diff --git a/flake.lock b/flake.lock
index 13bdafd..2683b79 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,7 +46,7 @@
 "ssh-keypairs": "ssh-keypairs"
 },
 "locked": {
- "narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=",
+ "narHash": "sha256-fCEml2rFMgJboI7EN0QQLsAYSKdKegnu23IwRK5GBdE=",
 "path": "/state/secrets",
 "type": "path"
 },
@@ -90,11 +90,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1632291606,
- "narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=",
+ "lastModified": 1632918953,
+ "narHash": "sha256-XY3TKBfhP7wCu/SeqrwIkTWkyYHy5W1yRR8pxyzRY9Y=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "83413f47809790e4ca012e314e7782adeae36cf2",
+ "rev": "ee90403e147b181300dffca5b0afa405e14f1945",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 4d90a7d..feef156 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,7 @@
 system = hostOpts.arch;
 modules = [
+ fudo-secrets.nixosModule
 "${home-manager}/nixos"
 (import ./initialize.nix {
 inherit hostname pkgs build-timestamp fudo-secrets;
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 748ed77..c36d4ef 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -240,15 +240,25 @@ in {
 boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
- fudo.secrets.host-secrets.${hostname} = {
- host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) {
- source-file = fudo.secrets.files.host-keytabs.${hostname};
+ fudo.secrets.host-secrets.${hostname} = let
+ keytab-file =
+ if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then
+ config.fudo.secrets.files.host-keytabs.${hostname}
+ else null;
+
+ build-private-key-file =
+ if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then
+ config.fudo.secrets.files.build-keypairs.${hostname}
+ else null;
+ in {
+ host-keytab = mkIf (keytab-file != null) {
+ source-file = keytab-file;
 target-file = "/etc/krb5.keytab";
 user = "root";
 };
- build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) {
- source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key;
+ build-private-key = mkIf (build-private-key-file != null) {
+ source-file = build-private-key-file;
 target-file = "/var/run/nix-build/host.key";
 user = "root";
 };
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 7efa4a1..9629008 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -124,6 +124,7 @@ let
 my-build-host = {
 port = 22;
 systems = [ "i686-linux" "x86_64-linux" ];
+ build-user = "my-builder";
 };
 };
 };
@@ -194,6 +195,12 @@ let
 description = "List of features supported by this server.";
 default = [ ];
 };
+
+ build-user = mkOption {
+ type = str;
+ description = "User as which to run distributed builds.";
+ default = "site-builder";
+ };
 };
 };
diff --git a/lib/fudo/ssh.nix b/lib/fudo/ssh.nix
index 9ce050b..fddf8a6 100644
--- a/lib/fudo/ssh.nix
+++ b/lib/fudo/ssh.nix
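Review bot: The new `build-private-key-file` binding drops the `.private-key` accessor that the removed line used (`fudo.secrets.files.build-keypairs.${hostname}.private-key`), so `source-file` for `build-private-key` now points at the whole `build-keypairs.${hostname}` value. If those entries are keypair attribute sets with `private-key`/`public-key` fields like the `host-ssh-keypairs` entries consumed in ssh.nix, this is a regression and the `then` branch should read `config.fudo.secrets.files.build-keypairs.${hostname}.private-key`; if the `build-keypairs` schema was changed to plain paths elsewhere in this change, a one-line comment on the binding saying so would spare the next reader the same check. The `hasAttr` guard together with the `!= null` test inside each `mkIf` is now redundant for both secrets, which is harmless but could be simplified. The enclosing `in {` module body continues outside the hunk.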
@@ -2,9 +2,13 @@
 with lib;
 let
- hostname = config.fudo.instance.hostname;
+ hostname = config.instance.hostname;
 has-attrs = set: length (attrNames set) > 0;
- host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname};
+ host-keypairs =
+ if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
+ config.fudo.secrets.files.host-ssh-keypairs.${hostname}
+ else [];
+
 sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
@@ -25,14 +29,14 @@ let
 in {
 config = {
 fudo = {
- secrets.host-secrets.${hostname} = mkIf (host-keypairs != [])
- map (keypair: {
- "host-${keypair.key-type}-private-key" = {
+ secrets.host-secrets.${hostname} = listToAttrs
+ (map
+ (keypair: nameValuePair "host-${keypair.key-type}-private-key" {
 source-file = keypair.private-key;
 target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
 user = "root";
- };
- });
+ })
+ host-keypairs);
 hosts = mapAttrs (hostname: keypairs: {
 ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
@@ -41,16 +45,15 @@ in {
 fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
 filename = sshfp-filename hostname keypair;
 in builtins.readFile "${fingerprint-derivation}/$(unknown)") keypairs;
- } config.fudo.secrets.files.host-ssh-keypairs);
+ }) config.fudo.secrets.files.host-ssh-keypairs;
 };
- services.openssh.hostKeys = mkIf (host-keypairs != [])
- (map (keypair: {
- path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
- type = keypair.key-type;
- }) host-keypairs);
+ services.openssh.hostKeys = map (keypair: {
+ path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
+ type = keypair.key-type;
+ }) host-keypairs;
 programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
 publicKeyFile = keypairs.public-key;
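Review bot: The `else []` fallback for `host-keypairs` in the first hunk, combined with the `mkIf (host-keypairs != [])` wrappers being dropped later in the file, changes what a host with no entry in `host-ssh-keypairs` gets: `services.openssh.hostKeys` becomes an explicit empty list for it, which overrides the NixOS default key set instead of leaving it in place, and unless default host key files already exist on that machine sshd is left with no host key and will not start. Keeping the guard on that assignment, `services.openssh.hostKeys = mkIf (host-keypairs != []) (map (keypair: {`, preserves the previous fallback while still tolerating the missing attribute in the let binding; the hostKeys hunk itself runs past the end of this chunk. The `listToAttrs` rewrite in the second hunk likewise makes `secrets.host-secrets.${hostname}` an empty attribute set rather than undefined for such hosts, which is probably harmless but worth checking against how hosts.nix merges into the same attribute.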