diff --git a/secrets.nix b/secrets.nix
index f42454c..d2977b6 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,6 +5,7 @@ let
 secrets = with keys; {
 hydra-s3-credentials = [ machines.bagel-box ];
+ hydra-ssh-key-priv = [ machines.bagel-box ];
 };
 in
 builtins.listToAttrs (
diff --git a/secrets/hydra-ssh-key-priv.age b/secrets/hydra-ssh-key-priv.age
new file mode 100644
index 0000000..298c9ff
Binary files /dev/null and b/secrets/hydra-ssh-key-priv.age differ
diff --git a/services/hydra/default.nix b/services/hydra/default.nix
index 63b25b1..7e69c4a 100644
--- a/services/hydra/default.nix
+++ b/services/hydra/default.nix
@@ -20,6 +20,11 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ age.secrets.hydra-s3-credentials.file = ../../secrets/hydra-s3-credentials.age;
+
+ age.secrets.hydra-ssh-key-priv.owner = "hydra-queue-runner";
+ age.secrets.hydra-ssh-key-priv.file = ../../secrets/hydra-ssh-key-priv.age;
+
 systemd.tmpfiles.rules = [
 "d /var/cache/hydra 0755 hydra hydra - -"
 "d ${narCacheDir} 0755 hydra hydra 1d -"
@@ -42,6 +47,12 @@ in {
 notificationSender = "bagel@delroth.net";
+ buildMachinesFiles = [
+ (pkgs.writeText "hydra-builders.conf" ''
+ ssh://bagel-builder@epyc.infra.newtype.fr x86_64-linux ${config.age.secrets.hydra-ssh-key-priv.path} 8 1 big-parallel,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUJwcFBwKzhsdDFSTDNodW5aaGlXRUUvY1laaHJXYjFzaVhKVWpiU2l6Rzggcm9vdEBlcHljCg==
+ '')
+ ];
+
 extraConfig = ''
 store_uri = s3://bagel-cache?${mkCacheSettings {
 endpoint = "s3.delroth.net";
@@ -73,9 +84,8 @@ in {
 '';
 };
- age.secrets."hydra-s3-credentials".file = ../../secrets/hydra-s3-credentials.age;
 systemd.services.hydra-queue-runner.serviceConfig.EnvironmentFile =
- config.age.secrets."hydra-s3-credentials".path;
+ config.age.secrets.hydra-s3-credentials.path;
 services.nginx = {
 enable = true;
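Review bot: The two `age.secrets` declarations added at the top of the `config = lib.mkIf cfg.enable {` hunk in services/hydra/default.nix leave it unexplained why only `hydra-ssh-key-priv` gets an explicit `owner` while `hydra-s3-credentials` keeps the agenix defaults. From the last hunk, the S3 credentials are consumed through `serviceConfig.EnvironmentFile`, which systemd itself reads before the service drops privileges, so a root-only file is enough there; the SSH key is presumably opened by the queue-runner process under its own user when it connects to the builder, which is why it needs to be owned by `hydra-queue-runner` — worth confirming that this matches the user the NixOS hydra module actually runs the queue runner as. Two short comments would keep the next maintainer from "fixing" the asymmetry: `# read by systemd (EnvironmentFile) as root; default owner/mode are sufficient` above the S3 line and `# opened by the queue runner itself (ssh client), so it must be readable by its user` above the key lines. The enclosing `config` attribute set continues outside the hunk.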
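Review bot: The new `buildMachinesFiles` entry in the `@@ -42,6 +47,12 @@` hunk embeds a long base64 field with no indication of what it is, and the machines-file columns are positional, so a reader cannot tell that it is the pinned host key of the builder rather than an opaque token. Decoding it on the page gives an `ssh-ed25519 … root@epyc` public key, i.e. the entry pins epyc's host key, which is the right thing to do but means the line must be regenerated whenever that host key rotates, and that the `-` before it is the empty mandatory-features column, not a stray character. A Nix comment above the attribute would capture this: `# columns: uri systems sshKey maxJobs speedFactor supportedFeatures mandatoryFeatures hostKey(base64);` followed by `# the last field pins epyc's ssh-ed25519 host key — update it if the builder's host key is rotated`. Only the agenix runtime path of the private key is interpolated into the store-written file, not the key material, so `pkgs.writeText` is fine here. The enclosing attribute set starts and ends outside the hunk.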