diff --git a/.gitignore b/.gitignore
index c49a001..6eab29c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,9 @@ vendor
 test.php
 config.json
 .bash_hist
-/config*
+config.private.json
+config.prod.json
+config.local.json
+config.*irc*.json
 result
 target
diff --git a/README.md b/README.md
index 0b443c7..24a9148 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,17 @@ Run
 ```
 
 
+Note the config.public.json for the public pieces of how I run ofborg,
+which is merged with config.known-users.json and a third private
+config file of credentials. These files contain some special keys like
+
+ - known users
+ - authorized users
+ - log storage
+
+they are only used in the backend processing tasks, and there is no
+need for them on builders. However, to update the list in
+config.known-users.json, run `./scripts/update-known-users.sh`.
 
 ## old php stuff...
 
diff --git a/config.known-users.json b/config.known-users.json
new file mode 100644
index 0000000..1962b1c
--- /dev/null
+++ b/config.known-users.json
@@ -0,0 +1,111 @@
+{
+  "runner": {
+    "known_users": [
+      "7c6f434c",
+      "abbradar",
+      "adisbladis",
+      "aforemny",
+      "amiddelk",
+      "aminechikhaoui",
+      "andersontorres",
+      "andir",
+      "antono",
+      "aristidb",
+      "armijnhemel",
+      "astsmtl",
+      "aszlig",
+      "aycanirican",
+      "bendlas",
+      "benley",
+      "bennofs",
+      "bjornfor",
+      "bluescreen303",
+      "c0bw3b",
+      "chaoflow",
+      "cillianderoiste",
+      "civodul",
+      "copumpkin",
+      "cpages",
+      "cstrahan",
+      "damiencassou",
+      "dezgeg",
+      "dguibert",
+      "disassembler",
+      "domenkozar",
+      "edolstra",
+      "edwtjo",
+      "ehmry",
+      "ericson2314",
+      "errge",
+      "falsifian",
+      "fpletz",
+      "fridh",
+      "fuuzetsu",
+      "garbas",
+      "gebner",
+      "globin",
+      "grahamc",
+      "grahamcofborg",
+      "gridaphobe",
+      "hrdinka",
+      "jagajaga",
+      "jgeerds",
+      "joachifm",
+      "jtojnar",
+      "jwiegley",
+      "kevincox",
+      "kosmikus",
+      "lethalman",
+      "lnl7",
+      "lovek323",
+      "lsix",
+      "madjar",
+      "maggesi",
+      "matejc",
+      "matthewbauer",
+      "mic92",
+      "mornfall",
+      "mp2e",
+      "nbp",
+      "nckx",
+      "ndowens",
+      "nequissimus",
+      "nicolaspetton",
+      "obadz",
+      "ocharles",
+      "offlinehacker",
+      "orivej",
+      "peterhoeg",
+      "peti",
+      "phreedom",
+      "pikajude",
+      "primeos",
+      "profpatsch",
+      "psub",
+      "qknight",
+      "rasendubi",
+      "rbvermaa",
+      "rickynils",
+      "roconnor",
+      "rushmorem",
+      "ryantrinkle",
+      "rycee",
+      "shlevy",
+      "srhb",
+      "svanderburg",
+      "the-kenny",
+      "thoughtpolice",
+      "ts468",
+      "ttuegel",
+      "vbgl",
+      "vcunat",
+      "viric",
+      "vrthra",
+      "wizeman",
+      "wkennington",
+      "wmertens",
+      "yegortimoshenko",
+      "zimbatm"
+    ]
+  }
+}
diff --git a/config.public.json b/config.public.json
new file mode 100644
index 0000000..ead1457
--- /dev/null
+++ b/config.public.json
@@ -0,0 +1,50 @@
+{
+    "feedback": {
+        "full_logs": true
+    },
+    "log_storage": {
+        "path": "/var/lib/nginx/ofborg/logs/"
+    },
+    "runner": {
+        "trusted_users": [
+            "7c6f434c",
+            "adisbladis",
+            "andir",
+            "ankhers",
+            "aneeshusa",
+            "aszlig",
+            "copumpkin",
+            "disassembler",
+            "domenkozar",
+            "fpletz",
+            "fridh",
+            "garbas",
+            "globin",
+            "grahamc",
+            "jb55",
+            "joachifm",
+            "jtojnar",
+            "lheckemann",
+            "lnl7",
+            "mic92",
+            "nequissimus",
+            "orivej",
+            "peti",
+            "rbvermaa",
+            "shlevy",
+            "srhb",
+            "veprbl",
+            "vcunat",
+            "yegortimoshenko",
+            "zimbatm"
+        ]
+    },
+    "checkout": {
+        "root": "/var/lib/gc-of-borg/.nix-test-rs"
+    },
+    "nix": {
+        "system": "x86_64-linux",
+        "remote": "daemon",
+        "build_timeout_seconds": 3600
+    }
+}
diff --git a/ofborg/.gitignore b/ofborg/.gitignore
index 8c39a01..7cee623 100644
--- a/ofborg/.gitignore
+++ b/ofborg/.gitignore
@@ -2,3 +2,4 @@ target
 rust-amqp
 test-scratch
 *.bk
+rust-amq-proto
\ No newline at end of file
diff --git a/scripts/merge-config.sh b/scripts/merge-config.sh
new file mode 100755
index 0000000..e697a6a
--- /dev/null
+++ b/scripts/merge-config.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p bash -p jq -p curl -i bash
+
+jq -s '.[0] * .[1] * .[2]' ./config.public.json ./config.known-users.json ./config.private.json > ./config.prod.json
diff --git a/scripts/update-known-users.sh b/scripts/update-known-users.sh
new file mode 100755
index 0000000..996700d
--- /dev/null
+++ b/scripts/update-known-users.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p bash -p jq -p curl -i bash
+
+readonly token=$(jq -r '.github.token' ./config.private.json)
+
+readonly dest=config.known-users.json
+readonly scratch=user-list.scratch
+readonly accumulator=user-list.accumulator
+readonly result=user-list.result
+
+function fetch_users() {
+    curl \
+        -H "Authorization: token $token" \
+        "https://api.github.com/orgs/NixOS/members?page=$1" \
+        | jq 'map(.login | ascii_downcase)'
+}
+
+echo '[]' > "$accumulator"
+
+page=0
+while true; do
+    page=$((page + 1))
+    fetch_users "$page" > "$scratch"
+
+    jq -s '.[0] + .[1]' "$accumulator" "$scratch" > "$result"
+    mv "$result" "$accumulator"
+
+    if [ $(jq -r 'length' "$scratch") -eq 0 ]; then
+        break
+    fi
+done
+
+jq -s '{ "runner": { "known_users": .[0]}}' "$accumulator" > "$dest"
+
+rm -f "$result" "$scratch" "$accumulator"