# NixOS module that declares two top-level toggles (`doas.enable`,
# `sudo.enable`) and maps them onto the `security.sudo` / `security.doas`
# settings. Both privilege-escalation tools are configured here so that the
# `wheel` group does not need a password.
{ lib, config, ... }: {
	options = {
		# mkEnableOption creates a boolean option that defaults to false.
		doas.enable = lib.mkEnableOption "enables doas";
		# NOTE(review): this option is declared but not read anywhere in the
		# config below; sudo is currently forced on regardless of its value.
		sudo.enable = lib.mkEnableOption "enables sudo";
	};

	config = {
		security = {
			# Intended wiring, disabled in favour of the hard-coded value below.
			#sudo.enable = config.sudo.enable;
			sudo.enable = true;  # TODO remove once can be built from flake w git
			# Every account in `wheel` can run any command as root through sudo
			# without authenticating, so compromise of one wheel user's session
			# is equivalent to root. Keep `wheel` membership minimal and restrict
			# remote logins for those accounts accordingly.
			sudo.wheelNeedsPassword = false;
			doas.enable = config.doas.enable;
			# Only contributes a rule when the doas toggle is set.
			# NOTE(review): the rule lists no `users` or `groups`; confirm that
			# it produces a permit line at all. If the intent is for wheel to
			# keep its environment, be aware that keepEnv carries the caller's
			# environment variables into the command run as root.
			doas.extraRules = lib.mkIf config.doas.enable [{
				keepEnv = true;
			}];
			# Same passwordless-root consequence as the sudo setting above, for
			# doas. Set unconditionally; presumably it only matters when doas is
			# enabled.
			doas.wheelNeedsPassword = false;
		};
	};
}