diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 62904f6..1fba95b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,11 +8,12 @@ test-default:
     - docker-alpine
     - x86_64
 
-test-dash:
-  extends: test-default
-  before_script:
-    - apk add dash
-    - ln -sf /usr/bin/dash /bin/sh
+# disabled - 0.13.1 has globbing bug
+#test-dash:
+#  extends: test-default
+#  before_script:
+#    - apk add dash
+#    - ln -sf /usr/bin/dash /bin/sh
 
 test-oksh:
   extends: test-default
diff --git a/lib/tiny-cloud/init b/lib/tiny-cloud/init
index 30efbfb..60cd0ec 100644
--- a/lib/tiny-cloud/init
+++ b/lib/tiny-cloud/init
@@ -178,9 +178,11 @@ init__create_default_user() {
 		echo '%wheel ALL=(ALL) NOPASSWD: ALL' > "$ETC/sudoers.d/wheel"
 	fi
 	if [ -d "$ETC/doas.d" ]; then
-		echo 'permit nopass :wheel' > "$TARGET/etc/doas.d/wheel.conf"
+		echo 'permit nopass :wheel' > "$ETC/doas.d/wheel.conf"
+		#echo 'permit nopass :wheel' > "$TARGET/etc/doas.d/wheel.conf"
 	elif [ -f "$ETC/doas.conf" ]; then
-		add_once "$TARGET/etc/doas.conf" "permit nopass :wheel"
+		add_once "$ETC/doas.conf" "permit nopass :wheel"
+		#add_once "$TARGET/etc/doas.conf" "permit nopass :wheel"
 	fi
 }
 
diff --git a/tests/tiny-cloud-alpine.test b/tests/tiny-cloud-alpine.test
index cef4a67..b9024f3 100755
--- a/tests/tiny-cloud-alpine.test
+++ b/tests/tiny-cloud-alpine.test
@@ -32,6 +32,7 @@ init_tests \
 	userdata_users_groups \
 	userdata_users_lock_passwd \
 	userdata_users_doas \
+	userdata_users_doas_with_default \
 	userdata_users_ssh_authorized_keys \
 	userdata_ssh_authorized_keys \
 	userdata_groups \
@@ -420,6 +421,26 @@ userdata_users_doas_body() {
 		|| atf_fail "etc/doas.d/foo.conf is not as expected"
 }
 
+userdata_users_doas_with_default_body() {
+	# first specified user keeps the default user
+	fake_userdata_nocloud <<-EOF
+		#cloud-config
+		users:
+		  - default
+		  - name: foo
+		    doas: ["permit nopass foo"]
+	EOF
+	mkdir -p etc/doas.d
+	atf_check -e ignore -o ignore tiny-cloud early
+	atf_check \
+		-e match:"userdata_users: done" \
+		-o ignore \
+		tiny-cloud main
+	find .
+	grep "permit nopass foo" etc/doas.d/foo.conf \
+		|| atf_fail "etc/doas.d/foo.conf is not as expected"
+}
+
 userdata_users_ssh_authorized_keys_body() {
 	fake_bin getent <<-EOF
 		#!/bin/sh
@@ -923,4 +944,3 @@ userdata_autoinstall_lvm_body() {
 		-o match:"reboot" \
 		tiny-cloud final
 }
-