use doas instead of sudo

flake.nix

@@ -145,6 +145,7 @@
     outputsBuilder = channels: let
       pkgs = channels.unstable;
       pkgs-zfs = channels.unstable-zfs;
+      # FIXME: nixos-rebuild with --flakes flag doesn't work with doas
       rebuild = pkgs.writeShellScriptBin "rebuild" ''
         if [[ -z $1 ]]; then
           echo "Usage: $(basename $0) {switch|boot|test}"
@@ -152,8 +153,8 @@
           shift
           nix build .#nixosConfigurations.Flakes-ISO.config.system.build.isoImage "$@"
         else
-          arg=$1; shift;
-          sudo nixos-rebuild $arg --flake . "$@"
+          # doas nix-shell -p git --run "nixos-rebuild --flake . $@"
+          \sudo nixos-rebuild --flake . $@
         fi
       '';
       update-vscode = pkgs.writeShellScriptBin "update-vscode" ''

modules/secrets.nix

@@ -62,7 +62,7 @@ let
       } "${password-store}"
     fi
     cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
-    [ ! -z "${allServices}" ] && sudo systemctl restart ${allServices}
+    [ ! -z "${allServices}" ] && doas systemctl restart ${allServices}
   '';
 
   decrypt = name: cfg:
@@ -79,7 +79,7 @@ let
         '';
 
         script = ''
-          if cat '${encrypted}' | /run/wrappers/bin/sudo -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
+          if cat '${encrypted}' | /run/wrappers/bin/doas -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
             mv -f '${decrypted}.tmp' '${decrypted}'
             chown '${owner}' '${decrypted}'
             chmod '${permissions}' '${decrypted}'
@@ -112,10 +112,12 @@ let
 
   mkServices = name: cfg: [ (decrypt name cfg) (addDependencies name cfg) ];
 
-  allServices = toString (map (name: "${name}-envsubst.service")
+  allServicesMap = (map (name: "${name}-envsubst.service")
     (builtins.attrNames config.secrets-envsubst)
     ++ map (name: "${name}-secrets.service")
     (builtins.attrNames config.secrets));
+
+  allServices = toString allServicesMap;
 in {
   options.secrets = lib.mkOption {
     type = attrsOf (submodule secret);
@@ -140,12 +142,12 @@ in {
   config.systemd.services =
     mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
 
-  config.security.sudo.extraRules = [{
+  config.security.doas.extraRules = [{
     users = [ "alukard" ];
-    commands = [{
-      command = "/run/current-system/sw/bin/systemctl restart ${allServices}";
-      options = [ "NOPASSWD" ];
-    }];
+    noPass = true;
+    keepEnv = true;
+    cmd = "/run/current-system/sw/bin/systemctl ";
+    args = [ "restart" ] ++ allServicesMap;
   }];
 
   config.home-manager.users.alukard = {

profiles/nix/doas.patch

@@ -0,0 +1,23 @@
+From 012a913fbc861029a0f4b100cfd57d3b505a455f Mon Sep 17 00:00:00 2001
+From: ForeverNooob <106961997+ForeverNooob@users.noreply.github.com>
+Date: Sun, 30 Oct 2022 08:13:19 +0000
+Subject: [PATCH] Add doas support to the installation script.
+
+Previously the install errored out and told you to manually add `/nix/` and set the perms if you had `doas` installed instead of `sudo`. Well, not any more!
+---
+ scripts/install-nix-from-closure.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
+index d4eed2efe80..d8931e97015 100644
+--- a/scripts/install-nix-from-closure.sh
++++ b/scripts/install-nix-from-closure.sh
+@@ -137,7 +137,7 @@ echo "performing a single-user installation of Nix..." >&2
+ if ! [ -e "$dest" ]; then
+     cmd="mkdir -m 0755 $dest && chown $USER $dest"
+     echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
+-    if ! sudo sh -c "$cmd"; then
++    if ! (sudo sh -c "$cmd" || doas sh -c "$cmd") ; then
+         echo "$0: please manually run '$cmd' as root to create $dest" >&2
+         exit 1
+     fi

