nixos/modules/services/backup/btrbk.nix +18 −17 @@ -47,8 +47,21 @@ let then [ "${name} ${value}" ] else concatLists (mapAttrsToList (genSection name) value); sudoRule = { users = [ "btrbk" ]; commands = [ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; } # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; } ]; }; sudo_doas = if config.security.sudo.enable then "sudo" if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo" else if config.security.doas.enable then "doas" else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
@@ -157,22 +170,10 @@ in }; config = mkIf (sshEnabled || serviceEnabled) { environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages; security.sudo = mkIf (sudo_doas == "sudo") { extraRules = [ { users = [ "btrbk" ]; commands = [ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; } # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; } ]; } ]; }; security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ]; security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ]; security.doas = mkIf (sudo_doas == "doas") { extraRules = let doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
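Review bot: Both `security.sudo.extraRules` and `security.sudo-rs.extraRules` are set under the same `sudo_doas == "sudo"` condition, so the NOPASSWD rule for `btrbk` is also handed to whichever of the two implementations is not enabled. Whether a disabled module ignores its `extraRules` is not visible on this page; gating each assignment on its own flag makes the intent explicit: `security.sudo.extraRules = mkIf config.security.sudo.enable [ sudoRule ];` and `security.sudo-rs.extraRules = mkIf config.security.sudo-rs.enable [ sudoRule ];`. The rule lets `btrbk` run `btrfs`, `mkdir` and `readlink` through sudo with any arguments and no password, so now that it is defined once, a comment on `sudoRule` stating that scope would help the next reviewer, e.g. `# btrbk may run these via sudo without a password; arguments are not restricted`. The `let` and `config` blocks continue outside the hunks shown.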
nixos/modules/services/backup/btrbk.nix +18 −17 @@ -47,8 +47,21 @@ let then [ "${name} ${value}" ] else concatLists (mapAttrsToList (genSection name) value); sudoRule = { users = [ "btrbk" ]; commands = [ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; } # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; } ]; }; sudo_doas = if config.security.sudo.enable then "sudo" if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo" else if config.security.doas.enable then "doas" else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
@@ -157,22 +170,10 @@ in }; config = mkIf (sshEnabled || serviceEnabled) { environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages; security.sudo = mkIf (sudo_doas == "sudo") { extraRules = [ { users = [ "btrbk" ]; commands = [ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; } # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk} { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; } ]; } ]; }; security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ]; security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ]; security.doas = mkIf (sudo_doas == "doas") { extraRules = let doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };