nixos/sudo-rs: align sudo and sudo-rs config (#386423)

Author: SuperSandro2000

nixos/modules/config/terminfo.nix

@@ -76,12 +76,18 @@
       export TERM=$TERM
     '';
 
-    security.sudo.extraConfig = lib.mkIf config.security.sudo.keepTerminfo ''
-
-      # Keep terminfo database for root and %wheel.
-      Defaults:root,%wheel env_keep+=TERMINFO_DIRS
-      Defaults:root,%wheel env_keep+=TERMINFO
-    '';
+    security =
+      let
+        extraConfig = ''
 
+          # Keep terminfo database for root and %wheel.
+          Defaults:root,%wheel env_keep+=TERMINFO_DIRS
+          Defaults:root,%wheel env_keep+=TERMINFO
+        '';
+      in
+      lib.mkIf config.security.sudo.keepTerminfo {
+        sudo = { inherit extraConfig; };
+        sudo-rs = { inherit extraConfig; };
+      };
   };
 }

nixos/modules/security/sudo-rs.nix

@@ -36,7 +36,7 @@ in
 
     defaultOptions = lib.mkOption {
       type = with lib.types; listOf str;
-      default = [ ];
+      default = [ "SETENV" ];
       description = ''
         Options used for the default rules, granting `root` and the
         `wheel` group permission to run any command as any user.

nixos/tests/all-tests.nix

@@ -1052,7 +1052,7 @@ in {
   stub-ld = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./stub-ld.nix {};
   stunnel = handleTest ./stunnel.nix {};
   sudo = handleTest ./sudo.nix {};
-  sudo-rs = handleTest ./sudo-rs.nix {};
+  sudo-rs = runTest ./sudo-rs.nix;
   sunshine = handleTest ./sunshine.nix {};
   suricata = handleTest ./suricata.nix {};
   suwayomi-server = handleTest ./suwayomi-server.nix {};

nixos/tests/sudo-rs.nix

@@ -1,140 +1,138 @@
 # Some tests to ensure sudo is working properly.
 { pkgs, ... }:
 let
-  inherit (pkgs.lib) mkIf optionalString;
   password = "helloworld";
 in
-import ./make-test-python.nix (
-  { lib, pkgs, ... }:
-  {
-    name = "sudo-rs";
-    meta.maintainers = pkgs.sudo-rs.meta.maintainers;
-
-    nodes.machine =
-      { lib, ... }:
-      {
-        environment.systemPackages = [ pkgs.faketty ];
-        users.groups = {
-          foobar = { };
-          barfoo = { };
-          baz = {
-            gid = 1337;
-          };
+{
+  name = "sudo-rs";
+  meta.maintainers = pkgs.sudo-rs.meta.maintainers;
+
+  nodes.machine =
+    { lib, ... }:
+    {
+      environment.systemPackages = [ pkgs.faketty ];
+      users.groups = {
+        foobar = { };
+        barfoo = { };
+        baz = {
+          gid = 1337;
         };
-        users.users = {
-          test0 = {
-            isNormalUser = true;
-            extraGroups = [ "wheel" ];
-          };
-          test1 = {
-            isNormalUser = true;
-            password = password;
-          };
-          test2 = {
-            isNormalUser = true;
-            extraGroups = [ "foobar" ];
-            password = password;
-          };
-          test3 = {
-            isNormalUser = true;
-            extraGroups = [ "barfoo" ];
-          };
-          test4 = {
-            isNormalUser = true;
-            extraGroups = [ "baz" ];
-          };
-          test5 = {
-            isNormalUser = true;
-          };
+      };
+      users.users = {
+        test0 = {
+          isNormalUser = true;
+          extraGroups = [ "wheel" ];
         };
-
-        security.sudo-rs = {
-          enable = true;
-          wheelNeedsPassword = false;
-
-          extraRules = [
-            # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
-            # errors being detected by the visudo checks.
-
-            # These should not create any entries
-            {
-              users = [ "notest1" ];
-              commands = [ ];
-            }
-            {
-              commands = [
-                {
-                  command = "ALL";
-                  options = [ ];
-                }
-              ];
-            }
-
-            # Test defining commands with the options syntax, though not setting any options
-            {
-              users = [ "notest2" ];
-              commands = [
-                {
-                  command = "ALL";
-                  options = [ ];
-                }
-              ];
-            }
-
-            # CONFIGURATION FOR TEST CASES
-            {
-              users = [ "test1" ];
-              groups = [ "foobar" ];
-              commands = [ "ALL" ];
-            }
-            {
-              groups = [
-                "barfoo"
-                1337
-              ];
-              commands = [
-                {
-                  command = "ALL";
-                  options = [ "NOPASSWD" ];
-                }
-              ];
-            }
-            {
-              users = [ "test5" ];
-              commands = [
-                {
-                  command = "ALL";
-                  options = [ "NOPASSWD" ];
-                }
-              ];
-              runAs = "test1:barfoo";
-            }
-          ];
+        test1 = {
+          isNormalUser = true;
+          password = password;
+        };
+        test2 = {
+          isNormalUser = true;
+          extraGroups = [ "foobar" ];
+          password = password;
+        };
+        test3 = {
+          isNormalUser = true;
+          extraGroups = [ "barfoo" ];
+        };
+        test4 = {
+          isNormalUser = true;
+          extraGroups = [ "baz" ];
+        };
+        test5 = {
+          isNormalUser = true;
         };
       };
 
