Diffstat (limited to 'nixpkgs/doc/packages')
-rw-r--r--nixpkgs/doc/packages/darwin-builder.section.md12
1 files changed, 11 insertions, 1 deletions
diff --git a/nixpkgs/doc/packages/darwin-builder.section.md b/nixpkgs/doc/packages/darwin-builder.section.md
index bf6ef906ca5a..3a547de53705 100644
--- a/nixpkgs/doc/packages/darwin-builder.section.md
+++ b/nixpkgs/doc/packages/darwin-builder.section.md
@@ -1,5 +1,12 @@
 # darwin.linux-builder {#sec-darwin-builder}
 
+:::{.warning}
+By default, `darwin.linux-builder` uses a publicly-known private SSH **host key** (this is different from the SSH key used by the user that connects to the builder).
+
+Given the intended use case for it (a Linux builder that runs **on the same machine**), this shouldn't be an issue.
+However, if you plan to deviate from this use case in any way (e.g. by exposing this builder to remote machines), you should understand the security implications of doing so and take any appropriate measures.
+:::
+
 `darwin.linux-builder` provides a way to bootstrap a Linux remote builder on a macOS machine.
 
 This requires macOS version 12.4 or later.
@@ -97,6 +104,7 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
         { virtualisation = {
             host.pkgs = pkgs;
             darwin-builder.workingDirectory = "/var/lib/darwin-builder";
+            darwin-builder.hostPort = 22;
           };
         }
       ];
@@ -110,7 +118,9 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
           {
             nix.distributedBuilds = true;
             nix.buildMachines = [{
-              hostName = "ssh://builder@localhost";
+              hostName = "localhost";
+              sshUser = "builder";
+              sshKey = "/etc/nix/builder_ed25519";
               system = linuxSystem;
               maxJobs = 4;
               supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];