diff --git a/machines/drone/configuration.nix b/machines/drone/configuration.nix
index 6893b35..66327e6 100644
--- a/machines/drone/configuration.nix
+++ b/machines/drone/configuration.nix
@@ -39,6 +39,8 @@
     nameservers = [ "10.0.0.254" ];
   };
 
+  security.sudo.execWheelOnly = true;
+
   services.openssh.enable = true;
 
   sops.defaultSopsFile = ./secrets.yaml;
diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix
index 91ed3df..8300f8b 100644
--- a/machines/gitea/configuration.nix
+++ b/machines/gitea/configuration.nix
@@ -41,7 +41,6 @@
   };
 
   security.sudo.execWheelOnly = true;
-  security.pam.enableSSHAgentAuth = true;
 
   # services.openssh.enable = true;
 
diff --git a/machines/minio/configuration.nix b/machines/minio/configuration.nix
index 2e1f687..2326b20 100644
--- a/machines/minio/configuration.nix
+++ b/machines/minio/configuration.nix
@@ -45,7 +45,6 @@
   };
 
   security.sudo.execWheelOnly = true;
-  security.pam.enableSSHAgentAuth = true;
 
   # services.openssh.enable = true;
 
diff --git a/machines/proxy/configuration.nix b/machines/proxy/configuration.nix
index 4253ada..2e72cbd 100644
--- a/machines/proxy/configuration.nix
+++ b/machines/proxy/configuration.nix
@@ -41,6 +41,8 @@
 
   services.openssh.enable = true;
 
+  security.sudo.execWheelOnly = true;
+
   sops.defaultSopsFile = ./secrets.yaml;
   sops.secrets = { };