🔒 feat(security): replace sudo with sudo-rs

- Enable `sudo-rs` with wheel-only execution
- Disable legacy `sudo`
- Update AppArmor and U2F configs for `sudo-rs`
- Update Yubikey U2F auth for `sudo-rs`

nixos/security-services.nix

@@ -10,6 +10,11 @@
   # };
 
   # Enable Security Services
+  security.sudo-rs = {
+    enable = true;
+    execWheelOnly = true;
+  };
+  security.sudo.enable = false;
   users.users.root.hashedPassword = "!";
   security.tpm2 = {
     enable = true;
@@ -28,7 +33,7 @@
   security.pam.services = {
     login.enableAppArmor = true;
     sshd.enableAppArmor = true;
-    sudo.enableAppArmor = true;
+    sudo-rs.enableAppArmor = true;
     su.enableAppArmor = true;
     greetd.enableAppArmor = true;
     u2f.enableAppArmor = true;