diff --git a/modules/darwin/hercules-ci/default.nix b/modules/darwin/hercules-ci/default.nix
index b776f85..a392f90 100644
--- a/modules/darwin/hercules-ci/default.nix
+++ b/modules/darwin/hercules-ci/default.nix
@@ -20,4 +20,8 @@
     binaryCachesPath = config.age.secrets.binary-caches.path;
     clusterJoinTokenPath = config.age.secrets.cluster-join-token.path;
   };
+
+  system.systemBuilderArgs.sandboxProfile = ''
+    (allow file-read* file-write* process-exec mach-lookup (subpath "${builtins.storeDir}"))
+  '';
 }
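Review bot: The profile set in `system.systemBuilderArgs.sandboxProfile` grants `file-write*` and `process-exec` over all of `${builtins.storeDir}`, with no comment saying which build step needs it, so a later reader cannot tell whether the exception is still required or can be narrowed. On a CI agent host this loosens the sandbox for the system derivation build; if the failing step only reads and executes store paths, dropping `file-write*` would keep the store read-only from inside the build. `mach-lookup` is normally filtered by service name rather than by path, so the `subpath` filter presumably does not constrain it as written; that is worth confirming, and the operation could be split into its own rule. I would add a comment above the option, for example `# Sandbox exception for <failing build step>; remove once <upstream issue placeholder> is resolved.` The enclosing attribute set starts outside the hunk.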