From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 Apr 2024 02:15:42 +0300
Subject: 2024-04-21
---
modules/common/security.nix | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 modules/common/security.nix
(limited to 'modules/common/security.nix')
diff --git a/modules/common/security.nix b/modules/common/security.nix
new file mode 100644
index 0000000..c635cdc
--- /dev/null
+++ b/modules/common/security.nix
@@ -0,0 +1,31 @@
+_: {
+ security = {
+ sudo = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ extraConfig = ''
+ Defaults lecture=never
+ '';
+ };
+
+ polkit = {
+ enable = true;
+ extraConfig = ''
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup('wheel'))
+ return polkit.Result.YES;
+ });
+ '';
+ };
+
+ # Pretty much used only for PipeWire.
+ rtkit.enable = true;
+ };
+}
-- 
cgit v1.2.3
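Review bot: The polkit rule in `polkit.extraConfig` returns `polkit.Result.YES` for every action to any wheel member without looking at the session, so a wheel account in a remote or inactive session is authorized as well. Together with `wheelNeedsPassword = false`, any process running as a wheel user is root-equivalent with no prompt. If the intent is convenience for a person at the console, narrow the condition to `if (subject.isInGroup('wheel') && subject.local && subject.active)`, or return `polkit.Result.AUTH_SELF_KEEP` so a password is still asked once per session. The file sits under `modules/common`, so this presumably applies to every host that imports it, including ones reachable over SSH; a comment next to `wheelNeedsPassword` saying which hosts this is meant for would make the trade-off explicit.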