diff --git a/host_vars/gw1.pyrocufflink.blue/main.yml b/host_vars/gw1.pyrocufflink.blue/main.yml
index 41a78b7..765bc76 100644
--- a/host_vars/gw1.pyrocufflink.blue/main.yml
+++ b/host_vars/gw1.pyrocufflink.blue/main.yml
@@ -13,3 +13,11 @@ nut_monitor_password: !vault |
   3866663235393232320a386230346639643836623063373634383966663334626136313234333435
   33313038643935343635366365626630613365316233393536373232616563396636323064366631
   3734346263623832396439386463323430323437643537623262
+
+sudo_use_pam_ssh_agent: true
+sudo_authorized_ssh_keys: |
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
+  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
+# Default flags include -n, which makes Ansible complain about a "missing
+# become password," even though it would never actually prompt for one.
+ansible_become_flags: -H