diff --git a/ci/zabbix.jenkinsfile b/ci/zabbix.jenkinsfile
index 7fc27b5..fa65bca 100644
--- a/ci/zabbix.jenkinsfile
+++ b/ci/zabbix.jenkinsfile
@@ -17,53 +17,51 @@ pipeline {
                         variable: 'KEYTAB')]) {
                     sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
                 }
+                withCredentials([file(
+                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
+                        variable: 'SUDO_PASS_FILE'
+                )]) {
+                    sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
+                }
+                withCredentials([file(
+                        credentialsId: 'vault-jenkins@gw0',
+                        variable: 'SUDO_PASS_FILE'
+                )]) {
+                    sh 'cp -f "${SUDO_PASS_FILE}" host_vars/gw0/sudo-pass'
+                }
             }
         }
 
         stage('Remount R/W') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
-                    ansiblePlaybook \
-                        playbook: 'remount.yml',
-                        limit: 'zabbix',
-                        become: true,
-                        vaultCredentialsId: 'ansible-vault',
-                        extraVars: [
-                            remount_state: 'rw',
-                        ],
-                        extras: '-e@"${SUDO_PASS_FILE}"'
-                }
+                ansiblePlaybook \
+                    playbook: 'remount.yml',
+                    limit: 'zabbix',
+                    become: true,
+                    vaultCredentialsId: 'ansible-vault',
+                    extraVars: [
+                        remount_state: 'rw',
+                    ]
             }
         }
 
         stage('Zabbix') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
-                    ansiblePlaybook \
-                        playbook: 'zabbix.yml',
-                        become: true,
-                        vaultCredentialsId: 'ansible-vault',
-                        extras: '-e@"${SUDO_PASS_FILE}" --diff'
-                }
+                ansiblePlaybook \
+                    playbook: 'zabbix.yml',
+                    become: true,
+                    vaultCredentialsId: 'ansible-vault',
+                    extras: '--diff'
             }
         }
 
         stage('Remount R/O') {
             steps {
-                withCredentials([file(
-                        credentialsId: 'vault-jenkins@pyrocufflink.blue',
-                        variable: 'SUDO_PASS_FILE')]) {
-                    ansiblePlaybook \
-                        playbook: 'remount.yml',
-                        limit: 'zabbix',
-                        become: true,
-                        vaultCredentialsId: 'ansible-vault',
-                        extras: '-e@"${SUDO_PASS_FILE}"'
-                }
+                ansiblePlaybook \
+                    playbook: 'remount.yml',
+                    limit: 'zabbix',
+                    become: true,
+                    vaultCredentialsId: 'ansible-vault'
             }
         }
 
@@ -72,6 +70,7 @@ pipeline {
     post {
         always {
             sh 'kdestroy'
+            sh 'find . -name sudo-pass -delete'
         }
         failure {
             emailext \