_: {
  security = {
    sudo = {
      enable = true;
      execWheelOnly = true;
      wheelNeedsPassword = false;
      extraConfig = ''
        Defaults lecture=never
      '';
    };

    polkit = {
      enable = true;
      extraConfig = ''
        /*
         * Allow members of the wheel group to execute any actions
         * without password authentication, similar to "sudo NOPASSWD:".
         *
         * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
         */
        polkit.addRule(function(action, subject) {
          if (subject.isInGroup('wheel'))
            return polkit.Result.YES;
        });
      '';
    };

    # Pretty much used only for PipeWire.
    rtkit.enable = true;
  };
}