diff --git a/nixos/modules/deployment.nix b/nixos/modules/deployment.nix
index aa2d1d395859a1f140f9d79c78e42639c2885586..4b03ff349dae9329577a63ff0fd3569c1843b8dd 100755
--- a/nixos/modules/deployment.nix
+++ b/nixos/modules/deployment.nix
@@ -8,6 +8,9 @@ let
   # execute a certain command *only*.
   restrictedKey =
     { authorizedKey, command, gridName }:
+    # `restrict` means "disable all the things" then `command` means "but
+    # enable running this one command" (the client does not have to supply the
+    # command; if they authenticate, this is the command that will run).
     "restrict,command=\"${command} ${gridName}\" ${authorizedKey}";
 in {
   options = {
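Review bot: The comment added above the key string says the client does not have to supply a command, but it omits that a command the client does supply is still handed to the forced command in `SSH_ORIGINAL_COMMAND`. Whatever `command` points at must therefore ignore or strictly validate that variable; I would add `# sshd exposes any client-supplied command as SSH_ORIGINAL_COMMAND; the forced command must never evaluate it.` Separately, on the unchanged string line, `${command} ${gridName}` is interpolated inside the double-quoted `command="..."` option without escaping, so a `"` in either value would end the option early and change how the rest of the authorized_keys line is parsed. Both values presumably come from trusted module configuration, but an assertion on their character set or explicit escaping would make that assumption enforceable. The `let` block and the module body continue outside the hunk.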