f603cb6101
Enable markdown syntax (instead of docbook) for descriptions. This only affects external doc tooling that renders the descriptions.
59 lines
1.7 KiB
Nix
59 lines
1.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
options.nix-bitcoin.operator = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = mdDoc ''
|
|
Whether to define a user named `operator` for convenient interactive access
|
|
to nix-bitcoin features (like `bitcoin-cli`).
|
|
|
|
When using nix-bitcoin as part of a larger system config, it makes sense
|
|
to set your main system user as the operator, by setting option
|
|
`nix-bitcoin.operator.name = "MAIN_USER_NAME";`.
|
|
'';
|
|
};
|
|
name = mkOption {
|
|
type = types.str;
|
|
default = "operator";
|
|
description = mdDoc "Name of the operator user.";
|
|
};
|
|
groups = mkOption {
|
|
type = with types; listOf str;
|
|
default = [];
|
|
description = mdDoc "Extra groups of the operatur user.";
|
|
};
|
|
allowRunAsUsers = mkOption {
|
|
type = with types; listOf str;
|
|
default = [];
|
|
description = mdDoc "Users as which the operator is allowed to run commands.";
|
|
};
|
|
};
|
|
|
|
cfg = config.nix-bitcoin.operator;
|
|
in {
|
|
inherit options;
|
|
|
|
config = mkIf cfg.enable {
|
|
users.users.${cfg.name} = {
|
|
isNormalUser = true;
|
|
extraGroups = [
|
|
"systemd-journal"
|
|
"proc" # Enable full /proc access and systemd-status
|
|
] ++ cfg.groups;
|
|
};
|
|
|
|
security = mkIf (cfg.allowRunAsUsers != []) {
|
|
# Use doas instead of sudo if enabled
|
|
doas.extraConfig = mkIf config.security.doas.enable ''
|
|
${lib.concatMapStrings (user: "permit nopass ${cfg.name} as ${user}\n") cfg.allowRunAsUsers}
|
|
'';
|
|
sudo.extraConfig = mkIf (!config.security.doas.enable) ''
|
|
${cfg.name} ALL=(${builtins.concatStringsSep "," cfg.allowRunAsUsers}) NOPASSWD: ALL
|
|
'';
|
|
};
|
|
};
|
|
}
|