From f3c9c83e040135c0b3a42c9b570729c2c01d35ae Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Fri, 23 Nov 2012 15:14:16 +0100
Subject: [PATCH] Make it easier to append to the default sudo configuration
---
 modules/security/sudo.nix | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/modules/security/sudo.nix b/modules/security/sudo.nix
index 211ff8a9609..d2db9ee993f 100644
--- a/modules/security/sudo.nix
+++ b/modules/security/sudo.nix
@@ -37,25 +37,6 @@ in
 security.sudo.configFile = mkOption {
 # Note: if syntax errors are detected in this file, the NixOS
 # configuration will fail to build.
- default =
- ''
- # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
-
- # Environment variables to keep for root and %wheel.
- Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
- Defaults:root,%wheel env_keep+=NIX_CONF_DIR
- Defaults:root,%wheel env_keep+=NIX_PATH
- Defaults:root,%wheel env_keep+=TERMINFO_DIRS
-
- # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
- Defaults env_keep+=SSH_AUTH_SOCK
-
- # "root" is allowed to do anything.
- root ALL=(ALL) SETENV: ALL
-
- # Users in the "wheel" group can do anything.
- %wheel ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
- '';
 description =
 ''
 This string contains the contents of the
@@ -69,6 +50,26 @@ in
 config = mkIf cfg.enable {
+ security.sudo.configFile =
+ ''
+ # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
+
+ # Environment variables to keep for root and %wheel.
+ Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
+ Defaults:root,%wheel env_keep+=NIX_CONF_DIR
+ Defaults:root,%wheel env_keep+=NIX_PATH
+ Defaults:root,%wheel env_keep+=TERMINFO_DIRS
+
+ # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+ Defaults env_keep+=SSH_AUTH_SOCK
+
+ # "root" is allowed to do anything.
+ root ALL=(ALL) SETENV: ALL
+
+ # Users in the "wheel" group can do anything.
+ %wheel ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
+ '';
+
 security.setuidPrograms = [ "sudo" ];
 environment.systemPackages = [ sudo ];
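Review bot: Moving the default text into a `config` definition of `security.sudo.configFile` means a user's own value for the option is presumably merged with this block rather than replacing it, so the `%wheel ALL=(ALL)` grant and the unscoped `Defaults env_keep+=SSH_AUTH_SOCK` stay in the generated sudoers for configurations that used to set the option in order to drop them. sudoers applies the last matching entry, so whether an appended restriction wins over these rules depends on the order in which the definitions are joined, and nothing in this hunk fixes that order. I would add a comment above the assignment, `# Merged with any user definition of this option; sudoers uses the last matching rule, so the merge order decides which rule applies.`, and say the same in the option's `description`. The option's type and the rest of the `config` block are outside the hunk, so the merge behaviour is inferred from the commit subject.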