Allow passwordless sudo for fred

40-char password from a manager is impractical for frequent sudo use.
SSH is already key-only, so local privilege escalation is the only
remaining threat — acceptable on a single-user home server.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

settings/users.nix

@@ -3,6 +3,11 @@
 
 {
     # Define a user account. Don't forget to set a password with 'passwd'.
+	security.sudo.extraRules = [{
+		users = [ "fred" ];
+		commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+	}];
+
 	users.users.fred = {
 		isNormalUser = true;
 		description = "fred";