# NixOS module: passwordless privilege escalation for the `wheel` group via
# both sudo and polkit. With these settings, membership in `wheel` is
# root-equivalent, so the group's member list is the real access-control
# boundary on this host and is worth auditing.
{ inputs, lib, ... }:
with lib;
{
  # ---- sudo -----------------------------------------------------------
  security.sudo.enable = true;

  # Only members of `wheel` may execute the sudo binary at all, which keeps
  # accounts outside the group away from the setuid program.
  security.sudo.execWheelOnly = true;

  # No password prompt for `wheel`: any process running as a wheel user can
  # become root without further authentication.
  security.sudo.wheelNeedsPassword = false;

  # https://mwl.io/archives/1000
  # Preserve the SSH_* variables across sudo. Keeping SSH_AUTH_SOCK means a
  # command started through sudo can still reach the invoking user's
  # ssh-agent socket (including a forwarded agent).
  # NOTE(review): presumably kept for the agent-based setup described at the
  # link above - confirm that it is still needed.
  security.sudo.extraConfig = ''
    Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
  '';

  # ---- polkit ---------------------------------------------------------
  security.polkit.enable = true;

  # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
  # The rule answers YES for every polkit action when the subject is in
  # `wheel`. It inspects neither action.id nor subject.local/subject.active,
  # so the authorization applies to all actions and to remote sessions too.
  # NOTE(review): if only some actions need to be prompt-free, match on
  # action.id and/or require subject.local && subject.active.
  security.polkit.extraConfig = ''
    polkit.addRule(function (action, subject) {
      if (subject.isInGroup('wheel'))
        return polkit.Result.YES;
    });
  '';
}