Sudo UID issues

I was trying to automate some command execution, using webhook. I set up systemd service, to run webhook in background. In my case, those commands, which webhook had to execute, required root priviligies, that’s why I set up sudo on my server this way:

security.sudo = {
    enable = true;
    wheelNeedsPassword = false;

and then, added user, from which I run systemd service, to wheel group

users.users.webhook = {
    isNormalUser = false;
    extraGroups = [ "wheel" ];

Here’s systemd service configuration: = {
    path = with pkgs; [
    enable = true;
    serviceConfig = {
      User = "webhook";
      ExecStart = "${pkgs.webhook}/bin/webhook -hooks /etc/webhook.conf -secure -cert /var/lib/acme/ -key /var/lib/acme/ -verbose";
environment.etc."webhook.conf".text = ''
      "id": "update",
      "execute-command": "${pkgs.updateScript}/bin/updateScript",
      "command-working-directory": "/tmp"

And here is how I create updateScript:

nixpkgs.overlays = [(self: super: {
    updateScript = pkgs.writeScriptBin "updateScript" ''

      ${pkgs.sudo}/bin/sudo ${}/bin/nixos-rebuild switch --upgrade

But when systemd service runs updateScript, it shows this error:

sudo must be owned by uid 0 and have the setuid bit set

So I’m wondering, how to make sudo work for systemd service, or is there any way of granting systemd service superuser priviligies, without sudo

You need to use /run/wrappers/bin/sudo, it is a special wrapper that fulfils the requirements of beeing owned correctly.