Initial commit

modules/nixos/common/sudo.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraConfig = ''
+      Defaults lecture = never
+    '';
+  };
+
+  assertions =
+    let
+      validUsers = users: users == [ ] || users == [ "root" ];
+      validGroups = groups: groups == [ ] || groups == [ "wheel" ];
+      validUserGroups = builtins.all (
+        r: validUsers (r.users or [ ]) && validGroups (r.groups or [ ])
+      ) config.security.sudo.extraRules;
+    in
+    [
+      {
+        assertion = config.security.sudo.execWheelOnly -> validUserGroups;
+        message = "Some definitions in `security.sudo.extraRules` refer to users other than 'root' or groups other than 'wheel'. Disable `config.security.sudo.execWheelOnly`, or adjust the rules.";
+      }
+    ];
+}