From 5e794db02aeaf8f61642620e7581a1ba752699a3 Mon Sep 17 00:00:00 2001
From: Superredstone
Date: Thu, 28 May 2026 10:24:22 +0200
Subject: [PATCH] feat(sudo): add sane rules

---
 modules/nix-config/security.nix | 41 +++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/modules/nix-config/security.nix b/modules/nix-config/security.nix
index 6bb831e..6996eaf 100644
--- a/modules/nix-config/security.nix
+++ b/modules/nix-config/security.nix
@@ -1,9 +1,42 @@
 { currentSystemUser, ... }:
+let
+  swBin = "/run/current-system/sw/bin";
+  wrappersBin = "/run/wrappers/bin";
+in
 {
-  security.sudo.extraConfig = ''
-    Defaults pwfeedback
-    Defaults timestamp_timeout=120
-  '';
+  security.sudo = {
+    extraConfig = ''
+      Defaults pwfeedback
+      Defaults timestamp_timeout=120
+    '';
+    extraRules = [
+      {
+        groups = [ "wheel" ];
+        commands = [
+          {
+            command = "${swBin}/shutdown";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "${swBin}/reboot";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "${swBin}/poweroff";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "${wrappersBin}/mount";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "${wrappersBin}/umount";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key"