dotfiles/nixos/modules/doas.nix

{ flake, config, ... }:
let
  inherit (flake.config.people)
    user0
    user2
    ;
  inherit (flake.config.machines)
    devices
    ;
  hostname = config.networking.hostName;
  desktop = devices.desktop.name;
  fallaryn = devices.fallaryn.name;
in
{
  security = {
    doas = {
      enable = true;
      extraRules = [
        {
          keepEnv = true;
          noPass = true;
          users = [
            (
              if hostname == desktop then
                user0
              else if hostname == fallaryn then
                user2
              else
                ""
            )
          ];
        }
      ];
    };
    # sudo.enable = false;
  };
}