authorAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
committerAzat Bahawi <azat@bahawi.net>2024-04-21 02:15:42 +0300
commite6ed60548397627bf10f561f9438201dbba0a36e (patch)
treef9a84c5957d2cc4fcd148065ee9365a0c851ae1c /modules/common/security.nix
parent9ac64328603d44bd272175942d3ea3eaadcabd04 (diff)
2024-04-21
Diffstat (limited to 'modules/common/security.nix')
-rw-r--r--modules/common/security.nix31
1 files changed, 31 insertions, 0 deletions
diff --git a/modules/common/security.nix b/modules/common/security.nix
new file mode 100644
index 0000000..c635cdc
--- /dev/null
+++ b/modules/common/security.nix
@@ -0,0 +1,31 @@
+_: {
+ security = {
+ sudo = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ extraConfig = ''
+ Defaults lecture=never
+ '';
+ };
+
+ polkit = {
+ enable = true;
+ extraConfig = ''
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup('wheel'))
+ return polkit.Result.YES;
+ });
+ '';
+ };
+
+ # Pretty much used only for PipeWire.
+ rtkit.enable = true;
+ };
+}
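Review bot: The polkit rule in `polkit.extraConfig` returns `polkit.Result.YES` for every action on wheel membership alone, and combined with `wheelNeedsPassword = false` any process running as a wheel user can become root with no authentication step at all. Because the file sits under `modules/common`, this presumably applies to every host that imports it, including ones where wheel users log in remotely. If passwordless elevation is only wanted at the local console, narrow the condition to `if (subject.isInGroup('wheel') && subject.local && subject.active)`, or return `polkit.Result.AUTH_ADMIN_KEEP` on hosts where a prompt is acceptable. A short Nix comment above `wheelNeedsPassword` stating which machines this trade-off is intended for would let a later reader judge whether it still holds.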