diff --git a/group_vars/pyrocufflink/main.yml b/group_vars/pyrocufflink/main.yml
index 4017b2c..5587f6a 100644
--- a/group_vars/pyrocufflink/main.yml
+++ b/group_vars/pyrocufflink/main.yml
@@ -13,3 +13,12 @@ root_authorized_keys: |
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
   {% endif %}
+
+sudo_use_pam_ssh_agent: true
+sudo_authorized_ssh_keys: |
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
+# Default flags include -n, which makes Ansible complain about a "missing
+# become password," even though it would never actually prompt for one.
+ansible_become_flags: -H