authorIgor Pashev <pashev.igor@gmail.com>2017-03-25 11:23:40 +0300
committerIgor Pashev <pashev.igor@gmail.com>2017-03-25 11:23:40 +0300
commit6c8b85f04ca2f287ad4244bc911726739a1a212a (patch)
treee56c580cf577e7e7066eff781d6c50208b586fb7 /modules/system
parentf7bb9e36ae9b82c488c129bd012bbb78a5c813ef (diff)
Add sysops group
The wheel group is allowed to do everything by default. We need a separate group to really confine users. For example:

    $ sudo ls
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    [sudo] password for pashev:
    Sorry, user pashev is not allowed to execute '/run/current-system/sw/bin/ls --color=tty' as root on vbox-manul.
Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/sysops.nix15
1 files changed, 11 insertions, 4 deletions
diff --git a/modules/system/sysops.nix b/modules/system/sysops.nix
index ccf6d0b..54ff074 100644
--- a/modules/system/sysops.nix
+++ b/modules/system/sysops.nix
@@ -1,8 +1,7 @@
{ config, lib, ...}:
let
- inherit (lib) concatMapStringsSep concatStringsSep mkOption types;
- inherit (types) str listOf;
+ inherit (lib) concatStringsSep genAttrs mkIf ;
bindir = "/run/current-system/sw/bin";
@@ -27,9 +26,17 @@ let
in {
- config = {
+ config = mkIf ( [] != config.nixsap.system.users.sysops ) {
+ nixsap.system.groups = [ "sysops" ];
+
+ users.users = genAttrs config.nixsap.system.users.sysops (
+ name: {
+ extraGroups = [ "sysops" "systemd-journal" "proc" ];
+ }
+ );
+
security.sudo.extraConfig = ''
- %wheel ALL=(ALL) NOPASSWD: ${commands}
+ %sysops ALL=(ALL) NOPASSWD: ${commands}
'';
};
}
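Review bot: The new sudoers rule `%sysops ALL=(ALL) NOPASSWD: ${commands}` lets a sysops member run every listed command passwordless as *any* user, not just root, even though the commit message describes the goal as confining what runs "as root"; unless some command genuinely needs another target user, `%sysops ALL=(root) NOPASSWD: ${commands}` is the tighter rule. The `commands` string is built in the `let` block above this hunk, outside the visible diff, so its entries cannot be checked here — if any of them is listed without argument restrictions and can spawn a shell, editor or pager, the confinement this commit sets out to achieve is bypassable, which is worth confirming or noting in a comment next to the rule. The `extraGroups` line also grants `systemd-journal` (full journal read) and `proc` membership with no explanation; a one-line comment such as `# journal read access and unrestricted /proc visibility are intentional for operators` would record that these are deliberate privilege grants rather than incidental.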