nixverse/nodes/hosts/common/system/security.nix
2025-07-13 20:17:46 -04:00


# Security settings for this module: realtime scheduling broker, a PAM entry
# for the screen locker, polkit administrators, and the privilege-escalation
# tool. Takes the usual NixOS module arguments and returns a config attrset.
{ pkgs, lib, ... }: {
  # RealtimeKit lets unprivileged processes request realtime scheduling
  # through a broker instead of holding the privilege themselves.
  security.rtkit.enable = true;

  # Declare a PAM service named "hyprlock" with the module defaults; the
  # locker authenticates the user through it when unlocking.
  security.pam.services.hyprlock = {};

  # polkit treats members of the wheel group as administrators, so wheel
  # membership is the single gate for both polkit and sudo-rs below.
  security.polkit = {
    enable = true;
    adminIdentities = [ "unix-group:wheel" ];
  };

  # For security reasons, classic sudo is switched off. mkForce gives this
  # value priority over any other module that tries to enable sudo again.
  security.sudo.enable = lib.mkForce false;

  # sudo-rs, a Rust rewrite of sudo, takes its place.
  # See https://cybersecsentinel.com/cve-2025-32463-privilege-escalation-in-sudo-triggers-urgent-linux-patching/.
  # NOTE(review): sudo-rs implements only part of sudo's feature set; confirm
  # that no host depends on a sudoers option it lacks.
  security.sudo-rs = {
    enable = true;
    # wheel members must authenticate with their password on every elevation.
    wheelNeedsPassword = true;
    # Only wheel members get execute permission on the setuid wrapper, so a
    # bug in the binary is not reachable from accounts outside that group.
    execWheelOnly = true;
  };

  # vulnix scans the Nix store for packages with known CVEs. Installing it
  # schedules nothing; a scan only happens when someone runs it.
  environment.systemPackages = [ pkgs.vulnix ];
}