fix: passwordless sudo only for yule

modules/core/default.nix

@@ -29,17 +29,6 @@ in {
 
   # Limit the use of sudo to the group wheel
   security.sudo.execWheelOnly = true;
-  security.sudo.extraRules = [
-    {
-      users = ["${psCfg.user.name}"];
-      commands = [
-        {
-          command = "ALL";
-          options = ["NOPASSWD"];
-        }
-      ];
-    }
-  ];
 
   # Remove the complete default environment of packages like
   # nano, perl and rsync

modules/user/default.nix

@@ -28,6 +28,11 @@ with lib; {
         type = types.nullOr types.str;
         default = null;
       };
+      passwordlessSudo = mkOption {
+        description = "Whether this user can use sudo without entering a password";
+        type = types.bool;
+        default = false;
+      };
       publicKeys = mkOption {
         description = "User SSH public keys";
         type = types.listOf types.str;
@@ -81,5 +86,17 @@ with lib; {
           else [];
       };
     };
+
+    security.sudo.extraRules = mkIf psCfg.user.passwordlessSudo [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
   };
 }

users/yule/default.nix

@@ -15,6 +15,7 @@ in {
         name = "yule";
         description = "b12f";
         password = "$y$j9T$x1nyqcXw/1iYKo3054cdB1$0TOuyE5t5ZV6z9Gzl9zIrmZGADBxupnwcUMTcMtMa73";
+        passwordlessSudo = true;
         fullName = "Benjamin Bädorf";
         email = "hello@benjaminbaedorf.eu";
         gpgKeyId = "4406E80E13CD656C";