Use classic unix users rather than systemd dynamic users

Dynamic Users are neat and probably very useful for a tmpnb
style situation. However, for regular use they have the following
problems:

1. Can't set ProtectHome=no, so you can never apt install or
   similar from inside admin accounts.
2. Dynamic uid / gid makes it hard to write sudo rules. We want
   admin users to have sudo.
3. Persistent uids / gids are very useful for ad-hoc ACLs between
   users. gid sharing isn't the most flexible sharing mechanism,
   but it is well known & quite useful.
4. /etc/skel is pretty useful!
yuvipanda
2018-06-26 23:30:06 -07:00
parent 335ba3c8a6
commit f90a0fa540
5 changed files with 260 additions and 17 deletions


@@ -2,6 +2,7 @@ import sys
import os
import tljh.systemd as systemd
import tljh.conda as conda
from tljh import user
INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')
HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')
@@ -17,7 +18,7 @@ def ensure_jupyterhub_service(prefix):
unit = unit_template.format(
python_interpreter_path=sys.executable,
jupyterhub_config_path=os.path.join(HERE, 'jupyterhub_config.py'),
prefix=prefix
install_prefix=INSTALL_PREFIX
)
systemd.install_unit('jupyterhub.service', unit)
@@ -33,13 +34,20 @@ def ensure_jupyterhub_package(prefix):
conda.ensure_conda_packages(prefix, ['jupyterhub==0.9.0'])
conda.ensure_pip_packages(prefix, [
'jupyterhub-dummyauthenticator==0.3.1',
'jupyterhub-systemdspawner==0.9.12'
'jupyterhub-systemdspawner==0.9.12',
'escapism'
])
ensure_jupyterhub_package(HUB_ENV_PREFIX)
ensure_jupyterhub_service(HUB_ENV_PREFIX)
user.ensure_group('jupyterhub-admins')
user.ensure_group('jupyterhub-users')
with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:
f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL')
conda.ensure_conda_env(USER_ENV_PREFIX)
conda.ensure_conda_packages(USER_ENV_PREFIX, [
'jupyterhub==0.9.0',
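Review bot: The sudoers drop-in written by `with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:` is created in place with no trailing newline, no explicit mode and no syntax check, and a drop-in that sudo rejects can leave sudo unusable on the host. I would set the mode and terminate the rule, `os.fchmod(f.fileno(), 0o440)` followed by `f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')`, and ideally write to a temporary file, validate it with `visudo -c -f`, and only then rename it into place. A comment above the block, for example `# Members of jupyterhub-admins get passwordless root; group membership is the root boundary.`, would make the trust decision explicit for whoever later adds users to that group. In the same hunk, `'escapism'` is the only pip requirement without a version pin next to the pinned entries around it, so pinning it would keep installs reproducible.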