diff --git a/machines/WinMax2/default.nix b/machines/WinMax2/default.nix
index 187a110..899f761 100755
--- a/machines/WinMax2/default.nix
+++ b/machines/WinMax2/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
+ ./remote-builder.nix
 ];
 }
diff --git a/machines/WinMax2/remote-builder.nix b/machines/WinMax2/remote-builder.nix
new file mode 100644
index 0000000..ad86042
--- /dev/null
+++ b/machines/WinMax2/remote-builder.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ flakeSelf,
+ ...
+}: let
+ hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+ hostKeyPath = "/etc/ssh/winmax2_host_key";
+in {
+ age.secrets = {
+ winmax2-host-key = {
+ file = hostSecrets + "host-private-key.age";
+ path = hostKeyPath;
+ mode = "0400";
+ };
+ "winmax2-host-key.pub" = {
+ file = hostSecrets + "host-public-key.age";
+ path = hostKeyPath + ".pub";
+ };
+ };
+
+ users = {
+ groups.nixrbld = {};
+ users.nixrbld = {
+ isSystemUser = true;
+ group = "nixrbld";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
+ ];
+ };
+ };
+
+ nix.settings.trusted-users = ["nixrbld"];
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ # I only want it to be accesible though tailscale
+ openFirewall = false;
+ allowSFTP = false;
+ settings = {
+ UseDns = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ AllowUsers = ["nixrbld"];
+ };
+ hostKeys = [
+ {
+ path = hostKeyPath;
+ type = "ed25519";
+ comment = "Everest host key";
+ }
+ ];
+ };
+ networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];
+}
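Review bot: `nix.settings.trusted-users = ["nixrbld"]` in remote-builder.nix makes the holder of the authorized key root-equivalent on this host (a trusted user can hand the daemon arbitrary substituters, unsigned paths and sandbox settings), so the builder key is a root credential and the line deserves a comment saying so, e.g. `# trusted-users is root-equivalent on the nix daemon: treat the remote-builder key as a root credential and keep sshd tailscale-only`. The nixrbld account also sets no `shell` or `useDefaultShell`; if the NixOS default shell for a system user (presumably nologin) applies, `ssh nixrbld@… nix-store --serve` would be refused, so confirm and, if needed, add `useDefaultShell = true;` next to `group = "nixrbld";`. `UseDns = true` only adds a reverse-DNS lookup per connection and nothing in this file matches on hostnames, so `UseDns = false;` (the sshd default) is the usual choice. Minor: `comment = "Everest host key"` does not match the winmax2 naming used for the key path and secrets, and the comment above `openFirewall` reads `accesible though` for `accessible through`.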