From c1bea770122a7cf2dea5113387265f59010d5a7f Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Thu, 13 Feb 2025 23:58:06 -0500
Subject: modules/nixos: `sudo` -> `run0`
---
modules/nixos/defaults/security.nix | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'modules/nixos/defaults/security.nix')
diff --git a/modules/nixos/defaults/security.nix b/modules/nixos/defaults/security.nix
index 65ce729..8d7d879 100644
--- a/modules/nixos/defaults/security.nix
+++ b/modules/nixos/defaults/security.nix
@@ -1,12 +1,24 @@
-# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/ { lib, ... }: + +# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/ { security = { apparmor.enable = lib.mkDefault true; audit.enable = lib.mkDefault true; auditd.enable = lib.mkDefault true; + + pam.services = { + # Fix `run0` + # TODO: Upstream? + systemd-run0 = { + startSession = true; + setEnvironment = true; + }; + }; + polkit.enable = true; - sudo.execWheelOnly = true; + + sudo.enable = false; }; services.dbus.apparmor = lib.mkDefault "enabled";
--
cgit v1.2.3
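Review bot: Dropping `sudo.execWheelOnly = true;` in favour of `sudo.enable = false;` leaves this module with no statement of who may elevate: `run0` asks polkit, so the boundary is now polkit's admin identities plus whatever rules other modules install. If wheel-only is still the intent, state it beside `polkit.enable`, e.g. `polkit.adminIdentities = [ "unix-group:wheel" ];`, instead of relying on the NixOS default. The comment above `systemd-run0` should also say what fails without the entry (presumably run0 starts without a login session or PAM environment), so the TODO can be closed once upstream covers it. Unlike the apparmor and audit defaults, `sudo.enable = false;` is not wrapped in `lib.mkDefault`, so a host that still needs sudo has to override it with `lib.mkForce`.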