{ config, lib, pkgs, ... }:

{
  config.security.sudo = {
    enable = true;
    execWheelOnly = true;
    extraRules = [{
      groups = [ "wheel" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "NOPASSWD" ];
      }];
    }];
  };
}