From a811aa4a1c703ab559390310e21cab7625b8b947 Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Sun, 29 Mar 2026 01:40:05 -0700
Subject: [PATCH 1/1] Narrow sudoers to runAs=root

---
 modules/auto-upgrade.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index c52f0bc..7d2404c 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -281,6 +281,7 @@ in
 security.sudo.extraRules = lib.mkAfter [
 {
 groups = [ "users" ];
+ runAs = "root";
 commands = [
 {
 command = "${auto-upgrade-script}";
--
2.51.2
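Review bot: The `command = "${auto-upgrade-script}";` entry just below the new `runAs` line is still a bare path, and sudoers lets a command listed without arguments be run with any arguments, so every member of `users` can pass arbitrary arguments to a script that runs as root. If the script is meant to be invoked without arguments (its body is not visible here, so this needs confirming), pin that with sudoers' empty-argument form, `command = "${auto-upgrade-script} \"\"";`. A short comment above `runAs` would also record the intent, e.g. `# NixOS defaults runAs to "ALL:ALL"; restrict to root so callers cannot choose another target user or group.` The `commands` entry continues past the end of the hunk, so any `options` on it (such as NOPASSWD or SETENV) could not be checked from here.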