nixos/doas: init #86488

Merged
merged 2 commits into from May 10, 2020

cole-h (Member) commented May 1, 2020

Motivation for this change

I noticed that #74184 was both unmerged and behind by a patch version, so I wanted to update it. Then I read the comment that there was no suid wrapper for it, and thus began my journey into making my very first NixOS module. Most of the work is based off of the existing sudo module (including the test).

Closes #74184. Version bump was picked into master.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

This is a draft because, although I've tested this in a NixOS VM, I haven't used it for any real length of time. It definitely gets suid and can run commands as root, but that's really the extent of my testing. More testing is welcome, suggestions on what to improve, etc.

cole-h (Member, Author) commented May 1, 2020

@ofborg test doas

adisbladis force-pushed the cole-h:doas branch from aec1dff to 9d0660d May 2, 2020

adisbladis (Member) commented May 2, 2020

@cole-h I took the liberty of getting the version bump on master so the scope of this PR is now only the module.

adisbladis changed the title from "[WIP] doas: 6.0 -> 6.6.1, nixos/doas: init" to "[WIP] nixos/doas: init" May 2, 2020
adisbladis mentioned this pull request May 2, 2020
cole-h force-pushed the cole-h:doas branch from e2d86c2 to 309dc96 May 4, 2020
cole-h marked this pull request as ready for review May 4, 2020
cole-h changed the title from "[WIP] nixos/doas: init" to "nixos/doas: init" May 4, 2020
cole-h requested a review from adisbladis May 4, 2020

cole-h (Member, Author) commented May 4, 2020

I now consider this ready!

I added a release note at the behest of @adisbladis on IRC -- please let me know if it needs to be moved into some other section (preferably with the location of that section, as well).

cole-h force-pushed the cole-h:doas branch 2 times, most recently from 701bd99 to 324844e May 4, 2020
`doas` is a lighter alternative to `sudo` that "provide[s] 95% of the
features of `sudo` with a fraction of the codebase" [1]. I prefer it to
`sudo`, so I figured I would add a NixOS module in order for it to be
easier to use. The module is based off of the existing `sudo` module.

[1] https://github.com/Duncaen/OpenDoas
cole-h force-pushed the cole-h:doas branch from 324844e to 9323f0a May 4, 2020
cole-h force-pushed the cole-h:doas branch from 9323f0a to f798f07 May 6, 2020
adisbladis merged commit 68ee239 into NixOS:master May 10, 2020

16 checks passed
Evaluation Performance Report Evaluator Performance Report
grahamcofborg-eval ^.^!
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
grahamcofborg-eval-check-meta config.nix: checkMeta = true
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./pkgs/t
grahamcofborg-eval-lib-tests nix-build --arg pkgs import ./. {} ./lib/tests/release.nix
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./nixos/
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./nixos/
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./nixos/
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./pkgs/t
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./pkgs/t
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="f798f07"; rev="f798f07619b373a04c5cde895dd9b590cdb8ee5a"; } ./pkgs/t
grahamcofborg-eval-package-list nix-env -qa --json --file .
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
tests.doas on aarch64-linux Success
tests.doas on x86_64-linux Success

cole-h deleted the cole-h:doas branch May 10, 2020