agam

Reputation: 5364

Can't seem to get sudo working under NixOS

The title (embarrassing as it is) says it all. Some context first:

I'm running NixOS using a custom ISO on Vultr.

Timeframe of attempts:

[root@nixos:/home/agam]# chmod 4755 /nix/var/nix/profiles/default/bin/sudo
chmod: changing permissions of '/nix/var/nix/profiles/default/bin/sudo': Read-only file system

Any clues on what's going on here?

Some possible options I see here are:

  1. The custom ISO that Vultr provided was ... missing something
  2. Some fundamentally different ways that sudo is supposed to work in NixOS
  3. I'm missing something very basic in how to go about using Nix (most likely!)

Some details:

[agam@nixos:~]$ nixos-version
18.09.1534.d45a0d7a4f5 (Jellyfish)

[agam@nixos:~]$ which sudo
/nix/var/nix/profiles/default/bin/sudo

[agam@nixos:~]$ nix-channel --list
nixos https://nixos.org/channels/nixos-18.09

Edit: final set of steps that worked:

  1. As suggested in the answer, enable sudo first:
     security.sudo.enable = true;
  2. Add a sudoers section to /etc/nixos/configuration.nix:
     # Allow members of the "wheel" group to sudo:
     security.sudo.configFile = ''
       %wheel ALL=(ALL) ALL
     '';
  3. Add myself to wheel:
     usermod -a -G wheel agam

Upvotes: 5

Views: 4867

Answers (1)

Robert Hensing

Reputation: 7359

The way to install sudo on NixOS is by adding to configuration.nix:

security.sudo.enable = true;

Nix by itself is simply not capable of creating setuid binaries like sudo. Otherwise it could not be "safe and policy free" - no multi user support. The nix/nix-* tools are designed to perform safe store operations and not to allow elevation of privileges.

In order to support setuid binaries like sudo, NixOS maintains a directory of setuid wrappers outside the Nix store, in /run/wrappers. This is only possible because NixOS is started/switched/activated with root privileges.

Upvotes: 5
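
A diagnostic for the situation in this thread, added here as an example (not code from the question or the answer): it lists every `sudo` on a PATH-style string in lookup order and reports whether each one carries the setuid bit or is a non-setuid file inside the read-only store. The function names and the `STORE_PREFIX` variable are hypothetical.

```shell
#!/bin/sh
# Added example. STORE_PREFIX and both function names are hypothetical.
STORE_PREFIX=${STORE_PREFIX:-/nix/store}

# Classify one candidate binary.
# Prints: missing | setuid | store-no-setuid | no-setuid
classify_bin() {
    p=$1
    [ -e "$p" ] || { echo missing; return 0; }
    # Profile entries are symlinks; resolve to the real file first.
    real=$(readlink -f "$p")
    if [ -u "$real" ]; then
        echo setuid
        return 0
    fi
    case $real in
        # Read-only store: chmod cannot add the bit here.
        "$STORE_PREFIX"/*) echo store-no-setuid ;;
        *) echo no-setuid ;;
    esac
}

# List every directory of a PATH-style string that provides `name`,
# in lookup order: the first line is what the shell would execute.
scan_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -n "$dir" ] && [ -e "$dir/$name" ]; then
            printf '%s %s\n' "$(classify_bin "$dir/$name")" "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# With security.sudo.enable = true, a "setuid" entry under /run/wrappers
# is expected to come before any "store-no-setuid" profile entry.
scan_path sudo "$PATH"
```

A first line reading `store-no-setuid` matches the symptom in the question: the `sudo` found first is a plain store file reached through a profile symlink.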
