diff --git a/common/users/default.nix b/common/users/default.nix
index d9c87e6..2a4c5b3 100644
--- a/common/users/default.nix
+++ b/common/users/default.nix
@@ -1,3 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption types genAttrs;
+ cfg = config.fountain;
+in
 {
 # TODO: consider DRY-ing these
 imports = [
@@ -7,5 +13,21 @@
 ./trungle.nix
 ];
- users.mutableUsers = false;
+ options.fountain = {
+ admins = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "List of users who should have root on this system";
+ };
+ };
+
+ config = {
+ users.mutableUsers = false;
+
+ users.users = genAttrs cfg.admins
+ (name: {
+ extraGroups = [ "wheel" ];
+ }
+ );
+ };
 }
diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix
index e4a517a..97aba67 100644
--- a/hosts/elucredassa/default.nix
+++ b/hosts/elucredassa/default.nix
@@ -37,7 +37,7 @@ in
 };
 fountain.users.qenya.enable = true;
- users.users.qenya.extraGroups = [ "wheel" ];
+ fountain.admins = [ "qenya" ];
 system.stateVersion = "24.11";
 }
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index 473f587..65a0ced 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -15,7 +15,7 @@ in
 networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
- users.users.qenya.extraGroups = [ "wheel" ];
+ fountain.admins = [ "qenya" ];
 fountain.users.randomcat.enable = true;
 fountain.users.trungle.enable = true;
diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix
index f9f4600..96542d0 100644
--- a/hosts/kilgharrah/default.nix
+++ b/hosts/kilgharrah/default.nix
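Review bot: In common/users/default.nix (second hunk), `fountain.admins` accepts any string and `genAttrs cfg.admins` emits a `users.users.<name>` entry with wheel for each one, with no check that the name is a user this host has enabled through `fountain.users.<name>.enable`. A misspelt name will presumably fail evaluation only with the generic NixOS user assertion, and a name that some other module already defines as an account on the host would gain wheel without anyone having enabled it as a fountain user. Since this option is now the single place that grants root-equivalent access, an explicit assertion tying each admin to an enabled fountain user would make the grant auditable and the failure message clear. The sketch below assumes the per-user modules declare their options under `options.fountain.users`, which is not visible in this diff.

```nix
  config = {
    # … unchanged: users.mutableUsers and users.users = genAttrs cfg.admins … …

    # Refuse to build when an admin is not an enabled fountain user on this host.
    assertions = map
      (name: {
        assertion = cfg.users.${name}.enable or false;
        message = "fountain.admins lists '${name}', but fountain.users.${name}.enable is not set on this host";
      })
      cfg.admins;
  };
```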
@@ -32,7 +32,7 @@ in
 fountain.users.qenya.enable = true;
 age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age;
 users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path;
- users.users.qenya.extraGroups = [ "wheel" ];
+ fountain.admins = [ "qenya" ];
 home-manager.users.qenya = { pkgs, ... }: {
 home.packages = with pkgs; [ obs-studio ]; # For the moment, this hosts some network-accessible services, so we want it on 24/7
diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix
index 5814498..f5aa5fd 100644
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@@ -12,7 +12,7 @@
 networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
- users.users.qenya.extraGroups = [ "wheel" ];
+ fountain.admins = [ "qenya" ];
 qenya.base-server.enable = true;
 qenya.services.distributed-builds = {
diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix
index 3bb4c52..dd1f21f 100644
--- a/hosts/tohru/default.nix
+++ b/hosts/tohru/default.nix
@@ -31,10 +31,10 @@ in
 nix.optimise.automatic = mkForce false;
 fountain.users.qenya.enable = true;
+ fountain.admins = [ "qenya" ];
 age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age;
 users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path;
 users.users.qenya.extraGroups = [
- "wheel" # sudo
 "networkmanager" # UI wifi configuration
 "dialout" # access to serial ports
 ];
diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix
index 9e5758a..b93c14b 100644
--- a/hosts/yevaud/default.nix
+++ b/hosts/yevaud/default.nix
@@ -16,7 +16,7 @@
 networking.domain = "birdsong.network";
 fountain.users.qenya.enable = true;
- users.users.qenya.extraGroups = [ "wheel" ];
+ fountain.admins = [ "qenya" ];
 qenya.base-server.enable = true;
 qenya.services.distributed-builds = {
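Review bot: In hosts/tohru/default.nix the explicit `users.users.qenya.extraGroups` list no longer shows that qenya holds wheel, so the list reads as the account's complete group membership when it is not. The grant still applies because `extraGroups` is a list option and the definition added in common/users/default.nix is merged with this one, but that is not obvious from this file alone. Adding a comment above the list, such as `# "wheel" is added by fountain.admins above; this list merges with it`, would keep the privileged membership discoverable for anyone auditing the host.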