From b497b6405db42fbb1097a243cc4f39c8e4e4f116 Mon Sep 17 00:00:00 2001
From: Henri Dohmen
Date: Wed, 2 Jul 2025 22:40:07 +0200
Subject: [PATCH] sudo -> doas
---
 host/nix.nix | 1 -
 host/roam/default.nix | 7 +++++++
 host/roam/security.nix | 9 ---------
 mod/desktop/default.nix | 6 +++---
 mod/desktop/security.nix | 28 ++++++++++++++++++++++++++++
 5 files changed, 38 insertions(+), 13 deletions(-)
 delete mode 100644 host/roam/security.nix
 create mode 100644 mod/desktop/security.nix
diff --git a/host/nix.nix b/host/nix.nix
index 86b42fd..7deb378 100644
--- a/host/nix.nix
+++ b/host/nix.nix
@@ -13,6 +13,5 @@
 trusted-users = [ "root" ];
 auto-optimise-store = true;
 };
- nixpkgs.config.allowUnfree = false;
 }
diff --git a/host/roam/default.nix b/host/roam/default.nix
index dd9a50e..e370f5f 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -9,6 +9,13 @@
 ./services.nix
 ];
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "acme@henri-dohmen.de";
+ };
+ };
+
 # ====== DON'T CHANGE ======
 system.stateVersion = "24.11";
 }
diff --git a/host/roam/security.nix b/host/roam/security.nix
deleted file mode 100644
index 9c8200d..0000000
--- a/host/roam/security.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-{
-security = {
-acme = {
-acceptTerms = true;
-defaults.email = "acme@henri-dohmen.de";
-};
-};
-}
diff --git a/mod/desktop/default.nix b/mod/desktop/default.nix
index a8bd2f4..b4b01f8 100644
--- a/mod/desktop/default.nix
+++ b/mod/desktop/default.nix
@@ -15,9 +15,10 @@ in
 ./fonts.nix
 ./gpg.nix
 ./network.nix
+ ./security.nix
 ./services.nix
- ./window-manager.nix
 ./software
+ ./window-manager.nix
 inputs.nixos-config-hidden.nixosModules.pc
 inputs.home-manager.nixosModules.home-manager
 {
@@ -45,6 +46,7 @@ in
 fonts.enable = true;
 gpg.enable = true;
 network.enable = true;
+ security.enable = true;
 services.enable = true;
 software.enable = true;
 wm.enable = true;
@@ -70,7 +72,5 @@ in
 home.stateVersion = config.system.stateVersion;
 imports = [ ../../mod-hm ];
 };
-
- security.protectKernelImage = true;
 };
 }
diff --git a/mod/desktop/security.nix b/mod/desktop/security.nix
new file mode 100644
index 0000000..5bc97a0
--- /dev/null
+++ b/mod/desktop/security.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.desktop.security;
+ inherit (lib) mkEnableOption mkIf;
+in
+{
+ options.desktop.security.enable = mkEnableOption "Security";
+ config = mkIf cfg.enable {
+ security.protectKernelImage = true;
+
+ security.sudo.enable = false;
+ security.doas = {
+ enable = true;
+ extraRules = [
+ {
+ groups = [ "wheel" ];
+ persist = true;
+ keepEnv = true;
+ }
+ ];
+ };
+ };
+}
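Review bot: The wheel rule in the `extraRules` entry of the new mod/desktop/security.nix sets `keepEnv = true`, which hands every privileged command the invoking user's full environment (PATH included) instead of the reduced environment doas otherwise builds, so a wheel user's environment shapes what runs as root; `persist = true` is the equivalent of sudo's credential timestamp and is fine on its own. Unless a specific program needs its environment carried across, the rule should read `{ groups = [ "wheel" ]; persist = true; }`, or list only the variables that must survive via the rule's `setEnv` attribute rather than the blanket flag. A one-line comment above `security.sudo.enable = false;` would also help, noting that hosts with `desktop.security.enable = true` no longer have `sudo` at all, so any script or rebuild helper still calling it must be switched to `doas`. Moving `security.protectKernelImage = true;` out of mod/desktop/default.nix into this gated module is consistent with the `security.enable = true;` added there, so that part is fine as long as nothing else imports the desktop module without enabling it.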