{ ... }:
{
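  # Passwordless sudo for members of "wheel", limited to the power-management
  # binaries and systemctl listed below.
  #
  # NOTE(review): the systemctl entry carries no argument restriction. Run as
  # root, systemctl can start, stop or alter any unit, so this grant is broadly
  # root-equivalent for every wheel member without a password prompt. Consider
  # pinning the permitted sub-commands in the command string, or dropping the
  # entry if the polkit manage-units rule in this file already covers the need.
  security.sudo.extraRules = [
    {
      # `groups` and `options` are list-typed in the NixOS sudo module; a bare
      # string is rejected by the option type check at evaluation time.
      groups = [ "wheel" ];
      commands = map (command: { inherit command; options = [ "NOPASSWD" ]; }) [
        "/run/current-system/sw/sbin/shutdown"
        "/run/current-system/sw/sbin/reboot"
        "/run/current-system/sw/sbin/halt"
        "/run/current-system/sw/bin/systemctl"
      ];
    }
  ];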

  # Declare the "network" group with no extra settings. The polkit rule in this
  # file grants Bluetooth/NetworkManager actions based on membership of this
  # group; no members are assigned here.
  users.extraGroups.network = {};

  # polkit authorization rules. extraConfig is JavaScript evaluated by polkit;
  # a rule that returns nothing leaves the decision to later rules/defaults.
  security.polkit = {
    enable = true;
    # Rule 1: any subject in "wheel" gets Result.YES (no authentication prompt)
    # for org.freedesktop.systemd1.manage-units.
    # NOTE(review): unlike rule 2, this rule does not test subject.local or
    # subject.active, so it also matches remote or inactive sessions of wheel
    # members. Confirm that is intended; otherwise add the same two checks.
    #
    # Rule 2: subjects in "network" get Result.YES for the blueman rfkill and
    # network-setup actions and for NetworkManager system settings changes, but
    # only from a local, active session.
    extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (    action.id == "org.freedesktop.systemd1.manage-units"
             && subject.isInGroup("wheel")
           ) {
          return polkit.Result.YES;
        }
      });

      polkit.addRule(function(action, subject) {
        if ((action.id == "org.blueman.rfkill.setstate" ||
             action.id == "org.blueman.network.setup" ||
             action.id == "org.freedesktop.NetworkManager.settings.modify.system"
            ) && subject.local
            && subject.active && subject.isInGroup("network")
           ) {
          return polkit.Result.YES;
        }
      });
    '';
  };
}