diff --git a/modules/darwin/nix/default.nix b/modules/darwin/nix/default.nix
index 2a0001c..4dcb0f4 100644
--- a/modules/darwin/nix/default.nix
+++ b/modules/darwin/nix/default.nix
@@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+  config,
+  pkgs,
+  lib,
+  ...
 }:
 with lib;
 with lib.metacfg;
@@ -32,35 +33,37 @@ in
       {
         package = cfg.package;
 
-        settings =
-          {
-            experimental-features = "nix-command flakes";
-            http-connections = 50;
-            warn-dirty = false;
-            log-lines = 50;
+        settings = {
+          experimental-features = "nix-command flakes";
+          http-connections = 50;
+          warn-dirty = false;
+          log-lines = 50;
 
-            # Large builds apparently fail due to an issue with darwin:
-            # https://github.com/NixOS/nix/issues/4119
-            sandbox = false;
+          # Large builds apparently fail due to an issue with darwin:
+          # https://github.com/NixOS/nix/issues/4119
+          sandbox = false;
 
-            # This appears to break on darwin
-            # https://github.com/NixOS/nix/issues/7273
-            auto-optimise-store = false;
+          # This appears to break on darwin
+          # https://github.com/NixOS/nix/issues/7273
+          auto-optimise-store = false;
 
-            allow-import-from-derivation = true;
+          allow-import-from-derivation = true;
 
-            trusted-users = users;
-            allowed-users = users;
+          trusted-users = users;
+          allowed-users = [
+            "@users"
+            "root"
+          ];
 
-            # NOTE: This configuration is generated by nix-installer so I'm adding it here in
-            # case it becomes important.
-            extra-nix-path = "nixpkgs=flake:nixpkgs";
-            build-users-group = "nixbld";
-          }
-          // (lib.optionalAttrs config.metacfg.tools.direnv.enable {
-            keep-outputs = true;
-            keep-derivations = true;
-          });
+          # NOTE: This configuration is generated by nix-installer so I'm adding it here in
+          # case it becomes important.
+          extra-nix-path = "nixpkgs=flake:nixpkgs";
+          build-users-group = "nixbld";
+        }
+        // (lib.optionalAttrs config.metacfg.tools.direnv.enable {
+          keep-outputs = true;
+          keep-derivations = true;
+        });
 
         gc = {
           automatic = true;
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 7ff6bec..c6d618b 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -75,7 +75,10 @@ in
           sandbox = true;
           auto-optimise-store = true;
           trusted-users = users;
-          allowed-users = users;
+          allowed-users = [
+            "@users"
+            "root"
+          ];
 
           substituters = [
             cfg.default-substituter.url