diff --git a/configs.yml b/configs.yml
index 993b7a4..b52a8bc 100644
--- a/configs.yml
+++ b/configs.yml
@@ -1,12 +1,6 @@
 sudoers:
 - run:
- - sudo sed "s/\$USER/$USER/g" $(ls dotfiles/sudoers.d/* | grep -v -e arch -e debian) | sudo tee /etc/sudoers.d/setup-cockpit >/dev/null 2>&1
- - run:
- command: sudo sed "s/\$USER/$USER/g" dotfiles/sudoers.d/*.arch | sudo tee -a /etc/sudoers.d/setup-cockpit >/dev/null 2>&1
- condition: arch
- - run:
- command: sudo sed "s/\$USER/$USER/g" dotfiles/sudoers.d/*.debian | sudo tee -a /etc/sudoers.d/setup-cockpit >/dev/null 2>&1
- condition: debian
+ - sudo sed "s/\$USER/$USER/g" dotfiles/sudoers.d/* | sudo tee /etc/sudoers.d/setup-cockpit >/dev/null 2>&1
 - run:
 - sudo chmod 600 /etc/sudoers.d/setup-cockpit
diff --git a/dotfiles/sudoers.d/bye.arch b/dotfiles/sudoers.d/bye.arch
deleted file mode 100644
index ef8d21d..0000000
--- a/dotfiles/sudoers.d/bye.arch
+++ /dev/null
@@ -1,3 +0,0 @@
-## Use "sudo {shutdown,reboot,halt}" without needing a password.
-$USER ALL=(root) NOPASSWD:/usr/bin/reboot,/usr/bin/halt,/usr/bin/shutdown
-
diff --git a/dotfiles/sudoers.d/bye.debian b/dotfiles/sudoers.d/bye.debian
deleted file mode 100644
index 5ac933d..0000000
--- a/dotfiles/sudoers.d/bye.debian
+++ /dev/null
@@ -1,3 +0,0 @@
-## Use "sudo {shutdown,reboot,halt}" without needing a password.
-$USER ALL=(root) NOPASSWD:/usr/sbin/reboot,/usr/sbin/halt,/usr/sbin/shutdown
-
diff --git a/dotfiles/sudoers.d/protonvpn b/dotfiles/sudoers.d/protonvpn
deleted file mode 100644
index 76e2201..0000000
--- a/dotfiles/sudoers.d/protonvpn
+++ /dev/null
@@ -1,5 +0,0 @@
-## Use "sudo protonvpn" without needing a password.
-## This is necessary to boot this setup, because "sudo protonvpn" is invoqued
-## in ~/.xinitrc before starting the WM.
-$USER ALL=(root) NOPASSWD:/usr/bin/protonvpn
-
diff --git a/playbook.yml b/playbook.yml
index a71229a..104d489 100644
--- a/playbook.yml
+++ b/playbook.yml
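Review bot: In the configs.yml hunk, the rewritten `run` entry still pipes `sed` output straight into /etc/sudoers.d/setup-cockpit with no syntax check, and the `>/dev/null 2>&1` on `tee` hides any write failure. Every file under dotfiles/sudoers.d that this diff shows is deleted or moved into the new role, so the glob may now match nothing, in which case `tee` would leave an empty drop-in behind. If no other files remain in that directory, dropping this entry and the `chmod` entry after it would be cleaner. If it stays, writing to a temporary file and checking it with `visudo -cf` before installing it would keep a bad fragment out of /etc/sudoers.d.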
@@ -24,3 +24,5 @@
 tags: firefox
 - role: tor
 tags: tor
+ - role: sudoers
+ tags: sudoers
diff --git a/dotfiles/sudoers.d/insults b/roles/sudoers/files/insults
similarity index 98%
rename from dotfiles/sudoers.d/insults
rename to roles/sudoers/files/insults
index cffe5c1..963bdab 100644
--- a/dotfiles/sudoers.d/insults
+++ b/roles/sudoers/files/insults
@@ -1,3 +1,2 @@
 ## Replace the usual "Sorry, try again." with insults upon incorrect password.
 Defaults insults
-
diff --git a/roles/sudoers/tasks/main.yml b/roles/sudoers/tasks/main.yml
new file mode 100644
index 0000000..f6a3f5b
--- /dev/null
+++ b/roles/sudoers/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Copy sudoers templates
+ become: true
+ template:
+ src: bye.j2
+ dest: /etc/sudoers.d/bye
+
+- name: Copy sudoers files
+ become: true
+ copy:
+ src: insults
+ dest: /etc/sudoers.d/insults
diff --git a/roles/sudoers/templates/bye.j2 b/roles/sudoers/templates/bye.j2
new file mode 100644
index 0000000..bc17238
--- /dev/null
+++ b/roles/sudoers/templates/bye.j2
@@ -0,0 +1,2 @@
+## Use "sudo {shutdown,reboot,halt}" without needing a password.
+{{ ansible_facts['env']['USER'] }} ALL=(root) NOPASSWD:/usr/sbin/reboot,/usr/sbin/halt,/usr/sbin/shutdown
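Review bot: Both tasks in roles/sudoers/tasks/main.yml install files into /etc/sudoers.d without `owner`, `group`, `mode` or `validate`, so the resulting permissions depend on the umask (the shell flow in configs.yml set 600 explicitly) and a file that is not valid sudoers syntax would be installed as-is. A broken drop-in can stop sudo from working on the host, which is the case the modules' `validate` option exists for. The fence shows the keys on the `template` task; the `copy` task takes the same four.

```yaml
  template:
    # … unchanged: src, dest …
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -csf %s
# … unchanged: "Copy sudoers files" task, with the same four keys added under copy: …
```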
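Review bot: In bye.j2 the grantee of the NOPASSWD rule comes from `ansible_facts['env']['USER']`, that is, whatever USER was in the environment when facts were gathered. If the play gathers facts with become enabled, that value is presumably root and the rule would grant nothing to the intended account. A new role variable, for example `{{ sudoers_user }}` with a default set in the role, would make the grantee explicit and independent of how the play is run. The template also keeps only the /usr/sbin paths from bye.debian, while the deleted bye.arch used /usr/bin, so it is worth confirming the rule still matches on Arch.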