diff --git a/common/substitutors.nix b/common/substitutors.nix
index 855d7ee..02b34e3 100644
--- a/common/substitutors.nix
+++ b/common/substitutors.nix
@@ -13,7 +13,7 @@
         "https://cache.iog.io"
       ];
       trusted-public-keys = [
-        "cache.itepastra.nl:zCB+g5uXlDuFXbs9pI10UmidFQt17kFTaPywv+J33FQ="
+        "cache.itepastra.nl:ogbo80MrUQqtOyGACPjMf1SBdCOL+IQ3LEvRf/6gy1k="
         "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
         "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
         "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
diff --git a/hosts/nuos/configuration.nix b/hosts/nuos/configuration.nix
index b2aa7ec..f4dc503 100644
--- a/hosts/nuos/configuration.nix
+++ b/hosts/nuos/configuration.nix
@@ -148,6 +148,7 @@
     secrets = {
       "secrets/token-flurry".file = ../../secrets/github/flurry.age;
       "secrets/token-nixconf".file = ../../secrets/github/nixconf.age;
+      "secrets/nix-store-key".file = ../../secrets/nix-serve/private.age;
     };
   };
 
@@ -155,7 +156,7 @@
     nix-serve = {
       enable = true;
       package = pkgs.nix-serve-ng;
-      secretKeyFile = "/secrets/nix-store-key.pem";
+      secretKeyFile = config.age.secrets."secrets/nix-store-key".path;
       port = 22332;
     };
     github-runners = {
diff --git a/secrets/nix-serve/private.age b/secrets/nix-serve/private.age
new file mode 100644
index 0000000..b1dee46
--- /dev/null
+++ b/secrets/nix-serve/private.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 ropO2g reajL/TSZ+gq379mQUsG/Xzbwz89rI6zLLRdBJIeajI
+XqFW72j91D6uLYUvOOJI0T1PJBc95+1muS+v2+s14QI
+--- L+aEor9AfdbEDv1FJHZ5RvGUWrwN9uGaOhkNTneHDgI
+×!U²M‘à‹šJæýûÿžd¨Þ:&‘ Ä±-~LèXUÙ€'iÅÈ°2Ée/ÿYãcˆYç¢m;%ƒ³}½^Òp^Æ:Õw¸¨€–¨0e)·}¬Ú>÷êdÑsä	(èft™å}ÞÒc*ç
+8å|»×G|ZÅ/:Ñþ„èý
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0ae3732..d49e053 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,7 +6,8 @@ in
   "restic/env.age".publicKeys = [ noa ];
   "restic/repo.age".publicKeys = [ noa ];
   "restic/password.age".publicKeys = [ noa ];
-  "github/flurry.age".publicKeys = [ noa nuOS ];
-  "github/nixconf.age".publicKeys = [ noa nuOS ];
+  "github/flurry.age".publicKeys = [ nuOS ];
+  "github/nixconf.age".publicKeys = [ nuOS ];
+  "nix-serve/private.age".publicKeys = [ nuOS ];
 }