I was trying to automate some command execution using webhook. I set up a systemd service to run webhook in the background. In my case, the commands that webhook had to execute required root privileges, which is why I set up sudo on my server this way:
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };
and then added the user from which I run the systemd service to the wheel group:
  users.users.webhook = {
    isNormalUser = false;
    extraGroups = [ "wheel" ];
  };
Here's the systemd service configuration:
  systemd.services.webhook = {
    path = with pkgs; [
      man
      config.nix.package.out
      sudo
    ];
    enable = true;
    serviceConfig = {
      User = "webhook";
      ExecStart = "${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -secure -cert /var/lib/acme/example.com/fullchain.pem -key /var/lib/acme/example.com/key.pem -verbose";
    };
  };

  # webhook reads a JSON array of hooks; a trailing comma after the last
  # object is not valid JSON, so none is emitted here.
  environment.etc."webhook.conf".text = ''
    [
      {
        "id": "update",
        "execute-command": "${pkgs.updateScript}/bin/updateScript",
        "command-working-directory": "/tmp"
      }
    ]
  '';
And here is how I create updateScript:
  nixpkgs.overlays = [ (self: super: {
    # Inside an overlay, refer to the package set being built (self)
    # rather than the module's pkgs argument.
    updateScript = self.writeScriptBin "updateScript" ''
      #!${self.stdenv.shell}
      ${self.sudo}/bin/sudo ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --upgrade
    '';
  }) ];
But when the systemd service runs updateScript, it shows this error:

  sudo must be owned by uid 0 and have the setuid bit set
So I'm wondering how to make sudo work for a systemd service, or whether there is any way of granting a systemd service superuser privileges without sudo.
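An added configuration (my own, not from the post above) that keeps the webhook service account unprivileged and grants it only the one rebuild command through security.sudo.extraRules, instead of a passwordless wheel rule. It assumes nixos-rebuild is on the system profile path (/run/current-system/sw/bin, the NixOS default) and calls the setuid sudo wrapper that the NixOS sudo module installs under /run/wrappers/bin, since the Nix store copy of sudo is not setuid.

```nix
{ config, pkgs, ... }:
{
  security.sudo = {
    enable = true;
    # Least privilege: exactly one command as root, no password, nothing else.
    # sudoers matches the full path and argument list given here.
    extraRules = [{
      users = [ "webhook" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild switch --upgrade";
        options = [ "NOPASSWD" ];
      }];
    }];
  };

  # Dedicated system account; no wheel membership required.
  users.users.webhook = {
    isSystemUser = true;
    group = "webhook";
  };
  users.groups.webhook = { };

  systemd.services.webhook = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "webhook";
      # Do not set NoNewPrivileges=true on this unit: it disables setuid,
      # which is exactly what the sudo wrapper relies on.
      ExecStart = "${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -secure -cert /var/lib/acme/example.com/fullchain.pem -key /var/lib/acme/example.com/key.pem -verbose";
    };
  };

  # The hook script invokes the setuid wrapper, not ${pkgs.sudo}/bin/sudo.
  # Generated as JSON so the hook file is always well-formed.
  environment.etc."webhook.conf".text = builtins.toJSON [{
    id = "update";
    "execute-command" = pkgs.writeShellScript "update-hook" ''
      exec /run/wrappers/bin/sudo /run/current-system/sw/bin/nixos-rebuild switch --upgrade
    '';
    "command-working-directory" = "/tmp";
  }];
}
```

Anything run via the hook still inherits the service's environment, so keep the sudoers command list to the fixed argument string above rather than a bare nixos-rebuild that would accept arbitrary arguments.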