{
  # sudo and nix can only be used by the wheel group

  nix.settings.allowed-users = ["@wheel"];

  security.sudo = {
    enable = true;
    execWheelOnly = true;
    extraConfig = "Defaults insults";
  };
}