diff --git a/services/hydra.nix b/services/hydra.nix
index c06e2ef..4a5fe09 100644
--- a/services/hydra.nix
+++ b/services/hydra.nix
@@ -42,7 +42,7 @@ in mkIf (elem "hydra" config.machine.services) {
 # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
 extraConfig = ''
 max_output_size = 4294967296
- store_uri = file://${cacheDir}?secret-key=${cfg.secretPath}/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
+ store_uri = file://${cacheDir}?secret-key=${config.sops.secrets."services.hydra.secretKey".path}&write-nar-listing=1&ls-compression=br&log-compression=br
 # add ?local-nar-cache= to set nar cache location
 server_store_uri = https://cache.${cfg.domain}
 binary_cache_public_uri https://cache.${cfg.domain}
@@ -54,7 +54,7 @@ in mkIf (elem "hydra" config.machine.services) {
 enable = true;
 bindAddress = "0.0.0.0";
 port = 5000;
- secretKeyFile = "${cfg.secretPath}/hydra_cache";
+ secretKeyFile = config.sops.secrets."services.hydra.secretKey".path;
 extraParams = ''
 # Dont know how to change the store root yet...
 # --user hydra-queue-runner
@@ -64,4 +64,8 @@ in mkIf (elem "hydra" config.machine.services) {
 };
 systemd.services.nix-serve.serviceConfig.User = mkForce "hydra";
 systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;
+ sops.secrets."services/hydra/secretKey" = {
+ owner = "hydra";
+ group = "hydra";
+ };
 }
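Review bot: The new `store_uri` line in the first hunk reads `config.sops.secrets."services.hydra.secretKey".path`, but the only declaration this commit adds (last hunk) is `sops.secrets."services/hydra/secretKey"`. Inside quotes these are two different attribute names, so unless a dotted secret is declared elsewhere, evaluation should stop on a missing attribute. The same dotted reference is used for `secretKeyFile` in the nix-serve hunk. Both references should use the declared name, `config.sops.secrets."services/hydra/secretKey".path`. The `extraConfig` string continues outside the hunk.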
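Review bot: The added `sops.secrets."services/hydra/secretKey"` block in the last hunk sets `owner` and `group` but no `mode`, and sops-nix defaults to `0400`, so only the `hydra` user can read the cache signing key. nix-serve is forced to run as `hydra` and is covered. The `store_uri` key is read by the queue runner, which in the stock NixOS Hydra module runs as `hydra-queue-runner` in group `hydra`; if that holds on this host, signing will fail. Consider adding `mode = "0440";` with a comment such as `# group-readable so hydra-queue-runner can sign; never world-readable`, since this key vouches for everything the cache serves.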