From 6c8b85f04ca2f287ad4244bc911726739a1a212a Mon Sep 17 00:00:00 2001
From: Igor Pashev
Date: Sat, 25 Mar 2017 11:23:40 +0300
Subject: Add sysops group
The wheel group is allowed to do everything by default. We need a separate group to really confine users. For example: $ sudo ls We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for pashev: Sorry, user pashev is not allowed to execute '/run/current-system/sw/bin/ls --color=tty' as root on vbox-manul.
---
 modules/system/sysops.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
 (limited to 'modules/system')
diff --git a/modules/system/sysops.nix b/modules/system/sysops.nix
index ccf6d0b..54ff074 100644
--- a/modules/system/sysops.nix
+++ b/modules/system/sysops.nix
@@ -1,8 +1,7 @@
 { config, lib, ...}:
 let
- inherit (lib) concatMapStringsSep concatStringsSep mkOption types;
- inherit (types) str listOf;
+ inherit (lib) concatStringsSep genAttrs mkIf ;
 bindir = "/run/current-system/sw/bin";
@@ -27,9 +26,17 @@ let
 in {
- config = {
+ config = mkIf ( [] != config.nixsap.system.users.sysops ) {
+ nixsap.system.groups = [ "sysops" ];
+
+ users.users = genAttrs config.nixsap.system.users.sysops (
+ name: {
+ extraGroups = [ "sysops" "systemd-journal" "proc" ];
+ }
+ );
+
 security.sudo.extraConfig = ''
- %wheel ALL=(ALL) NOPASSWD: ${commands}
+ %sysops ALL=(ALL) NOPASSWD: ${commands}
 '';
 };
 }
-- 
cgit v1.2.3
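Review bot: Nothing in the new `config = mkIf (...) { ... }` block stops a name listed in `nixsap.system.users.sysops` from also being a `wheel` member, and since the commit message says wheel keeps unrestricted sudo by default, such a user would still get everything and the `%sysops ALL=(ALL) NOPASSWD: ${commands}` line would confine nobody. The `commands` alias is defined outside this hunk, so whether its entries are themselves root-equivalent (pagers, editors, anything that takes a shell-escaping argument) cannot be judged here, but it deserves a check before NOPASSWD is granted on it. `(ALL)` also lets sysops run those commands as any target user, not only root; if root is the intent, `(root)` is tighter. I would add an assertion inside the `mkIf` block that fails evaluation when a sysops user's merged `extraGroups` contains `wheel`, as below (`lib` is the module argument, already in scope). The attribute set this hunk edits opens at `in {` and closes at the final `}` within the hunk.
```nix
config = mkIf ( [] != config.nixsap.system.users.sysops ) {
  # A sysops user must not also be in wheel, or the restricted command
  # list below is meaningless: wheel has unrestricted sudo by default.
  assertions = [ {
    assertion = lib.all (u: ! lib.elem "wheel" config.users.users.${u}.extraGroups)
                        config.nixsap.system.users.sysops;
    message = "nixsap.system.users.sysops: a sysops user must not be a member of wheel";
  } ];
  # … unchanged: nixsap.system.groups, users.users, security.sudo.extraConfig …
};
```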