diff --git a/flake.nix b/flake.nix
index cbb0a17..f79d450 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,24 +74,15 @@
flake = {
# Configurations for Linux (NixOS) systems
nixosConfigurations = {
- here = self.nixos-flake.lib.mkLinuxSystem {
- imports = [
- self.nixosModules.common # Defined in nixos/default.nix
- inputs.sops-nix.nixosModules.sops
- ./systems/here.nix
- ./nixos/server/harden.nix
- ];
- sops.defaultSopsFile = ./secrets.json;
- sops.defaultSopsFormat = "json";
- services.tailscale.enable = true;
- };
+ linux-builder = self.nixos-flake.lib.mkLinuxSystem
+ ./systems/linux-builder.nix;
immediacy = self.nixos-flake.lib.mkLinuxSystem {
imports = [
self.nixosModules.default # Defined in nixos/default.nix
inputs.sops-nix.nixosModules.sops
./systems/hetzner/ax41.nix
- ./nixos/server/harden.nix
+ ./nixos/server/harden
];
sops.defaultSopsFile = ./secrets.json;
sops.defaultSopsFormat = "json";
diff --git a/justfile b/justfile
index a230b4c..a1b95f1 100644
--- a/justfile
+++ b/justfile
@@ -2,8 +2,16 @@ default:
@just --list
# Remote deploy to a host
-remote host='here':
+remote-deploy host='linux-builder':
nixos-rebuild switch --fast --use-remote-sudo \
--flake .#{{host}} \
--target-host $USER@{{host}} \
--build-host $USER@{{host}}
+
+ # First install on a remote machine
+remote-install host='linux-builder':
+ nix run github:nix-community/nixos-anywhere \
+ -- \
+ --build-on-remote \
+ --flake .#{{host}} \
+ root@{{host}}
diff --git a/nixos/default.nix b/nixos/default.nix
index 1faae50..33d6f32 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -8,7 +8,7 @@
common.imports = [
./nix.nix
./caches
- ./ssh-authorize.nix
+ ./self/primary-as-admin.nix
];
my-home = {
@@ -24,7 +24,7 @@
self.nixosModules.home-manager
self.nixosModules.my-home
self.nixosModules.common
- ./self-ide.nix
+ ./self/self-ide.nix
./current-location.nix
];
};
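Review bot: The new `linux-builder` entry is built from a bare path, while the neighbouring `immediacy` entry still wraps its path in an attrset that imports `self.nixosModules.default` and the sops module, so the builder host does not receive the shared `common` module (the nixos/default.nix hunk shows `common.imports` carrying `./nix.nix`, `./caches` and `./self/primary-as-admin.nix`). systems/linux-builder.nix imports `primary-as-admin.nix` directly, but `./nix.nix` and `./caches` appear to be skipped, which for a remote builder means it may not share the substituter configuration of the other hosts. If that is intentional, a comment on the new line such as `# Standalone host: does not import nixosModules.common` would make the asymmetry explicit. The enclosing `flake` attrset closes outside the hunk.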
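Review bot: The new `remote-install` recipe runs `nix run github:nix-community/nixos-anywhere` with no revision pinned, so every install fetches and executes whatever the default branch currently holds, and it does so as root on the target (`root@{{host}}`). Pinning the reference to a commit or tag, e.g. `nix run github:nix-community/nixos-anywhere/<tag-or-rev> \`, or adding nixos-anywhere as a flake input so it is locked by flake.lock, keeps the installer reproducible and reviewable. A one-line comment above the recipe stating that it is meant for the first install only (the `--build-on-remote` path assumes the target is reachable as root with the password set up in systems/linux-builder.nix) would also help, since `remote-deploy` is the recipe referenced elsewhere.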
diff --git a/nixos/ssh-authorize.nix b/nixos/self/primary-as-admin.nix
similarity index 56%
rename from nixos/ssh-authorize.nix
rename to nixos/self/primary-as-admin.nix
index 721f0f0..6338745 100644
--- a/nixos/ssh-authorize.nix
+++ b/nixos/self/primary-as-admin.nix
@@ -1,7 +1,8 @@
+# Make flake.config.peope.myself the admin of the machine
{ flake, pkgs, lib, ... }: {
- # Let me login
+ # Login via SSH with mmy SSH key
users.users = let
people = flake.config.people;
@@ -13,6 +14,13 @@
openssh.authorizedKeys.keys = myKeys;
} // lib.optionalAttrs pkgs.stdenv.isLinux {
isNormalUser = true;
+ extraGroups = [ "wheel" ];
};
};
+
+ # Make me a sudoer without password
+ security = lib.optionalAttrs pkgs.stdenv.isLinux {
+ sudo.execWheelOnly = true;
+ sudo.wheelNeedsPassword = false;
+ };
}
diff --git a/nixos/self-ide.nix b/nixos/self/self-ide.nix
similarity index 100%
rename from nixos/self-ide.nix
rename to nixos/self/self-ide.nix
diff --git a/nixos/server/harden.nix b/nixos/server/harden/basics.nix
similarity index 53%
rename from nixos/server/harden.nix
rename to nixos/server/harden/basics.nix
index 2d283e1..a30edb7 100644
--- a/nixos/server/harden.nix
+++ b/nixos/server/harden/basics.nix
@@ -1,18 +1,15 @@
-{ flake, ... }: {
+{
# Firewall
networking.firewall.enable = true;
- security.sudo.execWheelOnly = true;
-
- security.sudo.wheelNeedsPassword = false;
- users.users.${flake.config.people.myself} = {
- extraGroups = [ "wheel" ];
- };
-
+ # Enable auditd
security.auditd.enable = true;
security.audit.enable = true;
+ # Standard openssh protections
+ #
+ # See primary-as-admin.nix to setup passwordless setup.
services = {
openssh = {
enable = true;
@@ -20,12 +17,8 @@
settings.PasswordAuthentication = false;
allowSFTP = false;
};
- fail2ban = {
- enable = true;
- ignoreIP = [
- "100.80.93.92" # Tailscale "appreciate"
- ];
- };
};
+
+ # 🤲
nix.settings.allowed-users = [ "root" "@users" ];
}
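Review bot: The two new comments in primary-as-admin.nix carry typos — `# Make flake.config.peope.myself the admin of the machine` should read `people`, and `# Login via SSH with mmy SSH key` should read `my`. The second hunk adds `extraGroups = [ "wheel" ]` alongside `sudo.wheelNeedsPassword = false`, so possession of the authorized SSH key is root-equivalent on every host importing this module; since the nixos/default.nix hunk places it in `common.imports`, this appears to widen passwordless sudo from the server-only harden.nix (where it is removed in the same commit) to all `common` consumers. Saying so in the header, e.g. `# NOTE: holders of the SSH key get passwordless root via sudo on every host that imports this module`, would keep the trust boundary visible to someone reading this file on its own.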
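Review bot: The comment `# 🤲` added above `nix.settings.allowed-users = [ "root" "@users" ];` in the second basics.nix hunk conveys nothing about the setting; `# Only root and members of "users" may connect to the nix daemon` would document what is being restricted. In the first hunk the wording `# See primary-as-admin.nix to setup passwordless setup.` is garbled and should read something like `# See primary-as-admin.nix for the passwordless-sudo admin user.`. Both `security.auditd.enable` and `security.audit.enable` are now under `# Enable auditd`; a short note on whether any `security.audit.rules` are expected to follow would help, since auditing without rules is easy to mistake for complete.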
diff --git a/nixos/server/harden/default.nix b/nixos/server/harden/default.nix
new file mode 100644
index 0000000..9e2e88c
--- /dev/null
+++ b/nixos/server/harden/default.nix
@@ -0,0 +1,14 @@
+{
+ imports = [
+ ./basics.nix
+ ];
+
+ services = {
+ fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "100.80.93.92" # Tailscale "appreciate"
+ ];
+ };
+ };
+}
diff --git a/systems/darwin/ci.nix b/systems/darwin/ci.nix
index 8814cb2..2455f07 100644
--- a/systems/darwin/ci.nix
+++ b/systems/darwin/ci.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ flake, pkgs, lib, ... }:
{
# TODO: Refactor this into a module, like easy-github-runners.nix
@@ -56,6 +56,18 @@
users.knownGroups = [ "github-runner" ];
users.knownUsers = [ "github-runner" ];
+ # If not using linux-builder, use a VM
+ nix.distributedBuilds = true;
+ nix.buildMachines = [{
+ hostName = "linux-builder";
+ systems = [ "aarch64-linux" "x86_64-linux" ];
+ supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
+ maxJobs = 6; # 6 cores
+ protocol = "ssh-ng";
+ sshUser = flake.config.people.myself;
+ sshKey = "/etc/ssh/ssh_host_ed25519_key";
+ }];
+
# To build Linux derivations whilst on macOS.
#
# NOTES:
@@ -64,7 +76,7 @@
# - To update virtualisation configuration, you have to disable, delete
# /private/var/lib/darwin-builder/ and re-enable.
nix.linux-builder = {
- enable = true;
+ enable = false;
systems = [
"x86_64-linux"
"aarch64-linux"
diff --git a/systems/disko/vm.nix b/systems/disko/trivial.nix
similarity index 84%
rename from systems/disko/vm.nix
rename to systems/disko/trivial.nix
index edf4bbf..2c6e0ac 100644
--- a/systems/disko/vm.nix
+++ b/systems/disko/trivial.nix
@@ -1,8 +1,11 @@
+# A trivial disk configuration with single root partition taking whole disk
+# space.
+{ device, ... }:
{
disk = {
main = {
+ inherit device;
type = "disk";
- device = "/dev/sda";
content = {
type = "gpt";
partitions = {
diff --git a/systems/here.nix b/systems/here.nix
deleted file mode 100644
index 9c03218..0000000
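Review bot: The new `nix.buildMachines` entry in ci.nix authenticates to the builder as `sshUser = flake.config.people.myself` with the Mac's own host key `sshKey = "/etc/ssh/ssh_host_ed25519_key"`; the systems/linux-builder.nix hunk authorizes that key for the same user and lists the user in `nix.settings.trusted-users`, and primary-as-admin.nix appears to grant that user passwordless sudo, so the host key file effectively holds root on the builder VM. A dedicated build-only user on the VM (trusted for the nix daemon only if unsigned paths must be imported, and not in `wheel`) would keep that credential at least privilege. The comment `# If not using linux-builder, use a VM` is also confusing because the entry itself has `hostName = "linux-builder"` while the option disabled in the last hunk is nix-darwin's `nix.linux-builder`; `# Parallels VM "linux-builder" as a remote builder; the built-in nix.linux-builder is disabled below` would disambiguate. Since the daemon presumably opens the SSH connection as root, the VM's host key must also be in root's known_hosts on first use; pinning it via nix-darwin's `programs.ssh.knownHosts` would make that declarative rather than interactive.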
--- a/systems/here.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-# My Linux VM running on macOS
-{ flake, modulesPath, ... }: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- flake.inputs.disko.nixosModules.disko
- ];
- system.stateVersion = "23.11";
- services.openssh.enable = true;
- services.ntp.enable = true; # Accurate time in Parallels VM?
- boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- binfmt.emulatedSystems = [ "x86_64-linux" ]; # For cross-compiling
- swraid.mdadmConf = ''
- MAILADDR srid@srid.ca
- '';
- };
- nixpkgs.hostPlatform = "aarch64-linux";
-
- hardware.parallels.enable = true;
-
- networking = {
- hostName = "here";
- networkmanager.enable = true;
- };
- time.timeZone = "America/New_York";
- disko.devices = import ./disko/vm.nix;
-}
diff --git a/systems/linux-builder.nix b/systems/linux-builder.nix
new file mode 100644
index 0000000..379017e
--- /dev/null
+++ b/systems/linux-builder.nix
@@ -0,0 +1,51 @@
+/* My Linux VM running on macOS
+
+ ## Using Parallels to create a NixOS VM
+
+ - Boot into a NixOS graphical installer
+ - Open terminal, and set a root password using `sudo su -` and `passwd root`
+ - Authorize yourself to login to the root user using `ssh-copy-id -o PreferredAuthentications=password root@linux-builder`
+ - Run nixos-anywhere (see justfile; `j remote-deploy`)
+*/
+{ flake, modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ flake.inputs.disko.nixosModules.disko
+ ../nixos/self/primary-as-admin.nix
+ ../nixos/server/harden/basics.nix
+ # Parallels VM support
+ {
+ hardware.parallels.enable = true;
+ nixpkgs.config.allowUnfree = true; # for parallels
+ services.ntp.enable = true; # Accurate time in Parallels VM?
+ }
+ ];
+
+ # Basics
+ system.stateVersion = "23.11";
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ swraid.mdadmConf = ''
+ MAILADDR srid@srid.ca
+ '';
+ };
+ disko.devices = import ./disko/trivial.nix { device = "/dev/sda"; };
+ networking = {
+ hostName = "linux-builder";
+ networkmanager.enable = true;
+ };
+ time.timeZone = "America/New_York";
+
+ # Distributed Builder
+ nixpkgs.hostPlatform = "aarch64-linux";
+ boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; # For cross-compiling
+ services.openssh.enable = true;
+ users.users.${flake.config.people.myself}.openssh.authorizedKeys.keys = [
+ # macos /etc/ssh/ssh_host_ed25519_key.pub
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPGfskkyhM0wefy0Sex2t5GENEHTIZAWrb9LzRN0R9x"
+ ];
+ nix.settings.trusted-users = [ "root" flake.config.people.myself ];
+}
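Review bot: The header comment's last step says `- Run nixos-anywhere (see justfile; \`j remote-deploy\`)`, but the justfile hunk names the nixos-anywhere recipe `remote-install` (`remote-deploy` is the `nixos-rebuild switch` recipe), so the step should read `- Run nixos-anywhere (see justfile; \`j remote-install\`)`. The same comment instructs setting a root password and using password authentication for the initial copy of the key, while the imported `../nixos/server/harden/basics.nix` sets `PasswordAuthentication = false` once the system is installed; that is the right end state, but a closing line such as `After install, password SSH login is disabled by harden/basics.nix; only the key below remains usable` would make the sequence explicit. Under `# Distributed Builder`, the authorized key is the Mac's host key and the same user is listed in `nix.settings.trusted-users` and, via primary-as-admin.nix, presumably in `wheel` with passwordless sudo, so a comment noting that this key is root-equivalent on the VM would be worth adding next to `# macos /etc/ssh/ssh_host_ed25519_key.pub`. `services.openssh.enable = true;` is also already set by basics.nix, so the local line is redundant and could be dropped.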