diff --git a/nix/home-server.nix b/nix/home-server.nix
index 3a6cf91..0c4c7eb 100644
--- a/nix/home-server.nix
+++ b/nix/home-server.nix
@@ -128,6 +128,11 @@
   ];
   services.envfs.enable = true;
 
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = true;
+  };
+
   # printing
   services.printing = {
     enable = true;
diff --git a/nix/modules/gitea-runner.nix b/nix/modules/gitea-runner.nix
index 8b7d764..0b220e6 100644
--- a/nix/modules/gitea-runner.nix
+++ b/nix/modules/gitea-runner.nix
@@ -27,7 +27,6 @@
         kubectl
         kubernetes-helm
         curl
-        sudo
       ];
       settings = {
         container = { 
@@ -61,7 +60,11 @@
       commands = [
         {
           command = "${pkgs.nix}/bin/nix-collect-garbage";
-          options = [ "NOPASSWD" ];
+          options = [ "NOPASSWD" "SETENV" ];
+        }
+        {
+          command = "${pkgs.nix}/bin/nix-env";
+          options = [ "NOPASSWD" "SETENV" ];
         }
       ];
     }