diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
index 3982f28..543cdd7 100644
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -5,8 +5,16 @@ let
 in
 {
   options.malobeo.users = {
-    malobeo = lib.mkEnableOption "enable malobeo user";
-    admin = lib.mkEnableOption "enable admin user";
+    malobeo = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable malobeo user, defaults to on";
+    };
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable admin user, defaults to on to prevent lockouts";
+    };
   };
   config = lib.mkMerge [
     (lib.mkIf cfg.malobeo {
@@ -27,6 +35,7 @@ in
         extraGroups = [ "networkmanager" ];
       };
       environment.systemPackages = with pkgs; [];
+      nix.settings.trusted-users = [ "admin" ];
       security.sudo.extraRules = [
         {
           users = [ "admin" ];