From c4dda5910009a9354b122592a9bd4a1f9e80d3dc Mon Sep 17 00:00:00 2001
From: Antoine Viallon
Date: Sun, 1 Jan 2023 20:04:23 +0100
Subject: [PATCH] [Hardening] Forbid sudo usage by non-wheel users
---
 hardening.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hardening.nix b/hardening.nix
index ffe9089..74b1c83 100644
--- a/hardening.nix
+++ b/hardening.nix
@@ -47,6 +47,8 @@ in
 aviallon.hardening.expensive = mkIf cfg.hardcore (mkForce true);
+ security.sudo.execWheelOnly = true;
+
 services.openssh.permitRootLogin = "prohibit-password";
 security.apparmor.enable = true;
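Review bot: The added `security.sudo.execWheelOnly = true;` carries no comment, so nothing on the line tells a host maintainer that sudoers rules granted to users or groups outside `wheel` (for example through `security.sudo.extraRules`) stop working once only `wheel` can execute the binary. I would put a comment above it, such as `# sudo is executable by wheel only: smaller setuid attack surface, but non-wheel sudoers rules no longer work`. The value is also set at normal priority, so a host that imports this module and needs an exception has to use `mkForce`; if opting out is meant to be possible, `security.sudo.execWheelOnly = mkDefault true;` would allow it, though that depends on module code outside the hunk. The enclosing attribute set starts and ends outside the hunk, so I cannot tell whether this line sits under the module's enable condition.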