diff --git a/deploy.pl b/deploy.pl
index a37ae70..1fe2287 100755
--- a/deploy.pl
+++ b/deploy.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (c) 2019-2021 Mischa Peters
+# Copyright (c) 2019-2022 Mischa Peters
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -87,7 +87,7 @@ sub render_vm_conf {
 printf $fh_vm "#\n# File generated by deploy.pl\n#\n";
 printf $fh_vm "socket owner :%s\n", $conf{'conf'}{'VMDUSERS'};
 printf $fh_vm "staggered start parallel 2 delay 90\n";
- if ($_VERSION > 7.1) {
+ if ($_VERSION > 7.2) {
 printf $fh_vm "agentx\n";
 }
 printf $fh_vm "\n";
@@ -235,7 +235,9 @@ sub render_doas_conf {
 open my $fh_doas, ">", "$_etc/doas.conf";
 printf $fh_doas "permit nopass setenv { ENV PS1 SSH_AUTH_SOCK PATH=\$PATH HOME=\$HOME USER=\$USER } mischa\n";
- printf $fh_doas "permit nopass keepenv root as root\n";
+ printf $fh_doas "permit nopass keepenv root\n";
+ printf $fh_doas "permit nopass _pfbadhost cmd /sbin/pfctl args -nf /etc/pf.conf\n";
+ printf $fh_doas "permit nopass _pfbadhost cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt\n";
 for my $vm_name (sort keys %vms) {
 my $_instance = $vms{$vm_name}{'instance'} || $vm_name;
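Review bot: The threshold in `if ($_VERSION > 7.2)` in render_vm_conf is a bare magic number with no explanation of why `agentx` is withheld up to and including 7.2. A one-line comment above the test, such as `# agentx is only emitted for releases after 7.2`, would record the intent and make the next bump a deliberate choice. The comparison is numeric, so it relies on `$_VERSION` always holding a plain major.minor value; how it is set is outside the hunk.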
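Review bot: Dropping `as root` from the root rule in render_doas_conf widens it, because a doas.conf rule without `as` matches every target user, so `permit nopass keepenv root` carries root's full environment into commands run as any account. If that is intended, say so in a comment above the line, e.g. `# root may become any user; keepenv is deliberate`. The two `_pfbadhost` rules are pinned with `cmd` and exact `args`, which is the right shape, but they are emitted on every host. Their safety rests on `/etc/pf.conf` staying root-owned and on `/etc/pf-badhost.txt` holding nothing but table addresses, and a short comment should record that assumption. render_doas_conf begins and continues outside the hunk.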