diff --git a/modules/bagel-container.nix b/modules/bagel-container.nix
index ad2d637..606f0cf 100644
--- a/modules/bagel-container.nix
+++ b/modules/bagel-container.nix
@@ -30,4 +30,17 @@
 networkConfig.Address = [ "172.16.100.1/24" ];
 networkConfig.IPMasquerade = true;
 };
+
+ # Configure a local Nix builder account, since getting sandboxing and KVM
+ # working inside the container will be tricky.
+ users.users.bagel-builder = {
+ isSystemUser = true;
+ group = "nogroup";
+ home = "/var/empty";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
+ ];
+ };
+ nix.settings.trusted-users = [ "bagel-builder" ];
 }
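Review bot: `nix.settings.trusted-users = [ "bagel-builder" ];` makes the SSH key listed in `openssh.authorizedKeys.keys` effectively root-equivalent on this host, since a trusted Nix user can import unsigned store paths and override daemon settings such as substituters; a compromise of the container that holds the private key therefore extends to the host. If the trust exists only so the container can upload build inputs, consider dropping that line and instead signing paths in the container and listing its public key under `nix.settings.trusted-public-keys`; if it has to stay, record the trade-off next to it, e.g. `# trusted-users is root-equivalent: the container is trusted as much as this host`. The key entry can also be narrowed by prefixing the `restrict` option (`"restrict ssh-ed25519 …"`), which disables forwarding and PTY allocation for this account while still allowing the remote command Nix runs. The sshd and firewall settings of this module lie outside the hunk, so whether the account is reachable only from the 172.16.100.1/24 container network should be confirmed there.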