diff --git a/group_vars/all.yml b/group_vars/all.yml
index 29b87fe..a90b9c7 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -5,6 +5,11 @@ managed_users:
 groups:
 - wheel
+doas_authorized_ssh_keys: |
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins
+
 sshca_url: https://sshca.pyrocufflink.blue
 ssh_trusted_user_ca_keys: >-
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
diff --git a/roles/doas/files/pam.conf b/roles/doas/files/pam.conf
new file mode 100644
index 0000000..ba66c4b
--- /dev/null
+++ b/roles/doas/files/pam.conf
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth required pam_ssh_agent_auth.so file=/etc/security/doas.authorized_keys
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session include system-auth
diff --git a/roles/doas/tasks/main.yml b/roles/doas/tasks/main.yml
new file mode 100644
index 0000000..390b577
--- /dev/null
+++ b/roles/doas/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: ensure required packages are installed
+ package:
+ name:
+ - libuser
+ - opendoas
+ - pam_ssh_agent_auth
+ state: present
+ tags:
+ - install
+
+- name: ensure pam is configured for doas
+ copy:
+ src: pam.conf
+ dest: /etc/pam.d/doas
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - pam
+ - pam-ssh-agent
+
+- name: ensure doas authorized ssh_keys are configured
+ copy:
+ dest: /etc/security/doas.authorized_keys
+ content: '{{ doas_authorized_ssh_keys }}'
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ tags:
+ - pam-ssh-agent
+ - pam-ssh-agent-keys
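Review bot: The `jenkins` entry is a plain `ssh-ed25519` software key, unlike the two `sk-ssh-ed25519@openssh.com` entries that need a physical touch, and because it lives in group_vars/all it will satisfy the doas PAM check on every managed host for whoever holds or forwards the CI agent. If CI genuinely needs this, document it and scope it: a comment above the variable such as `# Keys that pass pam_ssh_agent_auth for doas on every host; the jenkins entry is a software key held by the CI controller, so doas.conf must stay tight`, and consider moving that key into the group_vars of the hosts Jenkins actually deploys to. The `|` block scalar keeps a trailing newline, which is what an authorized_keys-style file wants, so the format itself is fine.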
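Review bot: `file=/etc/security/doas.authorized_keys` is one shared list with no `%u`/`%h` token, so passing this stack only proves that the caller's agent holds some key on the list; it does not tie a key to the invoking account, and with no `auth include system-auth` there is no password path at all. That is defensible only if /etc/doas.conf (not in this diff) is what limits who may escalate and to what, so record it in the file: `# any key in doas.authorized_keys satisfies auth for any user; per-user/per-command limits live in /etc/doas.conf`. It is also worth confirming that opendoas still carries the caller's SSH_AUTH_SOCK when it calls pam_authenticate, since that is how the module reaches the agent; if the environment is scrubbed first, every doas attempt fails closed.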
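Review bot: The authorized-keys path is hard-coded twice, here in `dest` and in files/pam.conf as `file=`, so a change to one silently breaks the other, and the role installs opendoas and wires PAM without managing /etc/doas.conf, which as far as I can tell leaves escalation non-functional until something else ships that file. Lift the path into a role variable, e.g. `doas_authorized_keys_file: /etc/security/doas.authorized_keys`, render pam.conf from a template that uses it, and either add a doas.conf task or state at the top of this file that doas.conf is managed elsewhere. The `pam_ssh_agent_auth` and `libuser` package names look distribution-specific and the purpose of `libuser` is not evident from the tasks; a one-line comment on the target platform and why `libuser` is needed would save the next person a failed run.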
diff --git a/users.yml b/users.yml
index 61301c9..eef74fe 100644
--- a/users.yml
+++ b/users.yml
@@ -1,4 +1,8 @@
 - hosts: all
+ roles:
+ - role: doas
+ tags:
+ - doas
 tasks:
 - name: ensure users exist
 user:
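Review bot: Binding the doas role to `hosts: all` gives every inventory host the same escalation list from group_vars/all, including the software `jenkins` key, so the blast radius of that one private key is the whole fleet. Since roles run before `tasks:`, the doas PAM stack is also in place on each host before the `ensure users exist` task (whose body continues past the hunk) creates the accounts it serves, which is fine operationally but worth stating. Consider narrowing the role to the hosts that need agent-based escalation, or at least note the scope here: `# doas: agent-key escalation on every host; keys come from doas_authorized_ssh_keys in group_vars/all`.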