diff --git a/configuration/default.nix b/configuration/default.nix
index f5d68fb..fc1ba7a 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -100,6 +100,15 @@
 gatewayPorts = "yes";
 };
 
+ security = {
+ sudo.execWheelOnly = true;
+
+ pam = {
+ enableSSHAgentAuth = true;
+ services.sudo.sshAgentAuth = true;
+ };
+ };
+
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
diff --git a/flake.nix b/flake.nix
index 2dc31c0..04aa990 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,10 +53,8 @@
 };
 
 sshUser = "tlater";
- sshOpts = ["-t" "-p" "2222"];
+ sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
 fastConnection = true;
- # Currently broken, see https://github.com/serokell/deploy-rs/issues/78
- magicRollback = false;
 };
 
 #########
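Review bot: With `services.sudo.sshAgentAuth = true`, sudo for wheel members is granted to whoever holds an agent key listed in the user's authorized-keys files, so the set of files consulted becomes the sudo trust boundary. If that set includes the user-writable `~/.ssh/authorized_keys` (this depends on the pinned nixpkgs release and should be confirmed), any process running as that user can append a key and reach root without a password. I would add a comment above `pam = {` such as `# sudo trusts agent keys from authorized_keys; keep them root-managed via users.users.<name>.openssh.authorizedKeys.keys`. Where the module allows it, restrict the lookup to the root-owned `/etc/ssh/authorized_keys.d/%u`.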
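Review bot: `"-o" "ForwardAgent=yes"` in `sshOpts` makes the deployer's agent usable from the server for the whole deploy session, so root on that host, or anything else that can reach the forwarded socket, can sign with every key loaded in the agent. The sudo change in `configuration/default.nix` appears to rely on forwarding, so the mitigation sits on the client: deploy from an agent holding only a dedicated deploy key, or load keys with per-use confirmation (`ssh-add -c`). A comment on the `sshOpts` line such as `# agent forwarded for sudo via PAM ssh-agent auth; use a dedicated deploy key` would record the reason. The hunk also drops `magicRollback = false` without stating that the linked issue is resolved; the enclosing node definition starts outside the hunk.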