diff --git a/flake.lock b/flake.lock
index c0cec35..79c1741 100644
--- a/flake.lock
+++ b/flake.lock
@@ -377,11 +377,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1713863887,
- "narHash": "sha256-TwlNZjJloyZ0/5KCPeSWrnyDfEFokayovRPQY7xqq1g=",
+ "lastModified": 1713910881,
+ "narHash": "sha256-MZ1+GmZL3V3Kqe4YrxPA2W8vrF/c+f7sYOpf+jw6ESc=",
 "ref": "refs/heads/main",
- "rev": "b8c66d7b0ca9fc21bc5332801b0203033cc3a772",
- "revCount": 13,
+ "rev": "918b61f3ee194d7e67fa1d3200b64fe7741dd24a",
+ "revCount": 15,
 "type": "git",
 "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
 },
diff --git a/machines/WinMax2/default.nix b/machines/WinMax2/default.nix
index 187a110..899f761 100755
--- a/machines/WinMax2/default.nix
+++ b/machines/WinMax2/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
+ ./remote-builder.nix
 ];
 }
diff --git a/machines/WinMax2/remote-builder.nix b/machines/WinMax2/remote-builder.nix
new file mode 100644
index 0000000..1a3f839
--- /dev/null
+++ b/machines/WinMax2/remote-builder.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ flakeSelf,
+ ...
+}: let
+ hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+ hostKeyPath = "/etc/ssh/winmax2_host_key";
+in {
+ age.secrets = {
+ winmax2-host-key = {
+ file = hostSecrets + "host-private-key.age";
+ path = hostKeyPath;
+ mode = "0400";
+ };
+ "winmax2-host-key.pub" = {
+ file = hostSecrets + "host-public-key.age";
+ path = hostKeyPath + ".pub";
+ };
+ };
+
+ users = {
+ groups.nixrbld = {};
+ users.nixrbld = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "nixrbld";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
+ ];
+ };
+ };
+
+ nix.settings.trusted-users = ["nixrbld"];
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ # I only want it to be accesible though tailscale
+ openFirewall = false;
+ allowSFTP = false;
+ settings = {
+ UseDns = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ AllowUsers = ["nixrbld"];
+ };
+ hostKeys = [
+ {
+ path = hostKeyPath;
+ type = "ed25519";
+ comment = "Everest host key";
+ }
+ ];
+ };
+ networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];
+}
diff --git a/roles/common/programs/nix.nix b/roles/common/programs/nix.nix
index 1663df2..6cdf8ae 100755
--- a/roles/common/programs/nix.nix
+++ b/roles/common/programs/nix.nix
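Review bot: `UseDns = true;` in the sshd `settings` block is not an authentication control and is off by default in OpenSSH; it only makes sshd reverse-resolve every client before key exchange, adding latency and a DNS dependency to a tailscale-only service, so `UseDns = false;` (or dropping the line) is the better default here. The `hostKeys` list also replaces the NixOS default host keys with a key that is itself delivered through `age.secrets`; if the age identity is taken from `services.openssh.hostKeys` (agenix's default when openssh is enabled), the key needed to decrypt this secret would be the secret itself, so a fresh install should be confirmed to boot and, if not, `age.identityPaths` pointed at a key that exists before activation. Listing `nixrbld` in `nix.settings.trusted-users` makes that account able to do anything the Nix daemon can, which is effectively root on this host, so the authorized key's comment should record that, e.g. `Remote builder access key (nix trusted-user: root-equivalent on WinMax2)`. `comment = "Everest host key"` on a key at `/etc/ssh/winmax2_host_key` looks copied from another machine; `"WinMax2 host key"` would match the knownHosts entry added elsewhere in this commit. The whole new file lies within the hunk.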
@@ -1,9 +1,43 @@
-{systemPkgs, ...}: {
+{
+ systemPkgs,
+ config,
+ flakeSelf,
+ ...
+}: {
+ age.secrets = {
+ remoteBuilderKey.file = "${flakeSelf.inputs.secrets}/WinMax2/nixrbld-private-key.age";
+ };
+
+ programs.ssh = {
+ knownHosts.winmax2.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE+ksvEq/I2LMLOztVXpLE9yuI6EkRh4EtXdlYkhl6C WinMax2 host key";
+ extraConfig = ''
+ Host nixrbld
+ HostName winmax2
+ IdentitiesOnly yes
+ IdentityFile ${config.age.secrets.remoteBuilderKey.path}
+ User nixrbld
+ '';
+ };
+
 nix = {
 settings = {
 auto-optimise-store = true;
 experimental-features = "nix-command flakes";
 };
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "nixrbld";
+ system = "x86_64-linux";
+ protocol = "ssh-ng";
+ maxJobs = 4;
+ supportedFeatures = [
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
+ }
+ ];
 optimise = {
 automatic = true;
 dates = ["weekly"];
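Review bot: This file lives under roles/common, so if WinMax2 imports it too (the role name suggests every host does), the builder becomes a client of itself: `distributedBuilds = true` with the `nixrbld` entry in `buildMachines` would have WinMax2 ssh to its own address to build, and `age.secrets.remoteBuilderKey` would require `WinMax2/nixrbld-private-key.age` to decrypt on every host, including ones that never build remotely. Gating the `age.secrets`, `programs.ssh`, `distributedBuilds` and `buildMachines` parts on the host, e.g. `lib.mkIf (config.networking.hostName != "WinMax2") { ... }` with `lib` added to the function arguments, or moving them out of the common role, would avoid both problems. The `buildMachines` entry also depends on the `Host nixrbld` stanza in `programs.ssh.extraConfig` for its user and key, which is the system-wide ssh_config; the module has fields for exactly this, `sshUser = "nixrbld"; sshKey = config.age.secrets.remoteBuilderKey.path;`, which keep the builder definition self-contained. The `nix = {` attribute set continues past the end of the hunk.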