sudo.nix: initial config

modules/system/os/security/sudo.nix

@@ -0,0 +1,21 @@
+{
+  lib,
+  pkgs,
+}: let
+  inherit (lib) mkForce mkDefault;
+in {
+  security = {
+    sudo-rs.enable = mkForce false;
+    sudo = {
+      enable = true;
+      # We use the default sudo package
+      package = pkgs.sudo;
+
+      # Wheel user should need the password to execute sudo commands
+      wheelNeedsPassword = mkDefault true;
+
+      # BUT, only wheel users should be able to use sudo.
+      execWheelOnly = mkForce true;
+    };
+  };
+}