# Install at /etc/sudoers.d/ttyd-users (mode 0440, owner root:root).
#
# wizard (the user running ttyd.service + tmux-api.service) needs to run
# tmux as the OS user that backs each Authentik identity. Narrow the
# NOPASSWD grant to the tmux binary only, scoped to each named target user
# — never `(ALL)`.
#
# Add one line per OS user listed on the right-hand side of
# /etc/ttyd-user-map. The mapping file is the source of truth for which
# Authentik usernames are accepted; this file is the kernel-level grant
# that makes the per-user attach actually work.

wizard ALL=(emo) NOPASSWD: /usr/bin/tmux