diff --git a/modules/microvm.nix b/modules/microvm.nix
index b44048e8..8df5d8a8 100644
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@@ -62,21 +62,10 @@ in
     };
   };
 
-  config.system.build = with pkgs; {
-    copyToServer = writeScript "copy-to-${server}" ''
-      #! ${runtimeShell} -e
-
-      nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@
-    '';
-
-    runOnServer = writeScript "run-on-${server}" ''
-      #! ${runtimeShell} -e
-
-      ssh root@${serverFQDN} -- $@
-    '';
-  };
-
   config = {
+    # autoupdates do not make sense inside MicroVMs with read-only /nix/store
+    c3d2.autoUpdate = false;
+
     boot.kernelParams = [
       "preempt=none"
       # No server/router runs any untrusted user code
@@ -123,6 +112,9 @@ in
       useNetworkd = true;
     };
 
+    # nix store is mounted read only
+    nix.gc.automatic = false;
+
     systemd.network = lib.mkIf config.c3d2.deployment.autoNetSetup {
       links = builtins.foldl' (links: net: links // {
         "30-${net}" = {
@@ -165,10 +157,18 @@ in
       }) {} nets;
     };
 
-    # autoupdates do not make sense inside MicroVMs with read-only /nix/store
-    c3d2.autoUpdate = false;
+    system.build = with pkgs; {
+      copyToServer = writeScript "copy-to-${server}" ''
+        #! ${runtimeShell} -e
 
-    # nix store is mounted read only
-    nix.gc.automatic = false;
+        nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} $@
+      '';
+
+      runOnServer = writeScript "run-on-${server}" ''
+        #! ${runtimeShell} -e
+
+        ssh root@${serverFQDN} -- $@
+      '';
+    };
   };
 }
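Review bot: Both wrapper scripts moved into `system.build` in the last hunk pass their arguments as an unquoted `$@`, so any store path or command argument containing whitespace or glob characters is split and expanded by the shell before reaching `nix copy` or `ssh`; the move is a good moment to quote them, `nix copy --no-check-sigs --to ssh-ng://root@${serverFQDN} "$@"` and `ssh root@${serverFQDN} -- "$@"`. The `--no-check-sigs` flag also deserves a why-comment next to the `nix copy` line, since it disables signature verification on the paths pushed to the server and the reader cannot tell from this file that the paths are locally built and therefore unsigned; something like `# paths are built locally and unsigned; the server trusts this deploy host via SSH` if that is the intent. The enclosing `config = { ... }` attribute set begins in the first hunk and its remaining lines are outside this hunk.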