diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index adb751964b..2ca2c020d0 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -35,7 +35,25 @@ in
 extraGroups = [ "wheel" ];
 hashedPassword = secrets.passwordHashes.lukegb;
 };
+ deployer = {
+ isSystemUser = true;
+ uid = 1001;
+ hashedPassword = "NP";
+ openssh.authorizedKeys.keyFiles = [
+ ../../secrets/deployer_ed25519.pub
+ ];
+ };
 };
+ security.sudo.extraRules = [{
+ users = [ "deployer" ];
+ commands = [{
+ command = "${rebuilder}/bin/rebuilder";
+ options = [ "NOPASSWD" ];
+ }];
+ }];
+ security.sudo.extraConfig = ''
+ Defaults:deployer !requiretty
+ '';
 programs.mtr.enable = true;
 services.openssh.enable = true;
diff --git a/ops/secrets/deployer_ed25519.pub b/ops/secrets/deployer_ed25519.pub
new file mode 100644
index 0000000000..21a40fbe7e
--- /dev/null
+++ b/ops/secrets/deployer_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz3ZptYA9SjCtZEQwF8/ACCO0W3Edh9asAmNGE2U4bQ lukegb@porcorosso
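Review bot: The sudo rule for `deployer` names `${rebuilder}/bin/rebuilder` without an argument list, so sudoers accepts any arguments and `rebuilder` (defined outside this hunk) runs privileged with whatever the key holder passes; if it takes none, pin that with `command = ''${rebuilder}/bin/rebuilder ""'';`, otherwise list the accepted forms. The key in `openssh.authorizedKeys.keyFiles` is also installed without options, so the SSH side of the account is not limited to the rebuild; prefixing the key line with `restrict` (plus a `command=` forced command if the rebuild is its only use) would keep forwarding and interactive sessions off this account. `hashedPassword = "NP";` deserves a comment such as `# "NP" is not a valid hash: no password can match, but the account stays unlocked for key login`, assuming that is the intent. `uid = 1001` sits in the normal-user range despite `isSystemUser = true`, which is worth confirming against the uid allocation used on the other hosts.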