diff --git a/nix/nixosModules/common/sudo-conf.nix b/nix/nixosModules/common/sudo-conf.nix
index b2b66182..ad4c6a6a 100644
--- a/nix/nixosModules/common/sudo-conf.nix
+++ b/nix/nixosModules/common/sudo-conf.nix
@@ -1,8 +1,18 @@
 {pkgs, ...}: {
-  security.doas.enable = true;
   security.sudo.enable = false;
 
   environment.systemPackages = [
     pkgs.doas-sudo-shim
   ];
+  security.doas = {
+    enable = true;
+    extraRules = [
+      {
+        # invoke just with doas directly as a nixos-rebuild helper
+        users = [":wheel"];
+        setEnv = ["PATH"];
+        cmd = "just";
+      }
+    ];
+  };
 }