diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
index b871482..5e4c51b 100644
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@@ -14,10 +14,23 @@ in
 };
 config = lib.mkIf cfg.enable {
- boot.initrd.availableKernelModules = [ "ahci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
+ users.users.builder = {
+ isSystemUser = true;
+ group = "nogroup";
+ home = "/var/empty";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = [
+ # Do not hardcode Hydra's public key, selectively
+ # add the keys of the coordinators that require us.
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
+ ];
+ };
+ nix.settings.trusted-users = [ "builder" ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
 hardware.cpu.intel.updateMicrocode = true;