From d0fcde133dc0f634a8f1c5dd5dbd79124bb0d170 Mon Sep 17 00:00:00 2001
From: imxyy_soope_
Date: Fri, 4 Jul 2025 20:06:59 +0800
Subject: [PATCH] feat: move to doas
---
 modules/user.nix | 69 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 58 insertions(+), 11 deletions(-)
diff --git a/modules/user.nix b/modules/user.nix
index fe39158..13ff134 100644
--- a/modules/user.nix
+++ b/modules/user.nix
@@ -27,7 +27,6 @@ lib.my.makeSwitch {
 description = userdesc;
 shell = pkgs.zsh;
 extraGroups = [
- "wheel"
 username
 ];
 hashedPasswordFile = lib.mkDefault config.sops.secrets.imxyy-nix-hashed-password.path;
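Review bot: Removing `"wheel"` from extraGroups takes the user out of NixOS's default sudo rule, but nothing in the patch sets `security.sudo.enable = false;`, and that option defaults to true, so a setuid sudo remains installed next to doas after this change. If the point of the move is a single privilege-escalation path, add `security.sudo.enable = false;` beside the new `security.doas` block in the second hunk so the old path is actually retired rather than merely unreachable for this user. Anything else that keyed on wheel membership should be checked too; the `nix.settings.trusted-users` list whose opening line is the last visible context of the second hunk is the obvious candidate, though its contents are outside this diff so that is unverified. The `lib.my.makeSwitch` attribute set enclosing this hunk begins before it.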
@@ -36,16 +35,64 @@ lib.my.makeSwitch {
 };
 users.users.root.hashedPasswordFile = lib.mkDefault config.sops.secrets.imxyy-nix-hashed-password.path;
- security.sudo.extraRules = [
- {
- users = [ username ];
- commands = [
- {
- command = "ALL";
- options = [ "NOPASSWD" ];
- }
- ];
- }
+ security.doas = {
+ enable = true;
+ extraRules = [
+ {
+ users = [ username ];
+ noPass = true;
+ }
+ ];
+ };
+ environment.shellAliases = {
+ sudo = "doas";
+ sudoedit = "doasedit";
+ };
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "doasedit" ''
+ if [ -n "''${2}" ]; then
+ printf 'Expected only one argument\n'
+ exit 1
+ elif [ -z "''${1}" ]; then
+ printf 'No file path provided\n'
+ exit 1
+ elif [ "$(id -u)" -eq 0 ]; then
+ printf 'Cannot be run as root\n'
+ exit 1
+ fi
+
+ set -eu
+
+ tempdir="$(mktemp -d)"
+
+ trap 'rm -rf $tempdir' EXIT
+ srcfile="$(doas realpath "$1")"
+
+ if doas [ -f "$srcfile" ]; then
+ doas cp -a "$srcfile" "$tempdir"/file
+ doas cp -a "$tempdir"/file "$tempdir"/edit
+
+ # make sure that the file is editable by user
+ doas chown "$USER":"$USER" "$tempdir"/edit
+ chmod 600 "$tempdir"/edit
+ else
+ # create file with "regular" system permissions (root:root 644)
+ touch "$tempdir"/file
+ doas chown root:root "$tempdir"/file
+ fi
+
+ $EDITOR "$tempdir"/edit
+
+ doas tee "$tempdir"/file 1>/dev/null < "$tempdir"/edit
+
+ if doas cmp -s "$tempdir/file" "$srcfile"; then
+ printf 'Skipping write; no changes.\n'
+ exit 0
+ else
+ doas mv -f "$tempdir"/file "$srcfile"
+ exit 0
+ fi
+ '')
 ];
 nix.settings.trusted-users = [