diff --git a/roles/saltmaster/sudo/files/deploy b/roles/saltmaster/sudo/files/deploy
new file mode 100644
index 0000000..0c2883f
--- /dev/null
+++ b/roles/saltmaster/sudo/files/deploy
@@ -0,0 +1,17 @@
+# -------------------------------------------------------------
+# SaltStack deployment
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-09-28
+# License: Trivial work, not eligible to copyright
+# Source file: roles/saltmaster/sudo/files/deploy
+# -------------------------------------------------------------
+#
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+%deploy ALL = (deploy) NOPASSWD: ALL
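Review bot: The rule on the last line of the new file has no comment saying who is granted what; the header only says "SaltStack deployment". I would add a line above it such as `# Members of the deploy group may run any command as the deploy user, without a password.` Because of `NOPASSWD: ALL`, membership of the deploy group is equivalent to holding the deploy account, so that group should be managed as tightly as the account itself. If deployers only need a few commands, listing them instead of `ALL` would narrow the grant, though the diff does not show what they run.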
diff --git a/roles/saltmaster/sudo/init.sls b/roles/saltmaster/sudo/init.sls
index 12f1b95..6e6512c 100644
--- a/roles/saltmaster/sudo/init.sls
+++ b/roles/saltmaster/sudo/init.sls
@@ -1,20 +1,23 @@
# -------------------------------------------------------------
# Salt — Salt master configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-04-28
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Sudo capabilities
#
# Ops should be able to sudo -u salt …
+# Deployers should be able to sudo -u deploy
# -------------------------------------------------------------
-saltmaster_sudo_capabilities_file:
+{% for sudofile in ['salt', 'deploy'] %}
+saltmaster_sudo_capabilities_{{ sudofile }}:
file.managed:
- - name: {{ dirs.etc }}/sudoers.d/salt
- - source: salt://roles/saltmaster/sudo/files/salt
+ - name: {{ dirs.etc }}/sudoers.d/{{ sudofile }}
+ - source: salt://roles/saltmaster/sudo/files/{{ sudofile }}
+{% endfor %}
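Review bot: The `file.managed` state inside the new loop sets only `name` and `source`, so as far as the hunk shows, the sudoers drop-ins are written without explicit ownership or mode and without a syntax check. A malformed file under sudoers.d can leave sudo unable to parse its policy on the salt master, and sudo may also reject a drop-in whose owner or permissions are not what it expects. I would add `- user: root`, `- mode: '0440'` and `- check_cmd: visudo -c -f` (with the platform's path to visudo) to the state, so a bad file is rejected before it replaces the working one. With the loop, this applies to both the salt and deploy files.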