diff --git a/modules/users.nix b/modules/users.nix
index 95b9f5b..5ac7717 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -12,18 +12,13 @@
  security.sudo.wheelNeedsPassword = true;
- # deploy-rs needs passwordless sudo for system activation
+ # deploy-rs needs full NOPASSWD sudo — it runs activate-rs, nix-env,
+ # switch-to-configuration, and confirmation commands via non-interactive SSH
  security.sudo.extraRules = [
  {
  users = [ "ldx" ];
  commands = [
- { command = "/nix/store/*/activate"; options = [ "NOPASSWD" ]; }
- { command = "/nix/store/*/bin/switch-to-configuration"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/nix-env"; options = [ "NOPASSWD" ]; }
- { command = "/nix/store/*/bin/nix-env"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/systemctl"; options = [ "NOPASSWD" ]; }
- { command = "/nix/store/*/bin/systemctl"; options = [ "NOPASSWD" ]; }
- { command = "/run/current-system/sw/bin/reboot"; options = [ "NOPASSWD" ]; }
+ { command = "ALL"; options = [ "NOPASSWD" ]; }
  ];
  }
  ];
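Review bot: The new rule `{ command = "ALL"; options = [ "NOPASSWD" ]; }` makes `ldx` root-equivalent without a password, so `security.sudo.wheelNeedsPassword = true` at the top of the hunk no longer protects this account, and anything that can act as `ldx` (a stolen SSH key, a compromised session) reaches root with no further check. If `ldx` is also an interactive login, consider moving the rule to a dedicated account used only by deploy-rs, e.g. `users = [ "<deploy-user>" ];` (placeholder name), with its authorized key limited to the deploy host. If the rule stays on `ldx`, the comment should state the consequence rather than only the reason, e.g. `# SECURITY: ldx has passwordless root; treat its SSH keys as root credentials`. The rest of `users.nix`, including how `ldx` is defined and which keys it accepts, is outside the hunk, so part of this may already be handled there.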