diff --git a/ops/nixos/lib/switch-prebuilt.nix b/ops/nixos/lib/switch-prebuilt.nix
index 5b0a3764c5..4adbb16a27 100644
--- a/ops/nixos/lib/switch-prebuilt.nix
+++ b/ops/nixos/lib/switch-prebuilt.nix
@@ -5,17 +5,20 @@
 { depot, pkgs, ... }:
 pkgs.writeShellScriptBin "switch-prebuilt" ''
   set -ue
-  if [[ $EUID -ne 0 ]]; then
-    exec sudo "$0" "$@"
-  fi
-
 
   export AWS_ACCESS_KEY_ID="${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}"
   export AWS_SECRET_ACCESS_KEY="${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}"
   system="''${1}"
 
-  nix copy --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' --no-check-sigs "$system"
+  # We should be a trusted-user.
+  nix copy -v --from 's3://lukegb-nix-cache?endpoint=storage.googleapis.com' --no-check-sigs "$system"
   diff "$system/etc/hostname" "/etc/hostname"
+
+  # The next phase requires sudo, but it's harmless to run the preceding commands twice.
+  if [[ $EUID -ne 0 ]]; then
+    exec sudo "$0" "$@"
+  fi
+
   nix-env -p /nix/var/nix/profiles/system --set "$system"
   "$system/bin/switch-to-configuration" switch
 ''
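Review bot: The pre-sudo `nix copy -v ... --no-check-sigs` line now depends on the caller being in `trusted-users`, but nothing checks that and the comment `# We should be a trusted-user.` does not say what happens otherwise. As far as I can tell the daemon refuses unsigned paths from an untrusted client, so `set -e` would abort before the `exec sudo` re-exec and a sudo-capable but untrusted user could no longer use the script. Because the closure is imported without signature checks and then activated as root via `switch-to-configuration`, its integrity rests on who can write to the bucket; I would say so in the comment, e.g. `# Runs unprivileged: caller must be in nix.conf trusted-users, because --no-check-sigs imports unsigned paths that are later activated as root.` Signing the cache paths and dropping `--no-check-sigs` would remove the need for a trusted user here. Separately, the AWS keys are interpolated at build time, so they presumably end up in the world-readable store copy of this script, which matters more now that the first half is meant to run as a normal user.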