diff --git a/common/default.nix b/common/default.nix
index 1f4547d..6465876 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
+    ./sysadmin
     ./users
     ./environment.nix
     ./nginx.nix
diff --git a/common/sysadmin/default.nix b/common/sysadmin/default.nix
new file mode 100644
index 0000000..5e0cdc0
--- /dev/null
+++ b/common/sysadmin/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.qenya.sysadmin;
+in
+{
+  options.qenya.sysadmin.enable = mkEnableOption "Base configuration for headless servers";
+
+  config = mkIf cfg.enable {
+    # Allow remote deployment with colmena
+    deployment.targetUser = null;
+    security.sudo.wheelNeedsPassword = false;
+    nix.settings.trusted-users = [ "@wheel" ];
+  };
+}
diff --git a/deployment/local.nix b/deployment/local.nix
deleted file mode 100644
index 752e9ce..0000000
--- a/deployment/local.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ name, nodes, config, lib, pkgs, ... }:
-
-{
-  deployment = {
-    allowLocalDeployment = true;
-    targetHost = null;
-    tags = [ "local" ];
-  };
-}
diff --git a/deployment/remote.nix b/deployment/remote.nix
deleted file mode 100644
index 022ff5e..0000000
--- a/deployment/remote.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ name, nodes, config, lib, pkgs, ... }:
-
-{
-  deployment = {
-    targetHost = "${name}.birdsong.network";
-    targetUser = "qenya";
-    tags = [ "remote" ];
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-  nix.settings.trusted-users = [ "@wheel" ];
-}
diff --git a/flake.nix b/flake.nix
index a262ee5..c86693f 100644
--- a/flake.nix
+++ b/flake.nix
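Review bot: `security.sudo.wheelNeedsPassword = false;` together with `nix.settings.trusted-users = [ "@wheel" ];` makes every member of wheel root-equivalent on any host that enables this module (the Nix manual describes trusted-users as essentially root access), and the only comment in the new file, `# Allow remote deployment with colmena`, does not say so. I would document the trade-off where the lines are set, e.g. `# Deploy user escalates via sudo; wheel members are root-equivalent (passwordless sudo + nix trusted-users), so keep wheel limited to deploy accounts.`, and mention it in the `mkEnableOption` description rather than only "Base configuration for headless servers". `deployment.targetUser = null` replaces the explicit `targetUser = "qenya";` from the deleted deployment/remote.nix; as far as I recall colmena then leaves the login user to the SSH client configuration of whoever runs the deploy, which is worth stating next to the line so a deploy from another account is not a surprise. Note also that the `deployment.*` options exist only when colmena injects its module, so evaluating this file with plain NixOS tooling would, I believe, fail on an undeclared option even with `enable = false`, since `mkIf` does not suppress that check.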
@@ -22,11 +22,14 @@
   outputs = inputs@{ self, nixpkgs, home-manager, nur, agenix, birdsong, ... }: {
     colmena = {
-      meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; };
-      meta.nodeNixpkgs.kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow
+      meta = {
+        nixpkgs = import nixpkgs { system = "x86_64-linux"; };
+        nodeNixpkgs = {
+          kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow
+        };
+      };
       defaults = { name, nodes, config, lib, pkgs, ... }: {
-        deployment.replaceUnknownProfiles = lib.mkDefault false;
         networking.hostName = name;
         nix.settings.experimental-features = "nix-command flakes";
@@ -62,9 +65,12 @@
       tohru = { name, nodes, ... }: {
         networking.hostId = "31da19c1";
         time.timeZone = "Europe/London";
+        deployment = {
+          allowLocalDeployment = true;
+          targetHost = null; # disallow remote deployment
+        };
         imports = [
-          ./deployment/local.nix
           ./hosts/tohru/configuration.nix
         ];
       };
@@ -72,9 +78,9 @@
       yevaud = { name, nodes, ... }: {
         networking.hostId = "09673d65";
         time.timeZone = "Etc/UTC";
+        deployment.targetHost = "yevaud.birdsong.network";
         imports = [
-          ./deployment/remote.nix
           ./hosts/yevaud/configuration.nix
         ];
       };
@@ -82,9 +88,9 @@
       orm = { name, nodes, ... }: {
         networking.hostId = "00000000";
         time.timeZone = "Etc/UTC";
+        deployment.targetHost = "orm.birdsong.network";
         imports = [
-          ./deployment/remote.nix
           ./hosts/orm/configuration.nix
         ];
       };
@@ -93,12 +99,11 @@
         networking.hostId = "534b538e";
         time.timeZone = "Etc/UTC";
         deployment = {
+          targetHost = "kalessin.birdsong.network";
           buildOnTarget = true;
-          replaceUnknownProfiles = true;
         };
         imports = [
-          ./deployment/remote.nix
           ./hosts/kalessin/configuration.nix
         ];
       };
diff --git a/hosts/kalessin/configuration.nix b/hosts/kalessin/configuration.nix
index 84c9f82..238ddb9 100644
--- a/hosts/kalessin/configuration.nix
+++ b/hosts/kalessin/configuration.nix
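Review bot: Dropping `deployment.replaceUnknownProfiles = lib.mkDefault false;` from `defaults` is a behaviour change buried inside what is otherwise a reformat of `meta`; every node now falls back to colmena's own default for that option, and kalessin's explicit `replaceUnknownProfiles = true;` is removed in the last hunk of this file as well. The old `mkDefault false` looked like a deliberate refusal to overwrite a system profile colmena did not recognise, so if relaxing it is intended a one-line comment in `defaults` recording why would help the next reader; otherwise restore the line. The `meta` restructure itself is equivalent to the two previous attribute paths. The `defaults` function continues outside the hunk.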
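Review bot: The `tags = [ "local" ];` that the deleted deployment/local.nix set is not carried over into the new inline `deployment` block for tohru, and the same happens with `tags = [ "remote" ];` for yevaud, orm and kalessin in the following hunks, so any `colmena apply --on @local` or `@remote` invocation silently matches nothing after this commit. If tag-based targeting is still wanted, add `tags = [ "local" ];` here and `tags = [ "remote" ];` to the three remote nodes; if not, the commit message should record that the tags were dropped. The `# disallow remote deployment` comment on `targetHost = null;` is a good addition.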
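Review bot: `deployment.targetHost = "yevaud.birdsong.network";` hard-codes the hostname that the deleted deployment/remote.nix derived as `"${name}.birdsong.network"`; the node attribute and the literal can now drift independently (the same applies to orm and kalessin in the next two hunks), so `deployment.targetHost = "${name}.birdsong.network";` is the less fragile form since `name` is already in scope. The `targetUser` that remote.nix set explicitly now comes only from the `qenya.sysadmin` module, so a remote node whose host config does not set `qenya.sysadmin.enable` gets colmena's default target user with no hint in this file; a comment such as `# targetUser and passwordless sudo come from qenya.sysadmin in the host config` next to this line would make the dependency visible. The `yevaud` attribute set continues outside the hunk.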
@@ -7,6 +7,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+
+  qenya.sysadmin.enable = true;
   system.stateVersion = "23.11";
 }
diff --git a/hosts/orm/configuration.nix b/hosts/orm/configuration.nix
index 1403b3d..d33d4e6 100644
--- a/hosts/orm/configuration.nix
+++ b/hosts/orm/configuration.nix
@@ -7,6 +7,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+
+  qenya.sysadmin.enable = true;
   age.secrets.wireguard-peer-orm.file = ../../secrets/wireguard-peer-orm.age;
diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix
index 0c21462..d8d11aa 100644
--- a/hosts/yevaud/configuration.nix
+++ b/hosts/yevaud/configuration.nix
@@ -7,6 +7,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+
+  qenya.sysadmin.enable = true;
   age.secrets.wireguard-peer-yevaud.file = ../../secrets/wireguard-peer-yevaud.age;
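Review bot: `qenya.sysadmin.enable = true;` is a one-line switch that, through the common/sysadmin/default.nix added in this commit, turns on passwordless sudo for wheel and adds `@wheel` to `nix.settings.trusted-users` on this host, and nothing at the enable site says so; the same line is added to hosts/orm and hosts/yevaud in the following two hunks. I would annotate it here and in those two files, e.g. `qenya.sysadmin.enable = true; # colmena deploys: passwordless wheel sudo + nix trusted-users`, so the privilege grant is visible when reading the host config on its own. The enclosing attribute set starts outside the hunk.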