diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 15b5693b..4606ddf4 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -54,6 +54,10 @@ in ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider ## supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; + users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [ + # allow our panel vm access to the test machines + keys.panel + ]; + }; } diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 6a69278e..c849dc46 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -22,10 +22,26 @@ let { vmName, isTestVm }: { _module.args = { inherit inputs; }; - imports = [ - ./common/resource.nix - (if isTestVm then ./test-machines + "/${vmName}" else ./machines + "/${vmName}") - ]; + imports = + [ + ./common/resource.nix + ] + ++ ( + if isTestVm then + [ + ./test-machines/${vmName} + { + nixos.module.users.users.root.openssh.authorizedKeys.keys = [ + # allow our panel vm access to the test machines + (import ../keys).panel + ]; + } + ] + else + [ + ./machines/${vmName} + ] + ); fediversityVm.name = vmName; }; diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix index 4f90c473..5c4236fc 100644 --- a/infra/machines/fedi201/fedipanel.nix +++ b/infra/machines/fedi201/fedipanel.nix @@ -15,6 +15,24 @@ in defaults.email = "beheer@procolix.com"; }; + age.secrets.panel-ssh-key = { + owner = name; + mode = "400"; + }; + + programs.ssh.startAgent = true; + + home-manager = { + users.${name}.home = { + stateVersion = "25.05"; + file.".ssh/config" = { + text = '' + IdentityFile ${config.age.secrets.panel-ssh-key.path} + ''; + }; + }; + }; + services.${name} = { enable = true; production = true; diff --git a/keys/default.nix b/keys/default.nix index c51049cb..6e33783b 100644 --- a/keys/default.nix +++ b/keys/default.nix 
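Review bot: The added `keys.panel` entry in `users.users.root.openssh.authorizedKeys.keys` of infra/common/resource.nix grants the panel's key root login on every machine that imports this common module, while its own comment says the intent is access to the test machines only. The flake-part.nix hunk in this same commit already appends the same key inside the `isTestVm` branch, so the resource.nix change looks like a leftover that widens the grant to the `./machines/${vmName}` hosts as well; dropping it and keeping `users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;` unchanged would match the stated intent. In flake-part.nix, `(import ../keys).panel` re-imports the key set where resource.nix reads a `keys` binding; if that binding is reachable there, `keys.panel` would avoid the second import. Both enclosing attribute sets continue outside their hunks.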
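Review bot: `programs.ssh.startAgent = true` in infra/machines/fedi201/fedipanel.nix enables a system-wide ssh-agent for login sessions, while the key is already selected directly through `IdentityFile ${config.age.secrets.panel-ssh-key.path}` in the generated `~/.ssh/config`; unless the panel service actually consumes an agent socket, the option adds nothing and is worth removing. In the same config text, adding `IdentitiesOnly yes` under the `IdentityFile` line keeps ssh from offering any other identity an agent might hold. Host-key verification for the target machines is not set up in this hunk; if the panel connects non-interactively, the test machines' host keys need provisioning (for example `programs.ssh.knownHosts`, possibly from the `keys.systems` set in keys/default.nix if those are host keys) so the connection never has to fall back to disabling the check. The `age.secrets.panel-ssh-key` block with `owner = name; mode = "400";` does limit the private key to the service user. The enclosing module continues outside the hunk.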
@@ -34,4 +34,5 @@ in { contributors = collectKeys ./contributors; systems = collectKeys ./systems; + panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub); } diff --git a/keys/panel-ssh-key.pub b/keys/panel-ssh-key.pub new file mode 100644 index 00000000..3f2d09a8 --- /dev/null +++ b/keys/panel-ssh-key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWfTPs64ImqGh3c/Y+3zqB9YVr5ApsKiS/aTLGXUTzb panel@fedi201 diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix index 27359503..ecf06e0f 100644 --- a/panel/nix/configuration.nix +++ b/panel/nix/configuration.nix @@ -158,8 +158,7 @@ in }; users.users.${name} = { - isSystemUser = true; - group = name; + isNormalUser = true; }; users.groups.${name} = { }; diff --git a/secrets/panel-ssh-key.age b/secrets/panel-ssh-key.age new file mode 100644 index 00000000..427d9972 Binary files /dev/null and b/secrets/panel-ssh-key.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f2e30797..167234d4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -28,6 +28,7 @@ concatMapAttrs forgejo-email-password = [ vm02116 ]; forgejo-runner-token = [ ]; panel-secret-key = [ fedi201 ]; + panel-ssh-key = [ fedi201 ]; wiki-basicauth-htpasswd = [ vm02187 ]; wiki-password = [ vm02187 ]; wiki-smtp-password = [ vm02187 ];
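Review bot: The `panel` entry added in keys/default.nix is the raw contents of keys/panel-ssh-key.pub, which carries no authorized_keys options, so wherever it lands in `authorizedKeys.keys` it is an unrestricted root login accepted from any source address. Since this key is meant for one automated caller on fedi201, prefixing the entry with options such as `from="<fedi201 address>",restrict` (placeholder address) or a `command=` wrapper for the exact operation the panel performs would bound what a leaked key can do; the options can live in the .pub file itself or be prepended in this expression. The rest of the attribute set is outside the hunk.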
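Review bot: Replacing `isSystemUser = true; group = name;` with `isNormalUser = true;` in panel/nix/configuration.nix drops the explicit primary group, so the `${name}` user presumably ends up in the default group for normal users even though `users.groups.${name} = { };` is still declared right below; anything relying on files owned by that group would change. It also turns the service account into a regular, login-capable user with a home under /home; if the switch exists only to give home-manager a home directory, keeping `isSystemUser = true; group = name;` and adding `home = "/var/lib/${name}"; createHome = true;` (example path) would likely serve the same purpose while keeping the account non-interactive. The enclosing module continues outside the hunk.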