security.sudo-rs.extraRules
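Define specific rules to be included in the sudoers file.
More specific rules should come after more general ones in order to
yield the expected behavior: when several rules match a command, the last
matching rule is the one that applies. You can use lib.mkBefore/lib.mkAfter to
ensure this is the case when configuration options are merged.
Rules that use NOPASSWD or SETENV deserve extra care: give the command as an
absolute path, and make sure neither the file nor its parent directories are
writable by the users the rule applies to, since such a rule would otherwise
let them run arbitrary code as the target user.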
- Type: list of (submodule)
- Default: `[ ]`
- Example:

```nix
[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
        { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]
```

- Declared in: <nixpkgs/nixos/modules/security/sudo-rs.nix>