Remove sudo

2021-01-27 16:57:07 +01:00 · 2021-01-27 16:57:07 +01:00 · ad71bb0318
commit ad71bb0318
parent ef572c20bc
5 changed files with 27 additions and 6 deletions
--- a/containers/data-access/config.nix
+++ b/containers/data-access/config.nix
@ -11,6 +11,7 @@
    uid = 1000;
    group = "users";
  };
+  security.sudo.enable = false;
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
--- a/modules/accentor.nix
+++ b/modules/accentor.nix
@ -70,6 +70,14 @@ in
      '')
    ];

+    security.doas.extraRules = [{
+      users = [ "charlotte" ];
+      noPass = true;
+      cmd = "accentor-console";
+      runAs = "accentor";
+      setEnv = [ "RAILS_MASTER_KEY" ];
+    }];
+
    services.postgresql = {
      enable = true;
      dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -89,6 +89,19 @@
      externalInterface = "eno3";
    };

+    security.sudo.enable = false;
+    security.doas = {
+      enable = true;
+      extraRules = [
+        {
+          users = [ "charlotte" ];
+          noPass = true;
+          cmd = "nix-collect-garbage";
+          runAs = "root";
+        }
+      ];
+    };
+
    users = {
      mutableUsers = false;
      defaultUserShell = pkgs.zsh;
@ -97,7 +110,7 @@
          isNormalUser = true;
          home = "/home/charlotte";
          description = "Charlotte Van Petegem";
-          extraGroups = [ "wheel" "systemd-journal" ] ++ lib.optionals config.chvp.graphical [ "input" "video" ];
+          extraGroups = [ "systemd-journal" ] ++ lib.optionals config.chvp.graphical [ "input" "video" ];
        };
      };
    };
--- a/modules/zsh.nix
+++ b/modules/zsh.nix
@ -30,7 +30,6 @@
              "extract"
              "history-substring-search"
              "git"
-              "sudo"
              "systemd"
              "tmux"
            ];
--- a/update.sh
+++ b/update.sh
@ -15,7 +15,7 @@ nix flake update --recreate-lock-file

 if [ -z "${OVERRIDE:-}" ]
 then
-    sudo nixos-rebuild --flake . switch
+    su -c "nixos-rebuild --flake . switch"
 else
-    sudo nixos-rebuild --flake . --override-input nixpkgs ../nixpkgs --no-write-lock-file switch
+    su -c "nixos-rebuild --flake . --override-input nixpkgs ../nixpkgs --no-write-lock-file switch"
 fi