[nix] Rework doas config to use proper rules instead of config + add Gulasch

2021-11-01 17:25:07 +01:00 · 2021-11-01 17:25:07 +01:00 · 53ce197917
parent f24d923980
commit 53ce197917
1 changed files with 25 additions and 4 deletions
--- a/dot_config/nixos/configuration.nix
+++ b/dot_config/nixos/configuration.nix
@ -50,11 +50,32 @@
  };

  security.doas.enable = true;
-  security.doas.extraConfig = "permit nopass bascht as root cmd /run/current-system/sw/bin/openvpn";
+
  security.doas.extraRules = [{
-    users = [ "bascht" ];
-    keepEnv = true;
-    persist = true;
+      users = [ "bascht" ];
+      keepEnv = true;
+      persist = true;
+    }{
+      users = [ "bascht" ];
+      keepEnv = true;
+      noPass = true;
+      cmd = "/run/current-system/sw/bin/openvpn";
+    }{
+    }{
+      users = [ "bascht" ];
+      keepEnv = true;
+      noPass = true;
+      cmd = "/run/current-system/sw/bin/cryptsetup";
+    }{
+      users = [ "bascht" ];
+      noPass = true;
+      cmd = "/run/current-system/sw/bin/cryptsetup";
+      args = ["luksOpen" "/dev/disk/by-partlabel/Gulasch" "Gulasch"];
+    }{
+      users = [ "bascht" ];
+      noPass = true;
+      cmd = "/run/wrappers/bin/mount";
+      args = ["/dev/mapper/Gulasch" "/mnt/Gulasch"];
  }];
  security.pam.loginLimits = [
    { domain = "@users"; item = "nofile"; type = "soft"; value = "4096"; }