Commit 4177ddcf authored by Savyasachee Jha's avatar Savyasachee Jha Committed by Cole Helbling

doas: refactor config generation

According to Ted Unangst, since doas evaluates rules in a last
matched manner, it is prudent to have the "permit root to do everything
without a password" rule at the end of the file.

Source: https://flak.tedunangst.com/post/doas-mastery
parent c23e8da5
+9 −5
@@ -75,7 +75,9 @@ in
        {file}`/etc/doas.conf` file. More specific rules should
        come after more general ones in order to yield the expected behavior.
        You can use `mkBefore` and/or `mkAfter` to ensure
        this is the case when configuration options are merged.
        this is the case when configuration options are merged. Be aware that
        this option cannot be used to override the behaviour allowing
        passwordless operation for root.
      '';
      example = literalExpression ''
        [
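Review bot: the added sentence in this hunk says the option "cannot be used to override the behaviour allowing passwordless operation for root" but does not say why, even though the preceding sentences already explain the last-match ordering rule. Consider stating the mechanism so users do not try `deny root` or `permit persist root` in `extraRules` and wonder why it has no effect, e.g. "because the generated file always ends with `permit nopass keepenv root`, which under doas's last-match evaluation takes precedence over any rule placed here." Also, the option text still says "use `mkBefore` and/or `mkAfter`" to order rules; it may be worth noting that this ordering only applies among `extraRules` entries, never relative to the final root rule.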
@@ -224,7 +226,9 @@ in
      type = with types; lines;
      default = "";
      description = lib.mdDoc ''
        Extra configuration text appended to {file}`doas.conf`.
        Extra configuration text appended to {file}`doas.conf`. Be aware that
        this option cannot be used to override the behaviour allowing
        passwordless operation for root.
      '';
    };
  };
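Review bot: this hunk repeats the exact caveat added to `extraRules` verbatim; since `extraConfig` is emitted after `extraRules` but before the final root rule (see the generation template below), the description would be more useful if it stated that position explicitly, e.g. "This text is placed after all `extraRules` and before the final `permit nopass keepenv root` rule, so it can override `extraRules` but not root's passwordless access." That tells the reader both what they can and cannot override with this option.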
@@ -266,14 +270,14 @@ in
            # completely replace the contents of this file, use
            # `environment.etc."doas.conf"`.

            # "root" is allowed to do anything.
            permit nopass keepenv root

            # extraRules
            ${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))}

            # extraConfig
            ${cfg.extraConfig}

            # "root" is allowed to do anything.
            permit nopass keepenv root
          '';
          preferLocalBuild = true;
        }
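Review bot: moving `permit nopass keepenv root` to the end of the generated file is the substantive change here, but the comment above it (`# "root" is allowed to do anything.`) is unchanged and does not record why the rule must be last. Since a later contributor could reasonably move it back to the top for readability and silently make root's access overridable again, suggest extending the comment to capture the rationale from the commit message, e.g. `# Must remain the last rule: doas uses last-match semantics, so placing it here guarantees root is never locked out by extraRules/extraConfig.` The header comment about `environment.etc."doas.conf"` already tells users how to replace the file entirely, so that remains the supported escape hatch for anyone who does want to change root's rule.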