From 51b8af587e46d4e03b059a51253d9671e27d08e3 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:31 +0100 Subject: feat(doas): smarter sudo shim + paru SudoLoop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The packaged doas-sudo-shim is just 'exec doas "$@"', which means 'sudo -v' (used by paru --sudoloop to keep the auth timestamp fresh during long AUR builds) hits doas, which doesn't implement -v, and the loop dies. Then when the build finally finishes and tries the real install, the cached timestamp has long expired, so we reprompt — and opendoas only allows one attempt before bailing, so a single mistype throws an hour of compilation away. Replace it (per-user, via $HOME/.local/bin precedence) with a shim that translates: -v -> doas true (refresh persist timestamp) -k / -K -> doas -L (clear) -E -H -i -S etc -> dropped (no doas equivalent) rest -> doas "$@" Then enable SudoLoop in paru.conf so the timestamp stays fresh. --- dot_config/paru/paru.conf | 2 +- dot_local/bin/executable_sudo | 59 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 dot_local/bin/executable_sudo diff --git a/dot_config/paru/paru.conf b/dot_config/paru/paru.conf index 57cb11b..6a3632c 100644 --- a/dot_config/paru/paru.conf +++ b/dot_config/paru/paru.conf @@ -14,7 +14,7 @@ Provides DevelSuffixes = -git -cvs -svn -bzr -darcs -always # BottomUp RemoveMake -#SudoLoop +SudoLoop #UseAsk CombinedUpgrade BatchInstall diff --git a/dot_local/bin/executable_sudo b/dot_local/bin/executable_sudo new file mode 100644 index 0000000..b643f34 --- /dev/null +++ b/dot_local/bin/executable_sudo 
@@ -0,0 +1,59 @@
+#!/bin/sh
+# sudo → doas shim that takes precedence over /usr/bin/sudo
+# (provided by doas-sudo-shim) by living in $HOME/.local/bin.
+#
+# Why a custom shim: opendoas does not implement `sudo -v` (extend the
+# auth timestamp without running a command). paru --sudoloop relies on
+# that to keep credentials fresh during long AUR builds; without it,
+# building gcc-git for an hour then mistyping the password at the install
+# step throws the whole build away. We translate the handful of sudo
+# flags paru / common scripts use into doas equivalents and swallow the
+# rest.
+#
+# Translations:
+# -v / --validate → doas true (refresh persist timestamp)
+# -k / -K → doas -L (clear persist timestamp)
+# -n → doas -n
+# -E -H -i -S → silently dropped
+# anything else → doas "$@"
+
+set -eu
+
+forward=
+for arg; do
+ case $arg in
+ -v|--validate)
+ exec doas true
+ ;;
+ -k|-K)
+ exec doas -L
+ ;;
+ -h|--help)
+ exec doas -h
+ ;;
+ -n)
+ forward="$forward -n"
+ ;;
+ -E|-H|-i|-S|--preserve-env|--set-home|--login|--stdin)
+ # meaningless under doas; drop
+ ;;
+ --)
+ shift
+ # shellcheck disable=SC2086
+ exec doas $forward "$@"
+ ;;
+ -*)
+ # unknown flag — pass through and let doas complain
+ forward="$forward $arg"
+ ;;
+ *)
+ # first non-flag: rest of argv is the command
+ # shellcheck disable=SC2086
+ exec doas $forward "$@"
+ ;;
+ esac
+ shift
+done
+
+# Only flags, no command — treat as `sudo -v` semantics.
+exec doas true
-- cgit v1.3.1
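Review bot: The `-v|--validate` branch and the final fallback both run `exec doas true` and discard whatever was collected in `$forward`, so `sudo -n -v` (a non-interactive check for cached credentials) loses its `-n` and can stop at a password prompt instead of failing fast; a bundled form such as `-nv` falls into `-*` and ends the same way. Both places should read `exec doas $forward true`, carrying the same `# shellcheck disable=SC2086` comment as the other exec lines. Silently dropping `-S` deserves a line in the header comment: a caller that pipes a password into `sudo -S cmd` will, as far as I can tell, see doas prompt on the terminal while the piped password stays on stdin for `cmd` to read. Because this file sits first in `PATH` in a user-writable directory and invokes bare `doas`, calling doas by its absolute path would keep the shim from resolving another user-writable `doas` ahead of the system binary.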