From 717e51a140d6af347b5362ddb149a2c343b947b8 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Thu, 7 Sep 2023 12:50:48 +0000
Subject: [PATCH] nixos/sudo: Make the default rules' options configurable

---
 nixos/doc/manual/release-notes/rl-2311.section.md | 7 ++++---
 nixos/modules/security/sudo.nix | 13 +++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index 98c521b1106b..b7df38e67159 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -286,10 +286,11 @@ The module update takes care of the new config syntax and the data itself (user
 
 - New `boot.bcache.enable` (default enabled) allows completely removing `bcache` mount support.
 
-- `security.sudo` now provides an extra option, that does not change the
+- `security.sudo` now provides two extra options, that do not change the
   module's default behaviour:
-  `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
-  for `root` and the `wheel` group.
+  - `defaultOptions` controls the options used for the default rules;
+  - `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
+    for `root` and the `wheel` group.
 
 ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}
 
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 04a8e7194064..882e3d18aa43 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -38,6 +38,15 @@ in
 
   options.security.sudo = {
 
+    defaultOptions = mkOption {
+      type = with types; listOf str;
+      default = [ "SETENV" ];
+      description = mdDoc ''
+        Options used for the default rules, granting `root` and the
+        `wheel` group permission to run any command as any user.
+      '';
+    };
+
     enable = mkOption {
       type = types.bool;
       default = true;
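Review bot: `defaultOptions` is typed as a free-form `with types; listOf str`, yet its value is spliced straight into the per-command `options` field of a generated rule (third hunk, `options = opts ++ cfg.defaultOptions;`), so a mistyped tag would land in the sudoers file unchecked unless the module validates it elsewhere, which this hunk does not show. If the module's existing per-command `options` field is declared with an enum of sudoers Tag_Spec values (outside this hunk), reuse that type here so both fields accept the same set; failing that, `types.listOf types.str` would at least match the `types.bool` form used by the sibling `enable` option. The description should also say what the default does, e.g. add `The default, `SETENV`, lets the invoking user override environment variables for the command it runs (see the Tag_Spec section of sudoers(5)).`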
@@ -206,8 +215,8 @@ in
         inherit users groups;
         commands = [ {
           command = "ALL";
-          options = opts ++ [ "SETENV" ];
-        } ];
+          options = opts ++ cfg.defaultOptions;
+        } ];
       } ];
     in mkMerge [
       # This is ordered before users' `mkBefore` rules,
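Review bot: `options = opts ++ cfg.defaultOptions;` places the user-configurable tags after the rule-specific ones in `opts`, and within a sudoers Tag_Spec a later tag overrides an earlier opposite one, so a `defaultOptions` value containing `PASSWD` or `NOSETENV` would silently cancel a `NOPASSWD` or `SETENV` arriving through `opts`; where `opts` is populated is outside this hunk, so whether that precedence is intended cannot be confirmed here. Either order is defensible, but the chosen one should be stated in the `defaultOptions` description, e.g. `These tags are appended after the rule-specific ones, so an opposite tag given here takes precedence.` The `} ];` line is removed and re-added without a visible change, presumably a whitespace adjustment lost in this rendering. The enclosing `let` binding that builds this rule starts before the hunk.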