machine_setup/nix/configuration/roles/doas/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:

{
  imports = [ ];

  options.me = {
    doas.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install doas.";
    };
  };

  config = lib.mkIf config.me.doas.enable {
    # Use doas instead of sudo
    security.doas.enable = true;
    security.doas.wheelNeedsPassword = false;
    security.sudo.enable = false;
    security.doas.extraRules = [
      {
        # Retain environment (for example NIX_PATH)
        keepEnv = true;
        persist = true; # Only ask for a password the first time.
      }
    ];
    environment.systemPackages = with pkgs; [
      doas-sudo-shim # To support --sudo for remote builds
    ];
  };
}