path: root/nixpkgs/nixos/modules/security/sudo.nix
Diffstat (limited to 'nixpkgs/nixos/modules/security/sudo.nix')
-rw-r--r--nixpkgs/nixos/modules/security/sudo.nix48
1 files changed, 24 insertions, 24 deletions
diff --git a/nixpkgs/nixos/modules/security/sudo.nix b/nixpkgs/nixos/modules/security/sudo.nix
index 99e578f8adae..faa99a31a6d6 100644
--- a/nixpkgs/nixos/modules/security/sudo.nix
+++ b/nixpkgs/nixos/modules/security/sudo.nix
@@ -36,8 +36,8 @@ in
       type = types.bool;
       default = true;
       description =
-        ''
-          Whether to enable the <command>sudo</command> command, which
+        lib.mdDoc ''
+          Whether to enable the {command}`sudo` command, which
           allows non-root users to execute commands as root.
         '';
     };
@@ -55,19 +55,19 @@ in
       type = types.bool;
       default = true;
       description =
-        ''
-          Whether users of the <code>wheel</code> group must
-          provide a password to run commands as super user via <command>sudo</command>.
+        lib.mdDoc ''
+          Whether users of the `wheel` group must
+          provide a password to run commands as super user via {command}`sudo`.
         '';
       };
 
     security.sudo.execWheelOnly = mkOption {
       type = types.bool;
       default = false;
-      description = ''
-        Only allow members of the <code>wheel</code> group to execute sudo by
+      description = lib.mdDoc ''
+        Only allow members of the `wheel` group to execute sudo by
         setting the executable's permissions accordingly.
-        This prevents users that are not members of <code>wheel</code> from
+        This prevents users that are not members of `wheel` from
         exploiting vulnerabilities in sudo such as CVE-2021-3156.
       '';
     };
@@ -77,15 +77,15 @@ in
       # Note: if syntax errors are detected in this file, the NixOS
       # configuration will fail to build.
       description =
-        ''
+        lib.mdDoc ''
           This string contains the contents of the
-          <filename>sudoers</filename> file.
+          {file}`sudoers` file.
         '';
     };
 
     security.sudo.extraRules = mkOption {
-      description = ''
-        Define specific rules to be in the <filename>sudoers</filename> file.
+      description = lib.mdDoc ''
+        Define specific rules to be in the {file}`sudoers` file.
         More specific rules should come after more general ones in order to
         yield the expected behavior. You can use mkBefore/mkAfter to ensure
         this is the case when configuration options are merged.
@@ -114,7 +114,7 @@ in
         options = {
           users = mkOption {
             type = with types; listOf (either str int);
-            description = ''
+            description = lib.mdDoc ''
               The usernames / UIDs this rule should apply for.
             '';
             default = [];
@@ -122,7 +122,7 @@ in
 
           groups = mkOption {
             type = with types; listOf (either str int);
-            description = ''
+            description = lib.mdDoc ''
               The groups / GIDs this rule should apply for.
             '';
             default = [];
@@ -131,7 +131,7 @@ in
           host = mkOption {
             type = types.str;
             default = "ALL";
-            description = ''
+            description = lib.mdDoc ''
               For what host this rule should apply.
             '';
           };
@@ -139,17 +139,17 @@ in
           runAs = mkOption {
             type = with types; str;
             default = "ALL:ALL";
-            description = ''
+            description = lib.mdDoc ''
               Under which user/group the specified command is allowed to run.
 
-              A user can be specified using just the username: <code>"foo"</code>.
-              It is also possible to specify a user/group combination using <code>"foo:bar"</code>
-              or to only allow running as a specific group with <code>":bar"</code>.
+              A user can be specified using just the username: `"foo"`.
+              It is also possible to specify a user/group combination using `"foo:bar"`
+              or to only allow running as a specific group with `":bar"`.
             '';
           };
 
           commands = mkOption {
-            description = ''
+            description = lib.mdDoc ''
               The commands for which the rule should apply.
             '';
             type = with types; listOf (either str (submodule {
@@ -159,7 +159,7 @@ in
                   type = with types; str;
                   description = ''
                     A command being either just a path to a binary to allow any arguments,
-                    the full command with arguments pre-set or with <code>""</code> used as the argument,
+                    the full command with arguments pre-set or with <literal>""</literal> used as the argument,
                     not allowing arguments to the command at all.
                   '';
                 };
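Review bot: The `command` option's description is the only one in this file left in DocBook after this commit — the new line swaps `<code>""</code>` for `<literal>""</literal>` while every other hunk converts the surrounding `description` to `lib.mdDoc` with backticks (compare the sibling `users`, `groups`, `runAs` and `commands` options earlier in this diff). Unless the conversion was skipped deliberately, the consistent change is `description = lib.mdDoc ''` on the line above the hunk's first context line and `` the full command with arguments pre-set or with `""` used as the argument, `` in place of the `<literal>` form. The enclosing `command = mkOption { … }` begins outside the hunk, so the `description =` line itself is not shown here.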
@@ -182,8 +182,8 @@ in
     security.sudo.extraConfig = mkOption {
       type = types.lines;
       default = "";
-      description = ''
-        Extra configuration text appended to <filename>sudoers</filename>.
+      description = lib.mdDoc ''
+        Extra configuration text appended to {file}`sudoers`.
       '';
     };
   };
@@ -245,7 +245,7 @@ in
 
     environment.systemPackages = [ sudo ];
 
-    security.pam.services.sudo = { sshAgentAuth = true; };
+    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
 
     environment.etc.sudoers =
       { source =
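Review bot: `usshAuth = true;` on the new `security.pam.services.sudo` line is a change to sudo's authentication configuration that nothing else in this commit (otherwise a DocBook-to-Markdown description conversion) motivates or documents. If, like the existing `sshAgentAuth = true;`, this per-service flag only takes effect once the corresponding global PAM option is enabled, it is inert by default and a comment should say so, e.g. `# Per-service opt-ins; each only takes effect if the matching global PAM option (ussh / ssh-agent) is enabled.` — I cannot confirm that gating from this hunk, so it should be verified against the pam module before merging. If it is not gated, this silently adds a second authentication path for sudo on every system and belongs in its own commit with an explanation and a changelog entry.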