From 0365b05f13a4230d75bb63708694ee4692638236 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Mon, 4 Sep 2023 23:05:00 +0000
Subject: nixos/terminfo: Add config option not to add extra sudo config
This will be necessary for compatibility with `sudo-rs`.
---
 nixos/modules/config/terminfo.nix | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
(limited to 'nixos/modules/config')
diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix
index 1ae8e82c471e6..ebd1aaea8f04a 100644
--- a/nixos/modules/config/terminfo.nix
+++ b/nixos/modules/config/terminfo.nix
@@ -6,12 +6,23 @@ with lib;
 {
- options.environment.enableAllTerminfo = with lib; mkOption {
- default = false;
- type = types.bool;
- description = lib.mdDoc ''
- Whether to install all terminfo outputs
- '';
+ options = with lib; {
+ environment.enableAllTerminfo = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc ''
+ Whether to install all terminfo outputs
+ '';
+ };
+
+ security.sudo.keepTerminfo = mkOption {
+ default = true;
+ type = types.bool;
+ description = lib.mdDoc ''
+ Whether to preserve the `TERMINFO` and `TERMINFO_DIRS`
+ environment variables, for `root` and the `wheel` group.
+ '';
+ };
 };
 config = {
@@ -54,7 +65,7 @@ with lib;
 export TERM=$TERM
 '';
- security.sudo.extraConfig = ''
+ security.sudo.extraConfig = mkIf config.security.sudo.keepTerminfo ''
 # Keep terminfo database for root and %wheel.
 Defaults:root,%wheel env_keep+=TERMINFO_DIRS
-- cgit 1.4.1
From 914bf5836974520e6cfd3e687dead3937f6d3db2 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Thu, 7 Sep 2023 14:55:33 +0000
Subject: nixos/{sudo, terminfo}: Adjust defaults for compatibility with `sudo-rs`
---
 nixos/doc/manual/release-notes/rl-2311.section.md | 10 ++++++++++
 nixos/modules/config/terminfo.nix | 5 ++++-
 nixos/modules/security/sudo.nix | 10 ++++------
 3 files changed, 18 insertions(+), 7 deletions(-)
(limited to 'nixos/modules/config')
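Review bot: The description of `security.sudo.keepTerminfo` in the first hunk of `nixos/modules/config/terminfo.nix` (commit 0365b05) does not say that the variables are kept across `sudo`, nor what keeping them implies. Going by the second hunk, the option only gates the `env_keep+=` lines added to `security.sudo.extraConfig`, so I would word it as `Whether sudo keeps the caller's TERMINFO and TERMINFO_DIRS for root and the wheel group.` and add a sentence that commands run through `sudo` then read terminfo entries from a location chosen by the invoking user. The option sits in the `security.sudo` namespace but is declared in the terminfo module, which is worth a one-line comment such as `# declared here rather than in security/sudo.nix because it only gates the terminfo env_keep lines below`.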
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index b7df38e671590..dd75c8b517ac6 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -10,6 +10,16 @@
 - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details.
+- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
+ Switching to it (via `security.sudo.package = pkgs.sudo-rs;`) introduces
+ slight changes in default behaviour, due to `sudo-rs`' current limitations:
+ - terminfo-related environment variables aren't preserved for `root` and `wheel`;
+ - `root` and `wheel` are not given the ability to set (or preserve)
+ arbitrary environment variables.
+
+[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
+
+
 ## New Services {#sec-release-23.11-new-services}
 - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
diff --git a/nixos/modules/config/terminfo.nix b/nixos/modules/config/terminfo.nix
index ebd1aaea8f04a..d1dbc4e0d0598 100644
--- a/nixos/modules/config/terminfo.nix
+++ b/nixos/modules/config/terminfo.nix
@@ -16,7 +16,10 @@ with lib;
 };
 security.sudo.keepTerminfo = mkOption {
- default = true;
+ default = config.security.sudo.package.pname != "sudo-rs";
+ defaultText = literalMD ''
+ `true` unless using `sudo-rs`
+ '';
 type = types.bool;
 description = lib.mdDoc ''
 Whether to preserve the `TERMINFO` and `TERMINFO_DIRS`
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 528c230686f71..9a018b8574690 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
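Review bot: The new default in the `nixos/modules/config/terminfo.nix` hunk reads `config.security.sudo.package.pname` directly, so a package value that carries no `pname` attribute fails evaluation as soon as the default is needed; `default = getName config.security.sudo.package != "sudo-rs";` avoids that. The test is also a deny-list for one implementation, while the `sudo.nix` hunk of this commit keys its default on `usingMillersSudo` (defined outside the visible lines), so a third implementation would presumably get the `env_keep` lines but not `SETENV`; one shared predicate would keep the two defaults in step. Nothing rejects an explicit `keepTerminfo = true` combined with `sudo-rs`, and if that yields a configuration `sudo-rs` cannot use, as the first commit's message suggests, an assertion here would turn a broken `sudo` at runtime into an evaluation error. The option body continues past the end of the hunk.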
@@ -40,7 +40,10 @@ in
 defaultOptions = mkOption {
 type = with types; listOf str;
- default = [ "SETENV" ];
+ default = optional usingMillersSudo "SETENV";
+ defaultText = literalMD ''
+ `[ "SETENV" ]` if using the default `sudo` implementation
+ '';
 description = mdDoc ''
 Options used for the default rules, granting `root` and the `wheel` group permission to run any command as any user.
@@ -204,11 +207,6 @@ in
 ###### implementation
 config = mkIf cfg.enable {
- assertions = [
- { assertion = usingMillersSudo;
- message = "The NixOS `sudo` module does not yet work with other implementations."; }
- ];
-
 security.sudo.extraRules = let defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
-- cgit 1.4.1
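Review bot: The `defaultText` added in the first `nixos/modules/security/sudo.nix` hunk gives only the value for the default `sudo` implementation; the rendered manual should also state the other case, for instance by ending the text with `, and an empty list otherwise`. `SETENV` is the tag that lets `root` and `wheel` pass arbitrary environment variables through the default rules, so the description, which continues past the hunk, should mention that this default now depends on `security.sudo.package`. With the assertion removed in the second hunk, neither an explicit `defaultOptions = [ "SETENV" ]` under `sudo-rs` nor an unknown package is rejected any more; narrowing the assertion to the implementations the module handles, rather than dropping it, would catch a sudoers file the chosen binary may not accept before it is deployed. `usingMillersSudo` is defined outside the visible lines.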