diff --git a/flake.nix b/flake.nix
index 5d66806..961895f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,10 +3,10 @@
   nixConfig = {
     extra-substituters = [
-      "https://zackartz.cachix.org"
+      "https://hydra.zoeys.computer"
     ];
     extra-trusted-public-keys = [
-      "zackartz.cachix.org-1:nrEfVZF8MVX0Lnt73KwYzH2kwDzFuAoR5VPjuUd4R30="
+      "hydra.zoeys.computer-1:ssh-ed25519:0000000b7373682d65643235353139000000205f061b28bd7b23ff28347b79ac7719587c471904487cebc19172a682240256cc"
     ];
   };
diff --git a/modules/nixos/sites/hydra/default.nix b/modules/nixos/sites/hydra/default.nix
index 79bacb3..79dc704 100644
--- a/modules/nixos/sites/hydra/default.nix
+++ b/modules/nixos/sites/hydra/default.nix
@@ -7,17 +7,31 @@ with lib; with lib.custom; let
   cfg = config.sites.hydra;
+
+  sec = config.age.secrets;
 in {
   options.sites.hydra = with types; {
     enable = mkBoolOpt false "Enable Hydra";
   };
   config = mkIf cfg.enable {
+    age.secrets = {
+      hydra_key = {
+        owner = "hydra";
+        group = "hydra";
+        file = ./sec/hydra_key.age;
+      };
+    };
+
     services.hydra = {
       enable = true;
       hydraURL = "https://hydra.zoeys.computer";
       useSubstitutes = true;
       notificationSender = "hydra@localhost"; # e-mail of hydra service
+
+      extraConfig = ''
+        binary_cache_secret_key_file = ${sec.hydra_key.path}
+      '';
     };
     services.nginx.virtualHosts."hydra.zoeys.computer" = {
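Review bot: The new value on the `+` line under `extra-trusted-public-keys` does not look like a Nix binary-cache key: Nix expects `name:<base64 of a 32-byte Ed25519 key>` (the removed cachix entry shows that shape), whereas this value is `ssh-ed25519:` followed by hex whose leading bytes `0000000b 7373682d65643235353139` decode to the length prefix and the ASCII string "ssh-ed25519" of an SSH wire-format public key blob. If that is what it is, Nix will reject it when parsing trusted keys, so nothing served from `https://hydra.zoeys.computer` will verify and the substituter is effectively dead. Generate a proper pair with `nix-store --generate-binary-cache-key hydra.zoeys.computer-1 hydra_key.sec hydra_key.pub` and put the `.pub` contents here, e.g. `"hydra.zoeys.computer-1:<base64 public key>"`, making sure the `.sec` half is the one Hydra signs with.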
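Review bot: `age.secrets.hydra_key` is declared with `owner = "hydra"` and no `mode`, and its path is handed to Hydra as `binary_cache_secret_key_file`; if agenix's default mode of `0400` applies, only the `hydra` user can read it, but in the NixOS Hydra module the process that signs and uploads store paths is, as far as I recall, `hydra-queue-runner`, a separate user that is only a member of group `hydra` — confirm which user actually opens the file. If it is the queue runner, either add `mode = "0440";` to the secret or change it to `owner = "hydra-queue-runner";`. The decrypted file must also be a Nix signing secret (`name:base64`, as written by `nix-store --generate-binary-cache-key`) whose public half is the key trusted in flake.nix; a key in another format will be rejected when Hydra starts. A comment above `hydra_key` stating how the key was generated and which process reads it would save the next reader a trip through the module source, e.g. `# Nix binary-cache signing key (nix-store --generate-binary-cache-key); public half lives in flake.nix`.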
@@ -28,23 +42,27 @@ in {
       };
     };
-    nix.settings.allowed-uris = [
-      "github:"
-      "https://github.com"
-      "git+https://github.com/"
-      "git+ssh://github.com/"
-      "git+https://git.zoeys.computer/"
-      "git+ssh://git.zoeys.computer/"
-    ];
+    users.users.hydra.extraGroups = ["keys"];
-    nix.buildMachines = [
-      {
-        hostName = "localhost";
-        protocol = null;
-        system = "x86_64-linux";
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        maxJobs = 8;
-      }
-    ];
+    nix = {
+      settings.allowed-uris = [
+        "github:"
+        "https://github.com"
+        "git+https://github.com/"
+        "git+ssh://github.com/"
+        "git+https://git.zoeys.computer/"
+        "git+ssh://git.zoeys.computer/"
+      ];
+      trustedUsers = ["hydra"]; # Ensure hydra user is trusted for nix
+      buildMachines = [
+        {
+          hostName = "localhost";
+          protocol = null;
+          system = "x86_64-linux";
+          supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+          maxJobs = 8;
+        }
+      ];
+    };
   };
 }
diff --git a/modules/nixos/sites/hydra/sec/hydra_key.age b/modules/nixos/sites/hydra/sec/hydra_key.age
new file mode 100644
index 0000000..e60964a
Binary files /dev/null and b/modules/nixos/sites/hydra/sec/hydra_key.age differ
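Review bot: `trustedUsers = ["hydra"];` makes the `hydra` account a Nix trusted user, which lets it bypass the build sandbox, add arbitrary substituters and import unsigned store paths — effectively root over the Nix store — and that is the same account the web frontend and evaluator run as, i.e. the processes that handle user-supplied jobset expressions. As far as I recall the NixOS Hydra module already marks `hydra-queue-runner` as trusted, which is the user that needs it for remote builds, so check whether anything actually fails without this line before granting it; the comment `# Ensure hydra user is trusted for nix` states what but not why. If it is genuinely needed, use the non-deprecated option consistent with the `settings.allowed-uris` line just above it: `settings.trusted-users = ["hydra"]; # needed because: <reason>`. Likewise `extraGroups = ["keys"]` follows the NixOps `/run/keys` convention; with agenix the secret already has an explicit owner and group, so this membership is probably unnecessary and widens what `hydra` can read.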