diff --git a/modules/machine.nix b/modules/machine.nix
index 70d53ce..6a56c2b 100644
--- a/modules/machine.nix
+++ b/modules/machine.nix
@@ -36,14 +36,4 @@
   local.programs.pass.enable = lib.mkDefault true;
   local.programs.browsers.librewolf.enable = lib.mkDefault true;
-
-  security.sudo.extraRules = [{
-    commands = [
-      {
-        command = "/run/current-system/sw/bin/nixos-container";
-        options = [ "NOPASSWD" ];
-      }
-    ];
-    groups = [ "wheel" ];
-  }];
 }
diff --git a/modules/nixos/configs/default.nix b/modules/nixos/configs/default.nix
index 29c173d..8babd5c 100644
--- a/modules/nixos/configs/default.nix
+++ b/modules/nixos/configs/default.nix
@@ -5,6 +5,7 @@
     ./fonts.nix
     ./keyboard.nix
     ./nix.nix
+    ./security.nix
     ./sound.nix
     ./system.nix
     ./yubikey.nix
diff --git a/modules/nixos/configs/security.nix b/modules/nixos/configs/security.nix
new file mode 100644
index 0000000..0a806c3
--- /dev/null
+++ b/modules/nixos/configs/security.nix
@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.local.security.sudo;
+in
+{
+  options.local.security.sudo = with lib; {
+    nopasswd = mkOption {
+      type = types.listOf (types.submodule {
+        options = {
+          commands = mkOption {
+            type = listOf (types.either types.str types.package);
+          };
+          groups = mkOption {
+            type = types.listOf types.str;
+            default = [ "wheel" ];
+          };
+        };
+      });
+      default = [ ];
+    };
+  };
+
+  config = cfg.nopasswd != [ ] {
+    security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
+      inherit (rule) groups;
+      commands = lib.flip map rule.commands (cmd: [
+        {
+          command = "${cmd}";
+          options = [ "NOPASSWD" ];
+        }
+      ]);
+    });
+  };
+
+}
diff --git a/modules/nixos/programs/browsers/default.nix b/modules/nixos/programs/browsers/default.nix
index 69cdd30..9dfeb0f 100644
--- a/modules/nixos/programs/browsers/default.nix
+++ b/modules/nixos/programs/browsers/default.nix
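Review bot: As shown, `config = cfg.nopasswd != [ ] {` is not a conditional: Nix parses it as `cfg.nopasswd != ([ ] { … })`, i.e. applying a list as a function, so the new module fails to evaluate; since `map` over an empty list is already `[ ]`, the guard can simply go (`config.security.sudo.extraRules = map … cfg.nopasswd;`), or if a guard was intended it needs `lib.mkIf (cfg.nopasswd != [ ]) { … }`. Two more problems in the same hunk: `type = listOf (…)` under `commands` lacks the `types.` prefix that `groups` uses, so it resolves to `lib.listOf`, which does not appear to exist, and the inner lambda wraps every command in an extra `[ … ]`, producing a list of lists where `security.sudo.extraRules.*.commands` expects a flat list of `{ command; options; }` attrsets. Finally, `"${cmd}"` on a package interpolates to its store directory rather than an executable, and sudoers only matches directories written with a trailing `/`, so the resulting `NOPASSWD` entry would most likely match nothing (sudo keeps prompting, so this fails closed, but the option then does not do what its name says); resolving packages with `lib.getExe` (assuming the wrappers set `meta.mainProgram`) pins each rule to one immutable store path, which is also the safest form for a passwordless rule. The option should also carry a `description` saying that every entry becomes a root-equivalent, passwordless sudo rule for the listed groups.
```nix
  options.local.security.sudo = with lib; {
    nopasswd = mkOption {
      type = types.listOf (types.submodule {
        options = {
          commands = mkOption {
            type = types.listOf (types.either types.str types.package);
            description = "Executables (store paths or packages) that members of `groups` may run via sudo without a password. Every entry is root-equivalent; list only immutable wrapper binaries.";
          };
          # … unchanged: groups option …
        };
      });
      default = [ ];
    };
  };

  # `map` over an empty list is [ ], so no mkIf guard is needed here.
  config.security.sudo.extraRules = map (rule: {
    inherit (rule) groups;
    commands = map (cmd: {
      # A package interpolates to its store *directory*; sudoers needs the executable path.
      command = if lib.isDerivation cmd then lib.getExe cmd else "${cmd}";
      options = [ "NOPASSWD" ];
    }) rule.commands;
  }) cfg.nopasswd;
```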
@@ -39,6 +39,8 @@ in
   config = lib.mkIf isEnable {
     environment.systemPackages = hostPackages;
+    local.security.sudo.nopasswd = [{ commands = hostPackages; }];
+
     local.sound.systemWide = true;
     containers.browsers = {
diff --git a/modules/nixos/programs/communication/skype.nix b/modules/nixos/programs/communication/skype.nix
index c6b6f8e..77a1743 100644
--- a/modules/nixos/programs/communication/skype.nix
+++ b/modules/nixos/programs/communication/skype.nix
@@ -27,6 +27,8 @@ in
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ hostSkype ];
+    local.security.sudo.nopasswd = [{ commands = [ hostSkype ]; }];
+
     local.sound.systemWide = true;
     containers.skype = {
diff --git a/modules/nixos/programs/communication/telegram.nix b/modules/nixos/programs/communication/telegram.nix
index b89df54..644b9fb 100644
--- a/modules/nixos/programs/communication/telegram.nix
+++ b/modules/nixos/programs/communication/telegram.nix
@@ -27,6 +27,8 @@ in
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ hostTelegram ];
+    local.security.sudo.nopasswd = [{ commands = [ hostTelegram ]; }];
+
     local.sound.systemWide = true;
     containers.telegram = {
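Review bot: `commands = hostPackages;` turns the entire host package list into passwordless-root sudo commands for `wheel`, so anything that later lands in `hostPackages` (it is defined above this hunk, so I cannot see what it holds) silently gains a `NOPASSWD` rule too; naming the container launch wrapper(s) explicitly instead of the whole list keeps the rule from growing by accident. It is also worth confirming which side of sudo the wrapper sits on: the rule only helps if users run the wrapper itself under sudo, whereas if the wrapper calls `sudo nixos-container …` internally this entry matches nothing and the `nixos-container` rule removed in machine.nix was the one that needed narrowing (e.g. to `nixos-container run browsers -- *`). A one-line comment above the new line stating the assumption would make the intent reviewable, e.g. `# passwordless root for the container wrappers only; they must not forward caller-controlled argv/env to nixos-container`.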
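Review bot: `commands = [ hostSkype ];` passes the package, which the helper in security.nix interpolates as `"${cmd}"`, i.e. the store directory `/nix/store/…-skype` rather than the binary under it; sudoers only treats a path as a directory when it ends in `/`, so as written this entry most likely never matches and `wheel` users are still prompted. Unless the helper is changed to resolve packages, pass the executable here: `commands = [ (lib.getExe hostSkype) ];` if the wrapper sets `meta.mainProgram`, otherwise the explicit `"${hostSkype}/bin/<name>"`. `hostSkype` is defined above the hunk, so I cannot confirm which binary it exposes.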
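Review bot: A `NOPASSWD` rule with no argument pattern lets any `wheel` member run `hostTelegram` as root with arbitrary arguments, so after this change the wrapper, not sudo, is the privilege boundary, and the hunk gives no indication whether it sanitises `"$@"` before handing it to the container. If the wrapper takes no arguments, the sudoers entry can be pinned to an empty argument list by passing a string rather than the package, e.g. `commands = [ "${lib.getExe hostTelegram} \"\"" ];`, which also sidesteps the store-directory interpolation in the helper. Either way a short comment on the new line recording why passwordless root is acceptable for this wrapper would help the next reader: `# NOPASSWD: the wrapper is an immutable store path and ignores caller-supplied args/env`.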