diff --git a/hosts.yml b/hosts.yml
index 2faaf9f..417aa96 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -61,7 +61,7 @@ all:
       ansible_user: ansible
       ansible_port: 22
       ansible_python_interpreter: /usr/bin/python3
-      ansible_become_method: sudo
+      ansible_become_method: doas
 
     fugu:
       ansible_host: fugu
diff --git a/roles/wheel/tasks/debian.yml b/roles/wheel/tasks/debian.yml
new file mode 100644
index 0000000..7e457cb
--- /dev/null
+++ b/roles/wheel/tasks/debian.yml
@@ -0,0 +1,11 @@
+---
+- name: install doas
+  apt:
+    name: doas
+
+- name: copy doas config
+  copy:
+    src: doas.conf
+    dest: /etc/doas.conf
+    owner: root
+    mode: '0644'
diff --git a/roles/wheel/tasks/main.yml b/roles/wheel/tasks/main.yml
index c2c9245..2af9296 100644
--- a/roles/wheel/tasks/main.yml
+++ b/roles/wheel/tasks/main.yml
@@ -20,6 +20,6 @@
   include_tasks: openbsd.yml
   when: ansible_distribution == "OpenBSD"
 
-- name: setup with sudo
-  include_tasks: sudo.yml
+- name: 'debian-specific things'
+  include_tasks: debian.yml
   when: ansible_distribution in ["Debian", "Ubuntu"]
diff --git a/roles/wheel/tasks/sudo.yml b/roles/wheel/tasks/sudo.yml
deleted file mode 100644
index d021fb7..0000000
--- a/roles/wheel/tasks/sudo.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: install sudo
-  apt:
-    name: sudo
-  when: ansible_distribution in ["Debian", "Ubuntu"]
-
-- name: allow wheel sudo without password
-  copy:
-    dest: /etc/sudoers.d/wheel
-    content: "%wheel ALL=(ALL) NOPASSWD: ALL"
-    mode: '0440'
-    owner: root