diff --git a/common/default.nix b/common/default.nix
index d29640c..b88c9f8 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -79,6 +79,14 @@ in
     trusted-users = [ "root" "googlebot" ];
   };
 
+  # don't use sudo
+  security.doas.enable = true;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    # don't ask for password every time
+    { groups = [ "wheel" ]; persist = true; }
+  ];
+
   nix.gc.automatic = true;
 
   security.acme.acceptTerms = true;
diff --git a/common/shell.nix b/common/shell.nix
index 1ba9fb3..55c6336 100644
--- a/common/shell.nix
+++ b/common/shell.nix
@@ -21,6 +21,8 @@
     shellInit = ''
       # disable annoying fish shell greeting
       set fish_greeting
+
+      alias sudo="doas"
     '';
   };