The order of sudoers entries is significant. The man page for sudoers(5)
notes:
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
This module adds a rule for group "wheel" matching all commands. If you
wanted to add a more specific rule allowing members of the "wheel" group
to run command `foo` without a password, you'd need to use mkAfter to
ensure your rule comes after the more general rule.
extraRules = lib.mkAfter [
{
groups = [ "wheel" ];
commands = [
{
command = "${pkgs.foo}/bin/foo";
options = [ "NOPASSWD" "SETENV" ];
}
]
}
];
Otherwise, when configuration options are merged, if the general rule
ends up after the specific rule, it will dictate the behavior even when
running the `foo` command.
d08967a3a8