let
  commandsWithoutPassword = [
    "/run/current-system/sw/bin/systemctl restart tor.service"
  ];
in
{
  security.sudo = {
    execWheelOnly = true;
    extraRules = [
      {
        groups = [ "wheel" ];
        commands = map
          (cmd: {
            command = cmd;
            options = [ "NOPASSWD" ];
          })
          commandsWithoutPassword;
      }
    ];
  };
}