profiles/overlay.nix

@@ -68,7 +68,7 @@ with lib; {
 
         nix = inputs.nix.packages.${system}.default.overrideAttrs (oa: {
           doInstallCheck = false;
-          patches = [ ./nix/nix.patch ] ++ oa.patches or [ ];
+          patches = [ ./nix/nix.patch ./nix/doas.patch ] ++ oa.patches or [ ];
         });
 
         nix-direnv = inputs.nix-direnv.packages.${system}.default.override { pkgs = final; };

profiles/security.nix

@@ -10,7 +10,6 @@ with config.deviceSpecific; {
       "audio"
       "cdrom"
       "corectrl"
-      "dbus"
       "dialout"
       "disk"
       "docker"
@@ -20,41 +19,69 @@ with config.deviceSpecific; {
       "lp"
       "lxd"
       "networkmanager"
-      "pulse"
+      "podman"
+      "qemu-libvirtd"
       "scanner"
       "smbuser"
-      "sound"
-      "sudo"
-      "vboxusers"
       "video"
-      "wheel"
+      # "wheel" # remove?
     ];
     description = "AtaraxiaDev";
     uid = 1000;
     hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
     shell = pkgs.zsh;
   };
+  # Safe, because we using doas
+  users.allowNoPasswordLogin = true;
+  # FIXME
   security.sudo = {
     enable = true;
-    extraConfig = lib.concatStrings [''
-      alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
-    ''
-    (if (isLaptop) then ''
-      alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
-      alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
-      alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
-    '' else "")
-    ];
+    extraRules = [{
+      users = [ "alukard" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/nixos-rebuild";
+        options = [ "SETENV" "NOPASSWD" ];
+      } {
+        command = "/run/current-system/sw/bin/nix";
+        options = [ "SETENV" "NOPASSWD" ];
+      } {
+        command = "/run/current-system/sw/bin/nix-shell";
+        options = [ "SETENV" "NOPASSWD" ];
+      }];
+    }];
+    # extraConfig = lib.concatStrings [''
+    #   alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
+    # ''
+    # (if (isLaptop) then ''
+    #   alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
+    #   alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
+    #   alukard ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
+    # '' else "")
+    # ];
   };
-  home-manager.users.alukard = {
-    systemd.user.services.polkit-agent = lib.mkIf (!isServer) {
-      Unit = {
-        Description = "Run polkit authentication agent";
-        X-RestartIfChanged = true;
-      };
-      Install.WantedBy = [ "sway-session.target" ];
-      Service = { ExecStart = "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"; };
-    };
+  security.doas = {
+    enable = true;
+    extraRules = [{
+      users = [ "alukard" ];
+      keepEnv = true;
+      persist = true;
+    } {
+      users = [ "alukard" ];
+      noPass = true;
+      keepEnv = true;
+      cmd = "/run/current-system/sw/bin/btrfs";
+      args = [ "fi" "usage" "/" ];
+    }] ++ lib.optionals isLaptop [{
+      users = [ "alukard" ];
+      noPass = true;
+      keepEnv = true;
+      cmd = "/run/current-system/sw/bin/tlp";
+    } {
+      users = [ "alukard" ];
+      noPass = true;
+      keepEnv = true;
+      cmd = "/run/current-system/sw/bin/tlp-stat";
+    }];
   };
   systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
   services.getty.autologinUser = "alukard";

profiles/workspace/i3status-rust/scripts/df.nix

@@ -1,4 +1,4 @@
 { iconfont, ... }: ''
   #!/usr/bin/env bash
-  echo '<span font="${iconfont} Solid"></span>' `(sudo btrfs fi usage / | head -n7 | tail -n1 | awk '{print $3}')`
+  echo '<span font="${iconfont} Solid"></span>' `(doas btrfs fi usage / | head -n7 | tail -n1 | awk '{print $3}')`
 ''

profiles/workspace/zsh/default.nix

@@ -53,6 +53,7 @@
         '';
 
         shellAliases = {
+          "_" = "doas";
           "clr" = "clear";
           "weather" = "curl wttr.in/Volzhskiy";
           "rede" = "systemctl --user start gammastep.service &";