Can't disable password for certain commands with sudo or doas

I’m trying to set up doas so that my user can run certain commands without a password, but I can’t find the right syntax. I tried

{ pkgs, ... }:

{
  security.doas.enable = true;
  security.sudo.enable = false;

  security.doas.extraRules = [{
    users = ["username"];
    keepEnv = true; 
    persist = true;
    cmd = {
      "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch" = noPass: true;
      "${pkgs.nixos-rebuild}/bin/nixos-rebuild boot" = noPass: true;
    };
  }];
}

and nil doesn’t report any error, but it doesn’t build.

I also tried sudo with this

{ pkgs, ... }:

{
  security.sudo = {
    enable = true;
    extraRules = [{
      users = [ "username" ];
      commands = [
        {
          command = "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch";
          options = [ "NOPASSWD" ];
        }
        {
          command = "${pkgs.nixos-rebuild}/bin/nixos-rebuild boot";
          options = [ "NOPASSWD" ];
        }
      ];
    }];
  };
}

and although it builds correctly, after a reboot I’m always asked for a password for the commands I declared. What am I doing wrong?

Right now I have just disabled the password completely, but I was looking into the same topic for remote deployment. In my research I stumbled upon this post, but I haven’t had the time to test it yet.

My guess is that you are not directly executing the specified command but rather using the symlink in the current system, which does not match the rule above. But that is just a guess.
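The following is an added example, not code from the original thread or from NixOS itself: the two rules from the question rewritten in the syntax the NixOS `security.doas.extraRules` and `security.sudo.extraRules` options accept. The sudo rule names `/run/current-system/sw/bin/nixos-rebuild`, the symlink the reply above is pointing at, because sudo compares the command against the path it resolves from the caller's PATH rather than against the Nix store path the derivation lives in. `username` is the question's placeholder; both modules are enabled here only so the two syntaxes can be compared side by side, keep whichever one you actually use.

```nix
{ ... }:

{
  # Both shown for comparison; in practice enable only the one you use.
  security.doas.enable = true;
  security.sudo.enable = true;

  # doas: each rule is an attribute set, `cmd` is a single string and `args`
  # a list of strings that must match exactly (so `--flake .` will not match).
  # doas compares `cmd` against the command as typed on the command line, so
  # these rules match `doas nixos-rebuild switch`, not a full store path.
  security.doas.extraRules = [
    {
      users = [ "username" ];
      noPass = true;
      cmd = "nixos-rebuild";
      args = [ "switch" ];
    }
    {
      users = [ "username" ];
      noPass = true;
      cmd = "nixos-rebuild";
      args = [ "boot" ];
    }
  ];

  # sudo: the rule must name the path sudo resolves for the caller. On NixOS
  # `nixos-rebuild` comes from environment.systemPackages, so PATH lookup
  # yields /run/current-system/sw/bin/nixos-rebuild, not ${pkgs.nixos-rebuild}.
  # Arguments, when given in the rule, must also match exactly.
  security.sudo.extraRules = [{
    users = [ "username" ];
    commands = [
      {
        command = "/run/current-system/sw/bin/nixos-rebuild switch";
        options = [ "NOPASSWD" ];
      }
      {
        command = "/run/current-system/sw/bin/nixos-rebuild boot";
        options = [ "NOPASSWD" ];
      }
    ];
  }];
}
```

To check a rule without rebooting, `sudo -l` prints the sudoers entries that apply to the calling user, and `doas -C /etc/doas.conf nixos-rebuild switch` parses the generated config and prints `permit nopass`, `permit` or `deny` for that exact command line. Two caveats a practitioner should keep in mind: the exact-argument matching means `nixos-rebuild switch --flake .` or any other extra flag falls back to a password prompt, and a passwordless `nixos-rebuild switch` is root-equivalent anyway, since the user chooses the configuration it builds and activates (via `/etc/nixos/configuration.nix`, `-I nixos-config=` or `--flake`). The rule limits what is typed, not what the command can do.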

That used to work, until something changed in how sudo resolves the name.

On top of that, NixOS eventually changed how things get activated, which again was out of reach for my changes, and I have not yet been able to get passwordless rebuilds without allowing full passwordless sudo, which I will definitely not do!


Thanks for the answer @NobbZ. Then I won’t bother trying.

I totally agree with you that doing complete passwordless sudo is not safe. I only do it during setup of a new system (which I’m currently doing) when I frequently change things.

Does the same apply to doas?

I don’t use doas; sudo usually works well enough for me, and it allows using the environment from PAM.