
Doas

security.doas.enable

Whether to enable the doas command, which allows non-root users to execute commands as root.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraConfig

Extra configuration text appended to doas.conf. Be aware that this option cannot be used to override the behaviour allowing passwordless operation for root.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules

Define specific rules to be set in the /etc/doas.conf file. More specific rules should come after more general ones in order to yield the expected behavior, because doas applies the last rule that matches a request. You can use mkBefore and/or mkAfter to ensure this is the case when configuration options are merged. Be aware that this option cannot be used to override the behaviour allowing passwordless operation for root.

Type: list of (submodule)

Default

[ ]

Example

```nix
[
  # Allow execution of any command by any user in group doas, requiring
  # a password and keeping any previously-defined environment variables.

  # Allow execution of "/home/root/secret.sh" by user backup OR user
  # database OR any member of the group with GID 1006, without a
  # password.
  {
    users = [ "backup" "database" ];
    groups = [ 1006 ];
    cmd = "/home/root/secret.sh";
    noPass = true;
  }

  # Allow any member of group bar to run /home/baz/cmd1.sh as user
  # foo with argument hello-doas.
  {
    groups = [ "bar" ];
    runAs = "foo";
    cmd = "/home/baz/cmd1.sh";
    args = [ "hello-doas" ];
  }

  # Allow any member of group bar to run /home/baz/cmd2.sh as user
  # foo with no arguments.
  {
    groups = [ "bar" ];
    runAs = "foo";
    cmd = "/home/baz/cmd2.sh";
    args = [ ];
  }

  # Allow user abusers to execute "nano" and unset the value of
  # SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the
  # value of BETA from the current environment.
  {
    users = [ "abusers" ];
    cmd = "nano";
    setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ];
  }
]
```

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix
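The ordering requirement above (specific rules after general ones, last match wins) is easy to get wrong when options are merged from several modules. The following is an added model of doas rule selection, not code from the nixpkgs doas module; it assumes rules are plain dicts keyed like the extraRules submodule options on this page and that the caller supplies the user's group list.

```python
# Added example, not code from the nixpkgs doas module: a small model of how
# doas picks a rule, to show why specific extraRules entries must come after
# general ones. doas.conf(5): the LAST matching rule determines the action.
# Assumptions: rules are dicts keyed like the extraRules submodule options,
# and the caller passes the requesting user's group names.

def rule_matches(rule, user, groups, run_as, cmd, args):
    """True if this rule applies to the requested invocation."""
    identity_ok = user in rule.get("users", ()) or any(
        g in rule.get("groups", ()) for g in groups)
    if not identity_ok:
        return False
    # runAs / cmd = None (the defaults) match any target user / any command.
    if rule.get("runAs") is not None and rule["runAs"] != run_as:
        return False
    if rule.get("cmd") is not None and rule["cmd"] != cmd:
        return False
    # args = None: any arguments; args = []: command must be run bare;
    # otherwise the argument list must match exactly.
    if rule.get("args") is not None and list(rule["args"]) != list(args):
        return False
    return True

def decide(rules, user, groups, run_as, cmd, args=()):
    """Return the last matching rule, or None when no rule permits the call."""
    winner = None
    for rule in rules:
        if rule_matches(rule, user, groups, run_as, cmd, args):
            winner = rule
    return winner

def password_needed(rules, user, groups, run_as, cmd, args=()):
    """None if denied, else whether the winning rule still asks for a password."""
    rule = decide(rules, user, groups, run_as, cmd, args)
    return None if rule is None else not rule.get("noPass", False)

# Constructed rules: a general one for group "doas" and a more specific
# passwordless one for user "backup" running a single script.
GENERAL = {"groups": ["doas"], "keepEnv": True}
SPECIFIC = {"users": ["backup"], "cmd": "/home/root/secret.sh", "noPass": True}
BARE_ONLY = {"groups": ["bar"], "runAs": "foo", "cmd": "/home/baz/cmd2.sh", "args": []}

if __name__ == "__main__":
    # Specific rule last: backup gets passwordless access to the script.
    print(password_needed([GENERAL, SPECIFIC], "backup", ["doas"], "root", "/home/root/secret.sh"))  # False
    # Reversed order: the general rule matches last and a password is required.
    print(password_needed([SPECIFIC, GENERAL], "backup", ["doas"], "root", "/home/root/secret.sh"))  # True
```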

security.doas.extraRules.*.args

Arguments that must be provided to the command. When set to [], the command must be run without any arguments.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.cmd

The command the user is allowed to run. When set to null (the default), all commands are allowed.

NOTE: It is best practice to specify absolute paths. If a relative path is specified, only a restricted PATH will be searched.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.groups

The groups / GIDs this rule should apply for.

Type: list of (string or signed integer)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.keepEnv

If true, environment variables other than those listed in doas(1) are kept when creating the environment for the new process.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.noLog

If true, successful executions will not be logged to syslogd(8).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.noPass

If true, the user is not required to enter a password.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.persist

If true, do not ask for a password again for some time after the user successfully authenticates.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.runAs

Which user or group the specified command is allowed to run as. When set to null (the default), all users are allowed.

A user can be specified using just the username: "foo". It is also possible to only allow running as a specific group with ":bar".

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.extraRules.*.setEnv

Keep or set the specified variables. Variables may also be removed with a leading '-' or set using variable=value. If the first character of value is a '$', the value to be set is taken from the existing environment variable of the indicated name. This option is processed after the default environment has been created.

NOTE: All rules have setenv { SSH_AUTH_SOCK } by default. To prevent SSH_AUTH_SOCK from being inherited, add "-SSH_AUTH_SOCK" anywhere in this list.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix
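The setEnv processing rules above (leading '-' removes, NAME=value sets, a '$' value copies another variable, a bare NAME keeps it, SSH_AUTH_SOCK always listed first) as an added model, not code from the nixpkgs doas module. It assumes the "default environment" created beforehand can be modelled as a constructed dict, and that a '$' reference to a variable absent from the caller's environment is skipped.

```python
# Added example, not code from the nixpkgs doas module: applies a setEnv
# list to an environment the way this page describes it. The module lists
# SSH_AUTH_SOCK first for every rule, so a later "-SSH_AUTH_SOCK" removes it.
# Assumption: a "$NAME" value whose source variable is missing is skipped.

def apply_set_env(set_env, caller_env, default_env):
    """Return the new process environment after processing set_env."""
    env = dict(default_env)
    for entry in ["SSH_AUTH_SOCK"] + list(set_env):
        if entry.startswith("-"):
            # "-NAME": remove the variable from the new environment.
            env.pop(entry[1:], None)
        elif "=" in entry:
            name, value = entry.split("=", 1)
            if value.startswith("$"):
                # "NAME=$OTHER": take the value of OTHER from the caller.
                if value[1:] in caller_env:
                    env[name] = caller_env[value[1:]]
            else:
                env[name] = value
        elif entry in caller_env:
            # Bare "NAME": inherit it from the caller's environment.
            env[entry] = caller_env[entry]
    return env

# Constructed sample environments.
CALLER_ENV = {"SSH_AUTH_SOCK": "/tmp/agent.sock", "BETA": "b",
              "EDITOR": "vim", "HOME": "/home/abusers"}
DEFAULT_ENV = {"HOME": "/root", "PATH": "/run/current-system/sw/bin"}

if __name__ == "__main__":
    # The setEnv list from the "abusers" rule on this page, plus a '$' case.
    print(apply_set_env(["-SSH_AUTH_SOCK", "ALPHA=1", "BETA", "GAMMA=$EDITOR"],
                        CALLER_ENV, DEFAULT_ENV))
```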

security.doas.extraRules.*.users

The usernames / UIDs this rule should apply for.

Type: list of (string or signed integer)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix

security.doas.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands as super user via doas.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/doas.nix