{
  config,
  lib,
  ...
}:
with lib; {
  options = {
    security.sudo = {
      wheelNeedsPassword = mkOption {
        type = types.bool;
        default = true;
        description = "Whether users in the wheel group need to provide a password for sudo.";
      };
    };
  };

  config = {
    environment.etc."sudoers.d/wheel-no-password" = mkIf (!config.security.sudo.wheelNeedsPassword) {
      text = ''
        %wheel ALL=(ALL) NOPASSWD: ALL
      '';
      # mode = "0440";
    };
  };
}