From 2f202aac57da298009eeeaca98bf0295c79e9a04 Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Sat, 14 Dec 2024 02:02:41 +0800
Subject: [PATCH] security/sudo: disable lecture and no longer persist `/var/db`
---
 flake/nixos.nix | 1 +
 nixos/profiles/security/sudo/default.nix | 10 ++++++++++
 nixos/profiles/system/global-persistence.nix | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 nixos/profiles/security/sudo/default.nix
diff --git a/flake/nixos.nix b/flake/nixos.nix
index cd5bd05..206ba6c 100644
--- a/flake/nixos.nix
+++ b/flake/nixos.nix
@@ -17,6 +17,7 @@ let
 # keep-sorted start
 programs.tools.common
 security.polkit
+ security.sudo
 services.dbus
 services.journald
 services.openssh
diff --git a/nixos/profiles/security/sudo/default.nix b/nixos/profiles/security/sudo/default.nix
new file mode 100644
index 0000000..bad051a
--- /dev/null
+++ b/nixos/profiles/security/sudo/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = true;
+ extraConfig = ''
+ Defaults lecture="never"
+ '';
+ };
+}
diff --git a/nixos/profiles/system/global-persistence.nix b/nixos/profiles/system/global-persistence.nix
index 485d829..946fe45 100644
--- a/nixos/profiles/system/global-persistence.nix
+++ b/nixos/profiles/system/global-persistence.nix
@@ -2,7 +2,7 @@
 {
 environment.globalPersistence = {
 directories = [
- "/var/db"
+ "/var/cache"
 "/var/lib"
 "/var/log"
 "/var/tmp"
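Review bot: The new sudo profile has no comment explaining which of its three settings are deliberate policy, and `wheelNeedsPassword = true` restates the NixOS default while `execWheelOnly = true` is the actual hardening step (the sudo binary becomes executable only by members of `wheel`). A short header on the file, such as `# Only wheel members may run sudo and they must authenticate; the lecture is disabled because its per-user state is not kept across reboots on this system.`, would let a reader tell the intent apart from the defaults. The reason for `Defaults lecture="never"` is only inferable from this commit's change to global-persistence.nix, so that part of the comment should be confirmed against the actual lecture state directory before it is written down.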
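Review bot: The subject says `/var/db` is no longer persisted, but the replacing line adds `/var/cache` to the persisted set, a separate change that neither the commit message nor the file records. Since `/var/db` is, as far as I can tell, where NixOS's sudo keeps its lectured-user state (presumably why the lecture is disabled in this same commit), a why-comment on the list, such as `# /var/db is deliberately not persisted; sudo's lecture state lives there and the lecture is disabled instead`, would keep that link from being lost. Anything else on this system that writes under `/var/db` will now be discarded at reboot, which is worth checking before merging; the enclosing `directories` list may continue past the end of this hunk.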