diff --git a/nix/modules/system/sudo.nix b/nix/modules/system/sudo.nix
new file mode 100644
index 0000000..1c9b560
--- /dev/null
+++ b/nix/modules/system/sudo.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+let
+ cfg = config.flake;
+in
+{
+ flake.modules.nixos.default = {
+ security.sudo.wheelNeedsPassword = false;
+ nix.settings.trusted-users = [ "@wheel" ];
+ users.users.${cfg.admin.username}.extraGroups = [ "wheel" ];
+ };
+}
diff --git a/nix/modules/system/users.nix b/nix/modules/system/users.nix
index b9ab8f7..5815089 100644
--- a/nix/modules/system/users.nix
+++ b/nix/modules/system/users.nix
@@ -1,26 +1,20 @@ -{ config, lib, ... }: +{ config, ... }: let cfg = config.flake; inherit (cfg.lib.modules) userListToAttrs forAllUsers'; - inherit (lib.lists) optional; in { flake.modules.nixos.default = { config, ... }: { - #TODO: move sudo/security options elsewhere - # security.sudo.wheelNeedsPassword = false; - # nix.settings.trusted-users = [ "@wheel" ]; - # persist uids and gids persistDirs = [ "/var/lib/nixos" ]; users = { mutableUsers = false; groups.users.gid = 100; users = forAllUsers' ( - name: value: { + name: _: { isNormalUser = true; hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path; - extraGroups = optional (value.primary or false) "wheel"; } ); };
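Review bot: In the new sudo.nix, `security.sudo.wheelNeedsPassword = false;` and `nix.settings.trusted-users = [ "@wheel" ];` become active for every host that takes `flake.modules.nixos.default`, with no comment explaining the decision; before this commit both existed only as commented-out TODO lines in users.nix. Together they make any process running as a wheel member root-equivalent with no authentication step, since a Nix trusted user is effectively root on the daemon, and any later wheel addition from another module inherits the same trust. If this is intended, record it next to the settings, for example `# wheel is root-equivalent here (passwordless sudo + trusted-users): <reason>`. Consider also narrowing daemon trust to the named account with `nix.settings.trusted-users = [ cfg.admin.username ];` so that group membership alone does not grant it.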
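Review bot: In users.nix, removing `extraGroups = optional (value.primary or false) "wheel";` means a user's `primary` flag no longer grants wheel; the only wheel member visible in this diff is now `cfg.admin.username` from sudo.nix. With `mutableUsers = false`, a host whose sudo access came from a `primary` user other than the admin loses it on the next switch. It is worth confirming that `admin.username` names one of the users built by `forAllUsers'` on every host; the option definitions are outside this diff. A short comment above `name: _: {` would record the new rule, for example `# wheel is assigned in sudo.nix to cfg.admin.username only`. If `primary` is still declared in the user schema, this module no longer reads it, so it could be removed or documented as unused.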