diff --git a/playbooks/legacy/pre.yaml b/playbooks/legacy/pre.yaml
index 26963687..c0942678 100644
--- a/playbooks/legacy/pre.yaml
+++ b/playbooks/legacy/pre.yaml
@@ -25,14 +25,6 @@
         - id_rsa
         - id_rsa.pub
 
-    - name: Add sudoers role for zuul-sudo-grep.sh
-      copy:
-        dest: /etc/sudoers.d/zuul-sudo-grep
-        content: "zuul ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/zuul-sudo-grep.sh"
-        mode: 0440
-        validate: "/usr/sbin/visudo -cf %s"
-      become: true
-
     - name: Copy zuul-sudo-grep.sh to
       copy:
         dest: /usr/local/jenkins/slave_scripts/zuul-sudo-grep.sh
@@ -40,7 +32,25 @@
         mode: 0755
       become: true
 
-    - name: Modify run-tox.sh to use zuul-sudo-grep.sh
+    - name: Add sudoers role for zuul-sudo-grep.sh
+      copy:
+        dest: /etc/sudoers.d/zuul-sudo-grep
+        content: "zuul ALL = NOPASSWD:/usr/local/jenkins/slave_scripts/zuul-sudo-grep.sh\n"
+        mode: 0440
+      become: true
+
+    - name: Validate sudoers config after edits
+      command: "/usr/sbin/visudo -c"
+      become: true
+
+    - name: Modify run-tox.sh to use zuul-sudo-grep.sh pre
+      lineinfile:
+        path: /usr/local/jenkins/slave_scripts/run-tox.sh
+        regexp: '^sudo .script_path/jenkins-sudo-grep.sh pre'
+        line: 'sudo $script_path/zuul-sudo-grep.sh pre'
+      become: true
+
+    - name: Modify run-tox.sh to use zuul-sudo-grep.sh post
       lineinfile:
         path: /usr/local/jenkins/slave_scripts/run-tox.sh
         regexp: '^    sudo .script_path/jenkins-sudo-grep.sh post'