diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua
--- a/libexec/nuageinit/nuage.lua
+++ b/libexec/nuageinit/nuage.lua
@@ -276,6 +276,52 @@
 	end
 end
 
+local function adddoas(pwd)
+	local chmodetcdir = false
+	local chmoddoasconf = false
+	local root = os.getenv("NUAGE_FAKE_ROOTDIR")
+	local etcdir = "/usr/local/etc"
+	if root then
+		etcdir= root .. etcdir
+	end
+	local doasconf = etcdir .. "/doas.conf"
+	local doasconf_attr = lfs.attributes(doasconf)
+	if doasconf_attr == nil then
+		chmoddoasconf = true
+		local dirattrs = lfs.attributes(etcdir)
+		if dirattrs == nil then
+			local r, err = mkdir_p(etcdir)
+			if not r then
+				return nil, err .. " (creating " .. etcdir .. ")"
+			end
+			chmodetcdir = true
+		end
+	end
+	local f = io.open(doasconf, "a")
+	if not f then
+		warnmsg("impossible to open " .. doasconf)
+		return
+	end
+	if type(pwd.doas) == "string" then
+		local rule = pwd.doas
+		rule = rule:gsub("%%u", pwd.name)
+		f:write(rule .. "\n")
+	elseif type(pwd.doas) == "table" then
+		for _, str in ipairs(pwd.doas) do
+			local rule = str
+			rule = rule:gsub("%%u", pwd.name)
+			f:write(rule .. "\n")
+		end
+	end
+	f:close()
+	if chmoddoasconf then
+		chmod(doasconf, "0640")
+	end
+	if chmodetcdir then
+		chmod(etcdir, "0740")
+	end
+end
+
 local function addsudo(pwd)
 	local chmodsudoersd = false
 	local chmodsudoers = false
@@ -584,6 +630,7 @@
 	update_packages = update_packages,
 	upgrade_packages = upgrade_packages,
 	addsudo = addsudo,
+	adddoas = adddoas,
 	addfile = addfile
 }
 
diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -139,6 +139,9 @@
 			if u.sudo then
 				nuage.addsudo(u)
 			end
+			if u.doas then
+				nuage.adddoas(u)
+			end
 		else
 			nuage.warn("invalid type : " .. type(u) .. " for users entry number " .. n)
 		end
diff --git a/libexec/nuageinit/nuageinit.7 b/libexec/nuageinit/nuageinit.7
--- a/libexec/nuageinit/nuageinit.7
+++ b/libexec/nuageinit/nuageinit.7
@@ -308,6 +308,13 @@
 .It Ic sudo
 A string or an array of strings which should be appended to
 .Pa /usr/local/etc/sudoers.d/90-nuageinit-users
+.It Ic doas
+A string or an array of strings which should be appended to
+.Pa /usr/local/etc/doas.conf
+.Pp
+Instead of hardcoding the username, you can use
+.Sy %u Ns ,
+which will be replaced by the current username.
 .El
 .Pp
 A special case exist: if the entry is a simple string with the value
diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh
--- a/libexec/nuageinit/tests/nuageinit.sh
+++ b/libexec/nuageinit/tests/nuageinit.sh
@@ -119,12 +119,16 @@
     gecos: Foo B. Bar
     primary_group: foobar
     sudo: ALL=(ALL) NOPASSWD:ALL
+    doas: permit persist %u as root
     groups: users
     passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/
   - name: bla
     sudo:
     - "ALL=(ALL) NOPASSWD:/usr/sbin/pw"
     - "ALL=(ALL) ALL"
+    doas:
+    - "deny %u as foobar"
+    - "permit persist %u as root cmd whoami"
 EOF
 	atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit nocloud
 	atf_check /usr/libexec/nuageinit "${PWD}"/media/nuageinit postnet