doas -> sudo

This commit is contained in:
2026-06-06 21:07:01 +08:00
parent be6c838f19
commit 2f90d7f0d0
3 changed files with 5 additions and 57 deletions
+3 -55
View File
@@ -39,67 +39,15 @@ in
};
users.users.root.hashedPasswordFile = lib.mkDefault config.sops.secrets.imxyy-nix-hashed-password.path;
security.sudo.enable = false;
security.doas = {
security.sudo = {
enable = true;
extraRules = [
{
users = [ username ];
noPass = hostname == "imxyy-nix";
keepEnv = true;
users = [ "imxyy" ];
commands = [ "ALL" ] ++ (lib.optionals (hostname == "imxyy-nix") [ "NOPASSWD" ]);
}
];
};
environment.shellAliases = {
sudoedit = "doasedit";
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "sudo" ''exec doas "$@"'')
(pkgs.writeShellScriptBin "doasedit" ''
if [ -n "''${2}" ]; then
printf 'Expected only one argument\n'
exit 1
elif [ -z "''${1}" ]; then
printf 'No file path provided\n'
exit 1
elif [ "$(id -u)" -eq 0 ]; then
printf 'Cannot be run as root\n'
exit 1
fi
set -eu
tempdir="$(mktemp -d)"
trap 'rm -rf $tempdir' EXIT
srcfile="$(doas realpath "$1")"
if doas [ -f "$srcfile" ]; then
doas cp -a "$srcfile" "$tempdir"/file
doas cp -a "$tempdir"/file "$tempdir"/edit
# make sure that the file is editable by user
doas chown "$USER":"$USER" "$tempdir"/edit
chmod 600 "$tempdir"/edit
else
# create file with "regular" system permissions (root:root 644)
touch "$tempdir"/file
doas chown root:root "$tempdir"/file
fi
$EDITOR "$tempdir"/edit
doas tee "$tempdir"/file 1>/dev/null < "$tempdir"/edit
if doas cmp -s "$tempdir/file" "$srcfile"; then
printf 'Skipping write; no changes.\n'
exit 0
else
doas mv -f "$tempdir"/file "$srcfile"
exit 0
fi
'')
];
nix.settings.trusted-users = [
"root"