--- /dev/null
+PACKAGES += bilibop-lockfs
+
+.PHONY: _live _live_sudo _live_sudo_users
+
+ifdef users
+ _config: _live_sudo_users
+endif
+
+_umount: _live
+_live: ${CFGROOT} _bootloader
+ grep -x aufs "$${CFGROOT}/etc/initramfs-tools" || printf 'aufs\n' >>"$${CFGROOT}/etc/initramfs-tools/modules"
+ sed -i 's; root=; lockfs=1G root=;' "$${CFGROOT}/boot/bootmenu.cfg" "$${CFGROOT}/boot/grub.cfg"
+
+_config: _live_sudo
+_live_sudo: ${CFGROOT}/etc/sudoers.d/nopassword
+_live_sudo: ${CFGROOT}/var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla
+
+${CFGROOT}/etc/sudoers.d/nopassword: ${CFGROOT}
+ printf '%%sudo ALL=NOPASSWD: ALL\n' >"$@"
+ chmod 440 "$@"
+
+${CFGROOT}/var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla: ${CFGROOT}
+ mkdir -p -m 700 "$${CFGROOT}/var/lib/polkit-1/"
+ mkdir -p "$(dir $@)"
+ printf '[Nopassword]\nIdentity=unix-group:sudo\nAction=*\nResultActive=yes\n' >"$@"
+
+_live_sudo_users: _users
+ for u in $(subst ${comma_},${space_},${users}); do \
+ chroot "$${CFGROOT}" adduser "$$u" sudo; \
+ done