diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix
index 7713df48..10b54c9c 100644
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@@ -152,7 +152,11 @@ in
 sops = {
 defaultSopsFile = ./secrets.yaml;
- secrets."nix-serve/secretKey".mode = "0444";
+ secrets."nix-serve/secretKey" = {
+ mode = "440";
+ owner = config.users.users.hydra-queue-runner.name;
+ inherit (config.users.users.hydra-queue-runner) group;
+ };
 };
 systemd.services = {
@@ -185,4 +189,7 @@ in
 MemorySwapMax = "64G";
 };
 };
+
+ # allow reading nix-serve secret
+ users.users.harmonia.extraGroups = [ "hydra" ];
 }
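Review bot: The signing key in `secrets."nix-serve/secretKey"` is now readable by every member of hydra-queue-runner's primary group, so its trust boundary is whatever that group contains on this host rather than the two services that need it. If that group is shared with other Hydra service accounts (not visible in this hunk), a dedicated group for the key, e.g. `group = "<key-group>";` (placeholder name) with only the signer and the cache server as members, would limit exposure to the actual consumers. Writing `mode = "0440";` would also match the four-digit form the removed line used and make the octal intent explicit. The `sops` attribute set begins outside the hunk, so other secrets that might share this group are not visible here.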
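Review bot: The group name `"hydra"` is hard-coded in `users.users.harmonia.extraGroups`, while the secret's group in the first hunk is inherited from `config.users.users.hydra-queue-runner`, so the two can drift apart and harmonia would lose read access without any evaluation error. Tying them together with `users.users.harmonia.extraGroups = [ config.users.users.hydra-queue-runner.group ];` keeps the permission and the membership in step. Membership also gives harmonia everything else that is group-accessible to that group, which is more than the comment `# allow reading nix-serve secret` states. Either the comment should say so, or the key should get its own group so that the cache server's access stays limited to the one file.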