diff --git a/contributors.nix b/contributors.nix index 9475a27..df76a01 100644 --- a/contributors.nix +++ b/contributors.nix @@ -35,7 +35,9 @@ canonicalEmail = "jett@burrow.net"; isAdmin = true; forgeAuthorized = false; + forgeUnixUser = true; bootstrapAuthentik = true; + sshPublicKeyPath = ./nixos/keys/jett_at_burrow_net.pub; roles = [ "member" "operator" diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix index 1b46f6c..96eca4f 100644 --- a/nixos/hosts/burrow-forge/default.nix +++ b/nixos/hosts/burrow-forge/default.nix @@ -3,6 +3,7 @@ let contributors = import ../../../contributors.nix; identities = contributors.identities; + stripNewline = value: lib.replaceStrings [ "\n" ] [ "" ] value; authentikPasswordSecretPath = identity: if identity ? authentikPasswordSecret then config.age.secrets.${identity.authentikPasswordSecret}.path @@ -27,6 +28,23 @@ let } ) (lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities); + forgeUnixUsernames = + builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeUnixUser or false) identities); + forgeUnixUsers = lib.genAttrs forgeUnixUsernames (username: + let + identity = identities.${username}; + sshKeys = lib.optional (identity ? sshPublicKeyPath) (stripNewline (builtins.readFile identity.sshPublicKeyPath)); + in + { + isNormalUser = true; + createHome = true; + home = "/home/${username}"; + shell = pkgs.bashInteractive; + extraGroups = lib.optional (identity.isAdmin or false) "wheel"; + openssh.authorizedKeys.keys = sshKeys; + }); + forgeUnixAdminUsernames = + builtins.attrNames (lib.filterAttrs (_: identity: (identity.forgeUnixUser or false) && (identity.isAdmin or false)) identities); forgeAuthorizedKeys = map (username: builtins.readFile identities.${username}.sshPublicKeyPath) (builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeAuthorized or false) identities)); 
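Review bot: The new `forgeUnixUser` flag carries no comment saying what it grants, and on this page it is the combination `forgeUnixUser = true` plus the pre-existing `isAdmin = true` that ends up meaning a shell account on burrow-forge in `wheel` with passwordless sudo; nothing visible shows `isAdmin` was meant to imply host-level privilege, so a maintainer flipping it for Authentik reasons would not expect root. I would add above the new line: `# forgeUnixUser: shell account on burrow-forge keyed by sshPublicKeyPath; with isAdmin = true the account also gets wheel + NOPASSWD sudo.` It is also worth noting how this relates to `forgeAuthorized`, which stays `false` here while the unix account is granted — I cannot tell from this diff what that flag gates, and the two now overlap in meaning.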
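Review bot: `extraGroups = lib.optional (identity.isAdmin or false) "wheel"` reuses a flag that the visible code otherwise only evaluates alongside `bootstrapAuthentik`, so a single `isAdmin = true` now spans both the IdP and root on the forge; a dedicated field (e.g. `forgeUnixAdmin`) or an explicit `(identity.forgeUnixUser or false) && (identity.isAdmin or false)` documented in contributors.nix would keep the two trust domains separable. The key handling also accepts any file content: `stripNewline` deletes every `\n`, so a file holding two keys, or a CRLF-terminated line, collapses into one malformed `authorized_keys` entry that sshd presumably ignores (a lockout rather than a bypass), and a `forgeUnixUser` without `sshPublicKeyPath` gets an account with neither key nor password. I would use `lib.removeSuffix "\n"` and assert the result starts with `ssh-`, and require `sshPublicKeyPath` for any `forgeUnixUser` so an unreachable account is an evaluation error instead of a silent state. The `let` block this hunk extends starts before the hunk.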
@@ -52,6 +70,18 @@ in "flakes" ]; + users.users = forgeUnixUsers; + + security.sudo.extraRules = lib.map (username: { + users = [ username ]; + commands = [ + { + command = "ALL"; + options = [ "NOPASSWD" ]; + } + ]; + }) forgeUnixAdminUsernames; + environment.systemPackages = lib.optionals config.services.forgejo-nsc.enable [ self.packages.${pkgs.stdenv.hostPlatform.system}.nsc ]; diff --git a/nixos/keys/jett_at_burrow_net.pub b/nixos/keys/jett_at_burrow_net.pub new file mode 100644 index 0000000..36c85ee --- /dev/null +++ b/nixos/keys/jett_at_burrow_net.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMe960j6TC869F6RvElpICxlBauIT3E0uLyy0m7n70ZC diff --git a/secrets.nix b/secrets.nix index e3fd9a2..32d7882 100644 --- a/secrets.nix +++ b/secrets.nix @@ -2,10 +2,12 @@ let conradev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBueQxNbP2246pxr/m7au4zNVm+ShC96xuOcfEcpIjWZ"; contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa"; agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net"; + jett = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./nixos/keys/jett_at_burrow_net.pub); burrowForgeHost = "age1quxf27gnun0xghlnxf3jrmqr3h3a3fzd8qxpallsaztd2u74pdfq9e7w9l"; burrowForgeRecipients = [ contact agent + jett burrowForgeHost ]; uiTestRecipients = burrowForgeRecipients ++ [ conradev ]; diff --git a/secrets/infra/authentik-google-account-map.json.age b/secrets/infra/authentik-google-account-map.json.age index b3cb6f8..158814a 100644 Binary files a/secrets/infra/authentik-google-account-map.json.age and b/secrets/infra/authentik-google-account-map.json.age differ diff --git a/secrets/infra/authentik-google-client-id.age b/secrets/infra/authentik-google-client-id.age index f295804..344c73b 100644 Binary files a/secrets/infra/authentik-google-client-id.age and b/secrets/infra/authentik-google-client-id.age differ 
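Review bot: The `security.sudo.extraRules` entry grants every forge admin `command = "ALL"` with `NOPASSWD`, so the private key behind `sshPublicKeyPath` becomes the single factor for root on burrow-forge; the accounts created in this series set no `hashedPassword`, which is presumably why password-less sudo was chosen, but that trade-off is recorded nowhere. Those users are already in `wheel`, so unless `security.sudo.wheelNeedsPassword` is disabled elsewhere this rule is the only thing removing the prompt — I would either drop it and ship a per-user `hashedPasswordFile` from agenix, or keep it and say why: `# forge admins have no local password, so sudo is key-only; rotating the SSH key is rotating root`. The enclosing attribute set starts before and ends after this hunk.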
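Review bot: `jett` in `burrowForgeRecipients` can now decrypt every `secrets/infra/*.age` file offline from a repo checkout — the Google and OIDC client secrets and `forgejo-nsc-token` among them — and, through `uiTestRecipients = burrowForgeRecipients ++ [ conradev ]`, the UI-test secrets as well; that is a wider grant than the host account the same key unlocks in contributors.nix, and the rekeyed binaries below confirm it takes effect. If that is intended I would state it next to the recipient: `# jett: forge unix admin (contributors.nix); can decrypt all infra secrets — rekey everything when this key rotates`. The key now lives in one file read by both `secrets.nix` and the host config, which keeps the two in step but means any rotation must land in the same commit as the rekey.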
diff --git a/secrets/infra/authentik-google-client-secret.age b/secrets/infra/authentik-google-client-secret.age index 43ecf0b..9a841c7 100644 --- a/secrets/infra/authentik-google-client-secret.age +++ b/secrets/infra/authentik-google-client-secret.age @@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ux4N8Q 4uq5z93mRUUgcMOxP4+Yfe2Jq4tGYErwtzvtMHUvgi0 -J9DkDeSPkQbOjFM3QoV+1Kz3ZVLfR4PUxCT8Zxz+Wvk --> ssh-ed25519 IrZmAg uLEVmJ+e9ZiLas5YooR4GfgyspWTsFdMB2WPvluU/VI -7vqqQ/BIDQaOp6VDVLa5ugoRxVZZsMj116cTHY6+8KM --> X25519 9spF9eLz63UOaBfuG9vTIr6bCKwzFsWMjnaIj1PIR3Y -iGFELg2RQUT9rEal7pblQhfxtwYhxsZdXYxEhvjtHpw ---- 3TDrUnIN826N/n5gc+YY8ilMMc/6K8zGTh6FxzKC/JM -XH#IJGueֹf&1a2BJԎg=̿.*7Fb \ No newline at end of file +-> ssh-ed25519 ux4N8Q Q3rYrGroJXarMLdatYCHVERefWDyGwM0Ii/kOp5m3Fs +W3tgHNXLSVfGU5p8MhBj0mX72SNgMl8nf8sQX29yvBw +-> ssh-ed25519 IrZmAg fyFQQkd51GthNZ4R+W5Al266LnlKbr4ZoMERlCM1OTQ +rNjnHTGCfF8LkqU8mzTrHlL5G4az1k62gvH4gW8zmjc +-> ssh-ed25519 0kWPgQ OWokv9XAphqbkDi1cznb9V09VcM6Li1eIh0JpcIlVTY +TnPVlqKB78y7NPYp02UJmuRXdBMKJKCngpvo8TjpFZ8 +-> X25519 HWaWhyejjo4IjDrNsBYxU1JaGU0899FqiBYgstInuiU +enbBGnhH+uJKY3NBD6mmy09Uos+in6ytRQ5BakvTUvI +--- gOBrh88hnvlUSmnRiowJiUIwgIz5zzVKH8YCRb8Ckdw +xokPn8v򵄙HRʏoMË9&Tb]ĉ'|<Pbe \ No newline at end of file diff --git a/secrets/infra/authentik-ui-test-password.age b/secrets/infra/authentik-ui-test-password.age index e84a7be..773833e 100644 Binary files a/secrets/infra/authentik-ui-test-password.age and b/secrets/infra/authentik-ui-test-password.age differ diff --git a/secrets/infra/authentik.env.age b/secrets/infra/authentik.env.age index f9f6136..dbada85 100644 Binary files a/secrets/infra/authentik.env.age and b/secrets/infra/authentik.env.age differ diff --git a/secrets/infra/forgejo-nsc-autoscaler-config.age b/secrets/infra/forgejo-nsc-autoscaler-config.age index 28e3d4a..5b5da65 100644 Binary files a/secrets/infra/forgejo-nsc-autoscaler-config.age and b/secrets/infra/forgejo-nsc-autoscaler-config.age differ 
diff --git a/secrets/infra/forgejo-nsc-dispatcher-config.age b/secrets/infra/forgejo-nsc-dispatcher-config.age index 5ef71b5..4ab9cc0 100644 Binary files a/secrets/infra/forgejo-nsc-dispatcher-config.age and b/secrets/infra/forgejo-nsc-dispatcher-config.age differ diff --git a/secrets/infra/forgejo-nsc-token.age b/secrets/infra/forgejo-nsc-token.age index ff8c278..68b6572 100644 Binary files a/secrets/infra/forgejo-nsc-token.age and b/secrets/infra/forgejo-nsc-token.age differ diff --git a/secrets/infra/forgejo-oidc-client-secret.age b/secrets/infra/forgejo-oidc-client-secret.age index ce6c440..68c35e9 100644 Binary files a/secrets/infra/forgejo-oidc-client-secret.age and b/secrets/infra/forgejo-oidc-client-secret.age differ diff --git a/secrets/infra/headscale-oidc-client-secret.age b/secrets/infra/headscale-oidc-client-secret.age index 925512c..81cff1c 100644 Binary files a/secrets/infra/headscale-oidc-client-secret.age and b/secrets/infra/headscale-oidc-client-secret.age differ diff --git a/secrets/infra/tailscale-oidc-client-secret.age b/secrets/infra/tailscale-oidc-client-secret.age index e88c2d1..3c3c074 100644 Binary files a/secrets/infra/tailscale-oidc-client-secret.age and b/secrets/infra/tailscale-oidc-client-secret.age differ