{ config, lib, ... }:

let
  cfg = config.local.security.sudo;
in
{
  options.local.security.sudo = with lib; {
    nopasswd = mkOption {
      type = types.listOf (types.submodule {
        options = {
          commands = mkOption {
            type = with types; listOf (either str package);
          };
          groups = mkOption {
            type = types.listOf types.str;
            default = [ "wheel" ];
          };
        };
      });
      default = [ ];
    };
  };

  config = lib.mkIf (cfg.nopasswd != [ ]) {
    security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
      inherit (rule) groups;
      commands = lib.flip map rule.commands (cmd:
        {
          command = "${cmd}";
          options = [ "NOPASSWD" ];
        }
      );
    });
  };

}