diff --git a/roles/saltmaster/sudo/init.sls b/roles/saltmaster/sudo/init.sls
new file mode 100644
index 0000000..12f1b95
--- /dev/null
+++ b/roles/saltmaster/sudo/init.sls
@@ -0,0 +1,20 @@
+#   -------------------------------------------------------------
+#   Salt — Salt master configuration
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Created:        2017-04-28
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+#   -------------------------------------------------------------
+#   Sudo capabilities
+#
+#   Ops should be able to sudo -u salt …
+#   -------------------------------------------------------------
+
+saltmaster_sudo_capabilities_file:
+  file.managed:
+    - name: {{ dirs.etc }}/sudoers.d/salt
+    - source: salt://roles/saltmaster/sudo/files/salt
diff --git a/top.sls b/top.sls
index b00e9b9..182b68d 100644
--- a/top.sls
+++ b/top.sls
@@ -1,24 +1,26 @@
 #   -------------------------------------------------------------
 #   Salt configuration for Nasqueron servers
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 #   Project:        Nasqueron
 #   Created:        2016-04-10
 #   License:        Trivial work, not eligible to copyright
 #   -------------------------------------------------------------
 
 base:
   '*':
     - roles/core/rc
     - roles/core/hostname
     - roles/core/network
     - roles/core/motd
     - roles/core/rsyslog
     - roles/core/sshd
     - roles/core/letsencrypt
+  'local':
+    - roles/saltmaster/sudo
   'eglide':
     - roles/shellserver/users
     - roles/shellserver/userland-software
     - roles/shellserver/eglide-website
     - roles/shellserver/vhosts
     - roles/shellserver/web-hosting
     - roles/shellserver/odderon