feat(sudo): configure sudo with nix modules

nix/homes/rafiq/darwin.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+let
+  inherit (lib.modules) mkIf;
+in
+{
+  flake.modules.homeManager.rafiq =
+    {
+      pkgs,
+      config,
+      hostName,
+      hostConfig,
+      ...
+    }:
+    mkIf (pkgs.system == "aarch64-darwin" || pkgs.system == "x86_64-darwin") {
+      home.file."Library/Application Support/aichat/config.yaml".text = ''
+        model: gemini:gemini-2.0-flash
+        clients:
+        - type: gemini
+      '';
+    };
+}

nix/modules/system/secrets.nix

@@ -30,6 +30,21 @@ in
           '';
       };
     };
+  flake.modules.darwin.default =
+    { config, ... }:
+    {
+      imports = [ inputs.sops-nix.darwinModules.sops ];
+      config = {
+        sops = {
+          age.sshKeyPaths = [ "${config.users.users.${username}.home}/.ssh/id_ed25519" ];
+          secrets."keys/gemini".sopsFile = secrets + "/keys.yaml";
+        };
+        environment.shellInit = # sh
+          ''
+            export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
+          '';
+      };
+    };
   flake.modules.homeManager.default.persistDirs = [ ".config/sops/age" ];
   perSystem =
     { pkgs, ... }:

nix/modules/system/sudo.nix

@@ -8,9 +8,12 @@ in
     nix.settings.trusted-users = [ "@wheel" ];
     users.users.${cfg.admin.username}.extraGroups = [ "wheel" ];
   };
-  flake.modules.darwin.default.security.pam.services.sudo_local = {
+  flake.modules.darwin.default.security = {
-    enable = true;
+    sudo.extraConfig = "%admin          ALL = (ALL) NOPASSWD: ALL";
-    reattach = true;
+    pam.services.sudo_local = {
-    touchIdAuth = true;
+      enable = true;
+      reattach = true;
+      touchIdAuth = true;
+    };
   };
 }