-    nodes.strict =
-      { ... }:
-      {
-        environment.systemPackages = [ pkgs.faketty ];
-        users.users = {
-          admin = {
-            isNormalUser = true;
-            extraGroups = [ "wheel" ];
-          };
-          noadmin = {
-            isNormalUser = true;
-          };
+      security.sudo-rs = {
+        enable = true;
+        wheelNeedsPassword = false;
+
+        extraRules = [
+          # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
+          # errors being detected by the visudo checks.
+
+          # These should not create any entries
+          {
+            users = [ "notest1" ];
+            commands = [ ];
+          }
+          {
+            commands = [
+              {
+                command = "ALL";
+                options = [ ];
+              }
+            ];
+          }
+
+          # Test defining commands with the options syntax, though not setting any options
+          {
+            users = [ "notest2" ];
+            commands = [
+              {
+                command = "ALL";
+                options = [ ];
+              }
+            ];
+          }
+
+          # CONFIGURATION FOR TEST CASES
+          {
+            users = [ "test1" ];
+            groups = [ "foobar" ];
+            commands = [ "ALL" ];
+          }
+          {
+            groups = [
+              "barfoo"
+              1337
+            ];
+            commands = [
+              {
+                command = "ALL";
+                options = [ "NOPASSWD" ];
+              }
+            ];
+          }
+          {
+            users = [ "test5" ];
+            commands = [
+              {
+                command = "ALL";
+                options = [ "NOPASSWD" ];
+              }
+            ];
+            runAs = "test1:barfoo";
+          }
+        ];
+      };
+    };
+
+  nodes.strict =
+    { ... }:
+    {
+      environment.systemPackages = [ pkgs.faketty ];
+      users.users = {
+        admin = {
+          isNormalUser = true;
+          extraGroups = [ "wheel" ];
         };
-
-        security.sudo-rs = {
-          enable = true;
-          wheelNeedsPassword = false;
-          execWheelOnly = true;
+        noadmin = {
+          isNormalUser = true;
         };
       };
 
-    testScript = ''
+      security.sudo-rs = {
+        enable = true;
+        wheelNeedsPassword = false;
+        execWheelOnly = true;
+      };
+    };
+
+  testScript = # python
+    ''
       with subtest("users in wheel group should have passwordless sudo"):
           machine.succeed('faketty -- su - test0 -c "sudo -u root true"')
 
@@ -165,5 +163,4 @@ import ./make-test-python.nix (
       with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
           strict.fail('faketty -- su - noadmin -c "sudo --help"')
     '';
-  }
-)
+}