diff --git a/machines/nixos/build01/nix-builder.nix b/machines/nixos/build01/nix-builder.nix
index e8dcfcd..27cfc7f 100644
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@@ -5,6 +5,7 @@
 {
 pkgs,
 lib,
+ dgn-keys,
 meta,
 ...
 }:
@@ -12,6 +13,13 @@
 config = {
 dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
 
+ # FIXME(Raito): this should really go into `dgn-access-control` but I don't
+ # know what is the desired architecture for it. Leaving it for the people with opinions™.
+ users.groups.nix-builders = { };
+ users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
+ extraGroups = [ "nix-builders" ];
+ });
+
 security.pam.loginLimits = [
 {
 domain = "*";
@@ -43,6 +51,10 @@
 nrBuildUsers = 128;
 
 settings = {
+ trusted-users = [
+ "@wheel"
+ "@nix-builders"
+ ];
 keep-outputs = false;
 keep-derivations = false;
 use-cgroups = true;
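Review bot: `dgn-keys` is added to the module's argument set, but none of the hunks in this diff read it; unless it is referenced further down the file, outside what is shown here, the binding is dead and either a use or its removal is missing. If it is consumed later in the file, that use is the part a reviewer would want to see alongside this line.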
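Review bot: The literal `"nix-builders"` is now spelled out in three places — the `users.groups` definition, the `extraGroups` entry here, and the `@nix-builders` item in the `settings` hunk below — so a rename of the group silently breaks the `trusted-users` grant without an evaluation error. Lifting it into one binding, e.g. `let builderGroup = "nix-builders"; in` at the top of the module and `extraGroups = [ builderGroup ];` / `"@${builderGroup}"` at the use sites, keeps the group and the daemon setting from drifting apart. The enclosing `config` attribute set continues outside this hunk.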
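Review bot: Adding `"@nix-builders"` to `trusted-users` makes every member of `meta.organization.groups.nix-builder` root-equivalent on this host — the Nix manual notes that trusted users may override any daemon setting, which is essentially root access — yet the hunk carries no comment stating that consequence, and the group is filled from an organization list rather than reviewed per user. Put the consequence next to the setting so future edits to that list are made with it in mind, e.g. `# trusted-users is root-equivalent on this host (trusted users can override any nix daemon setting); audit nix-builders membership like wheel.` If the intent is only to let these users run builds, the daemon's default `allowed-users` already permits that and the `trusted-users` entry may not be needed at all; confirm the actual requirement before merging. The enclosing `settings` attribute set continues outside this hunk.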