# NixOS module: sudo policy.
#
# Selects classic sudo (sudo-rs is forced off), limits execution of the sudo
# binary to the wheel group, and grants wheel passwordless access to a fixed
# list of maintenance commands.
{ pkgs, lib, ... }:
let
  inherit (lib.modules) mkDefault mkForce;
  inherit (lib.meta) getExe';

  # Binaries that wheel may run without a password, as package / binary-name pairs.
  # NOTE(review): the rules carry no argument restrictions. `systemctl` and
  # `nixos-rebuild` can each be used to run arbitrary code as root, so this
  # list is equivalent to passwordless root even on a host that overrides
  # wheelNeedsPassword to true. Drop or narrow those two entries if the
  # intent is a limited allow-list.
  passwordlessBinaries = [
    { package = pkgs.coreutils; command = "sync"; }
    { package = pkgs.hdparm; command = "hdparm"; }
    { package = pkgs.nixos-rebuild; command = "nixos-rebuild"; }
    { package = pkgs.nvme-cli; command = "nvme"; }
    { package = pkgs.systemd; command = "poweroff"; }
    { package = pkgs.systemd; command = "reboot"; }
    { package = pkgs.systemd; command = "shutdown"; }
    { package = pkgs.systemd; command = "systemctl"; }
    { package = pkgs.util-linux; command = "dmesg"; }
  ];

  # Build one sudoers command entry. getExe' resolves to the binary inside
  # the package's store path, so the rule names an absolute path rather than
  # a bare command name.
  toNoPasswdRule = entry: {
    command = getExe' entry.package entry.command;
    options = [ "NOPASSWD" ];
  };
in
{
  security.sudo-rs.enable = mkForce false;

  security.sudo = {
    enable = true;

    # Only wheel members may execute the sudo binary at all, which keeps
    # other local accounts away from the setuid program.
    execWheelOnly = mkForce true;

    # Default: wheel runs any command through sudo without authenticating.
    # mkDefault lets an individual host override this. While it stays false,
    # any process running as a wheel user can become root with no prompt,
    # and the NOPASSWD list below adds nothing on top of that.
    wheelNeedsPassword = mkDefault false;

    # - pwfeedback echoes a mask character per keystroke, which reveals the
    #   password length to anyone watching the screen.
    # - env_keep carries the caller's PATH into the root environment. Programs
    #   that an allowed command spawns by bare name would resolve through it
    #   unless secure_path is set elsewhere (not visible here; verify).
    # - timestamp_timeout is read by sudoers in minutes, so 300 caches
    #   credentials for five hours. NOTE(review): confirm this was not meant
    #   as 300 seconds.
    extraConfig = ''
      Defaults lecture = never
      Defaults pwfeedback
      Defaults env_keep += "EDITOR PATH DISPLAY"
      Defaults timestamp_timeout = 300
    '';

    extraRules = [
      {
        groups = [ "wheel" ];
        commands = map toNoPasswdRule passwordlessBinaries;
      }
    ];
  };
}