diff --git a/modules/remote-builder.nix b/modules/remote-builder.nix
index 04b32a6..6c74f92 100644
--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -39,7 +39,9 @@ in
       isSystemUser = true;
       group = cfg.group;
       useDefaultShell = true;
-      openssh.authorizedKeys.keys = cfg.authorizedKeys;
+      openssh.authorizedKeys.keys = map (
+        key: ''restrict,command="nix-daemon --stdio" ${key}''
+      ) cfg.authorizedKeys;
     };
 
     users.groups.${cfg.user} = { };