{
  # sudo and nix can only be used by the wheel group
  nix.settings.allowed-users = ["@wheel"];
  security.sudo.execWheelOnly = true;
}