diff --git a/machines/newton/services.nix b/machines/newton/services.nix
index 1466996..f752bf2 100644
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@@ -47,6 +47,8 @@ in
 homer = {
 enable = true;
 };
+ # remote build
+ remote-build.enable = true;
 # RSS provider for websites that do not provide any feeds
 rss-bridge = {
 enable = true;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index b579048..4e4177d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -34,6 +34,7 @@
 ./promtail
 ./prowlarr
 ./radarr
+ ./remote-build
 ./rss-bridge
 ./sonarr
 ./ssh-server
diff --git a/modules/services/remote-build/default.nix b/modules/services/remote-build/default.nix
new file mode 100644
index 0000000..210e4b5
--- /dev/null
+++ b/modules/services/remote-build/default.nix
@@ -0,0 +1,24 @@
+# manages remote builds
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.remote-build;
+in
+{
+ options.my.services.remote-build = {
+ enable = lib.mkEnableOption "remote-build user";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Create user for distributed nix builds
+ users.groups.nixremote = { };
+ users.users.nixremote = {
+ isSystemUser = true;
+ group = "nixremote";
+ home = "/home/nixremote";
+ homeMode = "550"; # disable write
+ shell = pkgs.bashInteractive;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYSzDdxqaNHmaaLqEvOK/vB65zvqoCebI3Nxzgg5smq root@thinkman" ];
+ };
+ nix.settings.trusted-users = [ "nixremote" ];
+ };
+}
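Review bot: In `modules/services/remote-build/default.nix`, `nix.settings.trusted-users = [ "nixremote" ];` makes whoever holds the hard-coded `root@thinkman` key effectively root on every host that enables this module, because a trusted Nix user can override daemon settings and import unsigned store paths; the module does not state that trade-off. If the client can sign its store paths, consider dropping this line and listing the client's signing key in `nix.settings.trusted-public-keys` instead, or at minimum add a comment such as `# trusted-users is root-equivalent: only accept keys from hosts trusted as much as this one`. The login can also be narrowed by prefixing the authorized key with the OpenSSH `restrict` option (`"restrict ssh-ed25519 …"`), which should still allow the build command while disabling PTY allocation and forwarding. Separately, `homeMode` is documented as applied only when `createHome` is true, which this user does not set, so `homeMode = "550"; # disable write` likely has no effect as written.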