From 36e8e08e2f615e95460e27b9afe09ca7bf84c5ac Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Sat, 5 Oct 2024 18:25:08 +0200
Subject: [PATCH] use doas, get steam to work
---
 share/common.nix | 24 +++++++++++++++++-------
 share/home.nix | 14 +++++++-------
 2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/share/common.nix b/share/common.nix
index 6543d55..d4f1fe9 100644
--- a/share/common.nix
+++ b/share/common.nix
@@ -376,6 +376,7 @@ in
 vscodium
 vulkan-tools
 wayland-utils
+ xorg.xhost
 xorg.xlsclients
 zoxide
 zsh
@@ -489,8 +490,11 @@ in
 };
 };
- # OpenGL
- hardware.graphics.enable = true;
+ # OpenGL, 32-bit for steam
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ };
 # try to ensure we can use our network LaserJet
 services.printing.enable = true;
@@ -560,9 +564,15 @@ in
 virtualisation.virtualbox.host.enableHardening = false;
 virtualisation.virtualbox.host.addNetworkInterface = false;
- # configure sudo
- security.sudo.execWheelOnly = true;
- security.sudo.extraConfig = ''
- Defaults lecture = never
- '';
+ # use doas instead of sudo
+ security.sudo.enable = false;
+ security.doas.enable = true;
+ security.doas.extraRules = [
+ # wheel users are allowed to become all users
+ { groups = [ "wheel" ]; noPass = false; keepEnv = true; persist = true; }
+
+ # wheel users can use sandbox stuff without password
+ { groups = [ "wheel" ]; runAs = "sandbox-games"; noPass = true; }
+ { groups = [ "wheel" ]; runAs = "sandbox-kde"; noPass = true; }
+ ];
 }
diff --git a/share/home.nix b/share/home.nix
index aaec33c..d1ab41a 100644
--- a/share/home.nix
+++ b/share/home.nix
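Review bot: The `xorg.xhost` line added to the package list in share/common.nix (first hunk) has no comment saying what it is for, and it is the one package here that changes who may connect to the X display. If it is meant to let the `sandbox-games` / `sandbox-kde` accounts from the doas rules in the third hunk open windows in the main session (an inference from the commit title, not visible in this hunk), X11 gives every connected client access to the input and screen contents of the whole session, so those accounts would not be isolated from the desktop. A comment next to the entry, for example `# xhost: used to admit the sandbox-* users to the X display; X11 does not isolate clients from each other`, would record that trade-off. The package list starts and ends outside the hunk.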
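Review bot: `keepEnv = true` on the first rule of `security.doas.extraRules` (share/common.nix, third hunk) passes the caller's entire environment to every command a wheel user runs through doas, root included, so variables set in the unprivileged session reach privileged processes. Prefer an explicit allow-list in place of it, e.g. `setEnv = [ "LANG" ];` (variable name illustrative; list only what the rebuild commands need). The hunk also removes `security.sudo.execWheelOnly = true;` without saying whether an equivalent restriction is wanted for doas, which is worth a line in the commit message. The two `noPass = true` rules depend on their position, since doas applies the last matching rule; a comment such as `# keep below the general wheel rule: doas uses the last matching rule` would protect that ordering. The enclosing attribute set opens outside the hunk.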
@@ -31,13 +31,13 @@
 # aliases
 shellAliases = {
 # system build/update/cleanup
- update = "sudo nixos-rebuild boot";
- upgrade = "sudo nixos-rebuild boot --upgrade";
- updatenow = "sudo nixos-rebuild switch";
- upgradenow = "sudo nixos-rebuild switch --upgrade";
- gc = "sudo nix-collect-garbage --delete-older-than 7d";
- verify = "sudo nix --extra-experimental-features nix-command store verify --all";
- optimize = "sudo nix --extra-experimental-features nix-command store optimise";
+ update = "doas nixos-rebuild boot";
+ upgrade = "doas nixos-rebuild boot --upgrade";
+ updatenow = "doas nixos-rebuild switch";
+ upgradenow = "doas nixos-rebuild switch --upgrade";
+ gc = "doas nix-collect-garbage --delete-older-than 7d";
+ verify = "doas nix --extra-experimental-features nix-command store verify --all";
+ optimize = "doas nix --extra-experimental-features nix-command store optimise";
 # list latest files last
 ltr = "eza -l -s modified";