# NixOS module: when module.hardware.security.enable is set, configure sudo-rs
# with wheel-only execution, a password requirement for wheel, and two
# passwordless command rules for `userName`.
#
# `mkBool` and `userName` are not defined here; they resolve through
# `with lib; with x;` (presumably from `x` -- confirm).
# NOTE(review): this module never sets security.sudo-rs.enable; presumably it
# is enabled elsewhere -- confirm, otherwise these settings have no effect.
{ x, pkgs, lib, config, ... }:

with lib;
with x;

let
  cfg = config.module.hardware.security;

  # Builds one sudoers command entry that skips the password prompt.
  noPasswd = command: {
    inherit command;
    options = [ "NOPASSWD" ];
  };
in
{
  options.module.hardware.security.enable = mkBool;

  config = mkIf cfg.enable {
    security.sudo-rs = {
      # Only members of `wheel` may execute the sudo binary at all.
      # NOTE(review): if `userName` is not in wheel, the rule below can never
      # be exercised -- confirm group membership.
      execWheelOnly = true;
      wheelNeedsPassword = true;

      extraRules = [
        {
          users = [ userName ];
          commands = with pkgs; [
            # Backlight control without a password prompt.
            (noPasswd "${light}/bin/light")

            # SECURITY(review): no argument list is given, so this rule
            # matches `tee` with ANY arguments. Passwordless root `tee` can
            # write or append to any file on the system, which makes it
            # equivalent to passwordless root and defeats
            # `wheelNeedsPassword = true` for this user.
            # Prefer restricting the rule to the exact target path(s), or
            # replacing it with a fixed-purpose wrapper script or a
            # udev/group permission on the specific file being written.
            (noPasswd "${uutils-coreutils-noprefix}/bin/tee")
          ];
        }
      ];
    };
  };
}