diff --git a/hosts/build04/configuration.nix b/hosts/build04/configuration.nix
index 2a4a563..9e0254a 100644
--- a/hosts/build04/configuration.nix
+++ b/hosts/build04/configuration.nix
@@ -9,6 +9,8 @@
     inputs.self.nixosModules.remote-builder
   ];
 
+  nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+
   nixCommunity.disko.raidLevel = 0; # more disk space, we don't have much state to restore anyway
 
   networking.hostName = "build04";
diff --git a/hosts/darwin02/configuration.nix b/hosts/darwin02/configuration.nix
index 447dda0..84f1d93 100644
--- a/hosts/darwin02/configuration.nix
+++ b/hosts/darwin02/configuration.nix
@@ -8,6 +8,9 @@
     inputs.self.darwinModules.remote-builder
   ];
 
+  # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
+  nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+
   nix.settings.sandbox = "relaxed";
   nix.settings.extra-platforms = [ "x86_64-darwin" ];
 
diff --git a/modules/shared/remote-builder.nix b/modules/shared/remote-builder.nix
index 9a7ce27..d253e66 100644
--- a/modules/shared/remote-builder.nix
+++ b/modules/shared/remote-builder.nix
@@ -1,8 +1,5 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
-  # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
-  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
-
   # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
   nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
     case $SSH_ORIGINAL_COMMAND in
@@ -19,10 +16,16 @@ let
   '';
 in
 {
-  users.users.nix.openssh.authorizedKeys.keys = [
+  options.nixCommunity.remote-builder.key = lib.mkOption {
+    type = lib.types.singleLineStr;
+    default = null;
+    description = "ssh public key for the remote build user";
+  };
+
+  config.users.users.nix.openssh.authorizedKeys.keys = [
     # use nix-store for hydra which doesn't support ssh-ng
-    ''restrict,command="${nix-ssh-wrapper}" ${key}''
+    ''restrict,command="${nix-ssh-wrapper}" ${config.nixCommunity.remote-builder.key}''
   ];
 
-  nix.settings.trusted-users = [ "nix" ];
+  config.nix.settings.trusted-users = [ "nix" ];
 }