diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bad35c0..9bb8b9e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,4 +57,4 @@ jobs:
 uses: actions/checkout@v6
 - name: Build devops image
- run: docker build ./images/devops --build-arg BASE_IMAGE=ubuntu:noble
+ run: docker build ./images/devops
diff --git a/images/nix/flake.nix b/images/nix/flake.nix
index f164e68..c5429ef 100644
--- a/images/nix/flake.nix
+++ b/images/nix/flake.nix
@@ -18,8 +18,8 @@
 extraGroupLines = [ "coder:x:1000:" ];
 })
 (writeTextDir "etc/shadow" ''
-root:!x:::::::
-coder:!:::::::
+root:*:::::::
+coder:*:::::::
 '')
 (writeTextDir "etc/gshadow" ''
 root:x::
@@ -39,6 +39,15 @@
 auth sufficient pam_rootok.so
 password requisite pam_unix.so nullok yescrypt
 session required pam_unix.so
 '')
+ # Dedicated PAM config for sudo – auth and account use pam_permit
+ # because actual authorisation is handled by sudoers, while session
+ # uses pam_unix for proper session setup.
+ (writeTextDir "etc/pam.d/sudo" ''
+auth sufficient pam_rootok.so
+auth required pam_permit.so
+account required pam_permit.so
+session required pam_unix.so
+ '')
 ];
 # Nix configuration with flakes enabled
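Review bot: The new `run: docker build ./images/devops` line no longer states which base image CI builds against; the choice now comes from the Dockerfile's default for `BASE_IMAGE`, which is not part of this diff. If that default is a floating tag, the CI result is less tied to a known base than the previous explicit `ubuntu:noble` and may drift between runs without any change to this repository. Worth confirming the default is a fixed reference and recording the dependency on the step, e.g. `# base image is taken from the Dockerfile's BASE_IMAGE default`. The surrounding `jobs:` step list starts and ends outside the hunk.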
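Review bot: Changing the password field of `root` and `coder` from `!` to `*` changes the account state other tools see, not just the stored hash: `!` is the lock prefix that `passwd -l`/`usermod -L` write and `passwd -u` removes, and some login paths (sshd's locked-account check, for example) refuse a `!`-locked account even for non-password authentication, whereas `*` only means "no usable password" and leaves those paths open. That is presumably the intent behind pairing it with the PAM changes later in this diff, but nothing in the hunk records it; a comment above the `(writeTextDir "etc/shadow" ''` line such as `# '*' = no usable password, account not locked; keeps non-password auth usable` would make the choice deliberate for the next reader. Note that the old `root:!x` was a lock prefix on the literal `x`, so root had no usable password before this change either. The enclosing list of `writeTextDir` entries starts outside the hunk.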
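Review bot: With `auth required pam_permit.so` and `account required pam_permit.so`, every sudo invocation passes PAM authentication and account checks without a password or account-state check, so the sudoers policy is the only control on privilege escalation in this image; sudoers is not in this diff, so its contents (which users, which commands, whether `NOPASSWD` is set) should be verified against this stack rather than assumed. The `auth sufficient pam_rootok.so` line above it is redundant once `pam_permit` follows unconditionally and can be dropped so the stack reads as what it is. The existing comment says authorisation lives in sudoers but not that PAM never denies here; adding `# NOTE: PAM never denies sudo in this stack; the only gate is the sudoers file` next to it would state the trade-off plainly. The `(writeTextDir "etc/pam.d/sudo" ''` entry is complete within the hunk, but the list it belongs to starts outside it.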