Superuser bypass #2

Merged
wymiller merged 8 commits from macos-superuser-bypass-refactor into master 2025-10-02 08:59:48 -05:00
6 changed files with 66 additions and 62 deletions

56
flake.lock generated

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1749744770,
"narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=",
"lastModified": 1757432263,
"narHash": "sha256-qHn+/0+IOz5cG68BZUwL9BV3EO/e9eNKCjH3+N7wMdI=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb",
"rev": "1fef4404de4d1596aa5ab2bd68078370e1b9dcdb",
"type": "github"
},
"original": {
@@ -64,11 +64,11 @@
"zon2nix": "zon2nix"
},
"locked": {
"lastModified": 1754941490,
"narHash": "sha256-2AJf0q4u1zakqjr0y4dCyqzdDSil8P5m2YpZxAAzJJw=",
"lastModified": 1759330332,
"narHash": "sha256-ZKyOgOOm9Itjbc5xi89xMtw+cnnOFfl79zndPMTzKpU=",
"owner": "ghostty-org",
"repo": "ghostty",
"rev": "5bf632e9cc0e77a578bad983b0cbdf0451ce87d4",
"rev": "a5aff0e347b0016e2735d4ec4b4cdca96b5438d1",
"type": "github"
},
"original": {
@@ -84,11 +84,11 @@
]
},
"locked": {
"lastModified": 1753592768,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"lastModified": 1758463745,
"narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fc3add429f21450359369af74c2375cb34a2d204",
"rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
"type": "github"
},
"original": {
@@ -129,11 +129,24 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1754767907,
"narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
"lastModified": 1758360447,
"narHash": "sha256-XDY3A83bclygHDtesRoaRTafUd80Q30D/Daf9KSG6bs=",
"rev": "8eaee110344796db060382e15d3af0a9fc396e0e",
"type": "tarball",
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre864002.8eaee1103447/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1759281824,
"narHash": "sha256-FIBE1qXv9TKvSNwst6FumyHwCRH3BlWDpfsnqRDCll0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
"rev": "5b5be50345d4113d04ba58c444348849f5585b4a",
"type": "github"
},
"original": {
@@ -149,7 +162,7 @@
"ghostty": "ghostty",
"home-manager": "home-manager",
"nix-flatpak": "nix-flatpak",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
}
},
"systems": {
@@ -198,27 +211,20 @@
},
"zon2nix": {
"inputs": {
"flake-utils": [
"ghostty",
"flake-utils"
],
"nixpkgs": [
"ghostty",
"nixpkgs"
]
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1742104771,
"narHash": "sha256-LhidlyEA9MP8jGe1rEnyjGFCzLLgCdDpYeWggibayr0=",
"lastModified": 1758405547,
"narHash": "sha256-WgaDgvIZMPvlZcZrpPMjkaalTBnGF2lTG+62znXctWM=",
"owner": "jcollie",
"repo": "zon2nix",
"rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
"rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245",
"type": "github"
},
"original": {
"owner": "jcollie",
"repo": "zon2nix",
"rev": "56c159be489cc6c0e73c3930bd908ddc6fe89613",
"rev": "bf983aa90ff169372b9fa8c02e57ea75e0b42245",
"type": "github"
}
}


@@ -15,7 +15,7 @@
extraConfig = {
init.defaultBranch = "master";
push.autoSetupRemote = true;
pull.merge = true;
pull.rebase = false;
merge.tool = "nvimdiff";
mergetool.keepBackup = false;
};


@@ -1,20 +1,23 @@
{ lib, pkgs, ... }: {
# Common packages that every system will use
environment.systemPackages = with pkgs; [
git
vim
neovim
usbutils
coreutils
lshw
systemd
dmidecode
pciutils
nix-ld
patchelf
htop
];
] ++
lib.optionals pkgs.stdenv.isLinux (with pkgs; [
systemd
lshw
dmidecode
nix-ld
]) ++
lib.optionals pkgs.stdenv.isDarwin (with pkgs; [
# nothing here, yet ;)
]);
# Common environment variables that every system will use
environment.variables.EDITOR = "nvim";
}


@@ -1,30 +1,23 @@
{ lib, pkgs, userName, hostname, ... }:
{
lib,
pkgs,
userName,
hostname,
...
} @ args: {
networking.hostName = hostname;
# Don't forget to set a password with passwd!
users.users."${userName}" = lib.mkMerge [
{
home =
if pkgs.stdenv.isDarwin
users.users."${userName}" = {
home = if pkgs.stdenv.isDarwin
then "/Users/${userName}"
else "/home/${userName}";
description = userName;
}
(lib.mkIf (pkgs.stdenv.isLinux) {
} // lib.optionalAttrs pkgs.stdenv.isLinux {
group = "${userName}";
isNormalUser = true;
})
];
};
security.sudo = {
extraRules = [
users.groups.wyatt = {};
nix.settings.trusted-users = [userName];
security = lib.optionalAttrs pkgs.stdenv.isLinux {
sudo.extraRules = [
{
groups = [ "wheel" ];
commands = [
@@ -37,7 +30,9 @@
];
};
users.groups.wyatt = {};
nix.settings.trusted-users = [userName];
environment = lib.optionalAttrs pkgs.stdenv.isDarwin {
etc."sudoers.d/wheel-nopasswd".text = ''
%wheel ALL=(ALL:ALL) NOPASSWD: SETENV: ALL
'';
};
}
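Review bot: The Darwin branch in the last hunk of this file writes `%wheel ALL=(ALL:ALL) NOPASSWD: SETENV: ALL` to `sudoers.d/wheel-nopasswd` unconditionally, so any process running as a wheel member can become root with no authentication and a caller-controlled environment; together with `nix.settings.trusted-users = [userName]` the account is root-equivalent by two routes. The `needsPassword` option that this change set moves to `security.sudoers` defaults to `true`, but nothing visible here consults it; gating the drop-in, for example `environment = lib.optionalAttrs (pkgs.stdenv.isDarwin && !config.security.sudoers.needsPassword) { … };`, would keep the default safe (this needs `config` in the argument set, and the option's module is only partly visible). If passwordless sudo is only wanted for the system rebuild, naming that command in place of `ALL` and dropping `SETENV:` narrows the grant considerably. On a stock macOS install `wheel` normally contains only root while administrators are in `admin`, so it is worth confirming which accounts this rule actually matches, and adding a comment above the drop-in stating why it exists.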


@@ -5,7 +5,7 @@
}:
with lib; {
options = {
security.sudo = {
security.sudoers = {
needsPassword = mkOption {
type = types.bool;
default = true;


@@ -8,7 +8,7 @@
with lib; let
cfg = config.sound.hardware.focusrite;
in {
options.focusrite = {
options.sound.hardware.focusrite = {
enable = mkEnableOption "Focusrite audio interface support";
guiSupport = mkOption {
type = types.bool;