diff --git a/hosts/modules/roles/build-machine.nix b/hosts/modules/roles/build-machine.nix
index aee123dfc..54a4136dc 100644
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -28,6 +28,7 @@ in
 sane.programs.qemu.enableFor.user.colin = true;
 # serve packages to other machines that ask for them
 sane.services.nixserve.enable = true;
+ sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
 # each concurrent derivation realization uses a different nix build user.
 # default is 32 build users, limiting us to that many concurrent jobs.
diff --git a/modules/services/nixserve.nix b/modules/services/nixserve.nix
index 5be97eb99..cafca0e7d 100644
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -24,6 +24,9 @@ in
 type = types.path;
 description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
 };
+ sane.services.nixserve.remoteBuilderPubkey = mkOption {
+ type = types.str;
+ };
 };
 config = mkIf cfg.enable {
@@ -53,7 +56,7 @@ in
 ];
 initialPassword = "";
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+ cfg.remoteBuilderPubkey
 ];
 };
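Review bot: The new option `sane.services.nixserve.remoteBuilderPubkey` is declared with a bare `types.str` and no `description`, even though the last hunk shows its value being installed as an SSH authorized key. I would tighten the type to `type = types.singleLineStr;` so a multi-line string cannot carry more than one authorized_keys entry. I would also add something like `description = "SSH public key authorized to log in as the remote-build user on this host";`, so that whoever sets it knows it is an access grant and not a label. Leaving the option without a default looks right, since a host that enables nixserve must then name the key explicitly or fail evaluation.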
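Review bot: The entry in `openssh.authorizedKeys.keys` is now whatever string the host config supplies, and it is installed with no authorized_keys options. The key therefore presumably gets an ordinary SSH session (pty and forwarding included) rather than only what a remote build needs. Consider `"restrict ${cfg.remoteBuilderPubkey}"` after confirming that the remote-build workflow still works with it. The context line `initialPassword = "";` is untouched by this commit, but it deserves a comment explaining why an empty password is required, because this key list is then the main gate on the account. The enclosing user definition starts outside the hunk, so the account name and its other settings are not visible here.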