diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index 8d94f4e..5d5fdab 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -10,6 +10,7 @@
     ./nix.nix
     ./openssh.nix
     ./serial.nix
+    ./sudo.nix
     ./upgrade-diff.nix
     ./well-known-hosts.nix
     ./zfs.nix
@@ -36,12 +37,6 @@
   # unecessary rebuilds.
   environment.noXlibs = false;
 
-  # Allow sudo from the @wheel group
-  security.sudo.enable = true;
-  security.sudo.extraConfig = ''
-    Defaults lecture = never
-  '';
-
   # Ensure a clean & sparkling /tmp on fresh boots.
   boot.tmp.cleanOnBoot = lib.mkDefault true;
 }
diff --git a/nixos/common/sudo.nix b/nixos/common/sudo.nix
new file mode 100644
index 0000000..b7a1695
--- /dev/null
+++ b/nixos/common/sudo.nix
@@ -0,0 +1,10 @@
+{
+  # Allow sudo from the @wheel group
+  security.sudo.enable = true;
+  # Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
+  security.sudo.execWheelOnly = true;
+  # Don't lecture the user. Less mutable state.
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+}
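Review bot: The comment above `security.sudo.execWheelOnly` in the new sudo.nix overstates what the option provides: it only restricts who may execute the setuid binary, so non-wheel users are taken out of the exposure to sudo defects such as CVE-2021-3156, but wheel members remain exposed to the same class of bug and already hold root through the default wheel rule, which makes this defence in depth rather than a fix and leaves a patched sudo as the primary control. I would reword and wrap it, e.g. `# Restrict the setuid sudo binary to the wheel group (defence in depth: non-wheel users cannot reach sudo bugs such as CVE-2021-3156; wheel members still rely on a patched sudo).` Since this file now centralises the sudo policy, consider also stating `security.sudo.wheelNeedsPassword = true;` explicitly so the password requirement for wheel is visible here rather than inherited silently from the NixOS default.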