nixos/sudo: Make the default rules' options configurable

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -286,10 +286,11 @@ The module update takes care of the new config syntax and the data itself (user
 
 - New `boot.bcache.enable` (default enabled) allows completely removing `bcache` mount support.
 
-- `security.sudo` now provides an extra option, that does not change the
+- `security.sudo` now provides two extra options, that do not change the
   module's default behaviour:
-  `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
+  - `defaultOptions` controls the options used for the default rules;
-  for `root` and the `wheel` group.
+  - `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
+    for `root` and the `wheel` group.
 
 
 ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}

nixos/modules/security/sudo.nix

@@ -38,6 +38,15 @@ in
 
   options.security.sudo = {
 
+    defaultOptions = mkOption {
+      type = with types; listOf str;
+      default = [ "SETENV" ];
+      description = mdDoc ''
+        Options used for the default rules, granting `root` and the
+        `wheel` group permission to run any command as any user.
+      '';
+    };
+
     enable = mkOption {
       type = types.bool;
       default = true;
@@ -206,8 +215,8 @@ in
           inherit users groups;
           commands = [ {
             command = "ALL";
-            options = opts ++ [ "SETENV" ];
+            options = opts ++ cfg.defaultOptions;
-	  } ];
+          } ];
         } ];
       in mkMerge [
         # This is ordered before users' `mkBefore` rules,