authorMaciej Krüger <mkg20001@gmail.com>2023-11-26 21:36:20 +0100
committerGitHub <noreply@github.com>2023-11-26 21:36:20 +0100
commitcdd67575e77412c3229df51522a3003300b5468f (patch)
tree7b2f6ea27b924850be11af09d8169bc91e6f5c07 /nixos/modules/services/backup
parent8d16f1e8fe89f1cbe8c3b62d2f93f7db1bea5971 (diff)
parent19af28537bb59c849a666fce27e15d1f33fb03ee (diff)
Merge pull request #265722 from nbraud/nixos/sudo-rs/btrbk
Diffstat (limited to 'nixos/modules/services/backup')
-rw-r--r--nixos/modules/services/backup/btrbk.nix35
1 files changed, 18 insertions, 17 deletions
diff --git a/nixos/modules/services/backup/btrbk.nix b/nixos/modules/services/backup/btrbk.nix
index 9b7f1566eb1e..1e90ef54d33f 100644
--- a/nixos/modules/services/backup/btrbk.nix
+++ b/nixos/modules/services/backup/btrbk.nix
@@ -47,8 +47,21 @@ let
then [ "${name} ${value}" ]
else concatLists (mapAttrsToList (genSection name) value);
+ sudoRule = {
+ users = [ "btrbk" ];
+ commands = [
+ { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
+ # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
+ { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
+ ];
+ };
+
sudo_doas =
- if config.security.sudo.enable then "sudo"
+ if config.security.sudo.enable || config.security.sudo-rs.enable then "sudo"
else if config.security.doas.enable then "doas"
else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
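Review bot: `sudoRule` sets no `runAs` and no argument restrictions on its six `NOPASSWD` entries, so the `btrbk` account may invoke any `btrfs` subcommand, `mkdir` and `readlink` with arbitrary arguments, and, if the module's `runAs` default is `ALL:ALL` (worth confirming), as any target user. Now that the rule is a shared binding applied to both sudo and sudo-rs, it would be worth pinning the target with `runAs = "root";` and adding a comment above it such as `# btrbk escalates only for btrfs, mkdir and readlink; keep this list minimal`. The three `/run/current-system/sw/bin/...` entries are described as being for ssh, so they could be added only when `sshEnabled` is true, assuming local runs never resolve to those paths. The existing comment would read better as `# for ssh, these paths differ from the ones hard-coded in ${pkgs.btrbk}`. The enclosing `let` starts and ends outside the hunk.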
@@ -157,22 +170,10 @@ in
};
config = mkIf (sshEnabled || serviceEnabled) {
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
- security.sudo = mkIf (sudo_doas == "sudo") {
- extraRules = [
- {
- users = [ "btrbk" ];
- commands = [
- { command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
- { command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
- { command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
- # for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
- { command = "/run/current-system/sw/bin/btrfs"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
- ];
- }
- ];
- };
+
+ security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
+ security.sudo-rs.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
+
security.doas = mkIf (sudo_doas == "doas") {
extraRules = let
doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
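Review bot: Both `extraRules` assignments are gated on the same `sudo_doas == "sudo"` test, so the grant is also written to whichever sudo implementation is not enabled; that is probably inert, but it hides which module actually receives the privileged rule. Gating each on its own switch states the intent directly and should behave the same given how `sudo_doas` is computed: `security.sudo.extraRules = mkIf config.security.sudo.enable [ sudoRule ];` and `security.sudo-rs.extraRules = mkIf config.security.sudo-rs.enable [ sudoRule ];`. The `security.doas` block that follows continues past the end of the hunk.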