases = {
-    sudoedit = "doasedit";
-  };
-  environment.systemPackages = [
-    (pkgs.writeShellScriptBin "sudo" ''exec doas "$@"'')
-    (pkgs.writeShellScriptBin "doasedit" ''
-      if [ -n "''${2}" ]; then
-        printf 'Expected only one argument\n'
-        exit 1
-      elif [ -z "''${1}" ]; then
-        printf 'No file path provided\n'
-        exit 1
-      elif [ "$(id -u)" -eq 0 ]; then
-        printf 'Cannot be run as root\n'
-        exit 1
-      fi
-
-      set -eu
-
-      tempdir="$(mktemp -d)"
-
-      trap 'rm -rf $tempdir' EXIT
-      srcfile="$(doas realpath "$1")"
-
-      if doas [ -f "$srcfile" ]; then
-        doas cp -a "$srcfile" "$tempdir"/file
-        doas cp -a "$tempdir"/file "$tempdir"/edit
-
-        # make sure that the file is editable by user
-        doas chown "$USER":"$USER" "$tempdir"/edit
-        chmod 600 "$tempdir"/edit
-      else
-        # create file with "regular" system permissions (root:root 644)
-        touch "$tempdir"/file
-        doas chown root:root "$tempdir"/file
-      fi
-
-      $EDITOR "$tempdir"/edit
-
-      doas tee "$tempdir"/file 1>/dev/null < "$tempdir"/edit
-
-      if doas cmp -s "$tempdir/file" "$srcfile"; then
-        printf 'Skipping write; no changes.\n'
-        exit 0
-      else
-        doas mv -f "$tempdir"/file "$srcfile"
-        exit 0
-      fi
-    '')
-  ];
   nix.settings.trusted-users = [
     "root"