diff --git a/launch/main.tf b/launch/main.tf
index 3c3c4c93..909577a5 100644
--- a/launch/main.tf
+++ b/launch/main.tf
@@ -37,7 +37,7 @@ locals {
 # FIXME settle for pwd when in /nix/store?
 # FIXME calculate separately to reduce false positives
 data "external" "hash" {
-  program = ["sh", "-c", "echo '{\"hash\":\"$(nix-hash ..)\"}'"]
+  program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""]
 }
 
 # TF resource to build and deploy NixOS instances.
@@ -102,6 +102,13 @@ resource "terraform_data" "nixos" {
               ];
               # nix path for debugging
               nix.nixPath = [ "${local.nix_path}" ];
+              ## FIXME: switch root authentication to users with password-less sudo, see #24
+              users.users.root.openssh.authorizedKeys.keys = let
+                keys = import ../keys;
+              in attrValues keys.contributors ++ [
+                # allow our panel vm access to the test machines
+                keys.panel
+              ];
             } //
             # template parameters passed in from TF thru json
             builtins.fromJSON "${replace(jsonencode({