diff --git a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
index 0d5ca61..f2c173e 100644
--- a/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
+++ b/nix/hosts/cc-ci-orchestrator-hetzner/configuration.nix
@@ -9,7 +9,15 @@
 {
   # hardware.nix is the nixos-infect generated hardware-configuration.nix (see README Stage 2a).
 
-  services.openssh = { enable = true; settings.PermitRootLogin = "yes"; };
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+  };
+
+  # Root SSH access (the cc-ci-root-ed25519 key used by all loops tooling).
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcyTGb/wVgdhg5oBCZZvBaR1RuUQRY/3WHnOQpNDCsp claude-cc-ci-sandbox@20260526"
+  ];
   networking.useDHCP = true;
   networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
   networking.firewall = {