diff --git a/lib/tiny-cloud/user-data/alpine-config b/lib/tiny-cloud/user-data/alpine-config
index 3b2b51a..2adde1f 100644
--- a/lib/tiny-cloud/user-data/alpine-config
+++ b/lib/tiny-cloud/user-data/alpine-config
@@ -331,6 +331,21 @@ init__userdata_users() {
 $MOCK addgroup "$name" "$group"
 done
 fi
+ if in_list doas $keys; then
+ if [ -d "$ROOT/etc/doas.d" ]; then
+ touch "$ROOT/etc/doas.d/$name.conf"
+ chmod 660 "$ROOT/etc/doas.d/$name.conf"
+ fi
+ local j
+ for j in $(get_userdata users/$i/doas); do
+ local line="$(get_userdata users/$i/doas/$j)"
+ if [ -d "$ROOT/etc/doas.d" ]; then
+ echo "$line" >> "$ROOT/etc/doas.d/$name.conf"
+ elif [ -f "$ROOT/etc/doas.conf" ]; then
+ add_once "$ROOT/etc/doas.conf" "$line"
+ fi
+ done
+ fi
 done
 }
diff --git a/tests/tiny-cloud-alpine.test b/tests/tiny-cloud-alpine.test
index fe3bcbe..cba50b4 100755
--- a/tests/tiny-cloud-alpine.test
+++ b/tests/tiny-cloud-alpine.test
@@ -27,6 +27,7 @@ init_tests \
 userdata_users_no_create_home \
 userdata_users_groups \
 userdata_users_lock_passwd \
+ userdata_users_doas \
 userdata_users_ssh_authorized_keys \
 userdata_ssh_authorized_keys \
 userdata_groups \
@@ -332,6 +333,26 @@ userdata_users_lock_passwd_body() {
 tiny-cloud main
 }
+userdata_users_doas_body() {
+ # first specified user will replace default user
+ fake_userdata_nocloud <<-EOF
+ #alpine-config
+ users:
+ - none
+ - name: foo
+ doas: ["permit nopass foo"]
+ EOF
+ mkdir -p etc/doas.d
+ atf_check -e ignore -o ignore tiny-cloud early
+ atf_check \
+ -e match:"userdata_users: done" \
+ -o ignore \
+ tiny-cloud main
+ find .
+ grep "permit nopass foo" etc/doas.d/foo.conf \
+ || atf_fail "etc/doas.d/foo.conf is not as expected"
+}
+
 userdata_users_ssh_authorized_keys_body() {
 fake_bin getent <<-EOF
 #!/bin/sh
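Review bot: `chmod 660` on `$ROOT/etc/doas.d/$name.conf` leaves a privilege-escalation policy file group-writable, and the `touch` before it creates the file under whatever umask is in effect; `chmod 600 "$ROOT/etc/doas.d/$name.conf"` (or `640`) would be tighter, and some doas builds may refuse a group-writable config outright, which is worth confirming against the package this targets. The doas.d branch appends with `echo "$line" >>` while the doas.conf branch uses `add_once`, so a repeated run would presumably duplicate rules in the drop-in; `add_once "$ROOT/etc/doas.d/$name.conf" "$line"` keeps both branches consistent. When neither `etc/doas.d` nor `etc/doas.conf` exists the requested rules are dropped without any log message, and the lines are written unchecked, so a warning in that case and a syntax check of the result with `doas -C` would catch rules that never take effect or that break parsing. init__userdata_users starts outside the hunk, so whether `$name` is restricted to a plain file name before it becomes part of the path is not visible here.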
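Review bot: `find .` in userdata_users_doas_body looks like leftover debugging output and can be dropped. The assertion checks only that the rule text appears in etc/doas.d/foo.conf, so the mode set on the drop-in and the `doas.conf` fallback (no etc/doas.d directory) go untested; a second case without the `mkdir -p etc/doas.d` plus a check such as `[ "$(stat -c %a etc/doas.d/foo.conf)" = "$expected_mode" ] || atf_fail "unexpected mode"` would cover both. `grep -Fx "permit nopass foo" etc/doas.d/foo.conf` would also pin the rule as a whole line rather than a substring match.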