diff --git a/data.nix b/data.nix
index a10a75b..2b4172d 100644
--- a/data.nix
+++ b/data.nix
@@ -48,6 +48,7 @@ rec {
   tailscale_subnet = {
     cidr = "100.89.176.0/20";
     range = "100.89.176.0-100.89.191.255";
+    pattern = "100.89.176.?"; # until we have more hosts
   };
 
   jakstysLTZone = let
diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix
index aed54ef..8fac9da 100644
--- a/modules/services/deployerbot/default.nix
+++ b/modules/services/deployerbot/default.nix
@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  myData,
   ...
 }: {
   options.mj.services.deployerbot.main = with lib.types; {
@@ -95,7 +96,9 @@
       isSystemUser = true;
       createHome = true;
       uid = uidgid;
-      openssh.authorizedKeys.keys = [publicKey];
+      openssh.authorizedKeys.keys = let
+        restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
+      in [restrictedPubKey];
     };
   };
   users.groups.deployerbot-follower.gid = uidgid;
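Review bot: The `from=` pattern interpolated into `restrictedPubKey` is fragile: in sshd's authorized_keys pattern syntax `?` matches exactly one character, so `100.89.176.?` only admits 100.89.176.0 through 100.89.176.9, and the eleventh host (or any address in the rest of the /20 the subnet already declares) is silently rejected rather than being covered by the comment's "until we have more hosts". OpenSSH accepts CIDR notation in `from=`, so the existing field can be used directly and the new `pattern` attribute dropped: `restrictedPubKey = "from=\"${myData.tailscale_subnet.cidr}\" " + publicKey;`. Note that `from=` only restricts the source address sshd sees, so it depends on these connections arriving over the tailnet interface rather than a relay or NAT hop; for a deploy-only key consider also prefixing `restrict,` so the key cannot open a shell, forward ports or use an agent. The enclosing `users.users` definition begins outside the hunk.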