diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 4442203524306166d6187910df46e21eadfa78a1..463185d53c8fa45a04a1a05f4c99082a4e68d5ae 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -330,10 +330,37 @@ (define* (guix-build-accounts count #:key
                     1+
                     1))))
 
+(define (hydra-key-authorization guix)
+  "Return a gexp with code to register the hydra.gnu.org public key with
+GUIX."
+  #~(unless (file-exists? "/etc/guix/acl")
+      (let ((pid (primitive-fork)))
+        (case pid
+          ((0)
+           (let* ((key  (string-append #$guix
+                                       "/share/guix/hydra.gnu.org.pub"))
+                  (port (open-file key "r0b")))
+             (format #t "registering public key '~a'...~%" key)
+             (close-port (current-input-port))
+             ;; (close-fdes 0)
+             (dup port 0)
+             (execl (string-append #$guix "/bin/guix")
+                    "guix" "archive" "--authorize")
+             (exit 1)))
+          (else
+           (let ((status (cdr (waitpid pid))))
+             (unless (zero? status)
+               (format (current-error-port) "warning: \
+failed to register hydra.gnu.org public key: ~a~%" status))))))))
+
 (define* (guix-service #:key (guix guix) (builder-group "guixbuild")
-                       (build-accounts 10))
+                       (build-accounts 10) authorize-hydra-key?)
   "Return a service that runs the build daemon from GUIX, and has
-BUILD-ACCOUNTS user accounts available under BUILD-USER-GID."
+BUILD-ACCOUNTS user accounts available under BUILD-USER-GID.
+
+When AUTHORIZE-HYDRA-KEY? is true, the hydra.gnu.org public key provided by
+GUIX is authorized upon activation, meaning that substitutes from
+hydra.gnu.org are used by default."
   (mlet %store-monad ((accounts (guix-build-accounts build-accounts
                                                      #:group builder-group)))
     (return (service
@@ -349,7 +376,9 @@ (define* (guix-service #:key (guix guix) (builder-group "guixbuild")
              (user-groups (list (user-group
                                  (name builder-group)
                                  (members (map user-account-name
-                                               user-accounts)))))))))
+                                               user-accounts)))))
+             (activate (and authorize-hydra-key?
+                            (hydra-key-authorization guix)))))))
 
 (define %base-services
   ;; Convenience variable holding the basic services.
diff --git a/gnu/system/install.scm b/gnu/system/install.scm
index c69e51b2b545b3c5c7dc2f1e73b9cd3cc93c81cf..707f6b6c86ca7e1dbe936f98890dd3c5a12071f7 100644
--- a/gnu/system/install.scm
+++ b/gnu/system/install.scm
@@ -77,7 +77,12 @@ (define (normal-tty tty)
 
           ;; The usual services.
           (syslog-service)
-          (guix-service)
+
+          ;; The build daemon.  Register the hydra.gnu.org key as trusted.
+          ;; This allows the installation process to use substitutes by
+          ;; default.
+          (guix-service #:authorize-hydra-key? #t)
+
           (nscd-service))))
 
 (define %issue