]> git.scottworley.com Git - auto-upgrade-with-pinch/blobdiff - modules/auto-upgrade.nix
projects / auto-upgrade-with-pinch / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Narrow sudoers to runAs=root
[auto-upgrade-with-pinch] / modules / auto-upgrade.nix
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index c52f0bce10ab6fa5ce6ba0c47114692290ed84b5..7d2404cefb21183d7701854288d1c3b6fba35291 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -281,6 +281,7 @@ in
     security.sudo.extraRules = lib.mkAfter [
       {
         groups = [ "users" ];
     security.sudo.extraRules = lib.mkAfter [
       {
         groups = [ "users" ];
+        runAs = "root";
         commands = [
           {
             command = "${auto-upgrade-script}";
         commands = [
           {
             command = "${auto-upgrade-script}";
Automatic NixOS upgrades with pinch