nixos/sudo: default rule should be first

In /etc/sudoers, the last-matched rule will override all previously-matched rules. Thus, make the default rule show up first (but still allow some wiggle room for a user to `mkBefore` it), before any user-defined rules. (cherry picked from commit 13e2c75)
NixOS · Jun 18, 2020 · 30c703c · 30c703c
1 parent 87cde1c
commit 30c703c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
@@ -173,7 +173,9 @@ in
 
   config = mkIf cfg.enable {
 
-    security.sudo.extraRules = [
+    # We `mkOrder 600` so that the default rule shows up first, but there is
+    # still enough room for a user to `mkBefore` it.
+    security.sudo.extraRules = mkOrder 600 [
       { groups = [ "wheel" ];
         commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
       }