Narrow sudoers to runAs=root

author Scott Worley <scottworley@scottworley.com>

Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)

committer Scott Worley <scottworley@scottworley.com>

Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)
author Scott Worley <scottworley@scottworley.com>
Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)
committer Scott Worley <scottworley@scottworley.com>
Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix

index c52f0bce10ab6fa5ce6ba0c47114692290ed84b5..7d2404cefb21183d7701854288d1c3b6fba35291 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -281,6 +281,7 @@ in
      security.sudo.extraRules = lib.mkAfter [
        {
          groups = [ "users" ];
      security.sudo.extraRules = lib.mkAfter [
        {
          groups = [ "users" ];
+        runAs = "root";
          commands = [
            {
              command = "${auto-upgrade-script}";
          commands = [
            {
              command = "${auto-upgrade-script}";
author	Scott Worley <scottworley@scottworley.com>
	Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)
committer	Scott Worley <scottworley@scottworley.com>
	Sun, 29 Mar 2026 08:40:05 +0000 (01:40 -0700)