diff --git a/flake.lock b/flake.lock
index 3b187f4f..8b48f84f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -327,11 +327,11 @@
 ]
 },
 "locked": {
- "lastModified": 1640802687,
- "narHash": "sha256-ITEKxmlg4ectAqSp8mM3M/VCHu973UEcdt8yDb+hzDg=",
+ "lastModified": 1641509208,
+ "narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
 "ref": "master",
- "rev": "6ae85faf2f864c6a004915cce7d071e827dda314",
- "revCount": 115,
+ "rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
+ "revCount": 117,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index e4701cf6..147b3301 100644
--- a/flake.nix
+++ b/flake.nix
@@ -347,7 +347,9 @@
 ./hosts/containers/dn42
 (_: {
 nixpkgs.overlays = [ secrets.overlays.dn42 ];
+ sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
 })
+ sops-nix.nixosModules.sops
 ];
 system = "x86_64-linux";
 };
diff --git a/hosts/containers/dn42/default.nix b/hosts/containers/dn42/default.nix
index 5052fd21..75b83a66 100644
--- a/hosts/containers/dn42/default.nix
+++ b/hosts/containers/dn42/default.nix
@@ -38,8 +38,20 @@ in {
 Exec "collectd" "${routecount}"
 '';
- # SSH for nixops
+ # SSH for deployment
 services.openssh.enable = true;
+ sops.secrets = builtins.foldl' (result: name:
+ let
+ conf = neighbors.${name};
+ in result // (
+ if conf ? openvpn
+ then { "neighbors/${name}/openvpn/key" = {}; }
+ else if conf ? wireguard
+ then { "neighbors/${name}/wireguard/privateKey" = {}; }
+ else {}
+ )
+ ) {} (builtins.attrNames neighbors);
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 boot.kernel.sysctl = {
 "net.ipv4.conf.all.forwarding" = true;
@@ -69,7 +81,7 @@ in {
 ping-restart 45
 verb 1
 ${conf.openvpn}
- secret ${pkgs.openvpn-keyfile name}
+ secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path}
 '';
 up = ''
 ${pkgs.iproute}/bin/ip addr flush dev $1
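Review bot: The sops wiring for this container is now split across two files — `sops.defaultSopsFile` is set here, while `sops.age.sshKeyPaths` and the `sops.secrets` declarations live in hosts/containers/dn42/default.nix — and neither site says so. A one-line comment above the added line, `# decrypted with the container's ssh host key; see sops.age.sshKeyPaths in hosts/containers/dn42/default.nix`, would spare the next reader the search. If the `secrets` input is reachable from the container module (here it is only visible as the overlay source), moving `sops.defaultSopsFile` next to the other sops options would be cleaner still. The `nixosConfigurations` entry this module list belongs to starts and ends outside the hunk.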
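Review bot: The `if conf ? openvpn … else if conf ? wireguard` chain in the new `sops.secrets` fold declares at most one secret per neighbor, while the WireGuard block in the `@@ -88` hunk reads `config.sops.secrets."neighbors/${name}/wireguard/privateKey".path` for every neighbor that has a `wireguard` attribute, so a neighbor carrying both `openvpn` and `wireguard` (whether one exists is not visible here) would fail evaluation with a missing attribute. Declaring the two independently avoids that: `in result // lib.optionalAttrs (conf ? openvpn) { "neighbors/${name}/openvpn/key" = {}; } // lib.optionalAttrs (conf ? wireguard) { "neighbors/${name}/wireguard/privateKey" = {}; }` (`lib` is already in scope, as the `@@ -88` hunk shows). Separately, `sops.age.sshKeyPaths` makes `/etc/ssh/ssh_host_ed25519_key` the decryption identity and sops-nix decrypts during activation, so on a freshly created container whose host key does not exist yet the first activation will presumably fail until the key has been generated and `hosts/dn42/secrets.yaml` re-encrypted to it — worth stating in the commit message or the module. The reworded comment could carry that too: `# SSH for deployment; the ed25519 host key is also the sops-nix age identity (sops.age.sshKeyPaths below)`. The enclosing `in { … }` module attrset starts and ends outside the hunk.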
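Review bot: Replacing `${pkgs.openvpn-keyfile name}` with the sops-managed path keeps the static key out of the generated openvpn config, but the keys that were previously embedded — this `secret` file and the WireGuard `privateKey` dropped from `inherit` in the `@@ -88` hunk — have presumably already been realised into world-readable `/nix/store` paths on every machine that evaluated the old configuration, and they remain in the secrets repository's git history. Moving them into sops does not undo that exposure; rotating the OpenVPN static keys and WireGuard private keys (and the peers' copies) after this change is the mitigation, and the commit message should say whether that was done. A sops entry declared as `{}` defaults to an owner-root, mode-0400 file under `/run/secrets`, which matches openvpn reading the `secret` file at startup as root, so no owner/mode override is needed here. The attrset that builds this openvpn instance starts and ends outside the hunk.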
@@ -88,7 +100,8 @@ in {
 wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
 in builtins.mapAttrs (name: conf: {
- inherit (conf.wireguard) listenPort privateKey;
+ inherit (conf.wireguard) listenPort;
+ privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
 ips = [ "${address4}/32" "${address6}/64" ];
 allowedIPsAsRoutes = false;
 postSetup = ''