diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 3d377cc0e1ebbdec0dff421c806c901e2e5ce06d..f55b44443968059c0903a1ea976fe3287341c550 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -10,4 +10,5 @@
 , "allowedChargeOrigins": [
     "http://localhost:5000"
   ]
+, "deployKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTUgFOHIfRuVYEbxp8gD+H9uZV1RCQUC4AhCABYT57"
 }
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5345a16198e79dd8c91c8566fb62480ce5cea51a..3aeda9b507360644c2a00b479292b4071819d90f 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,6 +18,8 @@ let
           monitoringvpnIPv4 = "172.23.23.11";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   storage1 = {
@@ -29,6 +31,8 @@ let
         stateVersion = "19.09";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   storage2 = {
@@ -40,6 +44,8 @@ let
         stateVersion = "19.09";
       }))
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   monitoring = {
@@ -53,6 +59,8 @@ let
         stateVersion = "19.09";
       })
     ];
+    services.private-storage.deployment.authorizedKey = config.deployKey;
+    services.private-storage.deployment.gridName = "local";
   };
 
   # TBD: derive these automatically:
diff --git a/morph/grid/local/secrets/users.nix b/morph/grid/local/secrets/users.nix
index 93a8b660c78fa12b1e20c6d560f78efb1b5684c7..e981919227a147efad80a100648b5f8d3c21a428 100644
--- a/morph/grid/local/secrets/users.nix
+++ b/morph/grid/local/secrets/users.nix
@@ -1,4 +1,3 @@
-# Add your public key. Example: 
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+# Add your public key. Example:
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
 in { "root" = key; "vagrant" = key; }
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 417ef7965ea0120322995059fcca7a5a9afe2543..51046b436e297cdc5034134e3503556e8030588c 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -40,6 +40,9 @@ rec {
   };
 
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
+
     ../../nixos/modules/issuer.nix
     ../../nixos/modules/monitoring/vpn/client.nix
     ../../nixos/modules/monitoring/exporters/node.nix
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index b48820f0941694869fdda06e724ba1ae714b5993..fa769d5ebcb32d893310136291064a85c09beee2 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -21,6 +21,9 @@ rec {
   };
 
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
+
     ../../nixos/modules/monitoring/vpn/server.nix
     ../../nixos/modules/monitoring/server/grafana.nix
     ../../nixos/modules/monitoring/server/prometheus.nix
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 1cac51b43aa38fb90a535fd34ba53363fc0cdbaa..ebad3d17e17e0098f6e098d61d7c614fde91b31e 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -32,6 +32,8 @@ rec {
 
   # Any extra NixOS modules to load on this server.
   imports = [
+    # Allow us to remotely trigger updates to this system.
+    ../../nixos/modules/deployment.nix
     # Bring in our module for configuring the Tahoe-LAFS service and other
     # Private Storage-specific things.
     ../../nixos/modules/private-storage.nix
diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
old mode 100644
new mode 100755
index 592d373f61f73574ff1ff00088abf73ba9fb74ad..19cf7395f44d182657c948ed845014f8093e3a16
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -1,5 +1,5 @@
 # A NixOS module which enables remotely-triggered deployment updates.
-{ config, ... }:
+{ config, lib, ... }:
 let
   # A handy alias for our part of the configuration.
   cfg = config.services.private-storage.deployment;
@@ -11,7 +11,7 @@ let
     "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
   options = {
-    services.private-storage.deployment.authorizedKey = {
+    services.private-storage.deployment.authorizedKey = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample ''
         ssh-ed25519 AAAAC3N...
@@ -20,7 +20,7 @@ in {
         The SSH public key to authorize to trigger a deployment update.
       '';
     };
-    services.private-storage.deployment.gridName = {
+    services.private-storage.deployment.gridName = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample "staging";
       description = ''
@@ -31,6 +31,9 @@ in {
 
   config = {
     users.users.deployment = {
+      # Without some shell no login is possible at all, even to execute our
+      # restricted command.
+      useDefaultShell = true;
       openssh.authorizedKeys.keys = [
         (restrictedKey {
           inherit (cfg) authorizedKey gridName;
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 667bdd26215b4e0978781244741dd4c5313cefbd..3e90528322c153d6b96679af5d914c4e753b49bf 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -40,12 +40,6 @@
         # Agent forwarding is fraught.  It can be used by an attacker to
         # leverage one compromised system into more.  Discourage its use.
         AllowAgentForwarding no
-
-        # Only allow authentication as one of the configured users, not random
-        # other (often system-managed) users.  Possibly this is also
-        # superfluous!  NixOS system users have nologin as their shell ... so they
-        # cannot log in anyway.
-        AllowUsers ${builtins.concatStringsSep " " (builtins.attrNames cfg.sshUsers)}
       '';
     };
 
diff --git a/nixos/modules/update-deployment b/nixos/modules/update-deployment
old mode 100644
new mode 100755
index dd988031274f55cccd7cc7c8d1056ca125214a0d..0f9c714e4ce77e65599998dcd61c3986f9781abf
--- a/nixos/modules/update-deployment
+++ b/nixos/modules/update-deployment
@@ -1,11 +1,17 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p morph
+#!nix-shell -i bash -p morph git
 
 set -euxo pipefail
 
 GRIDNAME=$1
 shift
 
+if [ "${GRIDNAME}" = "local" ]; then
+    BRANCH="323.continuous-deployment"
+else
+    BRANCH="${GRIDNAME}"
+fi
+
 CHECKOUT="/run/user/$(id --user)/PrivateStorageio"
 REPO="https://whetstone.privatestorage.io/privatestorage/PrivateStorageio.git"
 
@@ -15,7 +21,7 @@ else
     git clone "${REPO}" "${CHECKOUT}"
     # Check out the right branch ... which also happens to be named after this
     # grid (or maybe this grid is named after the branch).
-    git -C "${CHECKOUT}" checkout "${GRIDNAME}"
+    git -C "${CHECKOUT}" checkout "${BRANCH}"
 fi
 
 morph deploy "${CHECKOUT}"/morph/grid/"${GRIDNAME}"/grid.nix switch --on "$(hostname)"