diff --git a/config/default.nix b/config/default.nix
index 80238ecb..5b3fb799 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -74,10 +74,17 @@
 key = "aws/credentials";
 path = "/root/.aws/credentials";
 };
- sops.secrets."ssh/builder_id_ed25519" = {
+ sops.secrets."root/ssh/builder_id_ed25519" = {
 sopsFile = ../secrets/shared.yaml;
 owner = "root";
 key = "ssh/builder_id_ed25519";
+ path = "/root/.ssh/builder_id_ed25519";
+ };
+ sops.secrets."darkkirb/ssh/builder_id_ed25519" = {
+ sopsFile = ../secrets/shared.yaml;
+ owner = "darkkirb";
+ key = "ssh/builder_id_ed25519";
+ path = "/home/darkkirb/.ssh/builder_id_ed25519";
 };
 networking.nameservers = ["fd0d:a262:1fa6:e621:b4e1:08ff:e658:6f49" "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"];
diff --git a/config/nix.nix b/config/nix.nix
index 5272f16c..12f05d90 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -22,7 +22,7 @@ in {
 nix = {
 settings = {
 sandbox = true;
- trusted-users = ["@wheel"];
+ trusted-users = ["@wheel" "remote-build"];
 require-sigs = true;
 builders-use-substitutes = true;
 substituters = [
diff --git a/config/programs/builders.nix b/config/programs/builders.nix
index 5db6a219..10f4fe7c 100644
--- a/config/programs/builders.nix
+++ b/config/programs/builders.nix
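Review bot: The one private key `ssh/builder_id_ed25519` is now decrypted into three locations under three owners — root and darkkirb here, hydra in the hydra.nix hunk — so a compromise of any one of those accounts forces a rotation for all of them, and the build hosts cannot distinguish which principal connected. Consider one key per principal, or at least a comment on each declaration stating that they are copies of the same key material; also make the file mode explicit instead of relying on the sops-nix default, e.g. `mode = "0400";`, since OpenSSH ignores a private key that is readable by others. The enclosing attribute set starts and ends outside the hunk.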
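Review bot: Adding `remote-build` to `trusted-users` lets that account override daemon settings such as substituters and sandboxing, which Nix documents as effectively root-equivalent on the host; every holder of the builder key this commit decrypts for root, darkkirb and hydra therefore gains that power here. A trusted user is the usual requirement when clients push unsigned closures, but that should be stated on the line, e.g. `# remote-build receives unsigned closures from build clients; trusted-users is root-equivalent, so keep its authorized_keys minimal`. The settings block begins and ends outside the hunk.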
@@ -1,25 +1,25 @@
-_: {
+{config, ...}: {
 programs.ssh = {
 enable = true;
 matchBlocks = {
 "build-nas" = {
 hostname = "nas.int.chir.rs";
 identitiesOnly = true;
- identityFile = "/run/secrets/builder_id_ed25519";
+ identityFile = "${config.home.homeDirectory}/.ssh/builder_id_ed25519";
 port = 22;
 user = "remote-build";
 };
 "build-pc" = {
 hostname = "nutty-noon.int.chir.rs";
 identitiesOnly = true;
- identityFile = "/run/secrets/builder_id_ed25519";
+ identityFile = "${config.home.homeDirectory}/.ssh/builder_id_ed25519";
 port = 22;
 user = "remote-build";
 };
 "build-aarch64" = {
 hostname = "instance-20221213-1915.int.chir.rs";
 identitiesOnly = true;
- identityFile = "/run/secrets/builder_id_ed25519";
+ identityFile = "${config.home.homeDirectory}/.builder_id_ed25519";
 port = 22;
 user = "remote-build";
 };
diff --git a/config/programs/ssh.nix b/config/programs/ssh.nix
index 9604bc0d..a556a020 100644
--- a/config/programs/ssh.nix
+++ b/config/programs/ssh.nix
@@ -1,4 +1,7 @@
 _: {
+ imports = [
+ ./builders.nix
+ ];
 programs.ssh = {
 controlMaster = "auto";
 controlPersist = "10m";
diff --git a/config/services/hydra.nix b/config/services/hydra.nix
index 542cec4f..c6404d96 100644
--- a/config/services/hydra.nix
+++ b/config/services/hydra.nix
@@ -122,5 +122,10 @@ in {
 };
 };
 nix.settings.trusted-users = ["@hydra"];
- sops.secrets."ssh/builder_id_ed25519".owner = lib.mkForce "hydra";
+ sops.secrets."hydra/ssh/builder_id_ed25519" = {
+ sopsFile = ../../secrets/shared.yaml;
+ owner = "hydra";
+ key = "ssh/builder_id_ed25519";
+ path = "/var/lib/hydra/.ssh/builder_id_ed25519";
+ };
 }
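Review bot: The `build-aarch64` block sets `identityFile = "${config.home.homeDirectory}/.builder_id_ed25519"`, missing the `.ssh/` component that the `build-nas` and `build-pc` blocks use and that default.nix decrypts the key to (`/home/darkkirb/.ssh/builder_id_ed25519`), so with `identitiesOnly = true` that host will be offered no usable key. Change it to `identityFile = "${config.home.homeDirectory}/.ssh/builder_id_ed25519";`. Since all three blocks now share identical `identityFile`, `port` and `user` values, a single `let` binding for the key path would keep them from drifting again. The `matchBlocks` set closes outside the hunk.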