diff --git a/etc/default.nix b/etc/default.nix
index d05ae3f6c87..3fe44a2665f 100644
--- a/etc/default.nix
+++ b/etc/default.nix
@@ -192,19 +192,6 @@ let
target = "ldap.conf";
}
- # "sudo" configuration.
- ++ optional config.security.sudo.enable {
- source = pkgs.runCommand "sudoers"
- { src = pkgs.writeText "sudoers-in" (config.security.sudo.configFile);
- }
- # Make sure that the sudoers file is syntactically valid.
- # (currently disabled - NIXOS-66)
- #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
- "cp $src $out";
- target = "sudoers";
- mode = "0440";
- }
-
# A bunch of PAM configuration files for various programs.
++ (map
(program:
@@ -227,7 +214,6 @@ let
"login"
"slim"
"su"
- "sudo"
"other"
"passwd"
"shadow"
diff --git a/system/options.nix b/system/options.nix
index a85564aa62e..1d2a85f17cd 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -2608,37 +2608,6 @@ in
};
};
- sudo = {
-
- enable = mkOption {
- default = true;
- description = "
- Whether to enable the sudo command, which
- allows non-root users to execute commands as root.
- ";
- };
-
- configFile = mkOption {
- default = "
-# WARNING: do not edit this file directly or with \"visudo\". Instead,
-# edit the source file in /etc/nixos/nixos/etc/sudoers.
-
-# \"root\" is allowed to do anything.
-root ALL=(ALL) SETENV: ALL
-
-# Users in the \"wheel\" group can do anything.
-%wheel ALL=(ALL) SETENV: ALL
- ";
- description = "
- This string contains the contents of the
- sudoers file. If syntax errors are
- detected in this file, the NixOS configuration will fail to
- build.
- ";
- };
-
- };
-
};
@@ -2853,6 +2822,9 @@ root ALL=(ALL) SETENV: ALL
(import ../system/activate-configuration.nix)
(import ../upstart-jobs/default.nix)
+ # security
+ (import ../system/sudo.nix)
+
# environment
(import ../etc/default.nix)
diff --git a/system/sudo.nix b/system/sudo.nix
new file mode 100644
index 00000000000..c1a655e4557
--- /dev/null
+++ b/system/sudo.nix
@@ -0,0 +1,87 @@
+{pkgs, config, ...}:
+
+###### interface
+let
+ inherit (pkgs.lib) mkOption;
+
+ options = {
+ security = {
+ sudo = {
+
+ enable = mkOption {
+ default = true;
+ description = "
+ Whether to enable the sudo command, which
+ allows non-root users to execute commands as root.
+ ";
+ };
+
+ configFile = mkOption {
+ default = "
+# WARNING: do not edit this file directly or with \"visudo\". Instead,
+# edit the source file in /etc/nixos/nixos/etc/sudoers.
+
+# \"root\" is allowed to do anything.
+root ALL=(ALL) SETENV: ALL
+
+# Users in the \"wheel\" group can do anything.
+%wheel ALL=(ALL) SETENV: ALL
+ ";
+ description = "
+ This string contains the contents of the
+ sudoers file.
+ ";
+ # If syntax errors are detected in this file, the NixOS
+ # configuration will fail to build.
+ };
+
+ };
+ };
+ };
+in
+
+###### implementation
+let
+ cfg = config.security.sudo;
+ inherit (pkgs.lib) mkIf;
+ inherit (pkgs) sudo;
+in
+
+mkIf cfg.enable {
+ require = [
+ options
+
+ # config.environment.etc
+ (import ../etc/default.nix)
+
+ # (import ?) # config.environment.extraPackages
+ # (import ?) # config.security.extraSetuidPrograms
+ ];
+
+ security = {
+ extraSetuidPrograms = [
+ "sudo"
+ ];
+ };
+
+ environment = {
+ extraPackages = [ sudo ];
+
+ etc = [
+ {
+ source = ../etc/pam.d/sudo;
+ target = "pam.d/sudo";
+ }
+ {
+ source = pkgs.runCommand "sudoers"
+ { src = pkgs.writeText "sudoers-in" cfg.configFile; }
+ # Make sure that the sudoers file is syntactically valid.
+ # (currently disabled - NIXOS-66)
+ #"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
+ "cp $src $out";
+ target = "sudoers";
+ mode = "0440";
+ }
+ ];
+ };
+}
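Review bot: The sudoers file produced by the `pkgs.runCommand "sudoers"` call is copied into place without the `visudo -c` check (the commented-out line, NIXOS-66), so a malformed `security.sudo.configFile` is not rejected at build time; sudo refuses to run on a sudoers parse error, so the mistake surfaces only when someone invokes sudo, and an operator who relies on sudo for root access may then be locked out. That caveat was dropped from the option's `description` and survives only as a `#` comment after it, where users of the option will not see it; I would state it in the description instead, e.g. `This string contains the contents of the sudoers file. It is currently installed without a syntax check (NIXOS-66), so a syntax error is only reported when sudo is run.` The two `# (import ?)` placeholders in `require` leave unstated which module declares `environment.extraPackages` and `security.extraSetuidPrograms`; a `TODO:` naming the missing module would make that dependency easier to resolve later.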
diff --git a/system/system.nix b/system/system.nix
index 4ca281a9fc8..f0b1fe849f0 100644
--- a/system/system.nix
+++ b/system/system.nix
@@ -158,7 +158,6 @@ rec {
pkgs.utillinux
pkgs.wirelesstools
]
- ++ pkgs.lib.optional config.security.sudo.enable pkgs.sudo
++ pkgs.lib.optional config.services.bitlbee.enable pkgs.bitlbee
++ pkgs.lib.optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
++ config.environment.extraPackages
@@ -199,7 +198,6 @@ rec {
setuidPrograms =
config.security.setuidPrograms ++
config.security.extraSetuidPrograms ++
- pkgs.lib.optional config.security.sudo.enable "sudo" ++
pkgs.lib.optional (config.services.xserver.sessionType == "kde") "kcheckpass" ++
map ( x : x.program ) config.security.setuidOwners;