diff --git a/config/hosts/imxyy-nix-server/build.nix b/config/hosts/imxyy-nix-server/build.nix
new file mode 100644
index 0000000..4a8dd3f
--- /dev/null
+++ b/config/hosts/imxyy-nix-server/build.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ pkgs,
+ sopsRoot,
+ ...
+}:
+{
+ sops.secrets.et-imxyy-nix-server-nixremote = {
+ sopsFile = sopsRoot + /et-imxyy-nix-server-nixremote.toml;
+ format = "binary";
+ };
+ environment.systemPackages = [ pkgs.easytier ];
+ systemd.services."easytier-nixremote" = {
+ enable = true;
+ script = "${pkgs.easytier}/bin/easytier-core -c ${config.sops.secrets.et-imxyy-nix-server-nixremote.path}";
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ RestartMaxDelaySec = lib.mkOverride 500 "1m";
+ RestartSec = lib.mkOverride 500 "100ms";
+ RestartSteps = lib.mkOverride 500 9;
+ User = "root";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "sops-nix.service"
+ ];
+ };
+ users.groups.nixremote = { };
+ users.users.nixremote = {
+ isSystemUser = true;
+ description = "nix remote build user";
+ group = "nixremote";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEFLUkyeaK8ZPPZdVNEmtx8zvoxi7xqS2Z6oxRBuUPO imxyy@imxyy-nix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBWOy0QmAyxENg/O5m3cus8U3c9jCLioivwcWsh5/a82 imxyy-hisense-pad"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8pivvE8PMtsOxmccfNhH/4KehDKhBfUfJbQZxo/SZT imxyy-ace5"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKALTBn/QSGcSPgMg0ViSazFcaA0+nEF05EJpjbsI6dE imxyy_soope_@imxyy-cloudwin"
+
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIENauvvhVMLsUwH9cPYsvnOg7VCL3a4yEiKm8I524TE efl@efl-nix"
+ ];
+ };
+ nix.settings.trusted-users = [
+ "nixremote"
+ ];
+}
diff --git a/config/hosts/imxyy-nix-server/default.nix b/config/hosts/imxyy-nix-server/default.nix
index ad127f6..c60c7ca 100644
--- a/config/hosts/imxyy-nix-server/default.nix
+++ b/config/hosts/imxyy-nix-server/default.nix
@@ -21,5 +21,6 @@
 ./note.nix
 ./matrix.nix
 ./minio.nix
+ ./build.nix
 ];
 }
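Review bot: The nixremote account is declared with `isSystemUser = true;` and SSH keys but no `shell`, so unless a default shell is set elsewhere in the tree it gets NixOS's nologin default and the builder's `ssh nixremote@… nix-store --serve` will be refused before any build runs; add `shell = pkgs.bash;` (or `useDefaultShell = true;`) next to `isSystemUser = true;`. Listing nixremote in `nix.settings.trusted-users` makes every key in `openssh.authorizedKeys.keys` root-equivalent for the Nix store (it can push unsigned store paths and override daemon settings), which deserves a comment above the key list such as `# trusted-user: every key below can inject unsigned store paths — build hosts only`. Because the account only needs to run nix-store over SSH, the key entries could also carry the OpenSSH `restrict` authorized_keys option, which disables forwarding and PTY allocation for that key. `User = "root";` on easytier-nixremote mirrors the existing easytier unit in net.nix; if the daemon only needs to create its TUN device, an unprivileged user plus `AmbientCapabilities = [ "CAP_NET_ADMIN" ];` would narrow it, though what else the binary requires cannot be confirmed from this diff. The hunk is the entire new file, so nothing is cut off.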
diff --git a/config/hosts/imxyy-nix-server/net.nix b/config/hosts/imxyy-nix-server/net.nix
index b696dba..db33f0b 100644
--- a/config/hosts/imxyy-nix-server/net.nix
+++ b/config/hosts/imxyy-nix-server/net.nix
@@ -455,7 +455,7 @@
 environment.systemPackages = [ pkgs.easytier ];
 systemd.services."easytier" = {
 enable = true;
- script = "easytier-core -c ${config.sops.secrets.et-imxyy-nix-server.path}";
+ script = "${pkgs.easytier}/bin/easytier-core -c ${config.sops.secrets.et-imxyy-nix-server.path}";
 serviceConfig = {
 Restart = lib.mkOverride 500 "always";
 RestartMaxDelaySec = lib.mkOverride 500 "1m";
@@ -468,11 +468,6 @@
 "network.target"
 "sops-nix.service"
 ];
- path = with pkgs; [
- easytier
- iproute2
- bash
- ];
 };
 
 virtualisation.oci-containers = {
diff --git a/config/hosts/imxyy-nix-server/samba.nix b/config/hosts/imxyy-nix-server/samba.nix
index 34a8be4..b2b1903 100644
--- a/config/hosts/imxyy-nix-server/samba.nix
+++ b/config/hosts/imxyy-nix-server/samba.nix
@@ -26,9 +26,8 @@
 ];
 users = {
 users.nas = {
- isNormalUser = true;
- home = "/var/empty";
- description = "nas user";
+ isSystemUser = true;
+ description = "NAS user";
 group = "nextcloud";
 };
 };
diff --git a/config/hosts/imxyy-nix/net.nix b/config/hosts/imxyy-nix/net.nix
index 2c99917..4f2ebbd 100644
--- a/config/hosts/imxyy-nix/net.nix
+++ b/config/hosts/imxyy-nix/net.nix
@@ -113,7 +113,7 @@
 environment.systemPackages = [ pkgs.easytier ];
 systemd.services."easytier" = {
 enable = true;
- script = "easytier-core -c ${config.sops.secrets.et-imxyy-nix.path}";
+ script = "${pkgs.easytier}/bin/easytier-core -c ${config.sops.secrets.et-imxyy-nix.path}";
 serviceConfig = {
 Restart = lib.mkOverride 500 "always";
 RestartMaxDelaySec = lib.mkOverride 500 "1m";
@@ -126,10 +126,5 @@
 "network.target"
 "sops-nix.service"
 ];
- path = with pkgs; [
- easytier
- iproute2
- bash
- ];
 };
 }
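Review bot: Dropping `path = with pkgs; [ easytier iproute2 bash ]` in the second net.nix hunk removes iproute2 from the easytier unit's PATH, while the absolute `${pkgs.easytier}/bin/easytier-core` added in the first hunk only resolves the daemon binary itself; if easytier-core executes `ip` to bring up its TUN interface or install routes, that lookup will now fail at runtime, so the service journal is worth checking after the first restart. If the daemon does need it, keep `path = [ pkgs.iproute2 ];` (bash should not be required, since NixOS runs `script` through its own shell wrapper). The same removal is made in the config/hosts/imxyy-nix/net.nix hunk, and the new easytier-nixremote unit in build.nix is declared without a `path` as well, so all three share whatever outcome this has. The `systemd.services."easytier"` attribute set opens in the first hunk and is closed by the `};` in the second, with the lines between them outside the diff.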
diff --git a/secrets/et-imxyy-nix-server-nixremote.toml b/secrets/et-imxyy-nix-server-nixremote.toml
new file mode 100644
index 0000000..307f56c
--- /dev/null
+++ b/secrets/et-imxyy-nix-server-nixremote.toml
@@ -0,0 +1,23 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:Aw02ogS30lI3rRGREaeOBFN9RR+KOvWQ0ZIzQNgCVK0=,tag:p8PYkQ8wB6cUDzMP60+dzQ==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age1jf5pg2x6ta8amj40xdy0stvcvrdlkwc2nrwtmkpymu0qclk0eg5qmm9kns",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZG5leDR3SjhWcFFHMlpX\nNkZxc3cyWFRCazZqdEl2NVAxKzJhbkNQREJJClo2V01GYVpEN0tqOEIzSVVSU0hW\nNzFVMjhnSkcyQzFFSlpXSkpLWXJQVk0KLS0tIHFZM0V6Q2FWc1RhTWt5c0RGcXVB\nUVVSOEpNcllnM0pDSThjekpZcVc3TlEKYaYylNY/0gnWCaon0SrMDsVNTp7pXxOw\nr9+yYlaD/JQjOqZxuLYDZ27PxLwhAzRA2uVnHan2QcA1Yr84xMVNlg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1hpgg6psejh4y6jcdd34wxuml75fnweqpe0kh8376yqsctsfn9qxs037kk6",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUEllejRyUU9kZHA5MmlU\ndG5xUElFZG1OTzNGUytVb0Z4TE5zL3ZrejAwCnZaT1VTdWZxbVFOU2ZZMXMwc0VX\nTGp6WFMzSk1sV2xOejJ2VjR6QnFpWEEKLS0tIEk2dEdXaDhsV3FnSmhXQlhUc21I\nY3pMNVExc0tDV1crazIvODg5WUNYdG8KliiK+R1cIYw9IBYOxdpC/oZNKQqdbUBR\nDnMjZVqL8zn3UsA0glCBcz3gER99Pzg40r94/qAg5t6T4YJ5ByzJBg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1tp7th3rrv3x0l6jl76n0hjqjp223w2y586pkgr0hcjwdm254jd5shkj6a8",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdGg3QS93dHd1N3ZmMUpl\nVSt1NWplR0RoVEpTRTFMNDdxbVloclJUR0NjClgzalltamFtV0lYUHI5bUdpb1N1\nY0Y2NkxNRnVVMkJpNHZVdCtFdUdYRlkKLS0tIE1CNVYwbFFDUVJsRVFZR2c3cndU\nNTJncVZ2NkdXRnhKR1ZSdGcrWXVrK28K9pUGqIy3hT7VZ5JRcLaAZtGG1VxEPOlG\npDcrDoTRmZjAtaTLXu4bgQTUQaDa3iRWlm9gfRzAa7jSlu3M3OTcOw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-06-28T15:14:52Z",
+ "mac": "ENC[AES256_GCM,data:tAX/KU/iqeBr6AC4kLOqEF9NV6hfQNre8Yg1wPgJEryUGjPykXWh/NhdyoM1if3smSHJ+v+5DcPdsJDhWnl+ULgznka8IHdSTNBdAoZl5AzgmowIt1vAIALP4XwgbCVIo+wzqtcmdzCowQYatSTa+4mue4t6stdotue/j/b9EUM=,iv:xw4d83AHpxmaJi6vB5pnaHGcuPzKyYSw1BljYmUenM4=,tag:FHWq3uMktMvurSpFvi85bg==,type:str]",
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.10.2"
+ }
+}