diff --git a/astro.pub b/astro.pub new file mode 100644 index 0000000..efcbe5c --- /dev/null +++ b/astro.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 stephan@mayhem diff --git a/flake.nix b/flake.nix index 38a7d2b..a69c398 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ let inherit (self.nixosConfigurations) quakeserver; - remoteCommand = "ssh -Co ClearAllForwardings=yes sbz -- sudo lxc-attach -n quake-astro --"; + remote = "2a01:4f9:4b:39ec::1c"; in rec { rootfs = quakeserver.config.system.build.toplevel; container = quakeserver.config.system.build.tarball; @@ -20,8 +20,8 @@ writeScriptBin "deploy" '' #! ${runtimeShell} -e - nix-store --export $(cat ${writeReferencesToFile rootfs}) | pv -brep | ${remoteCommand} /run/current-system/sw/bin/nix-store --import - ${remoteCommand} ${rootfs}/bin/switch-to-configuration switch + nix copy --to ssh://root@${remote} ${rootfs} + ssh root@${remote} ${rootfs}/bin/switch-to-configuration switch ''; } // import ./pkgs/baseq3.nix (inputs // { inherit system; }) diff --git a/nixos-modules/container.nix b/nixos-modules/container.nix index 366b8e0..d4ee259 100644 --- a/nixos-modules/container.nix +++ b/nixos-modules/container.nix @@ -15,10 +15,14 @@ networking.useDHCP = false; systemd.network.enable = false; services.resolved.enable = false; + networking.firewall.allowedTCPPorts = [ 22 ]; services.openssh = { - enable = false; - startWhenNeeded = false; + startWhenNeeded = true; + permitRootLogin = "prohibit-password"; }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../astro.pub + ]; environment.noXlibs = false; environment.systemPackages = with pkgs; [
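Review bot: The new deploy script in flake.nix logs in as root at a literal address, and nothing in the repository pins that host's SSH key, so the target's authenticity rests on whatever known_hosts the deploying machine happens to hold. Because the copied closure is then activated with `switch-to-configuration switch`, consider committing the host's public key and enforcing it on both commands, e.g. `NIX_SSHOPTS="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path-to-committed-known_hosts>"` for `nix copy` and the same `-o` options on the `ssh` line. Separately, `remote` (defined in the previous hunk) is a bare IPv6 literal interpolated into `ssh://root@${remote}`; URI syntax expects IPv6 hosts in brackets, so it is worth confirming that `nix copy` parses this form as intended. The attribute set around the script starts and ends outside the hunk.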
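Review bot: In nixos-modules/container.nix the hunk removes `enable = false;` from `services.openssh` but adds no `enable = true;`, and that option defaults to off in NixOS, so unless another module turns it on the daemon will not be set up and `startWhenNeeded = true;` has no effect; state `enable = true;` here explicitly. With port 22 now opened and root reachable by key, password logins for every other account are still left to the module default, so I would also add `passwordAuthentication = false;` next to `permitRootLogin = "prohibit-password";`. The enclosing attribute set begins and ends outside the hunk.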