diff --git a/hosts/tkaronto/modules/secrets.nix b/hosts/tkaronto/modules/secrets.nix
index 305c1ec..bf62cd6 100644
--- a/hosts/tkaronto/modules/secrets.nix
+++ b/hosts/tkaronto/modules/secrets.nix
@@ -8,4 +8,11 @@
 owner = "systemd-network";
 group = "systemd-network";
 };
+
+ age.secrets.nixBuildKey = {
+ file = ../../../secrets/nixBuildKey.age;
+ owner = "root";
+ group = "nix-build-key-access";
+ };
+ users.groups."nix-build-key-access" = {};
 }
diff --git a/modules/develop/nixbuild/default.nix b/modules/develop/nixbuild/default.nix
index fb84531..b0ecf9b 100644
--- a/modules/develop/nixbuild/default.nix
+++ b/modules/develop/nixbuild/default.nix
@@ -1,8 +1,8 @@
-{...}: {
+{config, ...}: {
 programs.ssh.extraConfig = ''
 Host eu.nixbuild.net
 PubkeyAcceptedKeyTypes ssh-ed25519
- IdentityFile /etc/nixos/keys/nixbuild.key
+ IdentityFile ${config.age.secrets.nixBuildKey.path}
 '';
 
 programs.ssh.knownHosts = {
diff --git a/secrets/nixBuildKey.age b/secrets/nixBuildKey.age
new file mode 100644
index 0000000..7d4fde5
Binary files /dev/null and b/secrets/nixBuildKey.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fd8c250..dcd3feb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,5 @@ in {
 "bernbotToken.age".publicKeys = [yusdacra wolumonde];
 "musikquadConfig.age".publicKeys = [yusdacra wolumonde];
 "nixGithubAccessToken.age".publicKeys = [yusdacra];
+ "nixBuildKey.age".publicKeys = [yusdacra];
 }
diff --git a/shells/default.nix b/shells/default.nix
index eea6e72..f3dfeeb 100644
--- a/shells/default.nix
+++ b/shells/default.nix
@@ -7,7 +7,7 @@ tlib.genPkgs (pkgs: let
 if [ -z "''${1-}" ]; then
 agenix
 else
- RULES="/etc/nixos/secrets/secrets.nix" agenix -i /etc/nixos/keys/ssh_key "$@"
+ RULES="/etc/nixos/secrets/secrets.nix" agenix -i /persist/keys/ssh_key "$@"
 fi
 '';
 };
diff --git a/users/modules/musikcube/default.nix b/users/modules/musikcube/default.nix
index c2ff4c5..3c6f6cc 100644
--- a/users/modules/musikcube/default.nix
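Review bot: The new `age.secrets.nixBuildKey` sets `group = "nix-build-key-access"` but no `mode`, and agenix's default mode is owner-read-only (0400 as far as I recall), so membership in that group — which the users/patriot hunk grants — does not actually let anyone but root read the key. If group read is the intent, add `mode = "0440";` next to `group`; if it is not, the group and the patriot change have no effect and could be dropped. A one-line comment stating what the key is and who is meant to read it would make the intent checkable, e.g. `# nixbuild.net SSH identity; readable by members of nix-build-key-access`. Every member of that group receives the raw private key, so the group should stay as small as the build workflow needs.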
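Review bot: `IdentityFile ${config.age.secrets.nixBuildKey.path}` makes this shared module depend on a secret that is declared only in hosts/tkaronto/modules/secrets.nix, so importing it on a host without that declaration now fails evaluation with a missing-attribute error rather than the old behaviour of pointing at a possibly absent file. Document the requirement at the top of the module, `# Requires the host to declare age.secrets.nixBuildKey (see hosts/tkaronto/modules/secrets.nix).`, or guard it with an assertion so the failure message says what is missing. Also worth confirming which user runs the builds: as I understand it, ssh's identity-file permission check only rejects group/other bits when the file is owned by the invoking user, so a root-owned key with group read works for group members but would be refused when root itself invokes ssh. The rest of the extraConfig string and knownHosts continue outside the hunk.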
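Review bot: The new rule lists only `yusdacra` as a recipient, so the host that activates hosts/tkaronto/modules/secrets.nix must be able to present that identity at activation; if `yusdacra` is a personal key rather than the tkaronto host key, decryption of nixBuildKey.age fails at boot. The `let` binding that defines these names is outside the hunk, so this cannot be confirmed here, and the same recipient set is already used for `nixGithubAccessToken.age`, which suggests it is deliberate. A short trailing comment on the new line, `# nixbuild.net SSH identity for tkaronto`, would record that expectation.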
+++ b/users/modules/musikcube/default.nix
@@ -1,4 +1,9 @@
-{config, pkgs, lib, ...}: let
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
 cfg = config.programs.musikcube;
 in {
 options = {
diff --git a/users/modules/musikcubed/default.nix b/users/modules/musikcubed/default.nix
index d178f10..237db79 100644
--- a/users/modules/musikcubed/default.nix
+++ b/users/modules/musikcubed/default.nix
@@ -1,4 +1,9 @@
-{config, lib, pkgs, ...}: let
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
 cfg = config.services.musikcubed;
 in {
 options = {
diff --git a/users/patriot/default.nix b/users/patriot/default.nix
index 0ba1a5d..94e8003 100644
--- a/users/patriot/default.nix
+++ b/users/patriot/default.nix
@@ -20,6 +20,7 @@ in {
 "adbusers"
 "dialout"
 "video"
+ "nix-build-key-access"
 (l.optional nixosConfig.networking.networkmanager.enable "networkmanager")
 (l.optional nixosConfig.virtualisation.docker.enable "docker")
 ];
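Review bot: `"nix-build-key-access"` is added to the group list unconditionally, but the group is only created where hosts/tkaronto/modules/secrets.nix is imported, so this user module would reference an undefined group on any other host. The two entries directly below already use `l.optional` for host-dependent groups, and the same shape fits here: `(l.optional (nixosConfig.users.groups ? "nix-build-key-access") "nix-build-key-access")`. Joining this group hands the user the nixbuild.net private key, which deserves a one-line comment at the entry, `# read access to the nixbuild.net SSH key (age.secrets.nixBuildKey)`. The enclosing extraGroups list starts outside the hunk.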