Sudo - member of wheel cannot run commands without password

Edit: While typing this I did some more troubleshooting and found a workaround. Posting because I think it may help others running into a similar problem.

I have an admin user set up as a member of %wheel, which by default provides the ability to run any command as sudo. However, there are specific commands I want the user to be able to run without a password. I’m configuring sudo as follows (abbreviated to a single command for simplicity):

<SNIP>
root     ALL=(ALL:ALL)    SETENV: ALL
%wheel  ALL=(ALL:ALL)    SETENV: ALL
user ALL=NOPASSWD: SCRIPTS
<SNIP>

All fine. However, I’m unable to run the configured command without a password:

$ sudo -l
Matching Defaults entries for user on host:
    !tty_tickets, !lecture, !env_reset, timestamp_timeout=120,
    env_keep+=TERMINFO_DIRS, env_keep+=TERMINFO

User user may run the following commands on host:
    (root) NOPASSWD: /run/wrappers/bin/mount
    (ALL : ALL) SETENV: ALL

$ sudo mount
[sudo] password for user:

I spent a while troubleshooting this and found it’s an ordering issue. If I manually edit /etc/sudoers and put the user NOPASSWD line after %wheel:

Defaults !tty_tickets, !lecture, !env_reset, timestamp_timeout = 120
Cmnd_Alias SCRIPTS = /run/wrappers/bin/mount
user ALL=NOPASSWD: SCRIPTS

# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.

root     ALL=(ALL:ALL)    SETENV: ALL
%wheel  ALL=(ALL:ALL)    SETENV: ALL

# extraConfig

# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO

Then it works as expected:

$ sudo mount
devtmpfs on /dev type devtmpfs (rw,nosuid,size=1598444k,nr_inodes=3990817,mode=755)
<SNIP>

Edit: This is where I was about to post for help, but then I discovered that security.sudo.configFile is written before the default root/%wheel lines, while security.sudo.extraConfig is written after those lines. Simply changing my config from configFile to extraConfig resolved the problem for me.

Hope this saves someone else some time.
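The ordering behaviour behind this post is sudo's last-match-wins rule: when several user specs match a command, the final one in the file decides its tags. The following Python script is an added example, not code from the post or from NixOS; it emulates that evaluation over constructed sudoers snippets in the two orders described above (user rule before the default %wheel rule, as configFile produced, and after it, as extraConfig produces). It is deliberately simplified: host and runas fields, negated entries and Defaults are not evaluated.

```python
import re

def parse_sudoers(text):
    """Parse a (constructed, simplified) sudoers snippet into user-spec rules.
    Handles Cmnd_Alias, comments and tags; Defaults lines are skipped."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        # who host=(runas) [TAG: ...] commands   (the runas clause is optional)
        m = re.match(r"(\S+)\s+(\S+?)=(?:\((\S*)\))?\s*((?:\w+:\s*)*)(.+)", line)
        if not m:
            raise ValueError(f"unparsed user spec: {line}")
        who, _host, _runas, tags, cmds = m.groups()
        expanded = []
        for c in cmds.split(","):
            c = c.strip()
            expanded.extend(aliases.get(c, [c]))  # expand Cmnd_Alias names
        rules.append({"who": who, "nopasswd": "NOPASSWD" in tags, "cmds": expanded})
    return rules

def rule_matches(rule, user, groups, command):
    who_ok = rule["who"] == user or (rule["who"].startswith("%") and rule["who"][1:] in groups)
    return who_ok and ("ALL" in rule["cmds"] or command in rule["cmds"])

def password_required(sudoers, user, groups, command):
    """Emulate sudo's last-match-wins: the final matching user spec decides
    whether NOPASSWD applies. Returns None if no rule permits the command."""
    decision = None
    for rule in parse_sudoers(sudoers):
        if rule_matches(rule, user, groups, command):
            decision = not rule["nopasswd"]
    return decision

# Constructed snippets mirroring the two orders described in the post.
COMMON = "Defaults !tty_tickets, !lecture\nCmnd_Alias SCRIPTS = /run/wrappers/bin/mount\n"
DEFAULT_RULES = "root     ALL=(ALL:ALL)    SETENV: ALL\n%wheel  ALL=(ALL:ALL)    SETENV: ALL\n"
USER_RULE = "user ALL=NOPASSWD: SCRIPTS\n"
CONFIGFILE_ORDER = COMMON + USER_RULE + DEFAULT_RULES   # configFile: user rule before %wheel
EXTRACONFIG_ORDER = COMMON + DEFAULT_RULES + USER_RULE  # extraConfig: user rule after %wheel

if __name__ == "__main__":
    for name, text in (("configFile", CONFIGFILE_ORDER), ("extraConfig", EXTRACONFIG_ORDER)):
        need = password_required(text, "user", {"wheel"}, "/run/wrappers/bin/mount")
        print(f"{name}: password required for mount -> {need}")
```

On a real system the authoritative check is `sudo -l -U <user> <command>` after `visudo -c`, since the emulation above ignores host, runas and Defaults handling.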
