From 33aa287e1269d55d77fe62de5e49b529e57290ad Mon Sep 17 00:00:00 2001
From: xnm
Date: Sun, 18 May 2025 03:40:44 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20feat(security):=20replace=20`sud?= =?UTF-8?q?o`=20with=20`sudo-rs`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Enable `sudo-rs` with wheel-only execution
- Disable legacy `sudo`
- Update AppArmor and U2F configs for `sudo-rs`
- Update Yubikey U2F auth for `sudo-rs`
---
 nixos/security-services.nix | 7 ++++++-
 nixos/yubikey.nix | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/nixos/security-services.nix b/nixos/security-services.nix
index 38924cd..6e5bf59 100644
--- a/nixos/security-services.nix
+++ b/nixos/security-services.nix
@@ -10,6 +10,11 @@
 # };
 # Enable Security Services
+ security.sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ };
+ security.sudo.enable = false;
 users.users.root.hashedPassword = "!";
 security.tpm2 = {
 enable = true;
@@ -28,7 +33,7 @@
 security.pam.services = {
 login.enableAppArmor = true;
 sshd.enableAppArmor = true;
- sudo.enableAppArmor = true;
+ sudo-rs.enableAppArmor = true;
 su.enableAppArmor = true;
 greetd.enableAppArmor = true;
 u2f.enableAppArmor = true;
diff --git a/nixos/yubikey.nix b/nixos/yubikey.nix
index c4369c9..6815f04 100644
--- a/nixos/yubikey.nix
+++ b/nixos/yubikey.nix
@@ -14,7 +14,7 @@
 security.pam.services = {
 greetd.u2fAuth = true;
- sudo.u2fAuth = true;
+ sudo-rs.u2fAuth = true;
 hyprlock.u2fAuth = true;
 };
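Review bot: With `users.users.root.hashedPassword = "!";` on the context line just below, the added `security.sudo-rs` block becomes the only route to root, and nothing in the first nixos/security-services.nix hunk records that. A one-line comment above the block would help, for example `# sudo-rs is the sole escalation path (root is locked); keep an admin user in wheel`. Any `security.sudo.*` settings defined elsewhere in the configuration (such as `extraRules` or `wheelNeedsPassword`) stop applying once `security.sudo.enable = false;` is set and would need to move to the matching `security.sudo-rs.*` options; whether any exist cannot be seen from this hunk. The enclosing attribute set starts and ends outside the hunk.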
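Review bot: The renamed key `sudo-rs.enableAppArmor` in the second nixos/security-services.nix hunk, and `sudo-rs.u2fAuth` in the nixos/yubikey.nix hunk, configure a PAM service named `sudo-rs`, but as far as I know sudo-rs still authenticates under the PAM service names `sudo` and `sudo-i` (the latter for `sudo -i`), which are also the services the NixOS sudo-rs module declares. If that holds, these two settings land in a service file nothing reads, and whether privilege escalation still gets the U2F step and the AppArmor PAM hook depends on module defaults that neither hunk shows. I would keep `sudo.enableAppArmor = true;` and `sudo.u2fAuth = true;`, and add `sudo-i.enableAppArmor = true;` and `sudo-i.u2fAuth = true;` alongside them. After a rebuild, reading the generated service files under `/etc/pam.d/` confirms which services actually carry the `pam_u2f` and `pam_apparmor` lines. Both `security.pam.services` sets continue outside their hunks.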