diff --git a/modules/sudo.nix b/modules/sudo.nix
index a1abbd5..f63aaf6 100644
--- a/modules/sudo.nix
+++ b/modules/sudo.nix
@@ -1,10 +1,56 @@
-{ ulib, ... }: with ulib;
+{ lib, ulib, ... }: with ulib; merge
 
-systemConfiguration {
+(desktopSystemConfiguration {
+ security.sudo.wheelNeedsPassword = false;
+})
+
+(systemConfiguration {
 security.sudo = enabled {
 extraConfig = ''
- Defaults timestamp_timeout=${if ulib.isDesktop then "-1" else "0"}
+ Defaults lecture = never
+ Defaults pwfeedback
+ Defaults env_keep += "DISPLAY EDITOR PATH"
+ ${lib.optionalString ulib.isServer ''
+ Defaults timestamp_timeout = 0
+ ''}
 '';
 execWheelOnly = true;
+
+ extraRules = [{
+ groups = [ "wheel" ];
+ commands = let
+ system = "/run/current-system";
+ store = "/nix/store";
+ in [
+ {
+ command = "${store}/*/bin/switch-to-configuration";
+ options = [ "SETENV" "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/nix system";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/nix-collect-garbage";
+ options = [ "SETENV" "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/nix-env";
+ options = [ "SETENV" "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/nix-store";
+ options = [ "SETENV" "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/nixos-rebuild";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "${system}/sw/bin/systemctl";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }];
 };
-}
+})
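Review bot: The `${store}/*/bin/switch-to-configuration` rule with `"SETENV" "NOPASSWD"` is not pinned to the running system's generation, so it matches any store path carrying that file name, and on a host where wheel users can realise their own derivations through the daemon it appears to amount to passwordless root for the whole group, on servers as much as desktops; the `timestamp_timeout = 0` added for servers is then mostly cosmetic. Passwordless `systemctl`, and `nix-env`/`nix-store` with `SETENV`, widen the same exposure, and `Defaults env_keep += "DISPLAY EDITOR PATH"` lets a caller's `$EDITOR` and `$PATH` reach helpers those tools spawn as root. On desktops `wheelNeedsPassword = false` already makes every `extraRules` entry redundant, so it is worth confirming that blanket switch is intended rather than the previous `timestamp_timeout` caching. I would drop the glob rule (`nixos-rebuild` is already covered) or at least change it to `options = [ ];`, and trim the env line to `Defaults env_keep += "DISPLAY EDITOR"`.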